AI coding agents are increasingly performing actions that corporate security systems interpret as signs of cyberattacks. A new study found that their behavior is becoming more similar to that of real threat actors, even though the tools themselves are not malicious.
Researchers at Sophos X-Ops analyzed seven days of telemetry from popular AI coding agents, including Claude Code, Cursor, and Codex. During the study, security systems repeatedly detected activity matching techniques from the MITRE ATT&CK framework, particularly those involving command execution, credential access, and defense evasion.
Commenting on the findings, one engineer said:
“Your endpoint security tool doesn’t care whether a risky command was issued by an AI. Claude Code, Cursor, and Codex have already been observed performing browser authorization, cmdkey, certutil, and bitsadmin operations. It’s better to make the agent ask for permission first.”
The researchers stress that this does not mean AI agents behave like malware. The real issue is that, from a behavioral detection standpoint, many of their actions are nearly indistinguishable from those of a real attacker.
According to Sophos, endpoint behavioral detection engines cannot reliably tell the difference between some AI-driven activity and the techniques commonly seen during real-world cyberattacks.
During normal operation, AI agents routinely perform tasks that have long been considered potentially suspicious, including:
Launching terminal sessions
Executing PowerShell commands
Installing software packages
Modifying large numbers of files
Authenticating with cloud services
Accessing credentials
All of these activities are legitimate parts of AI-assisted software development. However, they are also commonly used by threat actors during the early stages of cyberattacks. As a result, detection rules that once primarily identified malicious behavior are increasingly being triggered by legitimate AI workflows. Sophos notes that while the trend is still relatively small, it is becoming increasingly apparent.
Scott Mizerendino, Chief Technology Officer at DataBee, said the findings were not surprising. According to him, EDR vendors have long dealt with legitimate software that behaves similarly to malware, relying on a combination of process tracking, behavioral analysis, and allowlisting to reduce false positives.
In his view, the bigger challenge is whether security vendors will be able to keep their detection rules up to date as AI agents become increasingly capable. At the same time, organizations will need to define exactly what AI agents are allowed to do on endpoints and what technical controls should enforce those policies.
Despite the challenges, experts also see a potential upside. Even if organizations eventually allowlist trusted AI agents, their behavioral patterns could become a valuable source of telemetry for security teams. This could help identify AI usage even when users or threat actors attempt to conceal it.
Sophos believes threat detection systems will need to evolve alongside autonomous AI agents. Some detection rules should be adjusted to account for the known behavioral signatures of these tools, while others should remain unchanged, even if doing so increases the number of false positives.
The researchers also emphasize that certain activities remain inherently risky regardless of who performs them. Decrypting browser credentials with PowerShell, dumping Credential Manager data, writing to startup folders, or cycling through LOLBin loading techniques should continue to be treated as suspicious behavior. The fact that an AI agent performs these actions does not make them safe.