Sophos Central MCP Server
for AI Agents

Q: What AI frameworks and AI clients does the StackOne Sophos Central MCP server support?

The StackOne Sophos Central MCP server supports both. MCP clients (paste-and-go apps): Claude Desktop, Claude Code, Cursor, VS Code, Goose. Agent frameworks (code SDKs you build with): OpenAI Agents SDK, Anthropic, Vercel AI, Google ADK, CrewAI, Pydantic AI, LangChain, LangGraph, Azure AI Foundry.

Production-ready Sophos Central MCP server with 54 extensible actions — plus built-in authentication, security, and optimized execution.

Start Free Book Demo Read Docs →

Sophos Central MCP Server

Built by

StackOne

Coverage

54 Agent Actions

Create, read, update, and delete across Sophos Central — and extend your agent's capabilities with custom actions.

MCP Actions → Create Actions →

Authentication

Agent Tool Authentication

Per-user OAuth in one call. Your Sophos Central MCP server gets session-scoped tokens with zero credentials stored on your infra.

Agent Auth →

Security

Agent Protection

Every Sophos Central tool response scanned for prompt injection in milliseconds — 88.7% accuracy, all running on CPU.

Prompt Injection Defense →

Performance

Max Agent Context. Min Cost.

Free up to 96% of your agent's context window to enhance reasoning and reduce cost, on every Sophos Central call.

Tools Discovery →

What is the Sophos Central MCP Server?

A Sophos Central MCP server lets AI agents read and write Sophos Central data through the Model Context Protocol — Anthropic's open standard for connecting LLMs to external tools. StackOne's Sophos Central MCP server ships with 54 pre-built actions, fully extensible via the Connector Builder — plus managed authentication, prompt injection defense, and optimized agent context. Connect it from MCP clients like Claude Desktop, Claude Code, Cursor, Goose, and VS Code, or from agent frameworks like OpenAI Agents SDK, LangChain, and Vercel AI SDK.

All Sophos Central MCP Tools and Actions

Every action from Sophos Central's API, ready for your agent. Create, read, update, and delete — scoped to exactly what you need.

Admins

Create Admin
Promote an existing user to tenant admin with role assignments
List Admins
Retrieve a paginated list of tenant administrators from Sophos Central
Get Admin
Retrieve details of a specific tenant administrator by ID
Delete Admin
Remove an admin (demote user back to regular user)

Alerts

List Alerts
Retrieve a paginated list of alerts from Sophos Central
Get Alert
Retrieve details of a specific alert by ID
Search Alerts
Search alerts using POST body for advanced filtering

Endpoint Groups

Create Endpoint Group
Create a new endpoint group
List Endpoint Groups
Retrieve a paginated list of endpoint groups
Get Endpoint Group
Retrieve details of a specific endpoint group by ID
Update Endpoint Group
Update an endpoint group's name or description
Delete Endpoint Group
Delete an endpoint group (endpoints are not deleted)

Endpoints

List Endpoints
Retrieve a paginated list of endpoint devices from Sophos Central
Get Endpoint
Retrieve details of a specific endpoint device by ID
Delete Endpoint
Delete an endpoint device from Sophos Central

IAM Groups

List IAM Groups
List Sophos Central directory user groups mapped to the StackOne IAM unified group schema. Returns id, name, description, and timestamps. Type is pinned to "group" (Sophos has one flat group concept).
Get IAM Group
Retrieve a single Sophos Central directory user group by ID, mapped to the StackOne IAM unified group schema.

IAM Roles

List IAM Roles
List all Sophos Central tenant roles (predefined and custom) mapped to the StackOne IAM unified role schema. Returns role name, description, and type synthesized from the role name.
Get IAM Role
Retrieve a single Sophos Central role by ID, mapped to the StackOne IAM unified role schema.

IAM Users

List IAM Users
List Sophos Central directory users mapped to the StackOne IAM unified user schema. Returns identity fields (id, name, email) and timestamps. Roles are not available on the directory endpoint and are intentionally omitted; groups membership is not returned inline.
Get IAM User
Retrieve a single Sophos Central directory user by ID, mapped to the StackOne IAM unified user schema. Supports expand=groups to include group membership inline.

Policys

Create Policy
Create a new security policy
Get Policy
Retrieve details of a specific policy by ID
Update Policy
Update an existing policy's settings, assignments, or metadata
Delete Policy
Delete a security policy

Roles

List Roles
Retrieve all tenant roles from Sophos Central
Get Role
Retrieve details of a specific role by ID

User Groups

Create User Group
Create a new user group in the Sophos Central directory
List User Groups
Retrieve a paginated list of user groups from Sophos Central
Get User Group
Retrieve details of a specific user group by ID
Update User Group
Update an existing user group's details
Delete User Group
Delete a user group from the Sophos Central directory

Users

Create User
Create a new user in the Sophos Central directory
List Users
Retrieve a paginated list of directory users from Sophos Central
Get User
Retrieve details of a specific directory user by ID
Update User
Update an existing directory user's details
Delete User
Delete a user from the Sophos Central directory

Other (17)

Add Endpoints To Group
Add one or more endpoints to an endpoint group
Add Users To Group
Add one or more users to a user group
Add User To Groups
Add a user to one or more user groups
List Endpoints In Group
Retrieve all endpoints belonging to a specific endpoint group
Get Endpoint Isolation Status
Get network isolation status for a specific endpoint
Get IAM Credentials (Me)
Retrieve the current Sophos Central service principal identity via the whoami endpoint. Returns auth type (service_user) and the tenant/partner/org ID. OAuth scopes are not applicable — Sophos uses role-based access on service principals.
List Policies
Retrieve all security policies configured for the tenant
List Permission Sets
Retrieve all available permission sets
List Users In Group
Retrieve all users belonging to a specific user group
List Groups Of User
Retrieve all user groups that a specific user belongs to
Remove Endpoints From Group
Remove one or more endpoints from an endpoint group
Remove Users From Group
Remove one or more users from a user group
Remove User From Groups
Remove a user from one or more user groups
Assign Role To Admin
Assign a role of principal type "user" to a tenant admin (overrides any existing assignment)
Revoke Role From Admin
Revoke a role assignment from an admin
Act On Alert
Perform an action on a specific alert
Trigger Update Check
Force an endpoint to check for agent updates

Set Up Your Sophos Central MCP Server in Minutes

One endpoint. Any framework. Your agent is talking to Sophos Central in under 10 lines of code.

MCP Clients

Agent Frameworks

Claude Desktop-

JSON

Browse Claude Desktop MCP Docs

{
  "mcpServers": {
    "stackone": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://api.stackone.com/mcp?x-account-id=<account_id>",
        "--header",
        "Authorization: Basic <YOUR_BASE64_TOKEN>"
      ]
    }
  }
}

More developer MCP Servers

PingOne

113+ actions

All developer MCP Servers →

Sophos Central MCP Server Resources

MCP Code Mode: Keeping Tool Responses Out of Agent Context

Anthropic's code_execution processes data already in context. Custom MCP code mode keeps raw tool responses in a sandbox. 14K tokens vs 500.

11 min

Comparing BM25, TF-IDF, and Hybrid Search for MCP Tool Discovery

Benchmarking BM25, TF-IDF, and hybrid search for MCP tool discovery across 916 tools. The 80/20 TF-IDF/BM25 hybrid hits 21% Top-1 accuracy in under 1ms.

10 min

Indirect Prompt Injection Defense for MCP Tools: A Technical Guide

MCP tools that read emails, CRM records, and tickets are indirect prompt injection vectors. Here's how we built a two-tier defense that scans tool results in ~11ms.

12 min

Sophos Central MCP Server FAQ

Sophos Central MCP server vs direct API integration — what's the difference?

A Sophos Central MCP server and direct API integration serve different use cases. Direct API integration is for software-to-software — backend code calling Sophos Central. A Sophos Central MCP server is for AI agents — MCP clients like Claude and Cursor, plus framework agents built with OpenAI, LangChain, or Vercel AI — discovering and calling Sophos Central at runtime. StackOne provides both.

How does Sophos Central authentication work for AI agents?

Sophos Central authentication for AI agents works through a StackOne Connect Session. Create one via the dashboard or the SDK — you get an auth link and ready-to-paste config for Claude Desktop, Cursor, and other MCP clients. Your user authenticates their own Sophos Central account; StackOne handles token exchange, storage, and refresh. Credentials never reach the LLM, and each user is isolated via origin_owner_id.

Are Sophos Central MCP tools vulnerable to prompt injection?

Yes — Sophos Central MCP tools can be vulnerable to indirect prompt injection. Any tool that reads user-written content — documents, messages, tickets, records, or free-text fields — is a potential vector. StackOne Defender scans every tool response before it enters the agent's context — regex patterns in ~1ms, then a MiniLM classifier in ~4ms. 88.7% accuracy, CPU-only.

What is the context bloat of a Sophos Central agent and how do I avoid it?

Context bloat happens when Sophos Central tool schemas and API responses eat your Sophos Central agent's memory, preventing it from reasoning effectively. A single Sophos Central query can return a massive JSON response, and connecting multiple tools compounds the problem. Tools Discovery and Code Mode reduce context bloat — loading only relevant tools per query and keeping raw responses out of the agent's context.

Can I limit which actions my Sophos Central agent can access?

Yes — you can limit which actions your Sophos Central agent can access directly from the StackOne dashboard. Toggle actions on or off, or restrict them to specific accounts, with no code changes to your agent. Session tokens can be scoped to exact actions so if one leaks, exposure stays contained.

Can I create custom agent actions for my Sophos Central MCP server?

Yes — you can create custom agent actions for your Sophos Central MCP server using Connector Builder. It's an integration agent your coding assistant (Claude Code, Cursor, or Copilot) can invoke to research Sophos Central's API, generate production-ready connector YAML, test against the live API, and validate before you ship.

When should I NOT use a Sophos Central MCP server?

Skip a Sophos Central MCP server if your integration is purely software-to-software — direct Sophos Central API integration is simpler when no AI agent is involved. For deterministic, compliance-critical operations (financial transactions, regulatory reporting), direct API gives you predictable behavior without agent-driven decision-making. MCP shines when AI agents need to dynamically discover and call Sophos Central actions at runtime.

What AI frameworks and AI clients does the StackOne Sophos Central MCP server support?

The StackOne Sophos Central MCP server supports both. MCP clients (paste-and-go apps): Claude Desktop, Claude Code, Cursor, VS Code, Goose. Agent frameworks (code SDKs you build with): OpenAI Agents SDK, Anthropic, Vercel AI, Google ADK, CrewAI, Pydantic AI, LangChain, LangGraph, Azure AI Foundry.

Put your AI agents to work

All the tools you need to build and scale AI agent integrations, with best-in-class connectivity, execution, and security.

Start Free Book Demo

Sophos Central MCP Serverfor AI Agents