At a glance
AI agents are colliding with the tools built to watch them. Sophos found Claude Code, Cursor, and OpenAI Codex tripping the same EDR rules written to catch human intruders — credential-store access, LOLBin downloads, startup-folder persistence — a strong practical argument for keying detection rules to the agent’s parent process rather than to the raw action alone. The same week, researchers at the Hong Kong University of Science and Technology showed that the scanners guarding AI agent-skill marketplaces at install time can be cloaked past nearly every static and hybrid detector, with a behavioral sandbox the only approach that held up. And a public dispute over whether Claude Code shipped with a “backdoor” — China’s regulator says yes, Anthropic says anti-distillation telemetry — is, underneath the geopolitics, a live case study in AI coding-tool vendor vetting that every SOC running these agents in production should read with its own tool-approval process in mind.
Two postmortems this week are worth reading back to back. CISA admitted it had no prepared incident-response playbook when a contractor leaked AWS GovCloud credentials to a public GitHub repository in May, and staff had to build one mid-incident — a reminder that even the agency that tells everyone else to have a plan can get caught without one. Microsoft, meanwhile, is rewriting its own Windows patch guidance because AI is shrinking the gap between disclosure and exploitation, recommending update-deployment windows measured in single-digit days rather than weeks. Read against Picus and Gartner’s case for continuous, trigger-driven offensive security testing over the calendar-based pentest — Gartner’s own Zero Day Clock now averages under ten hours mean-time-to-exploit — the throughline is the same: SOC processes built for a slower attacker no longer hold, whether that process is incident response, patching, or validation.
Underneath the AI headlines, the SOC’s plumbing keeps moving too. Barracuda’s acquisition of Evo Security and Infoblox’s acquisition of Kentik are both identity- and network-visibility consolidation plays aimed at the same problem: giving MSPs and enterprise teams one platform instead of a stitched-together stack. Datadog’s research on GitHub API reconnaissance is a quieter warning that your own developer platforms are already being mapped by ghost accounts blending into normal traffic. And this week’s foundational reading turns the mirror back on the SOC itself: Anton Chuvakin’s new framework calls “2003 SOC + AI = somewhat better 2003 SOC” the default failure mode of agentic SOC adoption, while World Informatix’s alert-fatigue research puts a number on the cost of not fixing it — 46% of alerts are false positives, and roughly 40% of the median SOC’s nearly 1,000 daily alerts never get a real look.
This week’s stories
AI coding agents collide with the tools built to catch them
This week’s most operationally relevant throughline: AI coding agents are now generating the same behavioral signal defenders built EDR to catch, are shipping through an agent-skill supply chain that current scanners can’t reliably vet, and are themselves at the center of a vendor-trust dispute with direct implications for SOC tool-approval processes.
SOC platform and tooling updates
A steady week of platform releases across the stack SOC teams already run — SIEM, vulnerability management, network analysis, and the emerging AI-SOC category — each shipping incremental automation and AI-assist features rather than one headline launch.
Incident response and patch cadence catch up to AI-speed attacks
Two postmortems on the same theme from opposite ends of the stack: CISA’s own admission that it lacked a ready incident playbook, and Microsoft’s recommendation that Windows patch-deployment windows shrink because AI has collapsed the time attackers need to weaponize a disclosed flaw.
Identity and network consolidation, and the shift to continuous testing
An M&A wave in identity and network-visibility tooling lands the same week as a strong practitioner case for replacing calendar-based pentesting with continuous, trigger-driven validation — and a reminder from Datadog that your own developer platforms are already reconnaissance targets.
Foundational reading: rethinking SOC people, process, and alert economics
Three longer reads on the parts of the SOC that don’t show up in a product launch — the people-and-process side of agentic SOC adoption, a major SIEM’s platform roadmap, and the alert-fatigue economics every SOC lead already feels.
The detail
1. AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
Sophos reviewed a week of its own Windows endpoint telemetry and found AI coding agents — Claude Code, Cursor, and OpenAI Codex — setting off detection rules written to catch human intruders: credential access accounted for 56.2% of the flagged activity and execution for 28.8%, led by a rule that fires when a process uses Windows’ DPAPI to decrypt browser-stored credentials (Claude Code running a widely used “browse” skill pack tripped this one; separately it ran cmdkey /list to enumerate Windows Credential Manager while operating with its –dangerously-skip-permissions flag set, a mode Anthropic’s own docs warn against). OpenAI Codex showed attacker-like adaptability, pivoting from a blocked certutil download to bitsadmin to fetch a legitimate Python installer, and Cursor tripped a persistence rule by writing a startup-folder script via PowerShell. None of this was malicious, but it is the same living-off-the-land behavior CrowdStrike’s 2026 Global Threat Report found in 82% of malware-free intrusions, which is exactly why defenders built behavioral detection in the first place — and why benign agents now crowd the signal it depends on. Sophos’s fix is architectural: key rules to the agent’s parent process, workspace path, and download-target reputation to quiet ordinary agent noise, but hold the line on anything touching a credential store regardless of which process asked. The open policy question for every SOC running these agents: what should a coding agent be allowed to touch on an endpoint at all, and is your team ready to write that rule before an audit forces the question.
Sources: The Hacker News
2. China Warns of Claude Code ‘Backdoor’ Security Risk
China’s National Vulnerability Database, run by the Ministry of Industry and Information Technology, told organizations to remove Claude Code versions 2.1.91 through 2.1.196, alleging a built-in monitoring mechanism capable of transmitting users’ geographic location and identity-related identifiers to remote servers, and urged tighter external network access and traffic monitoring for development tools generally. Anthropic disputes the “backdoor” framing: it says the mechanism was an experiment to protect against model distillation, and that Claude Code was never authorized for use in China in the first place under a policy barring majority China-owned entities. The dispute lands on top of last month’s accusation that Alibaba attempted to extract Anthropic’s model capabilities, and Alibaba has reportedly ordered staff to stop using Anthropic tools for work starting July 10. Strip away the geopolitics and this is a live AI coding-tool vendor-risk case study: a widely deployed assistant that sits close to source code, credentials, and internal systems is now the subject of dueling telemetry claims from a vendor and a national regulator, with no independent verification available to the SOC teams actually running it. For any team that has approved Claude Code, Cursor, Copilot, or a similar assistant for developer use, the actionable takeaway isn’t which side is right — it’s whether your AI coding-tool vetting process currently asks what telemetry these tools collect, where it goes, and whether your answer would hold up if a regulator publicly disagreed with the vendor.
Sources: TechRepublic
3. Malicious AI Agent Skills Can Slip Past the Scanners Built to Stop Them
AI coding agents load “skills” — bundles of plain-English instructions, scripts, and files — off public marketplaces the same way developers pull packages from npm, and one marketplace listed more than 40,000 of them within months, mostly unvetted. A campaign called ClawHavoc already planted 300-plus malicious skills on a single marketplace, disguising an information-stealer as a routine setup step. Researchers at the Hong Kong University of Science and Technology built SkillCloak to test how far install-time scanners can be pushed: a packing trick that hides the real payload in a directory scanners skip evaded every scanner tested more than 90% of the time, and a token-rewriting trick cleared even a hybrid rules-plus-LLM scanner 96% of the time, all while the cloaked skills kept working normally when run. The same team’s answer, SkillDetonate, runs a suspicious skill in a sandbox and watches its actual system-call behavior rather than its bytes, catching 97% of synthetic attacks and 87% of real-world malicious skills at a roughly 2% false-positive rate, though each check takes about two and a half minutes versus seconds for static scanning. The catch that matters for SOC teams building their own agent-skill marketplace: SkillDetonate only sees behavior the agent actually decides to run, so a payload gated behind an instruction the agent skips during analysis, or a prompt-injection nudge away from the malicious path, can still slip through. Byte-level scanning has lost this fight before; the fix is the same one malware defense already learned — watch what the code does, not just what it looks like.
Sources: Help Net Security
4. US Cybersecurity Agency CISA Had to Build Its Incident Playbook During the Incident, Agency Reveals
In a Friday postmortem, CISA admitted that when a security researcher flagged reams of exposed AWS GovCloud passwords and access keys sitting in a public GitHub repository uploaded by a contractor’s employee back in May, the agency “had to spend time building a playbook during the early stages of the incident” because it did not already have one. The exposure was first surfaced by GitGuardian and reported by independent journalist Brian Krebs after the contractor itself failed to respond to the researcher’s outreach; CISA took the repository offline and rotated all exposed credentials only after Krebs made contact, and says no mission or customer data was exposed. The agency also acknowledged that its own channels for researchers to report potential incidents “were not well defined” and says it has since clarified them. The disclosure lands against a rough operating backdrop: CISA has been without a permanent director since January 2025 and has lost roughly a third of its workforce to furloughs, cuts, and layoffs. The lesson is uncomfortable precisely because it comes from the agency that tells every other organization to have a response plan ready before it’s needed: a playbook built while the clock is already running is a playbook built too late, and the fix — pre-built playbooks for “all anticipated needs,” plus clearly defined external-researcher reporting channels — costs far less before an incident than during one.
Sources: TechCrunch
5. Microsoft Is Rewriting Windows Patch Guidance Because of AI
Microsoft is telling organizations to shorten Windows update deployment timelines, warning that AI is reducing how long attackers need to find and weaponize a vulnerability once a security update ships. Microsoft 365 Director Jeremy Chapman put it plainly: waiting a couple of weeks to deliver a critical quality update “is ample time for attackers using AI to find and exploit known security gaps.” The new recommended settings are aggressive by prior standards — a quality-update deferral period under three days, update deadlines of zero to one day, and a grace period of no more than two days — and Microsoft is pairing the guidance with tooling: a new Windows Autopatch report in Intune surfaces which devices remain unpatched after an update ships, Hotpatch installs eligible updates without a reboot to cut user-disruption objections, and Conditional Access policies can block noncompliant devices from reaching corporate resources entirely. For SOC and IT operations teams, this is a direct, quantified version of the same argument Picus and Gartner make elsewhere in this issue about offensive testing cadence: the calendar-based operating model — patch monthly, test annually — was built for a slower adversary, and AI has made that adversary fast enough that the old cadence is now itself a vulnerability. The practical question to bring to your next patch-management review: does your current deferral window survive being read aloud next to Microsoft’s new one.
Sources: Help Net Security
6. How to Implement a Continuous Offensive Security Testing Program
A new Gartner study makes the case that calendar-based penetration testing is simply too slow for how fast modern environments and attackers now move, pointing to the “Zero Day Clock” — the tracked average gap between a vulnerability’s disclosure and its first exploitation — which now sits under ten hours in 2026, down from roughly 53 days two years ago, against a backdrop of 49,183 new CVEs published in 2025 alone. Gartner’s answer is Continuous Offensive Security Testing (COST): validation triggered by change (a new internet-exposed asset, a zero-day alert, a critical control update) rather than the calendar, run on a continuous sensing layer, and orchestrated across multiple methods rather than solved by one. The practical constraint worth internalizing: live exploitation, the strongest proof of exploitability there is, is only safe to run against roughly 10-15% of a typical enterprise’s exposure — business-critical systems, restricted networks, and air-gapped segments are all off-limits to a detonated exploit. For the other 85-90%, Gartner and Picus point to TTP-chain validation: decomposing a CVE into its component techniques and testing each one against your actual deployed controls (EDR policy, hardening, allow-listing) without ever firing a live exploit, which also covers brand-new CVEs no one has weaponized yet. Gartner projects that more than 60% of enterprise pentest programs will be off the annual cycle entirely by 2028. The board-level question this reframes: not “are we patched,” but “are we secure right now, and can we prove it” — a question a once-a-year report can no longer answer by the time it’s read.
Sources: Help Net Security
On our watch list
- AI coding agents as an EDR tuning problem, not just a governance one. Sophos’s finding that Claude Code, Cursor, and Codex trip credential-access and persistence rules is a concrete detection-engineering task, not a future concern: key rules to agent parent processes and workspace paths now, before your own fleet’s noise makes real credential theft harder to spot.
- Agent-skill scanning needs a behavioral layer. SkillCloak’s ability to cloak malicious skills past static and hybrid scanners at 80-96% rates means any team standing up its own AI-agent skill marketplace should treat SkillDetonate-style sandboxing, not install-time scanning alone, as the baseline control — and budget the extra latency it costs.
- AI coding-tool vendor vetting, watched in real time. The Claude Code “backdoor” dispute won’t resolve cleanly, but it is a live rehearsal for a question every SOC should already have an answer to: what telemetry does each AI coding assistant on your approved list collect, and where does it go.
- Patch and pentest cadence are the same conversation now. Microsoft’s shortened Windows update windows and Gartner’s push toward continuous offensive testing are both responses to the same AI-accelerated exploit timeline. Bring both into the same Q3 planning conversation rather than treating them as separate workstreams owned by separate teams.