Security · 2h ago
Coding Agents Trigger EDR Alarms Meant for Hackers, Sophos Finds
Sophos telemetry shows Claude Code, Cursor, and OpenAI Codex tripping EDR rules designed for attackers, with credential-access alerts accounting for 56% of blocks. A single rule, Creds_3b, fired when agents decrypted browser credentials via DPAPI, mimicking infostealer behavior. The report warns that benign agent activity now looks identical to malicious tradecraft at the rule layer.
Meridian48 take
The finding underscores a growing blind spot: security tools tuned for human attackers can't distinguish intent, forcing teams to either accept noise or risk blocking legitimate developer workflows.
Read the full reporting
Beware: Your Coding Agent Trips the Same EDR Rules Built to Catch Attackers →
DEV Community
coding-agentsedr-alerts