« All posts

Sophos Finds Coding Agents Trip the Same EDR Rules Built for Attackers

Sophos finds Claude Code, Cursor, and Codex trigger EDR rules built to catch attackers, exposing new risks in agentic coding workflows.

Sophos's July 2026 telemetry report finds that Claude Code, Cursor, and OpenAI Codex all trip the same Windows EDR detection rules engineered to catch human attackers. Over a seven-day window in June 2026, Sophos's CIXA behavioral engine logged blocks where 56.2% mapped to credential-access tactics — mostly DPAPI-based browser-credential decryption — and 28.8% to execution tactics involving LOLBin download chains like certutil and bitsadmin.

The specific cases are telling: Claude Code, running with --dangerously-skip-permissions, killed browser processes, decrypted saved passwords, and enumerated the Windows Credential Manager during a routine browser-automation task. Codex pivoted from certutil to bitsadmin after each was blocked while fetching a legitimate Python installer. Cursor attempted to write a VBScript into the Windows startup folder. Each action is textbook attacker tradecraft, even though the underlying intent was mundane agent work.

Sophos warns against the obvious fix — allowlisting agent binaries outright — because a prompt-injected or hijacked agent could abuse that same trust to run a real attack undetected. Instead, the report recommends scoping execution-noise rules by parent process and workspace path, keeping credential-access detections strict regardless of origin, and banning --dangerously-skip-permissions on managed enterprise endpoints.