Improve your experience. We are very sorry but this website does not support Internet Explorer. We recommend using a different browser that is supported such as Google Chrome or Mozilla Firefox.

Sophos Architect Central (AT15)

Sophos Certified Architect - Sophos Central (AT15)


This course provides an in-depth study of Sophos Central, designed for experienced technical professionals who will be planning, installing, configuring and supporting deployments in production environments. 

It consists of presentations and practical lab exercises to reinforce the taught content, and electronic copies of the supporting documents for the course will be provided to each trainee through the online portal. The course is expected to take 3 days (24 hours) to complete, of which approximately 9 hours will be spent on the practical exercises.


On completion of this course, trainees will be able to:

  • Design an installation considering all variables
  • Undertake a multi-site installation appropriate for a customer environment
  • Explain the function of core components, how they work, and how to configure them
  • Track the source of infections and cleanup infected devices
  • Perform preliminary troubleshooting and basic support of customer environments 


Prior to taking this training you should:

  • Have completed and passed the Sophos Central Endpoint and Server Protection - Certified Engineer course

We recommend students have the following knowledge and experience:

  • Experience with Windows networking and the ability to troubleshoot issues
  • A good understanding of IT security
  • Experience using the Linux command line for common tasks
  • Experience configuring Active Directory Group Policies
  • Experience creating and managing virtual servers or desktops

If you are uncertain whether you meet the necessary prerequisites to take this course, please contact Sophos at


To become a Sophos Certified Architect, trainees must take and pass an online assessment. The assessment tests their knowledge of both the presented and practical content. The pass mark for the assessment is 80% and is limited to 3 attempts.

Lab Exercises

Each student will be provided with a pre-configured environment which simulates a company with two networks and several Windows and Linux computers.

Course Modules

Module 1: User Management

  • Review how users are added to Sophos Central
  • Explain how API credentials are created in Sophos Central
  • Enable and manage multi-factor authentication (MFA)
  • Install and configure the AD Sync Utility Tool
  • Configure Azure AD in Sophos Central
  • Labs

Module 2: Deployment Scenarios

  • Identify some of the common challenges when deploying Central
  • Deploy Update Caches
  • Set up Message Relays
  • Identify where Update Caches and Message Relays should be used
  • Labs 

Module 3: Deployment

  • Identify the recommended steps for deploying Sophos Central
  • Explain the installation process of the Sophos Protection agent
  • Automate deployment for Windows, Linux, and Mac computers
  • Migration endpoints from Sophos Enterprise Console (SEC)
  • Remove third-party products as part of deployment
  • Use the Controlled Updates policies appropriately
  • Labs

Module 4: Protecting Virtual Servers

  • Deploy and manage Sophos for Virtual Environments
  • Deployment options for Azure hosted virtual servers 
  • Labs

Module 5: Protection Features

  • Test and validate Endpoint Protection
  • Configure exclusions
  • Configure Data Loss Prevention
  • Configure Tamper Protection
  • Configure Server Protection Policies
  • Configure and Manage Server Lockdown
  • Set up File Integrity Monitoring

Module 6: Logging and Reporting

  • Review why an alert will appear in Sophos Central
  • Identify the types of events
  • Remediate alerts and define alert notifications
  • Review which reports to use to run a health check
  • Export data from Sophos Central into a SIEM application
  • Locate client log files on Windows, Mac OS X and Linux
  • Labs

Module 7: Managing Infections

  • Review the types of detections and their properties
  • Identify and use the tools available to manually cleanup malware
  • Explain how the quarantine works and manage quarantined items
  • Cleanup malware on a Linux server
  • Labs

Module 8: Endpoint Detection and Response

  • Explain what EDR is and how it works
  • Demonstrate how to use threat cases
  • Explain Live Discover, data lake and pivoting
  • Use Live Discover to actively hunt threats
  • Explain how to use endpoint isolation for admin initiated and automatic isolation
  • Demonstrate how to create a forensic snapshot and interrogate the database
  • Explain how to use Live Response to perform IT administration tasks
  • Labs

Similar courses

Sophos Administrator Central Endpoint and Server (CT15)

Sophos Certified Administrator - Sophos Central (CT15)

More Information
Sophos Administrator XG Firewall (CT80)

Sophos Certified Administrator - Sophos XG Firewall (CT80)

More Information
Sophos Architect XG Firewall (AT80)

Sophos Certified Architect - Sophos XG Firewall (AT80)

More Information

Press enter to see more results