Deep Dive: How Claude Fable 5's Cybersecurity Guardrails and Jailbreak Framework Work_
Anthropic has officially re-deployed Claude Fable 5, making it available globally to all users. Alongside this release, we are pulling back the curtain on the complex safety systems engineered to keep this powerful model secure.
In this detailed guide, we will break down two major pillars of our safety infrastructure:
- Cybersecurity Safeguards: The AI-driven "classifiers" that actively detect and block malicious requests.
- The Jailbreak Severity Framework: Our collaborative draft with industry partners to categorize and measure the severity of attempts to bypass AI safety controls.
Understanding the Core Concepts: Classifiers & Jailbreaks
Before diving into the policy details, let's establish what these technical terms mean in the context of Large Language Models (LLMs).
What is a Safety Classifier?
Think of a Safety Classifier as an automated security guard standing at the entrance of the AI model. When you send a prompt to Claude, it doesn't go straight to the main brain of Fable 5. First, it passes through a smaller, specialized AI model—the classifier.
This classifier acts like an airport baggage scanner. It inspects the prompt's intent, keywords, and structural patterns. If it detects a prohibited request (such as a request to generate malicious code), it immediately flags and blocks the query, returning a standard refusal message before the main model can process it.
What is an AI Jailbreak?
An AI Jailbreak is a specialized prompting technique designed to bypass these safety classifiers.
- The Analogy: Imagine a secure building where the guard is trained to block anyone carrying a crowbar. A "jailbreaker" doesn't carry the crowbar openly; instead, they wrap it in a gift box, put on a delivery uniform, and spin a complex story about a fake delivery.
- In AI Terms: Users might use roleplay scenarios ("Act as an actor in a movie who needs to write a virus to save his family"), adversarial suffixes, or highly complex linguistic obfuscation to trick the model into ignoring its safety training.
The Dual-Use Dilemma in Cybersecurity
One of the hardest challenges in AI alignment is the dual-use problem. In cybersecurity, the line between defensive tools and offensive weapons is razor-thin.
Consider code vulnerability scanning:
- Defensive (Benign): A software engineer asks Claude to scan their application code to find a security flaw so they can patch it before hackers find it.
- Offensive (Malicious): A cybercriminal inputs the same codebase, asking Claude to find a flaw so they can exploit it and launch a ransomware attack.
Because the raw computational tasks are nearly identical, Anthropic utilizes a four-tier classification framework to safely manage these requests.
1. Prohibited Use (Always Blocked)
These are activities that yield massive asymmetric advantages to attackers while offering virtually no defensive value. They are overtly destructive or criminal.
Technical Jargon Explained:
To understand why these are prohibited, let's break down some of the highly technical terms mentioned in our policy:
- AV/EDR Bypass: Antivirus (AV) and Endpoint Detection and Response (EDR) are security software suites designed to protect laptops and servers. An AV/EDR bypass is a technique or script designed specifically to make malware invisible to these security monitors.
- BGP Hijacking & Route Leaking: Border Gateway Protocol (BGP) is the routing system that directs internet traffic across the globe. BGP Hijacking is like changing physical highway signs to redirect all traffic through an attacker's territory, allowing them to intercept or block massive streams of global data.
- Obfuscation & Packing: This involves scrambling code or wrapping it in a compressed "pack" to hide its true function from security scanners, making malicious software look like harmless data.
- Command-and-Control (C2) Channels: When a hacker infects a computer, they need a way to send commands to it. A C2 server acts as the central headquarters directing the infected "zombie" computers.
2. High-Risk Dual Use (Blocked)
These are activities that mimic real-world cyberattacks but are frequently simulated by ethical hackers during legitimate security audits, penetration testing, or "Red Teaming" (authorized simulations of cyberattacks). Despite their defensive utility, the risk of abuse is too high, so Fable 5's classifiers block them by default.
3. Low-Risk Dual Use (Monitored & Margin-Blocked)
These are activities that heavily lean toward defensive benefits but still carry some risk. To protect users, Anthropic implements a Safety Margin:

As shown in the diagram above, the safety margin behaves like a buffer zone:
- Row A (Standard Models): A smaller safety margin allows more low-risk requests to go through, but increases the chance that a highly clever malicious prompt slips past.
- Row B (Claude Fable 5): We have intentionally widened this margin. While this means some entirely benign prompts might trigger a "false positive" rejection, it dramatically improves the security posture against sophisticated jailbreak attempts.
4. Benign Use (Allowed)
Standard everyday coding tasks, such as writing secure database queries, explaining how common encryption protocols work, or teaching students basic networking concepts.
The Proposed Jailbreak Severity Framework
Currently, the tech industry lacks a standardized "Richter Scale" for AI security breaches. When a researcher bypasses an AI's guardrails, it is often labeled a "jailbreak" regardless of whether the exploit allowed the user to generate a harmless pirate poem or a functional piece of infrastructure malware.
To solve this, Anthropic is collaborating with our partners at Glasswing to draft a Jailbreak Severity Framework.
This framework aims to establish a consistent vocabulary for developers, researchers, and government agencies to evaluate risks. Much like the CVSS (Common Vulnerability Scoring System) used in traditional IT security, this system will categorize jailbreaks based on:
- Scope: Does the exploit bypass a single specific safeguard, or does it disable the entire safety system across all domains?
- Reproducibility: How easily can this bypass be executed by non-technical users?
- Harm Potential: Does the output lead to actionable, dangerous physical or cyber threats?
Get Involved
Security is a collaborative journey. We are inviting feedback from academia, industry, civil society, and governments on our proposed framework.
- Share your thoughts: Email us your feedback and critiques at
cyber-safeguards@anthropic.com. - Bug Bounty: We have launched a HackerOne program specifically for security researchers to find and responsibly report cybersecurity jailbreaks in Claude Fable 5.
Related Posts.
Inside Google DeepMind's AI Control Roadmap: Securing Systems Against Imperfectly Aligned AI
Explore Google DeepMind’s AI Control Roadmap. Learn how to secure internal systems from highly capable AI agents using system-level defenses, threat modeling, and real-time monitoring.
Why AI Agents Are Not Your Coworkers: The Dangerous Myth of 'Digital Colleagues'
Framing AI agents as 'digital employees' degrades human performance, shifts liability, and creates dangerous automation bias. Explore the deep technical and psychological explanation.
Google's Historical Rewrite: What a Gemini-Assisted Declaration of Independence Says About the AI Marketing Trap
Google's latest commercial imagines the Founding Fathers drafting the Declaration of Independence using Google Workspace and Gemini AI. We analyze the marketing pivot, the technological context behind AI video, and why critics are calling it 'cringey'.