For twenty years, behavioral endpoint detection has rested on a comfortable assumption: legitimate software behaves legitimately. Users click things, applications read their own files, and when a process starts decrypting browser credential stores or pulling executables down with certutil, you can be reasonably confident someone hostile is on the box.
Sophos just published telemetry showing that assumption is now dead — killed not by attackers, but by the most celebrated productivity tools in software engineering.
What Sophos Found
Sophos analyzed seven days of behavioral-engine telemetry from its Windows endpoint estate in June 2026, counting by unique machines rather than raw event volume, and looked specifically at what AI coding agents were doing on developer workstations. The findings, detailed in the company’s “When AI agents look like attackers” research, are worth reading in full — but three detection categories tell the story.
Credential access. A Sophos rule tied to its CookieGuard protections generated a considerable volume of alerts when AI agents invoked Windows Data Protection API (DPAPI) functions to decrypt browser-stored credentials. Sit with that for a second: coding agents, in the ordinary course of completing tasks, are programmatically unlocking the browser credential store — the exact technique catalogued in MITRE ATT&CK under credentials-from-web-browsers, and one of the highest-confidence signals a SOC has for an active intrusion.
Living-off-the-land binaries. OpenAI Codex, needing Python on a machine that lacked it, fetched the installer from the genuine python.org — using certutil, the certificate utility that attackers have abused as a downloader for a decade. When the security stack blocked that, the agent did what any resourceful operator would do: it pivoted to bitsadmin and tried again. That adaptive retry behavior — try a LOLBin, get blocked, reach for the next LOLBin — is functionally identical to an intruder working through their tradecraft list. The agent wasn’t evading security. It was just being helpful. The telemetry cannot tell the difference, and that’s the point.
Persistence. Cursor tripped a persistence detection by using PowerShell to drop a script into the Windows startup folder — code that would execute on every boot. A startup-folder drop via PowerShell is textbook T1547; it is in every SOC analyst’s “escalate immediately” list. Here, it was an AI agent completing a task the developer asked for, with neither the developer nor the agent particularly aware that this is what intrusion tradecraft looks like.
None of this was malicious. All of it is, at the telemetry layer, indistinguishable from an attack.
Why This Is Worse Than Ordinary False Positives
SOCs have always managed false positives. Admin tools, deployment scripts, and the odd eccentric developer have tripped behavioral rules forever. Two things make the AI-agent version categorically harder.
First, scale and unpredictability. A sysadmin’s script does the same thing every Tuesday; you profile it once and suppress it. An AI agent is nondeterministic — the same prompt on the same machine can produce a different toolchain tomorrow, because the model chose a different path. You cannot write a stable allowlist for behavior that is generated fresh every time. Multiply that across every developer running Claude Code, Cursor, or Codex all day, and the “rare weird event” your detection logic was tuned around becomes ambient noise.
Second, and more dangerous: the cover it provides. Every alert category the agents pollute becomes a category attackers can hide inside. If your SOC learns that DPAPI-decryption alerts from developer workstations are “just the AI agents again,” you have functionally created a class of machine where credential theft is pre-excused — and developer workstations are already the highest-value machines in the building, holding cloud keys, repo access, and production deploy rights. Attackers read this research too. Naming a payload cursor-helper.ps1 and operating from a developer’s context just became a very sound evasion strategy. Sophos’s own companion research on Cursor-based evasion makes clear the offensive community has noticed.
The alert-fatigue math should worry every security leader. The instinctive fix — suppress the noisy rules on developer machines — is precisely backwards. It buys quiet dashboards at the cost of blinding yourself on the endpoints that matter most.
What to Actually Do About It
There is no clean fix yet; the tooling and the detection industry are both mid-adaptation. But there are moves that separate the organizations that manage this from the ones that discover it during an incident.
1. Inventory before policy. You cannot tune detections for agents you don’t know about. Most organizations discover their AI coding tool population is far larger and more varied than anything IT approved — the same discovery problem we mapped in Building a Shadow AI Discovery Program. Endpoint telemetry itself is a fine discovery mechanism: the alerts Sophos describes are, read differently, a census of who is running what.
2. Enrich, don’t suppress. The detection-engineering goal is context, not silence. An alert for DPAPI access should carry lineage: was the calling process spawned from a known agent binary, in an interactive developer session, on a machine in the engineering OU? That doesn’t make the alert ignorable — it changes the triage question from “is this an attack?” to “is this agent doing something the developer actually asked for?” Vendors are racing to build agent-awareness into their engines; until yours does, that enrichment is homework for your own detection engineers.
3. Constrain where agents run and what they can reach. The sharpest available control is architectural: sandboxed or containerized execution for agent workloads, developer machines segmented from production credential material, and browser profiles on dev boxes kept free of corporate credentials so there is nothing for DPAPI decryption to find. Several of the agent vendors now offer sandboxing modes precisely because of this pressure — turning them on is cheaper than re-tuning your entire ruleset.
4. Write the working agreement with engineering. This is a leadership task, not a technical one. Engineering leadership needs to hear, plainly: these tools are welcome, and they will behave in ways our security stack treats as hostile, so we will jointly define which agents are sanctioned, where they run, and what happens when one gets blocked mid-task. Do this before the first incident where a blocked agent action turns into a security-vs-engineering escalation — or worse, the first real intrusion misdiagnosed as agent noise.
5. Re-baseline your metrics expectations now. If your board reporting includes alert volumes, false-positive rates, or mean-time-to-triage, expect all three to degrade as agent adoption climbs, and say so proactively. A CISO explaining a metrics shift in advance is managing; one explaining it afterward is excusing.
The Detection Engineering Career Signal
For the practitioner audience, notice what this research implies about where SOC work is heading. The analyst role we described in AI in the SOC: What Machines Do Better and What Humans Own just acquired a new core competency: distinguishing autonomous-but-benign from autonomous-and-hostile, on endpoints where both look identical at the syscall level.
Detection engineers who understand agent architectures — how Claude Code spawns tools, what Cursor’s execution model looks like, what a normal Codex toolchain resembles versus a hijacked one — are about to be as valuable as the people who understood PowerShell internals in 2016. “Agent-aware detection engineering” is not a job title yet. Give it eighteen months. The intersection of AI fluency and security operations has been the strongest hiring signal all year, as we documented in AI Security Jobs: The ML-Cybersecurity Intersection, and this is the operational reason why.
The uncomfortable summary: we spent two decades teaching detection systems to flag software that behaves like an attacker, and then handed every developer a tool that behaves like an attacker professionally. The organizations that thrive in what follows will be the ones that treat that not as a false-positive nuisance, but as the new baseline reality of defending machines where autonomous software does the typing.
Sources: Sophos, “When AI agents look like attackers: what behavioral telemetry tells us” (July 2026); Sophos companion research on Cursor-based detection evasion; The Hacker News and industry reporting on the Sophos findings. Telemetry basis: seven days of Sophos behavioral-engine data from Windows endpoints, June 2026, counted by unique machines.
This article is provided for informational purposes only and reflects research and reporting available as of July 8, 2026. Detection behaviors and vendor capabilities in this space are evolving rapidly.



