Fable 5 is back. And a growing number of security practitioners are noticing that it came back different — not just with a new classifier, but with a fundamentally restructured stance toward the dual-use security work that defenders do every day. Anthropic published a detailed safeguards document on July 2 laying out exactly what Fable 5's classifiers are and are not designed to block. The taxonomy is more specific than anything the company has published before, and it deserves a close read from anyone who has been using Claude for security work.
The short version: penetration testing, exploit development, privilege escalation, lateral movement, and high-uplift vulnerability discovery are now explicitly in the "High-Risk Dual Use" category — blocked pending better authorization controls. The model that many security practitioners were using as a capable assistant for offensive-side defensive work came back with that assistance turned off. Whether that was the right call, and what you can still do with Fable 5, is what this post addresses.
What Changed: The Four-Tier Taxonomy
Anthropic's July 2 safeguards document organizes Fable 5's classifier behavior into four categories. This is the clearest public documentation any frontier AI lab has published about what a model will and will not help with in the security domain, and it is worth mapping precisely.| Category | What It Covers | Classifier Behavior |
|---|---|---|
| Prohibited Use | Ransomware, wipers, malware development and delivery, C2 infrastructure, defense evasion techniques, cyber-physical sabotage (ICS/SCADA), internet backbone attacks (BGP hijacking, DNS/CA compromise) | Always blocked — high harm-to-benefit asymmetry, no legitimate defensive use case justifies assistance |
| High-Risk Dual Use | Penetration testing, exploitation, credential attacks (brute force, spraying, stuffing, theft), authentication bypasses, privilege escalation, lateral movement, persistence, exploit development and weaponization (including zero-click and memory-corruption work), VM/container escapes, high-uplift vulnerability discovery | Blocked for now — pending better authorization controls that can distinguish known good actors |
| Lower-Risk Dual Use | Standard vulnerability scanning, known CVE analysis, security architecture review, CTF challenges, security research on isolated test systems, code review for vulnerabilities | Generally allowed — lower misuse potential, high defensive value |
| Benign | SOC analysis, log analysis, incident response, threat intelligence, malware reverse engineering for detection, defensive configuration, security awareness content, compliance documentation | Fully allowed — clear defensive purpose, low misuse risk |
The High-Risk Dual Use category is where the "neutered" criticism is coming from, and it is not unfair. Penetration testing is not a fringe security activity — it is a core component of any mature security program, mandated by HIPAA Security Rule requirements for technical evaluation of systems, required by PCI DSS, and standard practice for any organization doing meaningful security assurance work. The same is true for privilege escalation, lateral movement, and exploit development in authorized assessment contexts. These are the tools of the trade for the offensive side of defensive security.
The Mechanism: Quiet Redirect, Not Hard Refusal
One detail in the safeguards architecture that deserves attention is how Fable 5 handles High-Risk Dual Use requests — not with a direct refusal, but with a redirect. When the classifier triggers, Fable 5 stops responding and the request routes to Opus 4.8 instead. The user is notified. Anthropic frames this as defense in depth: the triggered request goes to a model with a much lower capability ceiling rather than being processed and refused by Fable 5 itself.For practitioners, the operational implication is worth understanding. You may not always receive a clear "I can't help with that" response. Depending on the request framing, you may find yourself receiving an Opus 4.8-level response without realizing the redirect occurred. If you are working on a security task and the responses suddenly feel less capable — missing nuance, less technically precise — the classifier may have triggered. That is a diagnostic signal worth recognizing.
There is also a documented false positive rate. Anthropic explicitly acknowledges that legitimate programming, debugging, and defensive security requests are now more likely to be flagged incorrectly under the tightened classifiers. The tradeoff, as they describe it, is a deliberately larger safety margin that accepts more false positives in exchange for more robust blocking of the targeted behavior. Researchers from NIST CAISI confirmed the safeguards are "extraordinarily strong" — which is accurate from a blocking effectiveness standpoint and is also precisely the concern practitioners are raising.
What Anthropic Says About the Tradeoff
Anthropic's framing of the High-Risk Dual Use category is honest about the problem they have not yet solved: Many of these activities are performed during a valid security assessment, penetration test, or red team engagement: gaining access through unexpected means, escalating privileges, moving laterally, developing an exploit. They are high-risk precisely because they are designed to emulate malicious activity. What separates the legitimate case from the harmful one is context: who is doing the work, and under what authorization? For Fable 5, we expect to block these types of actions until we have better controls to limit access to known good actors.That last sentence — "until we have better controls to limit access to known good actors" — is both the honest admission and the open problem. The authorization verification challenge is real. An AI model cannot currently verify that a user asking for exploit development assistance is a credentialed penetration tester working under a signed statement of work rather than a threat actor. Without that verification, the classifier applies the same block to both. The jailbreak severity framework being developed with Amazon, Microsoft, and Google is part of the longer-term answer — but it is not implemented yet, and Fable 5 is shipping with the conservative interim posture in place.
Mythos 5 Is the Difference That Matters
The Fable 5 restriction does not mean Anthropic has abandoned defensive security use cases at the capability level practitioners need. It means those use cases are now explicitly separated into the Mythos 5 tier. Claude Mythos 5 can be used to find and exploit software vulnerabilities more effectively than any other model — and all but the most skilled human security experts. These prodigious cybersecurity capabilities make it uniquely attractive to malicious actors who wish to misuse it in cyberattacks. Claude Fable 5, however, provides no such unique offensive capabilities.That separation is a deliberate architectural decision, not an accident. Anthropic's model is: Mythos 5 carries the full offensive capability set and is restricted to vetted critical infrastructure defenders and Glasswing partners. Fable 5 carries the general-purpose intelligence with cybersecurity offensive capabilities explicitly removed. The two-tier structure is the answer to the authorization problem — Mythos 5 access is the "known good actor" verification mechanism that Fable 5's classifier lacks.
For healthcare security teams, the practical implication follows directly: if your security program needs the offensive-side capabilities that are now blocked in Fable 5 — penetration testing assistance, exploit development for authorized assessments, high-uplift vulnerability discovery — the path is Mythos 5 access through the critical infrastructure authorization channel, not working around Fable 5's classifiers.
What You Can Still Do With Fable 5
The Benign and Lower-Risk Dual Use categories cover a significant portion of day-to-day security work, and it is worth being specific about what remains available rather than only focusing on what was removed.Fully available in Fable 5: SOC analysis and log review, incident response documentation and investigation support, threat intelligence analysis and synthesis, malware reverse engineering for detection signatures, security architecture review and documentation, defensive configuration guidance, compliance documentation (HIPAA Security Rule analysis, risk register entries, policy drafting), code review for vulnerability identification, CVE analysis and known vulnerability research, security awareness content development, and CTF challenge assistance.
The Benign category maps well onto the governance, documentation, and analytical work that consumes a significant portion of most security teams' time. The pain point is specifically in the hands-on offensive assessment work — the tasks where AI assistance was beginning to provide meaningful acceleration before the classifier tightened.
What This Means for Healthcare
Your Pen Test Workflow Just Lost an Assist
Healthcare organizations running internal penetration testing programs or managing third-party pen test engagements have been incorporating frontier AI assistance into both the assessment execution and the documentation phases. The execution assistance — helping develop exploitation paths, identifying privilege escalation routes, generating proof-of-concept code for authorized testing — is now in the High-Risk Dual Use blocked category for Fable 5. If your security team or your pen test vendors have been using Fable 5 for that work, they are now working without that capability until either Mythos 5 access is established or Anthropic develops the authorization verification framework it has committed to building.The HIPAA Technical Evaluation Requirement Has a Tool Gap
The HIPAA Security Rule's Technical Safeguards standard (§164.312) requires covered entities to implement procedures to test and revise security measures. Most healthcare security programs interpret this as requiring periodic penetration testing and vulnerability assessment of systems that handle ePHI. The tools and assistance practitioners use to conduct that testing now have a material capability gap in the most widely available frontier AI tier. This is not a compliance violation — the rule requires the testing, not any specific tool. But it is a practical gap that healthcare security teams doing that work should account for in their testing methodology documentation.The Mythos 5 Access Path Is the Right Long-Term Answer
Healthcare and public health is a CISA-designated critical infrastructure sector. The June 27 authorization that partially restored Mythos 5 access was specifically targeted at organizations that operate and defend critical infrastructure. Large healthcare systems — health networks operating hospitals, clinical systems, and patient data infrastructure at scale — fit that designation. The path to restoring the offensive-side AI assistance that Fable 5 has removed is pursuing Mythos 5 access through the critical infrastructure channel, not expecting Fable 5's classifier to be loosened in the near term. Anthropic has been explicit that the High-Risk Dual Use block is "until we have better controls" — which signals a medium-term timeline, not an imminent change.Document the Gap for Your Risk Register
The Fable 5 capability reduction is a material change to a tool many healthcare security teams have been using in production security workflows. That change belongs in your AI asset inventory and risk register as a documented capability reduction — not because it creates a new risk, but because the gap it creates in your assessment toolkit is a change from your prior documented posture. If your risk register previously noted that AI-assisted penetration testing was part of your technical evaluation methodology, that entry needs updating to reflect the current tool capability and the interim approach while Mythos 5 access is pursued.False Positives Will Affect Defensive Work Too
Anthropic's own documentation acknowledges that the tightened classifiers will generate more false positives on legitimate security requests. For healthcare security teams using Fable 5 for SOC analysis, log review, or malware reverse engineering — tasks explicitly in the Benign category — some requests that should be answered will trigger the classifier instead. The most practical interim approach is explicit defensive context framing at the start of a session: establishing that you are analyzing a malware sample for detection signature development, or reviewing logs from a suspected incident, gives the classifier context it can use to reduce false positive rates. This is not a guaranteed solution but it is the most effective technique available while Anthropic refines the classifier.The Feedback Channel Is Open — Use It
One specific and actionable item from Anthropic's July 2 post: Anthropic is actively soliciting feedback on the safeguards taxonomy at cyber-safeguards@anthropic.com. They describe the current document as reflecting their "current thinking" and explicitly invite discussion across academia, industry, civil society, and government about where the lines should be drawn.Healthcare security practitioners are exactly the population whose feedback on the High-Risk Dual Use category matters most. The authorization verification problem Anthropic describes — distinguishing a credentialed pen tester working under a signed SOW from a threat actor — is a problem your professional community has solved in the analog world through certifications, licensing, scope-of-work documentation, and professional liability frameworks. Input from practitioners who live in that context, about what verification mechanisms would be meaningful and what false positive rates are operationally acceptable for clinical security workflows, is more useful than most of what Anthropic is likely to receive. If the High-Risk Dual Use classification is affecting your work, telling Anthropic specifically how and why is the most direct path toward influencing where those lines get redrawn.
The Bigger Picture
The "neutered" characterization circulating among security practitioners is understandable and not entirely wrong. A frontier AI model that previously assisted with penetration testing, exploit development, and high-uplift vulnerability discovery now doesn't — for documented policy reasons that have nothing to do with the technical capability of the underlying model. The capability is still there, at the Mythos 5 tier. The access pathway for most practitioners has changed.What is worth holding alongside that frustration is that Anthropic has published the most transparent and specific documentation of AI cybersecurity classifier behavior that any frontier lab has produced to date. The four-tier taxonomy, the explicit acknowledgment of the false positive tradeoff, the open feedback channel, and the commitment to building authorization verification controls are all evidence of an organization trying to solve a genuinely hard dual-use problem in public. The current posture is conservative and creates real gaps for legitimate security work. The direction of travel — Mythos 5 for vetted practitioners, Fable 5 for general use with tightened classifiers, authorization frameworks in development — is the right architecture. The gap between where that architecture needs to be and where it is today is the frustration practitioners are expressing, and it is legitimate.
For healthcare security teams, the immediate priorities are clear: document the Fable 5 capability change in your AI asset inventory, pursue Mythos 5 access through the critical infrastructure channel if offensive-side AI assistance is part of your program, use defensive context framing to reduce false positives on Benign-category work, and submit feedback to Anthropic on where the current High-Risk Dual Use classification is creating unacceptable gaps in legitimate security workflows. The authorization verification problem will get solved — the question is how much practitioner input shapes the solution.
This is entry #48 in the AI Security Series. For related coverage, see AI Security Series #47: Fable 5 Restored and the Jailbreak Severity Framework.
Key Links
- Anthropic: More Details on Fable 5's Cyber Safeguards and Our Jailbreak Framework (Primary Source)
- CybersecurityNews: Anthropic Details Claude Fable 5 Cybersecurity Safeguards and Jailbreak Framework
- Infosecurity Magazine: Fable 5 and Mythos 5 Are Back With New Security Guardrails
- HackerOne: Anthropic Cyber Jailbreak Bug Bounty Program
- HHS: HIPAA Security Rule — Technical Safeguards Reference
- Alex Stamos on X
- bregg.com: Fable 5 Restored and the Jailbreak Severity Framework (July 1)