Security exceptions are processed in a different way to other errors on the input node. Whilst an error is usually caught on the input node and flowed down the catch terminal for error processing, security exceptions are not processed in the same way. By default the broker does not allow security exceptions to be caught within the flow, and backs the message out or returns an error (in the case of HTTP). If you have designed the flow to be in a secure area and you want to explicitly perform processing of security exceptions, you can select “Treat Security Exceptions as normal exceptions” on the input nodes. This causes security exceptions to flow like any other exception in the flow.