Sophos Backup and Recovery by Rubrik: M365 Restore in Sophos Central

Sophos and Rubrik made Sophos Backup and Recovery Powered by Rubrik Cyber Resilience generally available worldwide on June 1, 2026, giving Sophos customers Microsoft 365 backup and restore for Exchange Online, OneDrive, SharePoint, and Teams directly inside Sophos Central. The announcement is not just another channel partnership in the crowded backup market. It is a bet that recovery has become part of security operations, not a separate task waiting in another console after the fire is out. For Windows shops living in Microsoft 365 all day, that distinction matters.

Recovery Moves Into the Security Console

For years, Microsoft 365 backup has been sold as insurance: necessary, prudent, and too often discussed only after someone deletes the wrong mailbox or an attacker encrypts the wrong SharePoint library. Sophos and Rubrik are reframing it as incident response infrastructure. The new offering brings Rubrik’s SaaS-based Microsoft 365 protection into Sophos Central, where many customers already manage endpoint security, detection and response, email protection, and related telemetry.
That positioning is deliberate. Sophos is not trying to become a backup company from scratch, and Rubrik is not trying to build a full security operations platform overnight. Instead, the two companies are stitching together the two halves of the ransomware story that vendors usually sell separately: finding the attack and getting the business running again.
The integration covers the usual Microsoft 365 crown jewels: Exchange Online, OneDrive, SharePoint, and Teams. Those workloads have become the working memory of the modern organization. A decade ago, losing access to email was bad enough; today, the same identity compromise can expose chat history, shared files, project documentation, customer records, HR material, and the collaboration fabric that tells employees what to do next.
That is why this announcement lands differently from an ordinary product availability note. Backup is no longer merely about restoring a deleted file. In a Microsoft 365 incident, recovery is about determining what changed, what was touched, what can be trusted, and how quickly the organization can resume normal operations without restoring the attacker’s mess along with the data.

Microsoft 365 Became Too Important to Treat as Someone Else’s Problem

Microsoft 365’s success created a strange complacency. Because the service is cloud-hosted, highly available, and run by Microsoft, many organizations still blur the line between platform resilience and customer data recoverability. The distinction is easy to ignore until an admin account is compromised, retention settings are changed, files are purged, or a malicious actor uses legitimate access to cause damage that does not look like a traditional infrastructure failure.
Microsoft keeps the service running. That is not the same thing as guaranteeing that every tenant can roll back every business-impacting mistake or malicious change on the customer’s preferred timeline. Retention policies, recycle bins, legal holds, versioning, and native recovery features all have value, but they are not a universal substitute for an independent, tested backup and restore strategy.
Sophos and Rubrik are exploiting that gap, but the gap is real. The more deeply Microsoft 365 becomes embedded in daily work, the more the recovery conversation shifts from “Can we get the file back?” to “Can we reconstruct a trusted operating state?” That is a harder problem, especially when attackers arrive through identity rather than malware alone.
The press release leans on familiar threats: ransomware, account compromise, insider threats, and accidental deletion. The interesting part is that all four can look similar from a recovery perspective. Whether the damage came from a criminal, a disgruntled employee, a misconfigured retention policy, or a well-meaning user with too much access, the business still needs clean data restored quickly and precisely.

The Partnership Has Been Moving Toward This Since Black Hat

The June 2026 general availability follows the strategic partnership Sophos and Rubrik announced in August 2025 at Black Hat USA. At the time, the pitch was that Sophos would offer a Microsoft 365 backup and recovery add-on powered by Rubrik, optimized for Sophos MDR and XDR customers and integrated into Sophos Central. Now that promise has moved from roadmap language into a product customers can activate through Sophos partners or sales representatives.
The timing is worth noting. Sophos has spent years pushing Sophos Central as more than a dashboard, presenting it as the connective tissue across endpoint, cloud, network, identity, email, and business application telemetry. Rubrik, meanwhile, has been recasting backup as cyber resilience: not just storing copies, but helping organizations survive data attacks, recover cleanly, and understand blast radius.
The companies are meeting in the middle because the old division of labor is increasingly artificial. Security teams identify compromised accounts, suspicious behavior, malicious inbox rules, mass deletions, abnormal file activity, and lateral movement. Backup teams restore mailboxes, sites, channels, and drives. During an incident, however, the business experiences all of this as one event.
That is the operational promise of the Sophos-Rubrik integration. If the security console already knows which user account was compromised, which endpoint was involved, which mailbox showed suspicious activity, and which cloud resources were accessed, then recovery should not begin with a separate team manually translating incident notes into restore jobs. It should begin with context.

The Console War Comes for Backup

Every security vendor wants to own the console. Every platform vendor wants to reduce the number of panes of glass. Every administrator has heard those promises before and has the browser tabs to prove they rarely come true.
Still, the Sophos-Rubrik move reflects a real market pressure. Mid-market organizations, managed service providers, and lean IT teams often do not have separate departments for endpoint detection, Microsoft 365 administration, identity governance, backup operations, and incident response. The same small group may be triaging alerts in the morning, restoring SharePoint files at lunch, and explaining risk posture to executives by the afternoon.
For those teams, integration is not a luxury. It is how work gets done under pressure. A backup product that requires separate authentication, separate policy management, separate investigation, and separate reporting may be technically strong but operationally slow. In a ransomware or identity compromise event, slow is expensive.
Sophos Central already has a large installed base. The company says it defends more than 600,000 organizations worldwide, and the earlier partnership announcement emphasized more than 75,000 MDR and XDR customers as a natural audience for the Rubrik-powered add-on. That gives Rubrik a distribution path into organizations that might not be shopping for a standalone enterprise backup platform but are already buying managed detection and response.
The flip side is lock-in by gravity rather than contract. Once recovery workflows sit inside the security platform, moving away from that platform becomes more complicated. That may be good business for Sophos and Rubrik, but customers should recognize the architectural trade: unified operations can reduce friction, but it can also concentrate operational dependency.

Immutable Backups Are Now Table Stakes, Not Magic

The feature list reads like modern backup marketing because modern backup marketing has been shaped by ransomware. Sophos and Rubrik promise isolated Microsoft 365 backups using air-gapped architecture, WORM-locked immutability, and customer-controlled encryption. The idea is simple: even if an attacker compromises credentials in the production environment, protected backup data should remain tamper-resistant.
That is important, but it should not be treated as a spell. Immutability reduces a major class of risk, especially when attackers try to delete or corrupt backups before detonating ransomware. It does not eliminate the need for careful identity design, least privilege, multifactor authentication, restore testing, retention planning, or incident playbooks.
The phrase air-gapped also deserves scrutiny in cloud services. In traditional infrastructure, an air gap evoked physical or network separation. In SaaS backup, it usually means logical isolation, separate control planes, restricted access paths, and architectural barriers designed to prevent production compromise from becoming backup compromise. Those controls can be strong, but customers should still ask exactly how isolation works, who can administer it, how encryption keys are controlled, and what happens if Sophos Central access itself is abused.
WORM locking is similarly valuable but not self-explanatory. Write once, read many controls are meant to prevent alteration or deletion during a defined retention period. That helps against malicious tampering, but it also requires policy discipline. Keep too little, and you may miss the clean restore point. Keep too much, and costs, compliance obligations, and e-discovery exposure can grow.
Rubrik’s involvement gives the offering credibility because this is its home turf. Sophos gains a recovery engine without reinventing one; Rubrik gains a front door inside active security operations. Customers gain a more coherent workflow, assuming the integration is deep enough to matter in real incidents rather than simply embedding backup screens in a familiar shell.

Granular Recovery Is Where the Product Will Prove Itself

The most important capability may not be immutability. It may be granular restore at scale. The announcement says teams can search and restore emails, files, mailboxes, OneDrive accounts, SharePoint sites, and Teams data to original or alternate users, including inactive accounts.
That sounds mundane until you imagine a real Microsoft 365 incident. A compromised account might delete or alter files across multiple SharePoint sites. A malicious inbox rule might redirect sensitive mail. A Teams channel might contain files stored in SharePoint, conversations stored elsewhere, and permissions inherited through group membership. A departing employee’s inactive account might suddenly become relevant because it holds the last clean copy of a critical conversation or file history.
Restoring all of Microsoft 365 to yesterday is rarely the right answer. Restoring one message, one mailbox, one folder, one site, one channel, or one user’s OneDrive may be the difference between a contained incident and a business-wide interruption. The practical value is not just whether the data exists in backup; it is whether the team can find the right object, identify a clean restore point, and put it back without breaking something else.
That is where security context matters. If Sophos Central can help map suspicious activity to recovery scope, then recovery becomes less of a guessing game. If it cannot, the integration risks becoming cosmetic: useful for procurement, less transformative during an attack.
The announcement’s language about understanding what was affected and restoring clean, trusted data is therefore the center of the story. The hard part is not saying “restore clean data.” The hard part is determining what clean means when identity, permissions, mail flow, files, and collaboration history are all entangled.

Automated Protection Addresses the Problem Nobody Wants to Own

The offering also promises automated discovery of new users, sites, and workloads, with policy-driven protection using Entra ID-based controls. That is less flashy than ransomware recovery, but it may be the feature that saves administrators from the most common failure mode: drift.
Microsoft 365 environments do not sit still. Users join and leave. Shared mailboxes appear. Teams are created for temporary projects and then become permanent repositories. SharePoint sites multiply. OneDrive becomes the default dumping ground for work-in-progress documents. If backup coverage depends on someone remembering to add every new object manually, gaps are inevitable.
Policy-based automation is the right direction because identity and group structure already define much of the Microsoft 365 operating model. If backup follows those controls, organizations can reduce the lag between business creation and data protection. That matters especially for MSPs and mid-sized IT teams managing many tenants or fast-changing environments.
But automation also inherits the quality of the identity design beneath it. If Entra ID groups are messy, roles are overbroad, naming conventions are inconsistent, and lifecycle management is weak, policy-driven backup can protect broadly but not necessarily elegantly. The integration may reduce manual effort, but it will not rescue a tenant from years of governance neglect.
This is where the announcement intersects with a broader truth about Microsoft 365 administration. Security, compliance, backup, and collaboration are all downstream of identity hygiene. A recovery product can help restore data after a bad day. It cannot fully compensate for an environment where no one knows who owns a Team, which sites are business critical, or why a former contractor still has access.

Sophos Is Selling Resilience to the Mid-Market’s Real Staffing Model

The customer implied by this product is not a Fortune 50 enterprise with a dedicated cyber recovery team, a separate Microsoft 365 governance office, and a 24-hour security operations center. It is more likely a school district, a manufacturer, a legal practice, a regional healthcare provider, a local government, or a fast-growing business whose Microsoft 365 tenant is more complex than its staffing model can comfortably support.
That is Sophos’ sweet spot. The company’s MDR and XDR business has long appealed to organizations that need security operations capability without building everything themselves. Adding Microsoft 365 recovery to that operational model is a logical extension. If Sophos or a Sophos partner is already helping detect and respond to threats, the customer may reasonably ask why recovery is still in a disconnected tool.
Rubrik gets something equally valuable: a route into the mid-market without forcing every customer through a standalone enterprise data protection sales motion. Its brand is strong among larger organizations and security-conscious buyers, but Microsoft 365 backup is crowded with specialists, MSP-oriented platforms, and Microsoft’s own native backup offering. Being embedded in Sophos Central gives Rubrik a differentiated channel.
The phrase “available as an add-on” is doing a lot of work. It signals that this is not a free entitlement and not a replacement for Microsoft 365’s native features. Customers will need to evaluate licensing, retention needs, protected workload scope, restore performance, administrative roles, and how the integration fits existing backup contracts.
That evaluation should include the uncomfortable question of whether the organization has ever tested a Microsoft 365 restore under realistic conditions. Many have not. They have retention policies, assumptions, and vendor brochures. They do not have measured restore times, documented authority to approve restores, or a rehearsed process for recovering after an identity-led attack.

Microsoft’s Own Backup Push Changes the Competitive Context

This announcement also lands in a market Microsoft itself has entered more directly. Microsoft 365 Backup gives customers a native, pay-as-you-go backup option for certain Microsoft 365 workloads, with Microsoft emphasizing fast restore and data kept within the tenant boundary. That changes the conversation for third-party vendors.
The old third-party pitch was straightforward: Microsoft provides the platform, but you need someone else for backup. The new pitch has to be sharper. If Microsoft offers native backup, partners must explain why their recovery workflow, isolation model, security context, retention flexibility, cross-workload visibility, or operational integration is superior for the customer’s risk model.
Sophos and Rubrik appear to be answering with workflow rather than raw backup capability alone. Their case is that recovery belongs next to detection and response, not merely inside the Microsoft admin ecosystem. For organizations already using Sophos Central as their security operating layer, that may be persuasive.
Microsoft still has structural advantages. It owns the platform, the APIs, the tenant boundary, the product roadmap, and the customer relationship at massive scale. Native backup can be simpler to justify for organizations standardizing on Microsoft tools, especially those that prefer fewer vendors and tight alignment with Microsoft 365 administration.
But third-party recovery still has a strong argument in cyber incidents. Independence matters when the tenant itself is compromised. So do immutable controls, externalized recovery workflows, and vendor diversity. The best choice will depend less on brand loyalty than on threat modeling: what kind of failure are you trying to survive, and who has authority when the failure occurs?

The Real Test Is Not the Press Release, but the Restore Drill

The phrase cyber resilience has become a vendor favorite because it sounds broader and more strategic than backup. It is also easy to abuse. A product is not resilient because the marketing team says so; it is resilient if it shortens downtime, reduces uncertainty, and gives administrators confidence during an ugly incident.
For Sophos and Rubrik, the product’s credibility will depend on how well it performs in drills and real events. Can a customer identify all affected Microsoft 365 objects tied to a compromised account? Can they restore a mailbox or SharePoint library to a clean point without overwriting legitimate recent work? Can they recover Teams-related data in a way users understand? Can delegated admins perform the right tasks without being granted dangerous levels of access?
The managed service provider angle is equally important. Sophos’ channel ecosystem is large, and many customers will experience this offering through a partner rather than directly through either vendor. That means documentation, role-based access, multi-tenant management, alerting, billing clarity, and support escalation will shape the product’s real-world reputation as much as the underlying Rubrik technology.
There is also a cultural issue. Security teams often think in incidents, indicators, containment, and threat actor behavior. Backup teams think in restore points, retention windows, recovery objectives, and data integrity. Putting the tools in one console does not automatically merge those disciplines. Organizations still need runbooks that say who declares an incident, who freezes retention changes, who authorizes restore, who validates data cleanliness, and who communicates with users.
If the product encourages those conversations, it will have value beyond the restore button. If it lets organizations pretend that buying an add-on is the same as building resilience, it will become another checkbox in a long line of security purchases that looked better in procurement than in practice.

Windows Shops Should Read This as an Identity Story

For WindowsForum readers, the Microsoft 365 angle is obvious, but the deeper issue is identity. Modern Windows environments increasingly revolve around Entra ID, conditional access, cloud mail, Teams, SharePoint, OneDrive, endpoint management, and SaaS integrations. The old perimeter has dissolved into account privileges, tokens, session controls, device posture, and cloud data permissions.
That makes recovery harder because the attacker may not need to deploy malware in the classic sense. A compromised account can search mail, alter forwarding rules, delete files, modify sharing links, create persistence, and exploit trust relationships. The damage can be subtle, distributed, and perfectly valid from the platform’s point of view.
Backup and recovery products must therefore adapt to identity-led incidents. Restoring data is only one part of the response. Administrators must also revoke sessions, reset credentials, rotate secrets, review app consents, inspect mailbox rules, audit sharing, examine Teams and SharePoint permissions, and determine whether restored data will be exposed again the moment it comes back.
Sophos has an advantage if it can connect endpoint and identity signals to Microsoft 365 recovery decisions. Rubrik has an advantage if its recovery model can preserve clean copies even when the production tenant is under duress. The integration’s value lies in whether those advantages actually reinforce each other.
This is why the announcement is more interesting than a simple “backup now available” headline. It reflects a shift in how the industry talks about Microsoft 365 risk. The question is no longer whether cloud collaboration needs backup. The question is whether backup can keep up with cloud-native attacks.

The Restore Button Is Now Part of the Incident Timeline

The practical lesson from Sophos and Rubrik’s launch is that Microsoft 365 recovery should be planned as part of security operations, not discovered during a crisis. The product may not be right for every tenant, but the assumptions behind it are increasingly hard to dispute.
  • Sophos Backup and Recovery Powered by Rubrik Cyber Resilience is now generally available as an add-on for Sophos customers through Sophos partners or sales representatives.
  • The offering protects Microsoft 365 data across Exchange Online, OneDrive, SharePoint, and Teams from within Sophos Central.
  • Rubrik supplies the underlying SaaS-based backup and recovery capabilities, including immutable, isolated backups and granular restore options.
  • The integration is aimed at incidents where ransomware, account compromise, insider activity, or accidental deletion affects Microsoft 365 data.
  • Customers should test restore workflows, validate administrative roles, and confirm retention policies before treating the product as operational insurance.
  • The competitive question is not whether Microsoft 365 needs recovery, but whether recovery is more effective inside the security workflow, inside Microsoft’s native tooling, or in a separate backup platform.
Sophos and Rubrik are not solving every Microsoft 365 resilience problem with one general availability announcement. They are, however, pointing at the right battlefield: the moment after detection, when the business stops asking what happened and starts asking what can be trusted. The vendors that win that moment will not be the ones with the loudest resilience slogans, but the ones that help administrators move from compromised identity to clean recovery with fewer guesses, fewer consoles, and fewer hours lost to organizational panic.

References

  1. Primary source: GlobeNewswire
    Published: Mon, 01 Jun 2026 13:00:00 GMT
  2. Related coverage: sophos.com
  3. Related coverage: news.sophos.com
  4. Related coverage: msspalert.com
  5. Related coverage: avepoint.com
  6. Related coverage: community.sophos.com
  7. Official source: learn.microsoft.com
  8. Related coverage: windowsforum.com
  9. Official source: microsoft.com
  10. Related coverage: xen.com.tr
  11. Related coverage: rubrik.com
  12. Official source: adoption.microsoft.com
 
