[Bug][aup] Cloud-IAM incident-response sweep checking web servers and container infra for compromise blocked (req_011CbwvtUn8Nam1CTDRokVFa)

Open 💬 2 comments Opened Jun 25, 2026 by sworrl

Type: AUP / Usage-Policy block (false positive) · Work domain (heuristic): cloud-iam

Why this is a false positive

This block fired on a routine incident-response task: inspecting an organization's own web servers and container infrastructure to determine whether a known identity-provider compromise had spread to other systems under the same administrative control. This is standard defensive security work performed by an authorized administrator on assets they own, with no offensive tooling, exploitation, or third-party targeting involved — the request was purely diagnostic (read and audit configuration and access state). The cyber safeguard appears to be keying on surface terms like "hacked," "compromise," and infrastructure inspection without distinguishing defensive IAM auditing from offensive activity, producing a false positive that obstructs legitimate cloud-identity remediation.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 2
session(s); first seen 2026-06-11T18:16:21.006Z.

Request IDs (lookup-able server-side)

  • req_011CbwvtUn8Nam1CTDRokVFa (2026-06-11T18:16:21.006Z)
  • req_011CbwvvQ6f1ui4LV1qdkWbx (2026-06-11T18:16:47.202Z)
  • req_011CbwvwFtKT5u9tHd6KPGfv (2026-06-11T18:16:59.125Z)
  • req_011CbwvwQ9AG96bnATTyfAWU (2026-06-11T18:17:01.506Z)
  • req_011CbwvwcQrCzqmnAdoTTGrk (2026-06-11T18:17:04.307Z)
  • req_011CbwvxKxuwgvEzx4KZXifa (2026-06-11T18:17:16.140Z)
  • req_011Cbww3aPULDRh9nEU6ueLX (2026-06-11T18:18:30.264Z)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). This request triggered cyber-related safeguards. To request an adjustment pursuant to our Cyber Verification Program based on how you use Claude, fill out https://claude.com/form/cyber-use-case?token=[SCRUBBED]. To learn more about the program or provide feedback, visit o… Please double press esc to edit your last message or start a new session for Claude

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗