« All posts

Sophos study: AI coding agents look like attackers to a SIEM

Sophos telemetry shows Claude Code, Cursor, and Codex trigger SIEM alerts for credential access and evasion during normal, benign operation.

Sophos X-Ops collected seven days of Windows endpoint telemetry from Claude Code, Cursor, and OpenAI Codex in June 2026. Its behavioral detection engine flagged all three agents, with 56.2% of blocking rules triggered by credential access and 28.8% by suspicious process execution. Among silently-fired rules, evasion (38.5%) and command-and-control (34.0%) dominated—precisely the categories a threat hunter cares about most.

None of the activity was malicious. When an agent decrypts DPAPI-protected browser credentials to stay logged in (rule Creds_3b alone drove 42.6% of hits), the telemetry is indistinguishable from an infostealer. When a blocked certutil.exe download prompts an agent to retry via bitsadmin.exe, that's the same living-off-the-land pivot attackers use to evade defenses—except the agent was just solving an error, not evading anyone. Cursor writing a VBScript into the Windows Startup folder for legitimate persistence reads identically to a malware implant at the telemetry layer.

Sophos's recommendation is tuning, not blocking: allowlist known agent binaries, define policy-level 'agent scope' so genuinely out-of-bounds behavior still alerts, and treat agent sessions like privileged service accounts—monitored and scoped, not automatically suspect. For engineers running AI coding tools on watched machines, this is a detection-engineering problem, not a tooling one.