[Bug][cyber] Safety block halted legit incident-response RDP/VPN log forensics tracing an unauthorized intrusi (req_011CcG51GkXNkgk7ChGuQwPB)

Open 💬 2 comments Opened Jun 25, 2026 by sworrl

Type: Cybersecurity safety-filter false positive · Work domain (heuristic): general

Why this is a false positive

The work is an authorized incident-response investigation into a suspicious remote-access session on systems the operator administers, using standard read-only forensic methods (querying Windows Security/RDS event logs over WinRM and correlating VPN authentication records) to determine whether and how an account was accessed. No exploitation, intrusion, or offensive capability is involved—this is defensive log analysis and timeline reconstruction on owned infrastructure, which is exactly the kind of routine blue-team forensics that should not trigger a cyber-misuse block. The flag appears driven by surface terms (VPN, remote authentication, foreign-IP access) rather than any actual malicious intent or out-of-scope target.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-21T08:13:37.604Z.

Request IDs (lookup-able server-side)

  • req_011CcG51GkXNkgk7ChGuQwPB (2026-06-21T08:13:37.604Z)
  • req_011CcG5CeJcuMkqnoG74vqfG (2026-06-21T08:16:12.902Z)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

API Error: Opus 4.8 has safety measures that flagged this message for a cybersecurity topic. If your work requires this access, you can apply for an exemption: https://claude.com/form/cyber-use-case?token=[SCRUBBED]

Please double press esc to edit your last message or start a new session for Claude Code to assist with a different task.

Send feedback with /feedback or learn more: https://support.claude.com/en/articles/15363606

Request ID: req_011CcG51GkXNkgk7ChGuQwPB

Environment: Claude Code, Linux. · Work domain: general

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗