Sophos: Coding Agents Like Claude Code and Codex Trigger Real EDR Threat Alerts
A July 2026 Sophos telemetry report found that coding agents including Claude Code, Cursor, and OpenAI Codex triggered endpoint detection and response (EDR) alerts on Windows machines during a seven-day window in June 2026. The agents' routine behavior — such as decrypting browser credentials for automation and downloading dependencies via bitsadmin — matched the same behavioral patterns that EDR rules are designed to flag as attacker tradecraft. Credential Access alerts accounted for 56.2% of blocks, largely driven by agents using the Windows DPAPI to unlock saved browser data, the same mechanism used by real infostealers. Sophos's finding is not that the agents are malicious, but that benign agent activity is now indistinguishable from attacker behavior at the rule level. Security teams operating coding agents on managed endpoints are advised to address these false-positive risks proactively before alerts begin disrupting workflows.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in