diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index 9b26093..83d0be7 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -715,6 +715,11 @@ func (p *processor) integrity(
 				"Extracting 'tlp level' from %s failed: %v", u, err)
 		} else {
 			tlpe := extractTLP(tlpa)
+			// If the client has no authorization it shouldn't be able to access TLP:AMBER or TLP:RED advisories
+			if !p.opts.protectedAccess() && (tlpe == "AMBER" || tlpe == "RED") {
+				p.badAmberRedPermissions.use()
+				p.badAmberRedPermissions.error("Advisory %s of TLP level %v is not access protected.", u, tlpe)
+			}
 			// check if current feed has correct or all of their tlp levels entries.
 			if p.labelChecker != nil {
 				p.labelChecker.check(p, tlpe, u)