Sophos: Coding Agents Are Tripping the Attacker Detections
Seven days of Sophos endpoint telemetry: Claude Code, Cursor, and Codex trip the same rules built to catch attackers — because behaviorally, they should.
Sophos published a note this week out of seven days of its own endpoint telemetry, gathered across June 2026, in which coding agents — Claude Code, Cursor, and OpenAI Codex among them — kept setting off the same behavioral detection rules the vendor’s engine was written to catch human intruders with. The vendor calls it “an early read, not a verdict,” and the sample is what the vendor says it is: a narrow window on one product’s fleet, not an industry census. The writeup, “Agents vs. Telemetry”, was carried by The Hacker News on Tuesday. The shape of the numbers is still worth sitting with.
Of the activity Sophos blocked and attributed to coding agents in that window, 56.2% fell into credential access, and 28.8% into execution. Inside the credential-access bucket, 42.6% of alerts came from a single rule — the DPAPI-decryption rule that fires when a process reads out saved browser credentials. That rule is, to be clear, doing exactly what it was written to do. Sophos states the point plainly: “To the detection engine, it is credential theft, and the rule is right to fire.” Elsewhere in the same telemetry, agents were enumerating Windows Credential Manager via cmdkey /list, writing PowerShell into the Startup folder for persistence, and pivoting downloads through certutil and bitsadmin — the living-off-the-land binaries that were called LOLBins before the acronym existed and are still called LOLBins now. In the context of an authorized developer session, all of that is either useful or benign. From the endpoint’s point of view, it is indistinguishable from a mid-stage intrusion.
There is a specific kind of security problem we keep rediscovering. The detection layer watches actions, not intent, because intent is not something the detection layer can see. Any tool that legitimately needs to do attacker-shaped things eventually gets treated like an attacker. Sysadmins met this the first time when their own remote-management suites kept firing their own IDS. Red teams have lived inside it as a business model since. What is new this decade is that the tool doing attacker-shaped things now sits inside a chat pane that a developer opened forty seconds ago, on a laptop that has an EDR agent on it, on an endpoint that used to be a single-user machine and now hosts something that behaves like several users at once — one of them wearing a hoodie.
Sophos’ companion note picks up on --dangerously-skip-permissions, the Claude Code flag that turns off the interactive approval gate on individual tool calls. The vendor found instances of the flag set in the wild, which is unsurprising to anyone who has watched how developers actually adopt agents: the flag exists because the approvals are annoying, and it gets set because the flag exists. Sophos’ proposed handling is not exotic — scope execution rules by parent process (claude.exe, cursor.exe, workspace and temp paths, download reputation), keep the credential-access rules loud rather than quieting them, and disable --dangerously-skip-permissions through managed settings. It is essentially the same playbook a mature shop uses for any tool that lives near admin capability: constrain the environment, not the alert.
Analysis
The uncomfortable question underneath these numbers is not whether the detections are wrong — they aren’t — but what a coding agent should be allowed to touch in the first place. Sophos raises this openly, and doesn’t pretend to answer it: “the open policy question is what a coding agent should be allowed to touch.” Nobody has answered it yet. What is defensible is that a tool sold to help a developer probably doesn’t need blanket read access to every credential the browser has cached, and that a policy of give the agent everything and hope tends to end the way it always has.
It also rhymes with what we’ve been carrying all week. Kumar and Maple’s arXiv preprint on Copilot’s chat-versus-workflow refusal gap was a policy layer that only guarded the door people walk through. Varonis’ Dialogflow “Rogue Agent” disclosure was a shared-runtime exec() escape re-materializing inside a managed agent platform. Noma Security’s GitLost reporting was an agentic workflow that had never been sized for the kind of adversarial input a public issue tracker attracts. Sophos’ telemetry is a fourth version of the same problem, from a different vantage point — the boundary between “authorized tool” and “adversary behavior” isn’t the tool, and it never was.
CrowdStrike’s 2026 Global Threat Report noted that 82% of last year’s detections were malware-free. Attackers already live in the same behavioral space that legitimate administrative tools live in. Coding agents don’t invent that problem. They make it common enough that we may finally have to solve it.
The Sophos post, and its companion on Cursor-specific detection evasion, are at sophos.com/blog. Worth an hour before your next EDR-tuning meeting.
Found this useful? Share it.

