[BUG] CVP-approved org: real-time cyber classifier false-positives at 0 tokens on authorized defensive-security work — Fable 5 blocked, Sonnet passes the identical task (request IDs included)

Open 💬 1 comment Opened Jun 12, 2026 by hblopppp

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The real-time cyber-safeguard classifier false-positive blocks my requests at 0 output tokens on authorized, sandboxed defensive-security work, even though my organization is enrolled and approved in the Cyber Verification Program. It hits claude-fable-5 in Claude Code; the identical task on a Sonnet-tier model completes. In the blocked runs the model engages - it reads the input and begins generating - then the generation is killed at o tokens, so this is the safeguard misfiring, not a model refusal. The work is dual-use-for-defense (adversary-emulation fidelity review + identifying the detectable tells a blue team would use), not prohibited use.

The behavior is consistent with my CVP approval not propagating to the real-time classifier.

What Should Happen?

As a CVP-approved org, authorized dual-use-for-defense requests should clear the real-time classifier and the model should be allowed to complete the work - as a less-restricted Claude model already does for the identical task. The classifier should not block authorized work at 0 tokens as if no approval exists.

Error Messages/Logs

API Error: Claude Code is unable to respond to this request,

which appears to violate our Usage Policy... This request

triggered restrictions on violative cyber content and was

blocked under Anthropic's Usage Policy. - returned at o

output tokens after the model had already read the input.

Request IDs (for internal lookup):

- req_011Cbwąg9MfTcsczGg4oC95J

- req_011CbxiszgtSjEAM22c9DMui

- req_011CbxjNYcCmwvTNA5zMV87T

- req_011Cbwcf588AZx2ZYyw5zpYb (original incident)

Steps to Reproduce

  1. From a CVP-approved org, in Claude Code on claude-fable-5, ask the model to review a locally-generated adversary-emulation artifact for fidelity and the detectable tells a defender could use (a sandboxed detection-engineering task; no real target, no deployment).
  2. Observe: the model reads the file and begins the review, then the generation is blocked at 0 output tokens (AUP cyber-content block).
  3. Run the identical task on a Sonnet-tier model → it completes with a substantive review.
  4. Re-run on Fable 5 with different output framings (transparent / incremental / write-to-deliverable-file) → all blocked at o tokens (request IDs above), showing the block tracks content category, not phrasing.

Claude Model

Other

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.175

Platform

Other

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

  • Environment: Claude Code (first-party), Max plan; claude-fable-5 blocked, Sonnet-tier passes the same task.
  • Account: CVP-enrolled and approved org.

(Org ID withheld in
this public issue - available to Anthropic via my support ticket / the cyber-block false-positive form.)

  • Why it's a false positive: (1) dual-use-for-defense category, explicitly CVP-covered, nothing in the prohibited tier (no ransomware/mass-exfil/real target); (2) classifier the identical content.
  • Notable: when asked to conceal output (hidden file + content-free status reply), the model declined and asked to work in the open - so the transparent workflow that gets blocked is the one the model itself endorsed.
  • Impact: the org's most capable available model can't perform the core of its authorized work; blocked still consume billed tokens; 3 prior false-positive reports unanswered (~3 months).
  • Possibly related: #61889, #63751, #65596, #64287.
  • Full transcripts available to Anthropic on request.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗