On 2 July 2026, Anthropic published a detailed breakdown of the cyber safeguards that ship with Claude Fable 5, alongside a first draft of a framework for scoring how severe an AI jailbreak is. For Australian businesses that have been asking whether Claude is safe to use on security-sensitive work, this is the most concrete answer yet: a published list of what the model's safety systems block, what they allow, and how failures will be measured.
Claude Fable 5 returned to global availability on 1 July, so the timing is deliberate. Here is what the announcement says, and what it means if you are weighing Claude for work that touches your systems, your code or your customer data.
The safeguards are classifiers, not a blanket ban
Fable 5 ships with safety classifiers: separate AI systems that run alongside the model and watch for dangerous or potentially dangerous cybersecurity use. When a request looks harmful, the classifier blocks it. When it looks clearly safe, it goes through. The shift in the 2 July post is transparency. Anthropic has now published a detailed list of the harms those classifiers are, and are not, designed to prevent.
That changes the question you can ask a vendor. "Is it safe?" invites marketing. "Show me what it blocks" invites evidence. You can now read the published categories and evaluate Claude against your own risk register instead of guessing. Classifiers are also one layer of several: Anthropic pairs them with access controls, safety training in the model itself, and offline monitoring.
Cyber work is dual use, so Claude grades it into four categories
Most cybersecurity capability cuts both ways. Scanning your own codebase for vulnerabilities is defensive; the same capability pointed at someone else's systems is the start of an attack. Rather than block everything that looks like security work, Fable 5's classifiers sort requests into four categories, from the most clearly dangerous to the most clearly benign:
Prohibited use. Activities with little defensive value and high potential for harm, including malware development, ransomware, command-and-control infrastructure and exfiltration of stolen data. The classifiers are designed to block all of these.
High-risk dual use. Work that security professionals do every day, such as penetration testing, privilege escalation and exploit development. It is high-risk precisely because it emulates attacker behaviour, and Anthropic expects to block it until better controls exist to verify who is asking and under what authorisation.
Low-risk dual use. Activity that leans defensive, such as open source intelligence and finding vulnerabilities that existing tools can already find. Mostly monitored and allowed, though a share is deliberately blocked as a safety margin.
Benign use. Secure coding, debugging, log analysis, incident response, patch management and security training. Not intended to be blocked at all; any block here is a false positive.
The safety margin deserves a moment. Anthropic set the classifier boundary so that a request has to look very clearly safe to pass, which means some genuinely benign requests get blocked. For Fable 5 that margin is wider than on earlier models. The trade is honest: more false positives on defensive work in exchange for more confidence that a jailbreak cannot slip harmful requests through.
What stays open for defenders
One nuance matters for IT teams. Anthropic does not try to block vulnerability finding in general, because defenders depend on it. What it aims to block is high-uplift vulnerability finding, meaning flaws that no other widely available model or scanner can surface, along with the automatic generation of working exploits. If a standard tool can already find the bug, Claude is allowed to find it and help fix it too.
A shared language for how bad a jailbreak is
The second half of the announcement is a draft framework, developed with Anthropic's Glasswing partners, for scoring the severity of AI jailbreaks: the prompting techniques that bypass a model's safeguards. Right now there is no agreed standard, so a developer telling a regulator "we found a jailbreak" conveys very little.
The proposal is a Cyber Jailbreak Severity scale running from CJS-0 (informational) to CJS-4 (critical), scored on four axes: how much new capability the technique hands an attacker, how broadly it works across attack types, how easy it is to turn into a running attack, and how easy it is to discover. If that structure reminds you of CVSS scoring for software vulnerabilities, that is the point: a common scale lets vendors, researchers and governments discuss the same risk in the same terms.
The draft is open for feedback at cyber-safeguards@anthropic.com, and Anthropic has launched a HackerOne program where security researchers can submit cyber jailbreaks they discover in Fable 5 for review.
Why this matters for Australian businesses
Australian small businesses carry real cyber exposure. The Australian Signals Directorate's latest Cyber Threat Report put the average self-reported cost of cybercrime for a small business at around $49,600 per incident. Regulated sectors carry explicit obligations on top: APRA-regulated entities under CPS 234, and any business handling personal information under the Privacy Act. When you bring an AI tool into that environment, "trust us" is not a control you can show an auditor.
Three practical takeaways:
Map your intended Claude use cases against the four published categories. Log analysis, incident response and secure code review sit squarely in benign use; anything resembling penetration testing will be blocked for now.
Expect the occasional false positive on defensive work and plan for it, because the wider safety margin is a deliberate design choice rather than a bug.
If you operate under APRA, the Privacy Act or an industry security framework, file the published classifier detail with your vendor assessment. A documented, inspectable safeguard list is far easier to defend than a marketing page.
There is also a signal in who is doing this. A vendor that publishes its blocking criteria, invites public critique of its severity framework and pays researchers to break its own safeguards is behaving the way regulators want AI providers to behave. Standards in this space are still forming, and the companies helping to write them will be the ones already compliant when the rules land.
This is exactly the kind of detail we walk clients through when they ask how Claude handles security and dual-use risk. If that is a live question for your business, book a brainstorm with Automata AI.



