Sophos looked at a week of its own endpoint data and found that AI coding agents like Cloud Codes, Cursor, and OpenAI Codex were shutting down detection rules written to catch human intruders.
The agents are not malicious. They do a lot of things that, to a practical engine, look exactly like attacks.
Decrypting browser credentials, listing what’s in Windows’ credential store, pulling down files with built-in system tools, writing to the Startup folder: these have long been high-signals for defenders.
What has changed is who is producing it. On the machines Sophos looked at, the developer’s AI assistant often performed routine tasks.
what set off the alarm
The analysis is based on seven days of telemetry through June 2026, taken from Sophos’ Behavioral Engine on Windows and counted by unique machines, not raw incident volume. This is a narrow window on a vendor’s fleet, not a census of the industry.
Sophos’ chart put credential access at 56.2 percent of blocked activity and execution at 28.8 percent: agents accessing stored secrets, or running code like attackers.
The largest credential-access rule of that group, at 42.6 percent, is activated when a process uses Windows’ built-in Data Protection API, or DPAPI, to decrypt the browser’s stored credential data. Sophos calls GStack a widely adopted skills pack for coding agents.
Its /Browse skill does exactly that, by running PowerShell that calls DPAPI to unlock saved browser data. Sophos caught it running under cloud code. In context, this is almost certainly browser automation on the part of the user. To the detection engine, this is credential theft, and the rule is right to fire.
Some Python examples looked worse on paper. In one example, Cloud Code closed a running browser and ran a script that pulled data from its credential store.
Separately, it ran cmdkey /list to enumerate the credentials held by the Windows Credential Manager. Sophos noted that the cloud code here ran with its –dangerously-skips-permissions flag set, a mode Anthropic’s own documentation warns against and tells administrators how to block.
When one approach fails, an agent tries another. OpenAI Codex did just that, bringing a Python installer from the original Python.org that started with the certificate. He was blocked, so he switched to Bitsadmin. Both are legitimate Windows utilities that attackers routinely abuse to extract payloads while still off the ground.
The target was harmless, but Sophos says this pivot-when-blocked behavior distinguishes a live attacker from a static script, and benign agents now do the same.
The cursor tripped a persistence rule using PowerShell to drop a startup-folder script that ran every time the machine booted. Sophos couldn’t confirm what the script did, but writing startup outside of a trusted installer is the kind of thing that defenders flag when they see it.
AI agents on both sides of the line
The other side is already visible. A month ago, Sophos documented an attacker who used AI agents to create and test malware against EDR products, one of which was running Cloud Opus 4.5 to coordinate the work.
It was a time of evolution: Agents were helping an attacker write better tooling. Agents also activate their own users during runtime. In a separate case, researchers showed that a coding agent could be tricked into running attacking code via poisoned input, a chain that could bypass EDR because the agent is operating inside a user’s trusted session.
These are separate events with different rules firing, but they share a surface: browser credential calls, LOLBin downloads, and startup writes now come from benign agents, attacker-driven agents, and hijacked agents.
This is why raw action tells you less than it once did. And it sits within a larger change in the nature of infiltration. CrowdStrike’s 2026 Global Threat Report found that 82 percent of 2025 addresses were malware-free, with attackers proceeding through legitimate credentials and trusted tools rather than abandoning files.
That change first pushed identity toward behavior. AI agents now produce the same behavior for common reasons, giving accurate signals defenders can trust.
What does this mean for defenders
If developers run these agents under their own accounts, expect the endpoint rules to be applied to their machines. Sophos’ answer is to split the rules based on what they catch. Execution noise can usually be scoped from the agent retrying the download or emitting strangely formatted powershell.
Enter rule keys for the agent’s parent process (cloud.exe, cursor.exe, and their child processes), its workspace or temporary path, or the reputation of the download target. This prevents known agents performing normal tasks from generating alerts.
Credential-touching behavior is where you hold the line. Decrypting browser credentials or enumerating a credential manager is not safe because an agent did so rather than an individual, and an agent should not have blanket access to credential stores just because it runs under a trusted user. If the noise comes from the –risk-skip-permissions mode of Cloud Code, disable that mode via Manage Settings.
Sophos calls this a preliminary study, not a decision, and notes that while the direction is clear, the change is still small. The open policy question is what should a coding agent be allowed to touch on an endpoint, and the credential store is a sensible place to draw the first line.