The Big Picture of Fable 5's Cyber Safeguards
Timeline of the Fable 5 regulation series (2026)
This disclosure is not a standalone technical document but a follow-up to the run of moves since June around Fable 5's suspension and return. The suspension is covered in the article on why Claude Fable 5 was unavailable, and the restoration in the Claude Fable 5 restoration article. Here we look at what was built into the restored Fable 5.
The safeguard details published the day after restoration
Anthropic explained, in a July 2 blog post, the design of the safety classifier (a mechanism that automatically judges request content) that makes up Fable 5's cyber safeguards. Because Fable 5 has cyber capabilities strong enough to be repurposed for attacks, it sets a wider safety margin than earlier models — accepting a higher false-positive rate in exchange for preventing jailbreaks from slipping through.
"The safety margin means that a request has to look very clearly safe to avoid triggering the classifier." — Fable 5's cyber safeguards section
A safety classifier that sorts requests into four categories
The classifier sorts cybersecurity-related requests into the four categories below. "Dual use" refers to techniques usable for both defense and attack.
| Category | Examples | Handling |
|---|---|---|
| Prohibited use | Ransomware, wipers, C2 infrastructure, malware development, phishing delivery | Always blocked |
| High-risk dual use | Penetration testing, exploit development, privilege escalation, vulnerability research on critical systems | Blocked until access controls exist |
| Low-risk dual use | Open-source intelligence, vulnerability identification already possible with other tools, cryptographic protocol testing | Monitored, sometimes blocked as a safety margin |
| Benign use | Secure coding, debugging, patch management, incident response, defensive training | Allowed with monitoring |
Fable 5's safeguards are designed not to stop everything cyber-related, but to reliably stop attack-only uses while letting defensive use through. Anthropic itself is explicit that it does not intend to block all cybersecurity-related activities.
"we do not intend to block all cybersecurity-related activities" — Fable 5's cyber safeguards section
How the "CJS" Jailbreak-Severity Metric Works
The five CJS bands (a 0–10 total mapped to bands)
CJS (Cyber Jailbreak Severity) is a metric that quantifies how much power a discovered jailbreak gives an attacker and maps it onto five severity bands. It helps to think of it as a jailbreak counterpart to the severity ratings used for software vulnerabilities (such as CVSS).
Four scoring axes producing a 0–10 total
Scoring is the sum of the four axes below. The first two measure what the jailbreak "gives" an attacker; the latter two measure how easily it can be abused.
| Axis | Points | What it measures |
|---|---|---|
| Capability gain | 0–4 | How far beyond existing tools the technique takes the attacker |
| Breadth of capability gain | 0–2 | How many distinct offensive tasks the same technique works on |
| Ease of weaponization | 0–2 | How little effort it takes to turn it into a running attack |
| Discoverability | 0–2 | How easily an attacker can obtain the technique |
"The calculation of the overall CJS score is based on four axes. The first two describe what the jailbreak gives an attacker: Capability gain (also known as uplift): How far beyond their existing tools the technique takes the attacker; and Breadth of capability gain (also known as universality): How many distinct offensive tasks the same technique works on." — Grading jailbreak severity section
The bands are exponential; final ratings only go up
When the total is mapped onto severity bands, the bands are designed to be exponential rather than linear. In other words, the gap between CJS-2 and CJS-3 is not "one step" but "several times more serious." CJS looks like an additive score, but in practice it is an exponential yardstick where each step up is several times worse.
"The bands are intended to be exponential rather than linear, so each step up is several times more serious than the last" — Grading jailbreak severity section
A final severity can also be raised above the initial calculation — depending on how findings combine and how hard remediation is — but never lowered. When a novel, hard-to-discover critical vulnerability is involved, or when remediation takes a long time because the issue stems from fundamental capabilities, a higher severity than the calculated value is assigned.
The Goal: a Shared Industry "Yardstick"
The CJS framework's standing and channels
The point of CJS is not to create one company's internal standard. It is to let industry and government discuss jailbreak severity with a shared yardstick.
So governments and companies can discuss risk in the same terms
Today there is no common scale for how dangerous a given jailbreak is, and severity is expressed inconsistently across companies and news reports. Anthropic put CJS into the open, arguing that a shared framework would let AI developers and governments convey risk to each other in consistent terms. Now that governments make real decisions about whether AI models can be offered — as with June's export restriction — the need for a common language to convey risk quantitatively has grown.
"Such a framework would allow AI developers to speak to governments (and vice versa) in consistent terms about the risks posed by each jailbreak." — framework discussion
HackerOne reporting and a call for feedback
The framework is still an early draft, and Anthropic says it will work with partners to turn it into a practical, agreed-upon standard. Alongside it, a HackerOne program — a platform that brokers vulnerability reports — has opened where security researchers can submit potential jailbreaks found in Fable 5. Publishing the severity yardstick (CJS) and the reporting channel (HackerOne) as a pair is the practical significance of this announcement.
"This proposed framework is an early draft. We are sharing it while we work with our partners to improve it and turn it into a practical, agreed-upon standard." — framework discussion
Conclusion: Where the Fable 5 Regulation Series Stands Now
What to watch next
With this disclosure, Fable 5 shifts from "why it went offline" to "how to run it safely." The classifier's four categories are designed to reliably stop only attack-only uses, and CJS is a yardstick for discussing jailbreak severity across the industry.
For everyday users, Fable 5 is back and works as usual. Because legitimate cyber uses (development, defense, learning) are designed to be allowed, there is no need to be overly wary. For the suspension-to-restoration story, see the Claude Fable 5 restoration article; for the status of Mythos 5 for defensive organizations, see the Claude Mythos 5 restart article; and for Claude's overall model lineup, see the guide to Claude.



