
Workspace Protection
If you want Protected Browser plus Endpoint, Mobile, ZTNA, DNS, and Email Monitoring under one license, the bundle is usually cheaper than buying separately.
Sophos Protected Browser runs web content in an isolated cloud browser and streams only safe pixels back to the user. Malware, drive-by exploits, and phishing kits never touch the endpoint - even when the user clicks the link.
Users keep using the browser they already know. Sophos quietly routes risky sessions through the isolation layer when policy says to. No new browser to install, no extension to push.
Web pages render in a disposable cloud browser. Only rendered pixels and safe DOM stream back to the user’s actual browser. Active content never reaches the endpoint.
Define which URL categories trigger isolation: unknown / uncategorized, social media, file-share, gambling, adult, anything else you choose. Other traffic browses directly.
Lock down what isolated sessions can do: disable clipboard, prevent downloads, block printing, allow read-only mode. Right-size the controls per category or per user group.
No new browser, no extensions, no kernel hooks. Existing Chrome, Edge, Firefox, or Safari sessions are routed through isolation transparently when policy applies.
Protected Browser works on managed and BYOD devices alike. You get isolation for risky URLs even on personal devices you can’t enroll in UEM.
Policies, alerts, and session reporting live in Sophos Central alongside endpoint, network, and email events. One console for the whole stack.
Most web-borne malware works the same way: the user’s browser fetches the page, the page’s active content (JavaScript, embedded objects, downloads) runs locally, and the payload finds a vulnerability or social-engineers a click. Isolation breaks step two.
Isolation is overkill for everything; right-sized for some things. These are the patterns we see customers deploy most.
Personal mail, social media, file-share, and uncategorized sites - the categories where most drive-by malware lives. Isolate those by default, let everything else browse normally.
Lower attack surface, no UX hitDevices you can’t enroll in endpoint management. Isolation gives you a way to enforce safe browsing even on machines outside your fleet.
Posture without enrollmentExecutives, finance, IT admins, anyone with elevated access. Isolation everywhere for these users gives a strong second layer against targeted phishing.
VIP-grade protectionProtected Browser is most effective alongside the other workspace controls that decide WHICH URLs to isolate in the first place.

If you want Protected Browser plus Endpoint, Mobile, ZTNA, DNS, and Email Monitoring under one license, the bundle is usually cheaper than buying separately.

The natural pair: DNS Protection blocks domains outright; Protected Browser isolates the rest. Together they form a layered safe-browsing posture.

Last-line defense if anything slips past isolation: the same Intercept X agent catches whatever lands on the endpoint, isolated or not.
Request per-user pricing for Protected Browser, or talk to our team about which URL categories make the most sense to isolate first in your environment.