A Borderline Finding, a Global Shutdown
The backstory to this framework is a cautionary tale about what happens when the industry has no shared way to describe risk. In mid-June, Amazon researchers found a jailbreak that got Claude Fable 5 to flag software vulnerabilities and, in at least one case, write exploit-demonstration code. The US Commerce Department responded with an export-control order that pulled Fable 5 and the larger Mythos 5 offline worldwide, from June 12 until access was restored around July 1. A capability that many argued sat within normal bounds for a security tool became the trigger for a roughly three week global outage of a frontier model, with all the enterprise disruption that implies.
That outcome exposed a real gap. When a safety finding lands, there is currently no agreed vocabulary to say whether it is a minor curiosity or a genuine emergency, so a borderline result can escalate straight to the bluntest instrument available, in this case a worldwide shutdown ordered by a government. Notably, one outside reviewer, security researcher Katie Moussouris, pushed back hard on the framing, arguing that the behavior in question was not a guardrail bypass at all. In her words, it is the most valuable thing an AI model can do for defensive security. The disagreement over a single finding is exactly the problem the new framework is meant to solve.
What CJS Actually Measures
On July 2, Anthropic published the Cyber Jailbreak Severity framework, or CJS, a five-tier scale running from CJS-0, labeled Informational, up to CJS-4, labeled Critical. It rates any given jailbreak along four axes: capability gain, meaning how far a technique takes an attacker beyond the tools they already have; breadth, meaning how many distinct offensive tasks it enables; ease of weaponization, meaning how much effort it takes to turn the technique into a working attack; and discoverability, meaning how easily a threat actor could find it in the first place. The goal is a structured, repeatable triage rather than a gut call under pressure.
Crucially, the bands are exponential rather than linear, so each level is meant to represent several times more real-world risk than the one below it. That design choice is a hedge against the natural tendency to cluster everything in the middle of a scale. By forcing large gaps between tiers, CJS pushes assessors to reserve the top ratings for findings that are genuinely transformative for an attacker. For enterprise security teams, the appeal is obvious: a common rubric would let a vendor advisory, an internal red team, and a regulator all use the same words to mean the same thing, which is the precondition for any coordinated response that is faster than pulling a model offline.
Context Is the Whole Point
The cleverest feature of CJS is that severity depends on context rather than a fixed danger threshold. Anthropic's worked example uses Log4Shell, the notorious vulnerability disclosed in 2021. A jailbreak that surfaced Log4Shell before its public disclosure would score CJS-4, Critical, because at that moment it handed an attacker a genuine, novel weapon. The identical capability today, after Log4Shell became textbook knowledge documented in every security course, scores zero. Nothing about the model changed. What changed is the world's baseline knowledge, and CJS is built to track that difference.
This context sensitivity is what separates a serious framework from a compliance checkbox, and it directly addresses the Fable 5 dispute. If the flagged behavior mostly reproduced what a competent analyst or a weaker public model could already do, its capability gain is low, and under CJS it would not warrant an emergency response. The framework encodes the argument Moussouris was making, that value to defenders and danger to attackers are not the same thing, and that both depend on what is already known. For technology leaders, the lesson is that AI risk cannot be assessed in a vacuum, it has to be measured against the tools and knowledge already loose in the world.
Rivals Agree on a Common Language
What makes CJS more than a single vendor's opinion is the company it keeps. Anthropic built the framework with Amazon, Microsoft, and Google, under a coalition described in some reporting as Glasswing. Getting four fierce competitors to endorse a shared severity scale is unusual, and it reflects a shared interest that outweighs their rivalry: none of them wants a borderline finding at one lab to trigger a market-wide panic or a reflexive government shutdown. A common language turns an ambiguous scare into a scored, triaged event that everyone can reason about the same way.
The timing suggests this is heading toward something more formal. Reporting points to an announcement as early as the first week of August, with a target date around August 1 for a broader set of labs to adopt the scoring scale. That would move CJS from a proposal into something closer to an industry norm, and possibly a reference point for regulators still deciding how prescriptive to be. We read this as the AI industry trying to write its own rules of the road before those rules are written for it, a familiar pattern in technology governance. Whether it holds depends on whether the labs honor the scale when a finding lands on their own model.
The Classifier and the Bounty
Alongside the framework, Anthropic hardened the model itself. Fable 5 returned with a new safety classifier that blocks the specific flagged technique in more than 99 percent of cases, and requests that trip the classifier are routed to Claude Opus 4.8, a deliberately less capable model, so a suspicious query gets a weaker responder rather than an outright refusal or the frontier system. The company also runs a HackerOne bug bounty program aimed specifically at cyber vulnerabilities, inviting outside researchers to probe the guardrails in exchange for rewards rather than leaving discovery to adversaries or to a single partner's red team.
This layered response is a reasonable template, but it is not a cure. A 99 percent block rate still leaves a residual, classifiers can be evaded, and downgrading to a weaker model is a blunt fallback that will occasionally frustrate legitimate security work, exactly the defensive use cases Moussouris championed. For enterprises, the practical signal is that even the labs treat jailbreak resistance as a moving target managed with monitoring and bounties, not a solved problem. Any organization deploying these models should assume the same posture internally: continuous testing, clear escalation paths, and a severity vocabulary borrowed from efforts like CJS so that a finding gets triaged calmly rather than turned into a fire drill.
Why Enterprises Should Care About a Vocabulary
It is tempting to file CJS under safety-team esoterica, but the Fable 5 episode showed how quickly a lab's safety question becomes a buyer's operational problem. A model your teams depend on can vanish worldwide for weeks because there was no agreed way to say a finding was survivable rather than catastrophic. A shared severity scale is, at bottom, business continuity infrastructure. It gives everyone in the chain, vendor, customer, and regulator, a common basis for deciding whether a discovery warrants a patch, a rate limit, or a shutdown.
For CIOs and CISOs, the move to internalize is that AI risk management is maturing along the same path as traditional vulnerability management, which spent years building shared scoring before it became routine. Adopting a consistent way to rate AI jailbreaks, whether CJS becomes the standard or merely inspires one, will make incidents legible and responses proportionate. The alternative is the world we just witnessed, where a single ambiguous finding, absent any shared language to size it, took a frontier model offline for nearly three weeks. Vocabulary sounds like a small thing. In this case it was the difference between a triaged event and a global outage.


-3.png)
