Cyber protection specialists Halcyon and Sophos have teamed up to develop a new threat intelligence sharing joint venture that will see the two companies swap data on critical metrics such as indicators of compromise (IoCs), known adversary behaviours, and attack patterns.

Announced at the annual Black Hat USA event in Las Vegas, the partnership will see two of the most experienced teams working on the ransomware threat today pool their resources to speed up detection, enhance protection, and improve response capabilities.

“Ransomware tools and tactics are evolving constantly, and the best defense is timely, relevant intelligence that enables defenders to act quickly and with confidence,” said Simon Reed, chief research and scientific officer at Sophos.

“By sharing insights with Halcyon, we’re improving signal fidelity and accelerating detection across our systems, which strengthens protection for all the organisations we serve.”

Halcyon CEO and co-founder Jon Miller added: “Halcyon is honored to partner with Sophos. Over the last four years, based on our telemetry, Sophos has time and time again proven to be one of the most effective endpoint security platforms we have encountered, reliably performing and disrupting attackers at a level that simply outperforms the majority of the players in the next-generation antivirus and endpoint detection and response (EDR) space.

“Their dedication to innovate and roll out industry-leading and unique features continues to put their customers at an everyday advantage over the most sophisticated attacks affecting enterprises today.”

Expanding operations

The tie-up follows Halcyon’s establishment of a community-centric Ransomware Research Centre – as well as Sophos’ recent acquisition of its own threat hunting capabilities through its purchase of Secureworks.

From a technological perspective, the duo said the partnership will better inform both parties’ solutions, including Sophos Endpoint, Managed Detection and Response (MDR) and XDR, and Halcyon’s Anti-Ransomware Platform.

More broadly, Sophos said the collaboration would enhance its own strategy to expand the reach and speed of its threat intel response through partnerships. Its X-Ops cross-functional unit will be working closely with Halcyon’s research and engineering team to share ransomware insights across various attack surfaces, and turn these into operational benefits.

No fiddling please

As a sidenote, Halcyon and Sophos are also planning to implement mutual anti-tampering protections in their platforms that enable both parties to monitor and safeguard each other’s agents when active in customer environments.

The logic behind this is to ensure that joint customers – where they exist – not only benefit from added resilience and reduce the risk of ransomware interfering with their defences, but also preserve, and even enhance, the integrity of their wider cyber protection strategies.

Malicious quartile

Meanwhile, Halcyon this week released its quarterly Malicious Quartile ransomware report covering the second calendar quarter to the end of June 2025.

The report explores several trends in the ransomware ecosystem, notably the increasing profile of the Akira cyber crime crew, which has become a leading actor thanks to its high operational tempo, adaptive nature, and strategic targeting of victims. Also on the rise is the increasingly disciplined and ‘mature’ SafePay gang, which made headlines in the IT channel in July after an audacious attack on the systems of sector mainstay, tech distributor Ingram Micro.

Halcyon also found that the so-called Bring-Your-Own-Vulnerable-Driver (BYOVD) technique – whereby ransomware gangs introduce their own legitimate, signed drivers with known vulnerabilities into target systems in order to achieve unauthorised kernel-level access – is now becoming a key attack vector.
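The defining feature of BYOVD is that the driver carries a valid signature, so a signature check alone will not flag it; defenders instead compare loaded drivers against a maintained vulnerable-driver blocklist and look at where the driver was loaded from. The following audit routine is an added illustration of that check, not code from Halcyon, Sophos or the report: the driver inventory, the “driver images” and the blocklist hashes are all constructed inline (real hashes would come from a source such as Microsoft’s recommended driver block rules), and the function and field names are this example’s own.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadedDriver:
    """One entry from a kernel driver inventory (constructed for this example)."""
    name: str
    path: str
    sha256: str
    signature_valid: bool  # whether the Authenticode signature verified


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for driver images. A real blocklist carries hashes of
# genuine signed-but-vulnerable drivers; none are reproduced here.
VULNERABLE_IMAGE = b"constructed: validly signed driver with a known kernel flaw"
BENIGN_IMAGE = b"constructed: ordinary storage driver"
BLOCKLIST = {sha256_hex(VULNERABLE_IMAGE)}

# Drivers legitimately live under the system driver directory; anything
# loaded from a user-writable location deserves a look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


def audit_drivers(inventory, blocklist=BLOCKLIST):
    """Return (driver name, reasons) for every driver that trips a check."""
    findings = []
    for drv in inventory:
        reasons = []
        if drv.sha256.lower() in blocklist:
            reasons.append("hash on vulnerable-driver blocklist")
        if not drv.path.lower().startswith(TRUSTED_DRIVER_DIRS):
            reasons.append("loaded from outside the system driver directory")
        if not drv.signature_valid:
            reasons.append("signature invalid")
        if reasons:
            findings.append((drv.name, reasons))
    return findings


# Constructed inventory: one benign driver, one BYOVD-style driver whose
# signature is valid (the whole point of the technique) but whose hash is listed.
SAMPLE_INVENTORY = [
    LoadedDriver("storahci.sys", "C:\\Windows\\System32\\drivers\\storahci.sys",
                 sha256_hex(BENIGN_IMAGE), signature_valid=True),
    LoadedDriver("updater.sys", "C:\\Users\\Public\\updater.sys",
                 sha256_hex(VULNERABLE_IMAGE), signature_valid=True),
]

if __name__ == "__main__":
    for name, reasons in audit_drivers(SAMPLE_INVENTORY):
        print(f"{name}: {'; '.join(reasons)}")
```

In practice the inventory would be populated from the endpoint (for example the output of `driverquery /v` or an EDR’s driver telemetry) and the blocklist refreshed from a maintained source, since the list of abused signed drivers grows over time. The example deliberately reports the vulnerable driver as having a valid signature: that is the case a signature-only policy misses and a hash blocklist catches.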

And it highlighted a broader trend – observed by others over the past year and continuing to gain in scale – of ransomware gangs bypassing encryption lockers and moving to a pure data theft and extortion model.

Such attacks leave IT systems relatively intact and require less technical work on the part of the cyber criminals, but for victims this hardly counts as a blessing.
