[Bug][aup] Incident-response sweep of cloud IAM and container infra after Entra account compromise wrongly blo (req_011Cbwtuoqej9JjVz1tQoV9k)
Type: AUP / Usage-Policy block (false positive) · Work domain (heuristic): cloud-iam
Why this is a false positive
This request was a defensive incident-response sweep of the operator's own infrastructure—reviewing web servers and container hosts to confirm they were not compromised following a confirmed identity-provider breach—which is standard, authorized security work performed by the asset owner. The cloud-IAM and infrastructure-inspection terminology in the conversation appears to have matched offensive-tooling heuristics, but the actual intent and scope are purely auditing systems the user controls. No exploitation, intrusion, or third-party targeting was requested, so the block prevents legitimate professional defensive work without a corresponding policy violation.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-11T17:50:29.911Z.
Request IDs (lookup-able server-side)
req_011Cbwtuoqej9JjVz1tQoV9k(2026-06-11T17:50:29.911Z)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). This request triggered restrictions on violative cyber content and was blocked under Anthropic's Usage Policy. To learn more, provide feedback, or request an exemption based on how you use Claude, visit our help center: https://support.claude.com/en/articles/14604842-real-time-cyber-safeguards-on-claude. Please double press esc to edit your last message or
Environment: Claude Code, Linux. · Work domain: cloud-iam
---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗