Sophos acquires Arco Cyber to scale CISO expertise through agentic AI

Sophos has acquired Arco Cyber to expand AI-driven cybersecurity governance, helping organisations validate controls, manage risk, and access CISO-level expertise through MSP and MSSP partners.

DQINDIA Online

Sophos has announced the acquisition of Arco Cyber, a UK cybersecurity assurance firm, in a move aimed at strengthening its governance and risk capabilities across India and global markets. The deal adds AI-driven security validation and compliance insight to the Sophos platform, with a focus on helping organisations that operate without a full-time Chief Information Security Officer (CISO).

The company plans to integrate Arco Cyber’s technology and team into Sophos Central, its unified security platform.

Bridging the cybersecurity leadership gap

Globally, there are an estimated 359 million organisations. Fewer than 32,000 have a CISO. That gap is not small. It leaves many firms running advanced security tools but without senior leadership to measure risk, validate controls, or report clearly to boards and regulators.

Sophos is positioning the acquisition as a response to that imbalance.

The company refers to its broader strategy as Sophos CISO Advantage. The framework combines agentic Artificial Intelligence (AI), integrated security platforms, and human expertise delivered through Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).

Joe Levy, CEO of Sophos, said the market does not lack security tools. Instead, many organisations struggle to govern those tools and confirm whether controls are working as intended.

“What’s missing for most organisations is the ability to govern those tools, understand whether controls are actually working, and make informed decisions about risk,” Levy said. He added that Arco Cyber brings clarity, accountability, and proof to security operations.

From alerts to assurance

As cybersecurity programs mature, the conversation is shifting. It is no longer just about detecting threats. Boards, regulators, and insurers increasingly want evidence that investments reduce risk.

Phil Harris, Research Director for Governance, Risk, and Compliance Solutions at IDC, noted that organisations are focused on proving impact rather than activity. According to Harris, platforms that combine detection and response with assurance and risk measurement better reflect how companies operate today.

The integration of Arco Cyber supports that direction. Its platform enables continuous validation of security controls, alignment with risk and compliance frameworks, and executive-ready reporting. In simple terms, it helps translate technical signals into boardroom language.

Expanding the partner-led model

A key element of Sophos CISO Advantage is its partner ecosystem. Many organisations depend on MSPs and MSSPs to manage daily security operations and provide strategic advice.

By adding AI-driven governance and continuous assurance capabilities, Sophos aims to strengthen the advisory role of these partners. Instead of acting only as technology operators, partners can offer structured risk insights and ongoing validation of control effectiveness.

Matt Helling, CEO and co-founder of Arco Cyber, said the company was founded to help organisations move “from assumption to proof” in cybersecurity. He said joining Sophos will allow that mission to reach a broader customer base.

For organisations with an existing CISO, the combined platform promises integrated risk tracking and clearer reporting. For those without one, Sophos is effectively offering CISO-level guidance delivered through software, AI systems, and trusted partners.

In a market crowded with tools but short on governance, this acquisition signals a shift. The focus is moving from adding more alerts to delivering measurable control over cyber risk.