AI agents are behaving more like hackers. Security teams say that's just the beginning
Welcome to the next AI-fueled detection challenge.

Image by Cybernews.
- AI coding agents are increasingly triggering security detections because they behave like human attackers.
- Experts say the bigger issue is telling trusted AI agents apart from human intruders.
- As AI agents become more autonomous, security tools will rely more on context and intent than behavior alone.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
AI coding agents are increasingly behaving like human attackers – triggering security alerts on enterprise systems designed to catch malicious intruders.
Researchers at Sophos X-Ops set out to test their theory and found AI coding agents – including Claude Code, Cursor, and Codex – are increasingly setting off endpoint detection and response (EDR) alerts because many of the tasks they perform resemble attacker tradecraft.
In a blog post published Wednesday, Sophos said the team analyzed seven days of telemetry and found that the agents routinely triggered detections tied to techniques in the MITRE ATT&CK framework, particularly in execution, credential access, and defense evasion.
“Your endpoint tool doesn't care that the risky command came from AI. Sophos saw Claude Code, Cursor, and Codex trip detections for browser creds, cmdkey, certutil, and bitsadmin. Make the agent ask first,” one engineer commented about the report on X.
AI agents are starting to resemble attackers
Although the findings don't prove AI tools are malicious, Sophos says the detections aren't necessarily false positives, but instead, reflect a genuine behavioral overlap between autonomous AI agents and attacker activity.
“From the perspective of an endpoint behavioral engine, some of that activity is indistinguishable from typical activity seen on customer networks – or, in some cases, from actions that might be undertaken by an active adversary,” the blog states.
Sophos identified multiple tasks that can look suspicious depending on who – or what – is behind them:
- Launching terminals
- Executing PowerShell commands
- Installing software packages
- Modifying large numbers of files
- Authenticating to cloud services
- Accessing credentials
These tasks are commonly used in legitimate AI-assisted development, but they’re also commonly used in the early stages of many cyberattacks, the research points out.
Rules that previously fired almost exclusively on malicious activity are now triggering on benign agent behaviour. The shift is not large yet, but the trend line is clear,Sophos says.
The real challenge is proving intent
Scott Miserendino, Chief Technology Officer at DataBee, says he wasn't surprised by the findings and expects the industry will likely see many more examples in the future.
“Endpoint detection vendors have long dealt with legitimate software that behaves similarly to attackers, using combinations of process tracking, behavioral analysis, and whitelisting to reduce false positives,” Miserendino tells Cybernews.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The bigger challenge for defenders, Miserendino says, is whether security vendors can keep pace as AI agents become more capable.
"The question becomes how aggressively the EDR community can keep up and maintain these rules and detection tweaks to achieve acceptable false positive rates," he says.
“The broader question for customers deploying AI agents is one of 'What should an agent be permitted to do on an endpoint? What boundaries should be enforced?'”Sophos asks.
On a positive note, the rise of AI agents may also create an unexpected opportunity for defenders, says Miserendino.
Even if organizations eventually whitelist trusted AI agents, the CTO says their behavioral patterns could become useful telemetry for security teams.
"One potential beneficial side-effect of identifying these subtle behavioral patterns of AI agents is it provides a signal of AI use even when users (or attackers) may be trying to obfuscate the use of AI to avoid policy enforcement," he said.
AI leaves its own fingerprints
Sophos sees a future in which security teams will need to adapt alongside detection engineering – monitoring and assessing AI behavior, as well as tuning rules “to account for known-good agent signatures.”
The research also says that other rules, even if they produce a barrage of false positives, need to be in place because certain activity, whether it comes from a legitimate AI task or authorized administrative work, should and needs to be labeled as risky.
Has your password leaked?
Providing a range of examples for security teams to build on, Sophos says organizations must first define what AI agents should be allowed to do – and then determine which technical controls should enforce those policies.
“Some of the activity is genuinely suspicious regardless of who initiated it. PowerShell decrypting browser credentials, dumping Credential Manager entries, writing to startup folders, cycling through LOLBin download methods – these are things defenders flag for good reason. The fact that an AI agent did them does not make them safe,” Sophos said.