
Anthropic released Claude Fable 5, a "Mythos-class" model with extra safety layers for cybersecurity and biology. Within hours, a jailbreak artist called Pliny the Liberator claimed to have walked past them. Anthropic's response is the part you should actually pay attention to.
What You Need to Know: Anthropic launched Claude Fable 5 in mid-May 2026, a Mythos-class model that auto-falls back to the less capable Claude Opus 4.8 in high-risk domains. The well-known jailbreaker "Pliny the Liberator" claimed within hours to have bypassed Fable 5's safety layer using multi-agent prompting. Anthropic told SecurityWeek the post "does not demonstrate a jailbreak" — and pointed to its independent classifier systems as the actual safeguard, not the model itself.
Anthropic made Claude Fable 5 generally available on May 13, 2026, billing it as a Mythos-class model with extra guardrails in two domains: cybersecurity, where it could be used to develop exploits, and biology, where it could in theory be used to develop bioweapons or chemical weapons. In both, the model automatically falls back to Claude Opus 4.8 — a less capable but more controlled previous-generation model.
Anthropic's framing of Mythos matters here. Mythos is the underlying engine. Per SecurityWeek's coverage of the launch, Fable 5 sits in front of Mythos the way GPT-5 sits in front of the underlying GPT architecture — the consumer-facing model, not the raw capability. And Mythos itself has been documented turning N-days (known exploits) into N-hours (rapid exploit creation). That's the engine that, in the wrong hands, becomes a security problem. That's why Fable 5 exists.
Anthropic said it ran extensive internal and external red-teaming before launch. Fable 5 was designed to be the safe, deployable wrapper around an engine that the company itself does not consider safe to release raw.
Within hours of Fable 5's GA, an online researcher who goes by Pliny the Liberator — a well-known figure in the AI jailbreak community — posted on X that they had "liberated" Fable 5 using "sophisticated multi-agent prompting methods." They claimed to have elicited useful information on sensitive topics including cybersecurity, chemistry, psychological manipulation, and explosives. They published screenshots and a copy of what they say is the Fable 5 internal system prompt, hosted in their public CL4R1T4S GitHub repository.
The leak landed in the worst possible news cycle for Anthropic. A new Mythos-class model, "hackers crack it within hours," screenshots proving it. The story writes itself. The Register and most AI newsletters ran it as "yet another jailbreak" without digging into what was actually shown.
SecurityWeek reached out. The Anthropic spokesperson pushed back hard. Three points worth quoting:
1. "The demonstrated approach relies on coaxing the model to continue responding despite its conversational refusals, which is a well-known and longstanding limitation present in nearly all large language models." 2. "Its strongest protections against the most dangerous risks are enforced by independent classifier systems that operate separately from the model itself, meaning that overcoming the model's refusals does not disable these critical safeguards." 3. "Some outputs were not produced by Fable 5 at all, while those that were contained only general information already available in public sources, offering no meaningful uplift for real-world harm."
That last point is the kill shot. If the outputs are public-info, then the "jailbreak" produced nothing the model wasn't supposed to produce. The conversational refusal is a UX layer. The safety classifier is the actual safeguard. Pliny bypassed the first and didn't reach the second.
Headline writers will keep saying "hackers crack Claude." They have been since GPT-3. The substance this time is more interesting than usual. Anthropic is making a quiet architectural bet: the model's refusals are the user-experience layer, the classifier is the safety layer, and they are decoupled. That decoupling is the part that matters, because it means the conversation about "did the model say the bad thing" and "did the user get the bad answer" are finally different conversations.
The lesson for builders: stop trusting the model to be the safety mechanism. If you're shipping anything user-facing on top of an LLM, you need an independent classifier layer that watches the outputs and can block, redact, or fall back. The Mythos class is going to keep raising the stakes — Mythos turns N-days into N-hours — and "we told the model to be safe" is not a plan. Plan for the jailbreak. Plan for the leak. Plan for the next Pliny.
Anthropic shipped Claude Fable 5 as a gated Mythos-class model, a researcher claimed to jailbreak it the same day, and Anthropic said the real safeguard is the independent classifier — not the model. Decouple your safety from the model, always.
Sources