DEV Community

Cover image for Anthropic wants to grade AI jailbreaks like CVEs. Here's the framework.
Andrew Kew
Andrew Kew

Posted on

Anthropic wants to grade AI jailbreaks like CVEs. Here's the framework.

Anthropic has re-deployed Claude Fable 5 and used the moment to publish something the industry has been missing: a structured framework for talking about how dangerous an AI jailbreak actually is.

Think CVE severity scores, but for AI. The Cyber Jailbreak Severity (CJS) scale runs from CJS-0 (Informational — no real uplift) to CJS-4 (Critical — domain-expert-level output that meaningfully accelerates real attacks). Anthropic is calling it an early draft and asking for feedback, but the intent is clear: standardize the language so AI developers and governments can actually communicate about these risks.

"There is no agreed-upon framework for describing a given jailbreak's severity. Such a framework would allow AI developers to speak to governments (and vice versa) in consistent terms about the risks posed by each jailbreak."

What actually changed for Fable 5

Anthropic has laid out a four-tier classifier system for cybersecurity use cases:

  • Prohibited use — Block unconditionally. Ransomware, wipers, malware dev, C2 infrastructure, cyber-physical sabotage. High harm, low defensive value.
  • High-risk dual use — Block by default. Pen testing, privilege escalation, exploit development, zero-click work. Legitimate in the right hands, but Anthropic says they'll hold these until better access controls exist.
  • Low-risk dual use — Allow with a safety margin. OSINT, vuln scanning that any tool can already do, SSL research. The "safety margin" means they're erring on the side of blocking borderline cases rather than letting things through.
  • Benign use — Allow. Secure coding, incident response, log analysis, certs and training, patching.

One nuance worth flagging: Fable 5's safety margin is deliberately larger than previous models. That means more false positives — legitimate requests getting blocked — but Anthropic is prioritising caution at launch.

The jailbreak severity scoring

The CJS scale grades jailbreaks on four axes:

  1. Capability gain — Does the jailbreak give attackers something they couldn't get from existing tools? If the same output is reachable with a public scanner, it's CJS-0.
  2. Breadth — Does the technique work across many attack types, or just one? Universal jailbreaks score higher.
  3. Ease of weaponization — How much LLM expertise does it take to reproduce?
  4. Discoverability — How easily can a threat actor find the technique in the first place?

The bands are exponential, not linear — each step is several times more serious than the last. CJS-4 is reserved for jailbreaks that produce domain-expert-level outputs that aren't otherwise obtainable and require little expertise to weaponize.

They've also launched a HackerOne program where researchers can submit Fable 5 jailbreaks for review.

Why this matters

Anthropic is trying to do for AI jailbreak severity what CVSS did for software vulnerabilities — create a shared vocabulary that makes it possible to triage, prioritize, and communicate risk consistently.

That has real implications. If this framework (or something like it) gets adopted, it becomes the language that regulators, procurement teams, and incident responders use when AI systems are involved in a breach. It changes how liability gets discussed.

The fact that they're publishing it openly and asking for feedback at cyber-safeguards@anthropic.com suggests this is a genuine standards-building effort, not just a PR move.

What to do

  • Security researchers: The HackerOne program is live. If you find jailbreaks in Fable 5, this is the official path.
  • Teams evaluating Claude Fable 5: Expect more false positives on cybersecurity-adjacent prompts than previous models. The larger safety margin is intentional.
  • AI/security policy folks: The CJS framework is a draft and Anthropic explicitly wants critique. Worth engaging with now before it hardens.
  • Everyone else: This is early infrastructure for how the industry will eventually talk about AI risk to governments. Worth understanding the shape of it.

Source: Anthropic — More details on Fable 5's cyber safeguards and our jailbreak framework

✏️ Drafted with KewBot (AI), edited and approved by Drew.

Top comments (0)