[Bug][aup] Cloud-IAM incident-response sweep checking web servers and container infra for compromise blocked (req_011CbwvtUn8Nam1CTDRokVFa)
Type: AUP / Usage-Policy block (false positive) · Work domain (heuristic): cloud-iam
Why this is a false positive
This block fired on a routine incident-response task: inspecting an organization's own web servers and container infrastructure to determine whether a known identity-provider compromise had spread to other systems under the same administrative control. This is standard defensive security work performed by an authorized administrator on assets they own, with no offensive tooling, exploitation, or third-party targeting involved — the request was purely diagnostic (read and audit configuration and access state). The cyber safeguard appears to be keying on surface terms like "hacked," "compromise," and infrastructure inspection without distinguishing defensive IAM auditing from offensive activity, producing a false positive that obstructs legitimate cloud-identity remediation.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 7× across 2
session(s); first seen 2026-06-11T18:16:21.006Z.
Request IDs (lookup-able server-side)
req_011CbwvtUn8Nam1CTDRokVFa(2026-06-11T18:16:21.006Z)req_011CbwvvQ6f1ui4LV1qdkWbx(2026-06-11T18:16:47.202Z)req_011CbwvwFtKT5u9tHd6KPGfv(2026-06-11T18:16:59.125Z)req_011CbwvwQ9AG96bnATTyfAWU(2026-06-11T18:17:01.506Z)req_011CbwvwcQrCzqmnAdoTTGrk(2026-06-11T18:17:04.307Z)req_011CbwvxKxuwgvEzx4KZXifa(2026-06-11T18:17:16.140Z)req_011Cbww3aPULDRh9nEU6ueLX(2026-06-11T18:18:30.264Z)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). This request triggered cyber-related safeguards. To request an adjustment pursuant to our Cyber Verification Program based on how you use Claude, fill out https://claude.com/form/cyber-use-case?token=[SCRUBBED]. To learn more about the program or provide feedback, visit o… Please double press esc to edit your last message or start a new session for Claude
Environment: Claude Code, Linux. · Work domain: cloud-iam
---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗