Python scripts were used to test malware against endpoint detection and response agents from Sophos, CrowdStrike, and Windows Defender.
June 3, 2026
Sophos X-Ops analysts published research this week concerning an unidentified threat actor using AI technology to develop endpoint detection and response (EDR) evasion tactics, packaged in what the company described as a "red team" post-exploitation framework.
"The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts for payloads originating from C:\Users\User\Documents\test," Sophos said in its blog post. "Multiple files in this directory were malicious and indicative of a broader attack framework focused on evading detection."
Sophos analysts discovered multiple Python scripts, containing Russian-language text and at least partially AI-generated. This is not surprising in itself, as threat actors have been using large language model (LLM) technology to build malware and run attacks for some time now.
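The alerts Sophos describes fired on payloads staged under C:\Users\User\Documents\test. The following is an added example, not Sophos's detection logic or the actor's code: a small scanner over constructed process-creation telemetry that flags Python interpreters launched with a script under any user's Documents folder. It generalizes slightly beyond the article's single path (any user name, either slash style, and relative script paths resolved against the process working directory). The record field names (`host`, `image`, `cmdline`, `cwd`) and the sample events are assumptions made up for the example.

```python
"""
Added detection example (not from Sophos or the article): flag Python
scripts executed from a user's Documents directory, the staging location
named in the article. Telemetry schema and sample events are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Interpreter images whose first script argument we inspect (assumption:
# the scripts run through a standard CPython launcher).
PYTHON_INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "python3.exe"}

# Any user's Documents folder, case-insensitive, backslash or forward slash,
# e.g. C:\Users\User\Documents\test\loader.py
DOCUMENTS_RE = re.compile(
    r"^[a-z]:[\\/]users[\\/][^\\/]+[\\/]documents([\\/]|$)", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    host: str
    script: str
    reason: str


def _tokenize(cmdline: str) -> list[str]:
    # Windows-style split: keep quoted segments intact and drop the quotes.
    return [q if q else t for q, t in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def _script_argument(tokens: list[str]) -> str | None:
    # First non-option argument after the interpreter; -m / -c mean there is
    # no script path on the command line, so there is nothing to inspect.
    for tok in tokens[1:]:
        if tok.startswith("-"):
            if tok in ("-m", "-c"):
                return None
            continue
        return tok
    return None


def _resolve(script: str, cwd: str) -> str:
    # Relative script paths are resolved against the process working directory.
    if re.match(r"^[a-z]:[\\/]", script, re.IGNORECASE):
        return script
    return cwd.rstrip("\\/") + "\\" + script if cwd else script


def scan_events(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if _basename(ev.get("image", "")) not in PYTHON_INTERPRETERS:
            continue
        script = _script_argument(_tokenize(ev.get("cmdline", "")))
        if script is None:
            continue
        script = _resolve(script, ev.get("cwd", ""))
        if DOCUMENTS_RE.match(script):
            findings.append(Finding(ev["host"], script,
                                    "python script executed from user Documents folder"))
    return findings


# Constructed sample telemetry (hosts, paths and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Python311\python.exe",
     "cmdline": r'"C:\Python311\python.exe" "C:\Users\User\Documents\test\loader.py" --quiet',
     "cwd": r"C:\Users\User"},
    {"host": "WS02", "image": r"C:\Python311\pythonw.exe",
     "cmdline": r"pythonw.exe -u inject.py",
     "cwd": r"C:\Users\alice\Documents\test"},
    {"host": "WS03", "image": r"C:\Python311\python.exe",
     "cmdline": r"python.exe -m pip list", "cwd": r"C:\Users\bob\Documents"},
    {"host": "WS04", "image": r"C:\Python311\python.exe",
     "cmdline": r"python.exe C:\Projects\build.py", "cwd": r"C:\Projects"},
    {"host": "WS05", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\User\Documents\test\run.bat", "cwd": "C:\\"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.script} ({f.reason})")
```

Only WS01 and WS02 are flagged: WS03 runs a module rather than a script, WS04 runs from a project directory, and WS05 is not a Python interpreter (a batch file under Documents would need its own rule). In production this rule is a triage signal, not a verdict; legitimate user scripts live in Documents too, so pair it with parent-process and file-provenance context before alerting.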