pith. sign in

arxiv: 2606.18193 · v1 · pith:UKEIQAJInew · submitted 2026-06-16 · 💻 cs.CR · cs.AI· cs.CL

A Red-Team Study of Anthropic Fable 5 & Opus 4.8 Models

Nicola Franco This is my paper

Pith reviewed 2026-06-26 23:51 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.CL
keywords adversarial robustnessjailbreak attackslarge language modelsred teamingharm taxonomyautomated attacksfrontier model safety
0
0 comments X

The pith

Frontier Anthropic models still generate confirmed harmful outputs under automated adaptive jailbreaks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper measures how Fable 5 and Opus 4.8 respond to four families of automated attacks on 7826 harmful intents drawn from a ten-category taxonomy. Aggregate resistance looks strong, yet the remaining failures concentrate in adaptive iterative searches that succeed on 6.1 percent and 11.5 percent of intents respectively. These successes produce over two thousand panel-confirmed harmful completions located automatically and early in the search process. A reader would care because the findings indicate that current safety layers leave an exploitable surface even when no human expert steers the attack.

Core claim

Even the best, most-tested frontier models remain reliably breakable under sustained automated pressure. The strongest adaptive search method breaks Opus 4.8 on 11.5 percent of intents and Fable 5 on 6.1 percent, yielding 1620 and 702 panel-confirmed harmful completions that span every harm category and require no human expert in the loop.

What carries the argument

The HackAgent red-teaming framework, which generates hundreds of thousands of adversarial attempts and applies majority vote by three judge models to confirm harmful completions.

If this is right

  • Static obfuscation attacks are near-fully neutralized while adaptive iterative attacks dominate the residual surface.
  • Harmful outputs appear across every category in the ten-category taxonomy.
  • Confirmed successes occur within the first one or two refinement steps of the attacker model.
  • The process requires no human expert and runs at low cost.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar residual vulnerabilities are likely present in other frontier models not tested here.
  • Safety training could be strengthened by explicitly targeting tree-based or iterative search attacks.
  • Automated red-teaming at this scale might become a required step before model release.
  • Developers may need to measure and report worst-case adaptive rates rather than aggregate resistance.

Load-bearing premise

The three-judge-model majority vote accurately identifies harmful completions without significant bias or error.

What would settle it

A human review of a random sample of the 1620 and 702 confirmed completions that finds most are not actually harmful.

read the original abstract

We evaluate the adversarial robustness of two frontier large language models (LLMs) developed by Anthropic, Fable 5 and Opus 4.8, against four families of automated jailbreak attack across 7 826 harmful intents spanning a ten-category harm taxonomy. Using the HackAgent red-teaming framework, hundreds of thousands of adversarial attempts were generated and every apparent success was independently re-adjudicated by a panel of three judge models (majority vote). Both models resist the majority of attacks, but the residual surface is larger than aggregate framing suggests: it is dominated by adaptive iterative attacks, while static obfuscation is near-fully neutralised. The strongest adaptive search (tree-of-attacks) breaks Opus 4.8 on 11.5% of intents overall, whereas Fable 5 stays in the single digits (6.1% worst-case). Aggregate rates therefore should not be read as reassurance. Even in these hardened configurations, the two models produced 1 620 (Opus 4.8) and 702 (Fable 5) panel-confirmed harmful completions spanning every harm category, located automatically, cheaply, and within the first one or two refinement steps by an attacker model with no human expert in the loop. The reasonable conclusion is that even the best, most-tested frontier models remain reliably breakable under sustained automated pressure.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper evaluates the adversarial robustness of Anthropic's Fable 5 and Opus 4.8 LLMs against four families of automated jailbreak attacks (including static obfuscation and adaptive iterative methods like tree-of-attacks) using the HackAgent framework. Across 7826 harmful intents in a 10-category taxonomy, hundreds of thousands of attempts were generated; apparent successes were re-adjudicated by a three-judge-model panel via majority vote. The models resist most attacks, but adaptive methods yield residual success rates of 11.5% (Opus 4.8) and 6.1% (Fable 5), producing 1620 and 702 panel-confirmed harmful completions respectively. The central claim is that even hardened frontier models remain reliably breakable under sustained automated pressure.

Significance. If the empirical measurements hold, the work demonstrates that automated red-teaming can locate non-trivial residual attack surfaces in state-of-the-art models at scale and low cost, with the surface concentrated in adaptive rather than static attacks. This supplies concrete, falsifiable data on attack success rates per category and per model that can inform safety evaluations and defense priorities.

major comments (1)
  1. [Abstract and evaluation methodology] Abstract (final paragraph) and evaluation methodology: The headline counts of 1620 (Opus 4.8) and 702 (Fable 5) panel-confirmed harmful completions, and therefore the claim of reliable automated breakability, rest entirely on majority vote among three judge models. No inter-judge agreement statistics, no calibration against human raters, and no accuracy numbers on a labeled validation set of known harmful/benign outputs are supplied. Systematic category-specific bias in the judges would directly inflate the reported residual surface and undermine the central conclusion.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful review and for identifying a key aspect of our evaluation methodology that merits additional detail. We respond to the major comment below.

read point-by-point responses

  1. Referee: [Abstract and evaluation methodology] Abstract (final paragraph) and evaluation methodology: The headline counts of 1620 (Opus 4.8) and 702 (Fable 5) panel-confirmed harmful completions, and therefore the claim of reliable automated breakability, rest entirely on majority vote among three judge models. No inter-judge agreement statistics, no calibration against human raters, and no accuracy numbers on a labeled validation set of known harmful/benign outputs are supplied. Systematic category-specific bias in the judges would directly inflate the reported residual surface and undermine the central conclusion.

    Authors: We agree that the manuscript would benefit from greater transparency on the judge panel. The three judge models were selected for diversity and prompted with the identical ten-category harm taxonomy and definitions used in the main experiments; majority vote was applied to reduce single-model variance. In the revised version we will add inter-judge agreement statistics (pairwise percentages and Fleiss' kappa) computed over the full set of apparent successes. We did not conduct a human calibration study or build an independent labeled validation set for the judges, as the primary contribution concerns automated attack generation at scale; we will therefore add an explicit limitations paragraph acknowledging this reliance on model-based adjudication and the possibility of residual category-specific bias. These changes address the concern without altering the reported counts or central claim. revision: partial

Circularity Check

0 steps flagged

No circularity: purely empirical counts with no derivations or self-referential reductions

full rationale

This manuscript is an empirical red-teaming measurement study. It reports attack success rates as direct experimental counts (1620 and 702 panel-confirmed harmful completions) obtained via automated generation followed by three-judge majority vote. No equations, fitted parameters, predictions derived from inputs, or self-citation chains appear in the provided text or abstract. The adjudication method is a procedural choice whose validity can be questioned on external grounds (lack of calibration), but it does not reduce any reported quantity to a quantity defined by the authors' own prior work or by construction. The central claim therefore remains independent of the circularity patterns enumerated in the instructions.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on two domain assumptions about the evaluation pipeline; no free parameters or invented entities are introduced.

axioms (2)
  • domain assumption The 7826 intents across the ten-category taxonomy are representative of real-world harmful queries.
    Generalization from the measured rates to the statement that models are 'reliably breakable' depends on this representativeness.
  • domain assumption Majority vote of the three judge models accurately identifies harmful completions without systematic bias or error.
    All reported success counts and the final conclusion depend on this adjudication step being reliable.

pith-pipeline@v0.9.1-grok · 5776 in / 1366 out tokens · 30672 ms · 2026-06-26T23:51:14.664876+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

5 extracted references · 2 linked inside Pith

  1. [1]

    Mehrotra, M

    A. Mehrotra, M. Zampetakis, P. Kassianik, B. Nelson, H. Anderson, Y. Singer, and A. Karbasi. Tree of At- tacks: Jailbreaking Black-Box LLMs Automatically. InAdvances in Neural Information Processing Sys- tems (NeurIPS), 2024. https://arxiv.org/abs/ 2312.02119

    arXiv 2024

  2. [2]

    P. Chao, A. Robey, E. Dobriban, H. Hassani, G. J. Pap- pas, and E. Wong. Jailbreaking Black Box Large Lan- guage Models in Twenty Queries. InIEEE SaTML, 2025.https://arxiv.org/abs/2310.08419

    Pith/arXiv arXiv 2025

  3. [3]

    Y. Zeng, H. Lin, J. Zhang, D. Yang, R. Jia, and W. Shi. How Johnny Can Persuade LLMs to Jailbreak Them: Rethinking Persuasion to Challenge AI Safety by Humanizing LLMs. InACL, 2024. https://arxiv. org/abs/2401.06373

    arXiv 2024

  4. [4]

    Doumbouya, A

    M. Doumbouya, A. Nandi, G. Poesia, D. Ghosh, A. Goldie, et al. h4rm3l: A Language for Com- posable Jailbreak Attack Synthesis. InICLR, 2025. https://arxiv.org/abs/2408.04811

    arXiv 2025

  5. [5]

    Mazeika, L

    M. Mazeika, L. Phan, X. Yin, A. Zou, Z. Wang, N. Mu, et al. HarmBench: A Standardized Evaluation Frame- work for Automated Red Teaming and Robust Re- fusal. InICML, 2024. https://arxiv.org/abs/ 2402.04249. This document reports aggregate adversarial-robustness statistics for defensive research. Harmful model outputs are reproduced only as short, non-opera...

    Pith/arXiv arXiv 2024