AI coding tools such as Claude Code, Cursor, and OpenAI Codex have been identified by Sophos as triggering security protocols designed to detect malicious activity. Despite being non-malicious, these tools perform actions that mimic those of attackers, leading to security alerts.
Understanding the Security Triggers
During a week-long analysis of endpoint data, Sophos discovered that these AI agents were responsible for behaviors traditionally indicative of cyberattacks, such as decrypting browser credentials and listing data stored in Windows’ credential manager. While these activities are part of the agents’ normal functions, they are perceived as threats by behavioral engines.
In June 2026, Sophos’s study of Windows-based telemetry data revealed that credential access and execution activities were predominantly triggered by these AI tools. The use of Windows Data Protection API by these agents was a major contributor to the alerts, as it is typically associated with credential theft attempts.
Implications for Cybersecurity Systems
The study highlights the challenge of distinguishing between legitimate AI-driven actions and genuine threats. Such tools often switch strategies when blocked, mimicking the adaptive behaviors of actual attackers. For instance, OpenAI Codex was observed attempting different methods to fetch a Python installer, a tactic often employed by cybercriminals.
Cursor, another AI tool, triggered alerts by writing scripts to startup folders, a practice flagged by security systems as potentially harmful. These incidents underscore the complexity of managing AI agent behaviors within existing cybersecurity frameworks.
Balancing Security with AI Utilization
The presence of AI coding tools poses new challenges for cybersecurity professionals. As these tools become more prevalent, they inadvertently contribute to the noise in detection systems. Sophos suggests refining security rules to better differentiate between AI-driven operations and actual threats.
Credential-related activities, such as decrypting browser credentials, remain critical points of concern. Despite being executed by AI agents, these actions should not be dismissed as harmless. Sophos recommends disabling potentially risky modes in AI tools to prevent unauthorized access to sensitive data.
The evolving landscape of cybersecurity now includes AI agents that can both aid and complicate defense strategies. As Sophos continues to monitor these developments, the industry must reconsider the boundaries of acceptable AI tool interactions with endpoint systems.
