Sophos to acquire Arco Cyber: provides channel with enhanced GRC capabilities

Global security vendor Sophos has announced its intention to purchase cyber assurance specialist Arco Cyber in a move it says will help companies strengthen their cybersecurity strategy and overall governance. Sophos has positioned the acquisition as a key part of its “Sophos CISO Advantage” proposition, a set of capabilities it says will equip customers with security operations management using agentic AI, integrated platforms, and trusted human expertise delivered via its channel partner network. Assuming the acquisition closes, Sophos believes that agentic and AI-assisted systems now make it possible to deliver what it calls “real-time insight into control performance”, while retaining human oversight.

The planned purchase of Arco Cyber will mark Sophos’ first acquisition of 2026, but the company has completed more than 20 acquisitions since its foundation – most notably SecureWorks in Feb 2025 for $859 million, bolstering its MDR and XDR offerings. Other acquisitions prior to SecureWorks have been relatively small, although in 2008, Sophos bought Utimaco for $314 million and snapped up Rook Security in 2019, effectively making Sophos a player in the MDR market. Financial details of the proposed purchase of Arco Cyber have not been announced.

Why Arco Cyber?

UK-based Arco Cyber is a provider of cybersecurity assurance tools, with skills in compliance, advisory and consulting services. Founded in 2022 by former Softcat executives Matt Helling and Adam Louca alongside Datamango CEO Graham Sawell, Arco is a small vendor but says it has “more than 800 customers”. The company’s core offering is an agentless SaaS platform that Arco says provides real-time, data-driven insights to help CISOs and security teams measure, manage and reduce cyber risks. The company offers a “Free” version of its platform that has relatively limited functionality, as well as three additional paid tiers: “Core”, “Advanced” and “Enterprise”.

Arco Cyber’s “Origin Story” is rooted in what the founders observed as a need to tackle the increase in cyber risk facing companies. The management team points out the challenge of addressing real-time security issues, and the overload of data from multiple security dashboards. The problem as they see it has been the lack of an overarching context to advise on the questions of “what should we do?”, “how is my cybersecurity operation working?” and “where are the gaps?”.

Sophos: a legacy of security innovation

One of the big names in security globally, Sophos is a UK-based firm that has been around since the mid-1980s, initially developing and selling encryption and anti-virus tools. Today, Sophos has a broad range of products and services – particularly for MDR/XDR, incident response and endpoint security. Sophos has a channel-led sales model with a sizable partner program, and is well-known by MSPs, MSSPs and VARs in the cybersecurity industry. In 2015 the company was floated on the UK’s FTSE but became a private company again in 2020 when it was bought by Thoma Bravo for $3.9 billion. The return to private ownership seems to have suited the firm. Thoma Bravo has a strong interest in identity security - it also owns Darktrace, Proofpoint, Sailpoint, Ping and others - and more recently AI-driven security.

The Gist

Although it is only mid-February (at time of writing), acquisition activity in the cybersecurity market is already apace. With industry publication SecurityWeek cataloging thirty-four M&A deals in January 2026 - versus the forty-five reported in January 2025 - the year has started slightly slower, but indications are that the 400+ deals made in 2025 could be equaled or even exceeded.

Unlike its purchase of SecureWorks, the addition of Arco Cyber brings a much smaller but more strategic approach to Sophos’ portfolio of assurance, governance and risk offerings. As regulatory pressures increase, and reporting requirements become more complex, Sophos’ channel partners will benefit from an expanded platform of services it can bring to the table when strategic security discussions take place with customers. In particular, this addresses many of the challenges facing mid-market and sub-large enterprise firms: the relative rarity of the CISO role, with the majority of companies reliant on a non-C-level, IT management function. As such, the ‘virtual CISO’ role plays well with a partner-based route to market - taking the value proposition that MSPs and MSSPs can offer to a much higher level. If the deal closes, and the integration of Arco Cyber works out as planned, Sophos has the potential to show that small can also be mighty.