malicious traffic detection
My understanding from the FAQs is that malicious traffic detection just checks HTTP traffic for connections to known bad infrastructure. So that means a domain/IP must be known to be bad for Sophos MTD to detect it.
If it's not already being done, I'd like to request that the HTTP request be analysed to find suspicious indicators. For example, a connection to URIs like /fre.php or /gate.php could be indicative of evil, but if the domain is not in your list then it would be missed.
Also, does malicious traffic detection decrypt and analyse HTTPS traffic? Is DNS traffic monitored for call-outs to known bad infrastructure as well? If not, these would be good to incorporate as well.
You could also look to detect domains with high entropy, newly registered domains, etc.
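The post asks for several heuristics beyond a known-bad list: suspicious URI paths, high-entropy domain labels, newly registered domains, and DNS monitoring. The script below is an added example of how such indicators can be scored together; it is not Sophos code and says nothing about how MTD actually works. The log formats, the entropy and domain-age thresholds, the known-bad set and the registration-age lookup are all assumptions constructed for the example, and the two paths are the ones named in the post.

```python
# Added example (not Sophos MTD code): heuristic scoring of HTTP requests and
# DNS queries along the lines the post suggests. Every threshold, log line and
# lookup table below is constructed for illustration, not a vendor default.
import math
from collections import Counter
from urllib.parse import urlsplit

# Paths the post names as possibly indicative of malware check-ins.
SUSPICIOUS_PATHS = {"/gate.php", "/fre.php"}

# Assumed thresholds for this example.
ENTROPY_THRESHOLD = 3.5   # bits per character of the registrable label
MIN_LABEL_LEN = 10        # short labels reach high entropy by chance
NEW_DOMAIN_DAYS = 30      # "newly registered" cut-off


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(host: str) -> str:
    """Label to the left of the TLD. Simplification: assumes a one-label
    public suffix, so 'shop.example.co.uk' would be handled wrongly."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_reasons(host: str, known_bad: set, registered_days: dict) -> list:
    """Indicators that apply to a hostname whether seen in HTTP or DNS.
    registered_days is an assumed lookup: host -> days since registration."""
    reasons = []
    if host in known_bad:
        reasons.append("known-bad host")
    label = registrable_label(host)
    if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy domain label")
    age = registered_days.get(host)
    if age is not None and age <= NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {age} days ago")
    return reasons


def score_http(url: str, known_bad: set, registered_days: dict) -> list:
    """Indicators for one HTTP(S) request URL; an empty list means clean.
    The path check only works when the full request is visible, i.e. after
    TLS inspection; without it only the hostname (SNI) can be judged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = domain_reasons(host, known_bad, registered_days)
    if parts.path in SUSPICIOUS_PATHS:
        reasons.append(f"suspicious path {parts.path}")
    return reasons


def score_dns(qname: str, known_bad: set, registered_days: dict) -> list:
    """Indicators for one DNS query name (covers call-outs that never
    produce an HTTP request the proxy sees)."""
    return domain_reasons(qname.rstrip("."), known_bad, registered_days)


def run_example() -> dict:
    """Score constructed sample log lines; returns {record: reasons}."""
    known_bad = {"bad.example"}                       # constructed list
    registered_days = {"bad.example": 3}              # constructed lookup
    http_lines = [  # constructed format: "<ts> <client> <method> <url>"
        "2024-01-01T10:00:00Z 10.0.0.5 GET http://www.example.com/index.html",
        "2024-01-01T10:00:05Z 10.0.0.5 POST http://kq3z8vw1xm2p.test/gate.php",
    ]
    dns_lines = [  # constructed format: "<ts> <client> <qname>"
        "2024-01-01T10:00:04Z 10.0.0.5 bad.example.",
    ]
    findings = {}
    for line in http_lines:
        url = line.split()[3]
        findings[url] = score_http(url, known_bad, registered_days)
    for line in dns_lines:
        qname = line.split()[2]
        findings[qname] = score_dns(qname, known_bad, registered_days)
    return findings


if __name__ == "__main__":
    for record, reasons in run_example().items():
        print(record, "->", reasons or "clean")
```

The split between `domain_reasons` and the protocol-specific scorers is deliberate: the domain-level indicators (known-bad match, entropy, registration age) can be applied to a DNS query name before any HTTP connection exists, while the path-based check is only possible on a request the inspector can actually read, which is exactly where the HTTPS question in the post matters.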