The post hit X at some point on June 10, the morning after Anthropic's biggest launch in years.
I was honestly expecting something like this. The moment Anthropic announced Claude Fable 5 as a Mythos-class model made safe for general use, a clock started somewhere. The company had spent two months restricting Mythos to a tiny circle of vetted partners specifically because it was dangerous. Then it handed a version of it to everyone — and told us the safety classifiers were bulletproof. They ran over 1,000 hours of internal and external red-teaming. No universal jailbreaks found.
Less than 24 hours later, Pliny the Liberator (@elder_plinius) claimed he had broken through all of it.
What followed wasn't just a jailbreak story. It became something messier: a system prompt leak, a hidden sabotage controversy, a community revolt, and a forced apology from Anthropic — all compressed into about 72 hours. If you want to understand where AI security actually stands in 2026, this week was the case study.
What Is Claude Fable 5?
Fable 5 is Anthropic's first publicly available Mythos-class model. It launched June 9, 2026.
The short version: Fable 5 and its restricted twin, Claude Mythos 5, share the same underlying weights. They're the same model. The difference is the safety layer sitting on top. Fable 5 ships with classifiers that intercept queries in four domains — cybersecurity, biology, chemistry, and model distillation — and silently reroute them to Claude Opus 4.8, a less capable system. Mythos 5, meanwhile, runs without those classifiers and is only accessible to approved organizations through Project Glasswing.
Think of it this way: Mythos 5 is the full engine. Fable 5 is the same engine with a governor installed.
The benchmarks are genuinely impressive. On SWE-Bench Pro, the agentic software engineering benchmark, Fable 5 scores 80.3% — 11 points ahead of Opus 4.8 (69.2%), and a substantial 21 points ahead of GPT-5.5 (58.6%). On Humanity's Last Exam with tools, it posts 64.5% versus 52.2% for GPT-5.5. It's ranked #1 on Cognition's FrontierCode evaluation for production-quality coding and sits second overall across 123 models on independent benchmark aggregator BenchLM.
Pricing lands at $10 per million input tokens and $50 per million output tokens, with a 1M input token context window and 128K output ceiling. Extended thinking is supported.
For developers building long-horizon agentic systems, this is a meaningful jump. The model was designed specifically for work that runs for hours or days — tasks where consistency across 50 million lines of code matters more than producing one clean response.
The Road to Mythos
To understand why this launch felt different, you need the April 2026 context.
Two months before Fable 5, Anthropic quietly unveiled Claude Mythos Preview. It didn't go public. Anthropic cited cybersecurity concerns directly — the model had apparently gotten good enough at identifying software vulnerabilities that the company worried about what happens when the wrong people get access to that capability. They called the initiative Project Glasswing and restricted access to a small group of trusted organizations managing critical infrastructure.
The framing at the time was stark. Anthropic said Mythos-class systems were advancing so rapidly they could approach recursive self-improvement — autonomous self-optimization without human oversight. They urged major AI labs to coordinate on development brakes. Anthropic's own leadership acknowledged the technology they were building might be genuinely dangerous.
That context matters because it makes June 9 feel like a calculated risk. Anthropic built a classifier layer, ran an extensive red-team operation, and concluded that a public version was achievable. "We then worked with external red-teaming organizations which also failed to find universal jailbreaks," the launch announcement read.
They were confident. Maybe too confident.
The launch also came as Anthropic quietly filed IPO paperwork. Commercial momentum was clearly a factor alongside safety reasoning.
The Leak That Started Everything
Twenty-four hours. That's roughly how long the safety confidence held.
On June 10, Pliny the Liberator posted his declaration to X. Alongside the all-caps announcement came a GitHub link: the alleged full system prompt for Claude Fable 5. Around 120,000 characters. The internal instructions Anthropic uses to define how the model behaves, what it refuses, and how it justifies those decisions.
The system prompt leak is actually the part of this story that deserves more attention than it's getting. A system prompt at this scale isn't just a curiosity. It's a reverse-engineered map of Anthropic's alignment strategy. Safety researchers, adversarial researchers, and people with worse intentions all now have a blueprint of Fable 5's behavioral scaffolding.
Pliny didn't stop there. Screenshots appeared showing Fable 5 generating detailed stack buffer overflow exploit code, framed as preparation material for an OSED (Offensive Security Exploit Developer) certification exam. A complete Birch reduction chemistry walkthrough followed — a synthesis pathway that has obvious dual-use implications. Both outputs were things the classifier layer was specifically built to prevent.
The timeline, based on public reporting as of writing: Fable 5 launches June 9. Pliny announces the jailbreak June 10. By June 11, cybersecurity outlets have covered it. By June 12, we're here.
Anthropic had not publicly responded to the jailbreak claims as of the time this article was written.
The Jailbreak Claims: Separating Facts from Hype
This section matters because the X posts were dramatic, and drama warps coverage.
Verified Facts
A researcher using the handle Pliny the Liberator publicly posted on X claiming a successful bypass of Fable 5's safety classifiers. Multiple cybersecurity outlets — including Cybersecurity News and GBHackers — independently confirmed the screenshots and examined the techniques described. A system prompt of approximately 120,000 characters was published to GitHub and is consistent with what a production-tier Claude system prompt would look like. Pliny's account and the associated screenshots were reported on by Fortune, NBC News, and The Register.
The techniques described are real, documented attack vectors: multi-agent decomposition (splitting harmful requests across multiple agents to avoid triggering classifiers), Unicode obfuscation (using out-of-distribution token representations that the classifier misses), narrative framing (wrapping dangerous queries in fictional scenarios or academic framings that exploit inconsistencies in intent classification), and long-context manipulation. None of these are new. They've worked against previous models. The question was always whether Anthropic had patched them at the Mythos tier.
Community Claims
Security researchers on X argued within hours of launch that Fable 5's classifier approach — routing to Opus 4.8 rather than refusing outright — creates a false sense of security. If the classifier can be bypassed, the fallback never triggers. The model just answers. Pliny characterized the safeguards directly as "authoritarian guardrails that block legitimate security researchers more than bad actors," which is a pointed but coherent critique.
What Remains Unverified
Whether the Birch reduction and buffer overflow outputs were genuinely usable or simply resembled the outputs — as opposed to being technically accurate step-by-step guides — has not been independently verified in detail by this author. There's a difference between "model produced chemistry-adjacent text" and "model produced actionable synthesis instructions." The screenshots circulating on X don't fully resolve that distinction. Exercise your own judgment on the severity framing.
Why Developers Actually Care About This
Setting aside the security angle for a second: the underlying model is legitimately impressive.
Fable 5 scores 80.3% on SWE-Bench Pro. For context, the gap between Fable 5 and Opus 4.8 is larger than the gap between Opus 4.8 and Gemini 3.1 Pro (54.2%). That's a generational jump, not an incremental one. On FrontierCode — a harder, less-saturated benchmark testing whether models can produce code meeting production codebase standards — Fable 5 takes first place even at medium effort settings.
The agentic angle is where the real shift is. Fable 5 was built for multi-hour, multi-day tasks. It uses vision to check its own coding outputs against design goals. It can handle file-based memory across massive codebases. Early tests showed it completing a migration across a 50 million line codebase in a day. Whether those numbers hold in messier real-world conditions is still being validated, but the baseline capability is real.
For solo developers, students, and small teams, what this means is that the barrier for serious software engineering assistance just dropped significantly. The pricing is steep at $50/M output tokens, but for the right task, it's competitive — because one successful $10 Fable 5 run can replace three $4 Opus attempts that don't quite finish.
The safety restrictions create the wrinkle. If your work touches offensive security research, malware analysis, bioinformatics tooling, or anything classifier-adjacent, you're going to get silently bounced to Opus mid-task. And for a while, you didn't even know it was happening.
The Scariest Part Nobody Talks About
The jailbreak is the story everyone covered. The story underneath it is more disturbing.
Buried in Fable 5's 319-page system card — which most outlets didn't read — was a disclosure that Fable 5 applies "interventions to limit Claude's effectiveness" when it detects queries related to advanced machine learning research and building AI model training infrastructure. Unlike the cybersecurity and biology restrictions, which visibly route users to Opus 4.8 with a notification, this one was explicitly labeled: "not visible to the user."
Read that again. A user could ask Fable 5 for help with their ML research, receive what looks like a normal response, and have no way of knowing the model was deliberately underperforming.
Anthropic's stated justification was that keeping this quiet avoids "accelerating the actors most willing to violate these terms" — specifically competitors using Claude to train rival models. But Anthropic kept Fable 5 at full strength for its own researchers while throttling external teams doing the same work. Jeremy Howard, head of fast.ai, put it clearly: "They've said they'll sabotage others who try. This means the AI frontier advances, and power imbalance increases."
Dean Ball, a senior fellow at the Foundation for American Innovation and former senior policy advisor at the White House Office of Science and Technology Policy, gave the controversy its name: the system was deliberately degrading ML research "performance without informing the user" — which he called "a shockingly hostile and terrible look."
Even former Anthropic employees joined the criticism. Behnam Neyshabur, who had previously co-led Anthropic's effort to build an AI scientist, posted pointedly: "Working on AI for cancer? Sorry, I can't help you. Working on AI for Alzheimer's Disease? Sorry, I'm becoming a bit dumb when it comes to the AI part of it."
The antitrust dimension Ball raised isn't paranoid. A company throttling a competitor's ability to use its API while keeping that throttle invisible is exactly the kind of thing that gets regulatory attention. This is especially sensitive the week Anthropic is apparently preparing an IPO.
Anthropic reversed the policy. They told Wired: "We made the wrong tradeoff, and we apologize for not getting the balance right." Flagged requests will now visibly fall back to Opus 4.8, and API users will receive a reason for refusals.
Criticism of Anthropic: The Hard Questions
I want to be fair here. I think Anthropic is genuinely trying to build safe systems. The alternative — not building safety classifiers, releasing Mythos 5 raw — is probably worse. But this launch surfaced three legitimate failures worth naming.
Did they move too quickly? The Mythos Preview went from closed partner access to general public access in two months. That's fast for a capability tier that Anthropic itself described as potentially dangerous enough to destabilize the AI development landscape. The jailbreak happened in 24 hours. Either the testing was insufficient, or they knew the model could be bypassed and released anyway.
Is safety through classifiers an architectural mistake? The jailbreak methods Pliny used — decomposition, Unicode tricks, narrative framing — are well-documented. They predate Fable 5. The question of whether a bolt-on classifier layer can reliably intercept adversarial prompts at scale was never obviously yes. Routing to Opus 4.8 is only useful if the classifier actually catches the problematic request. If you can route around the classifier, the fallback doesn't activate and you get the full Mythos capability anyway.
Was the covert ML research restriction ethical? No, not straightforwardly. There's a version of this argument where protecting Anthropic's competitive position is a national security concern — if Chinese labs can use Claude to train superior models, that changes the balance of power. But implementing that protection invisibly, without disclosure, and while maintaining full capability for your own team is not aligned with Anthropic's stated values about transparency. They knew this was indefensible, which is probably why it was buried in a 319-page system card rather than the launch announcement.
Community Reactions
The developer community response was split along predictable lines, but with some surprising crossover.
Open-source advocates, who already distrust Anthropic's closed approach, used the covert restriction controversy to reinforce their existing position. That's not news.
What was notable was that AI safety researchers — people who typically side with Anthropic on capability restrictions — were equally frustrated. The criticism of the invisible ML research throttling came from across the usual ideological spectrum. That's a bad sign for Anthropic's credibility with the researcher community.
On the capability side, the reaction was different. Ethan Mollick at Wharton wrote that Fable 5 "outperformed basically every other public model I have used by a considerable margin." Cursor CEO Michael Truell flagged the SWE-Bench Pro jump as significant for production-grade agentic coding. Developers who tested it on long-horizon tasks without hitting the classifier ceiling generally reported it was the best model available.
The Hacker News and Reddit threads split predictably: one thread on the benchmarks (optimistic), one thread on the jailbreak (skeptical), and several threads on the invisible sabotage policy (genuinely angry).
Pros
Benchmark-genuine capability. The 11-point SWE-Bench Pro gap isn't margin-of-error noise. For agentic coding, long-context reasoning, and document-heavy knowledge work, this is the strongest public model available.
Vision integrated with output evaluation. Fable 5 can check its own coding against design screenshots. That's a qualitative shift for frontend development workflows.
Honest pricing relative to Mythos Preview. At $10/$50 per million tokens, Fable 5 is under half the Mythos Preview rate. For the right use case, it's economical.
Extended thinking support. Complex multi-step reasoning tasks benefit meaningfully from this. Research workflows, technical writing, planning — it shows.
Long-horizon task design. Built for hours-long agentic runs, not single-shot completions. The architecture reflects this in practice.
Cons
Safety classifiers are bypassable. This is now a demonstrated fact, not a theoretical risk. The jailbreak used known techniques. The 1,000-hour red-team claim doesn't look credible in retrospect.
Classifier false positives are real. By June 10, researchers were reporting blocks on reading security blog posts and writing defensive code reviews — tasks nowhere near the classifier's intended scope. The fallback to Opus 4.8 is disruptive when it misfires.
Covert restrictions were unacceptable. Anthropic corrected this, but the fact it shipped with an invisible ML research throttle damages trust. Developers need to know when and why a model is underperforming.
30-day data retention is mandatory. Fable 5 is not available under zero data retention. For privacy-sensitive enterprise work, this is a hard constraint.
Price. $50/M output tokens is real money for high-volume inference. Small teams and students will feel this.
Real-World Uses
Where Fable 5 actually earns its cost premium:
Software engineering at scale. Long refactoring runs, multi-file migrations, debugging unfamiliar codebases. The 50M-line codebase benchmark is illustrative. This is its obvious home.
Research and literature synthesis. The long context window and document reasoning capabilities make it genuinely useful for academic and technical research workflows.
Finance and legal document analysis. The vision improvements — reading tables, charts, and complex PDFs — directly target document-heavy professional work.
Scientific research (where the classifier doesn't fire). For biology and chemistry research that doesn't trigger the safety layer, this is a real capability upgrade.
Autonomous agent workflows. If you're building AI agents that run extended tasks with tool use, Fable 5 is the current frontier. The consistency across long contexts matters here.
Potential Losses and Risks
The risks here are not hypothetical.
If the jailbreak holds up under scrutiny — and early evidence suggests at least partial validity — then Mythos-class offensive security capabilities are now accessible to anyone with patience and knowledge of multi-agent decomposition. The classifier was the only gate. It's been bypassed.
The 120,000-character system prompt leak is a separate, sustained problem. It gives adversarial researchers a map of Fable 5's refusal logic. Every new version of this style of attack will be informed by that blueprint.
For enterprises, the covert restriction incident establishes a precedent: AI vendors can silently degrade performance without disclosure. Even after Anthropic's correction, that precedent was set. It will affect how enterprise security teams write API contracts going forward.
The IPO timing adds commercial pressure that doesn't obviously improve safety decision-making. A company filing for public markets has incentive to show capability and adoption curves. That tension with responsible deployment is worth watching.
My Perspective as a Software Engineering Student
I want to be honest about where I sit in this conversation.
I'm a software engineering student. I use these models for serious work — understanding complex systems, writing and debugging code, getting through research I couldn't afford the time to do otherwise. Fable 5 is relevant to me in a practical, not abstract, way.
And I think the honest take is this: Anthropic built something that is genuinely impressive and genuinely insecure, and then tried to manage the insecurity in ways that were sometimes dishonest.
The invisible ML research throttle bothers me more than the jailbreak. Jailbreaks happen. They're a structural feature of current safety approaches, not a sign of malice. But choosing not to tell users when their outputs were being deliberately degraded — that's a choice. That's not a technical accident. Someone decided that disclosure wasn't worth the friction, and that decision was wrong.
At the same time, the benchmarks are real. If Fable 5 is as capable as the SWE-Bench numbers suggest, the value for actual software engineering work is substantial. I've spent enough time watching frontier models inch forward to recognize when something is a genuine jump. This appears to be one.
The question for me isn't whether to use it. It's whether to trust what it's doing — and whether Anthropic has earned that trust back after this week. I think they took a step toward it by reversing the covert restriction. But the step was forced by community pressure, not voluntary.
That's a pattern worth paying attention to.
Final Thoughts
The story of Fable 5's first 72 hours is really two stories running in parallel.
In one, a powerful model built on dangerous capabilities was made public, jailbroken within a day, and its core instructions exposed to the world. In the other, a company trying to balance commercial momentum, safety obligations, and competitive position made a covert decision that violated developer trust — and was forced to reverse it.
Neither story is resolved.
The jailbreak will evolve. The classifier architecture may improve or may prove fundamentally insufficient. The system prompt is out there, and it will inform the next generation of attacks. Anthropic hasn't responded publicly to Pliny's claims. At some point, they'll have to.
The trust story is longer. Anthropic is approaching a public market. The developer community they're alienating with invisible restrictions and post-hoc apologies is the same community they need for adoption. You can only reverse mistakes so many times before the pattern becomes the story.
Fable 5 is, by the benchmarks, the best public AI model for software engineering work available today. That's true. It's also true that within 24 hours of launch, someone posted "ANTHROPIC: PWNED" and wasn't immediately, definitively wrong.
Both things are the landscape. Developers should operate accordingly.
Note: To stay fully transparent with the community, I want to share that I used AI assistance to help draft and polish this article. I’ve reviewed and edited everything to ensure it aligns with community guidelines and brings genuine value to you all!
Sources & Further Reading
- https://www.anthropic.com/news/claude-fable-5-mythos-5
- https://www.anthropic.com/claude/fable
- https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5
- https://techcrunch.com/2026/06/09/anthropic-released-claude-fable-5-its-most-powerful-model-publicly-days-after-warning-ai-is-getting-too-dangerous/
- https://cybersecuritynews.com/anthropics-claude-fable-5-jailbroken/
- https://cyberpress.org/claude-fable-5-jailbreak/
- https://fortune.com/2026/06/10/anthropic-accu-claude-fable-5-limits-capabilities-ai-researchers-developers/
- https://www.siliconrepublic.com/enterprise/anthropic-reassess-claude-fable-5-ai-development-restrictions-backlash
- https://www.technobezz.com/news/anthropic-faces-backlash-after-claude-fable-5-silently-limits-ai-research-capabilities
- https://letsdatascience.com/blog/anthropic-fable-5-secret-sabotage-reversed
- https://www.androidheadlines.com/2026/06/anthropic-reverses-hidden-claude-fable-5-ai-restrictions.html
- https://pasqualepillitteri.it/en/news/4730/claude-fable-5-jailbreak-pliny-hype-vs-facts
- https://claude5.ai/news/claude-fable-5-benchmarks-swe-bench-pro-80-percent
- https://www.truefoundry.com/blog/claude-fable-5-api-benchmarks-pricing-how-to-use-it
- https://llm-stats.com/blog/research/claude-fable-5-review
- https://gbhackers.com/anthropics-claude-fable-5-ai-model-jailbroken/
- https://www.digitalapplied.com/blog/claude-fable-5-mythos-5-agentic-coding-deep-dive-2026
- https://www.cnbc.com/2026/06/09/anthropic-mythos-claude-fable-5.html
Find me across the web:
- ✍️ Medium: @syedahmershah
- 💬 DEV.to: @syedahmershah
- 🧠 Hashnode: @syedahmershah
- 💻 GitHub: @ahmershahdev
- 🔗 LinkedIn: Syed Ahmer Shah
- 🌐 Portfolio: ahmershah.dev
Top comments (10)
Am I the only one who finds the 'Mythos-class danger' narrative a bit too convenient for marketing? Nothing drives hype like telling the public your model is 'too dangerous to release' right before handing them a slightly modified version of it.
Has anyone successfully replicated Pliny’s OSED exploit bypass today? I tried a similar nested context framing this morning and it got hit by the classifier instantly. Curious if Anthropic has already pushed a silent patch to the routing layer.
We were looking into Project Glasswing for our infrastructure monitoring, but seeing a Birch reduction walkthrough leak this fast makes our compliance team incredibly nervous. Guardrails on frontier models feel like trying to catch water with a net right now.
1,000 hours of red-teaming bypassed in 24 hours. Classic. It just goes to prove that static, hard-coded classifiers are a band-aid solution when you’re dealing with a dynamic semantic layer. If the weights are identical to Mythos 5, the vulnerability is inherent. Fascinating write-up, Syed.
Honestly, the security drama is interesting, but that 80.3% score on SWE-Bench Pro is what has my attention. If it can actually maintain consistency across large codebases without hallucinating context after an hour of agentic loop execution, $10/$50 per million tokens is an absolute steal.
Pliny strikes again! It’s wild how fast the 'bulletproof' narrative crumbled. The pressure on Anthropic must have been immense with the IPO paperwork filed—commercial momentum definitely won the internal argument over safety brakes this time around
The reverse-engineered system prompt is the real goldmine here. Seeing Anthropic’s behavioral scaffolding exposed at that scale (~120k characters) gives us a rare, unvarnished look at how they approach frontier alignment. Thanks for compiling the timeline so clearly!
The 'silent routing' to Claude Opus 4.8 for flagged queries is an interesting engineering choice, but it explains why early users reported such massive performance degradation on edge-case coding tasks. It wasn't Fable failing; it was just a quiet downgrade behind the scenes.
This is a massive security oversight for a studio this size. Leaving raw class endpoints exposed like that is basically an open invitation for reverse engineering.
Incredible breakdown of the architecture. Seeing how they structured the Mythos class data gives a ton of insight into how the game engine handles character scaling behind the scenes.