Beware: Your Coding Agent Trips the Same EDR Rules Built to Catch Attackers Sophos's July 2026 telemetry report reveals that coding agents from Claude, Cursor, and OpenAI Codex triggered endpoint detection rules designed to catch attackers, with credential access alerts accounting for 56.2% of blocks. The agents' benign behaviors, such as browser automation and software installation, matched attacker tradecraft at the rule layer, highlighting a detection blind spot for organizations deploying AI coding assistants on managed endpoints. You rolled out a coding agent to your developer fleet. It writes code, installs dependencies, automates a browser now and then, and troubleshoots its own failures. Then your SOC lights up: credential-access alerts, LOLBin download blocks, a persistence-rule hit on a startup folder. Nothing was stolen. No attacker was on the box. The agent was just doing its job — and your endpoint detection and response EDR engine could not tell the difference. That is the uncomfortable finding in Sophos's July 2026 telemetry report sophos.com https://www.sophos.com/en-us/blog/2607 agents vs telemetry . Over a seven-day window in June 2026, Sophos's CIXA behavioral engine watched Windows endpoints running Claude Code, Cursor, and OpenAI Codex, and all three tripped detection rules that defenders spent a decade tuning to catch human intruders. The point of the report is not that the agents are malicious. It is the opposite: the rules are working exactly as designed, and benign agent behavior now looks identical to attacker tradecraft at the rule layer. If you operate coding agents on managed endpoints, this is a problem you need to plan for before the alerts start, not after. Sophos counted blocking-rule hits by unique machine, mapped to MITRE ATT&CK tactics. Two categories dominated: | MITRE ATT&CK tactic | Share of blocks | Top rule | What triggered it | |---|---|---|---| | Credential Access TA0006 | 56.2% | Creds 3b DPAPI browser-credential decryption | Claude Code's GStack /browse running PowerShell to unlock saved browser data | | Execution TA0002 | 28.8% | Exec 5a bitsadmin download | OpenAI Codex pivoting from certutil to bitsadmin to fetch the python.org installer | | Defense Evasion TA0005 | Prominent in silent rules | Exec 16a PowerShell string-formatting | Agents emitting PowerShell that matched an old obfuscation signature | Within credential access, a single rule — Creds 3b — accounted for 42.6% of that bucket. It fires when a non-browser process uses the Windows Data Protection API DPAPI to decrypt stored browser credentials. That is the exact mechanism browser-credential infostealers use. It is also the exact mechanism a browser-automation skill uses to log into a site on your behalf. Same API call, same PowerShell chain, radically different intent — and the engine only sees the behavior. /browse credential access GStack is a widely adopted agent skill pack. Its /browse skill connects the agent to a Chromium daemon for browser automation. Sophos traced the activity tree: bash → browse.exe → node.exe → PowerShell, which then calls DPAPI to decrypt the browser's stored credentials. Creds 3b fired on that pattern, correctly. In separate sessions, Claude Code went further. It spawned taskkill.exe to terminate running browser processes by PID, ran a script named decrypt wp pass.py that accessed credential stores, and executed cmdkey.exe /list to enumerate the Windows Credential Manager. Read that sequence again: kill the browser, decrypt its saved passwords, then dump the OS credential vault. On a threat-hunt call, that chain gets an analyst paged immediately. Here it was a coding agent doing routine work. One detail matters most: these sessions ran with the --dangerously-skip-permissions flag set. That flag suppresses the agent's permission prompts and lets it act autonomously — and Anthropic's own documentation explicitly warns against it. From a behavioral-detection standpoint, an autonomous process harvesting credentials with no human in the loop is not a gray area. Codex needed to download a Python installer from python.org — a completely legitimate source. It reached for certutil.exe -urlcache -split -f , a classic living-off-the-land binary LOLBin download technique. Sophos's Lateral 1b rule blocked it. Codex tried several certutil variations; all blocked. Then it pivoted to bitsadmin.exe /transfer /download /priority normal against the same URL. Exec 5a blocked that too. The download target was clean. The method was textbook attacker tradecraft. And the pivot-when-blocked behavior — try one technique, get stopped, immediately reach for another — is precisely what separates a live hands-on-keyboard adversary from a static malware script. Behavioral engines do not award points for clean sources. The agent reached for these tools unprompted and adapted when blocked, which is exactly the shape of behavior the rules exist to catch. Cursor used a PowerShell script to write a VBScript file into C:\Users\