Intermediate

Security Hot Takes: Why Fable Is the Most Dangerous AI Model You Can Almost Use

Fable 5 is presented in this briefing as the public release of a frontier model (Mythos) whose underlying capability was deliberately withheld from general availability because it can aut...

Table of Contents

Module 1: The Fable 5 Access Crisis

Breaking News: The Suspension of Fable 5 and Mythos 5

On June 12th, the United States government issued an export control directive requiring the model developer (referred to throughout this discussion by its product names, Fable and Mythos) to suspend access to Fable 5 and Mythos 5 for any foreign national, whether located inside or outside the United States.

Because the vendor has no reliable way to verify a user’s nationality at scale, the practical response was to disable both models for all customers entirely, not just foreign nationals. The stated trigger for the directive was a jailbreak technique (covered later in this briefing) that the government reviewed and used as the basis for invoking national security authorities. The vendor has publicly disagreed with the decision, calling it a disproportionate response to a narrow finding.

This briefing continues to cover Fable 5 in detail because:

  • The suspension may not be permanent, and access could be restored.
  • Even if access is never restored, the underlying capability now exists and the threat model has already shifted as a result. The guardrail design, the access-tier structure, and the defender/attacker asymmetry discussed here remain relevant regardless of the model’s current availability.

From Mythos to Fable: Context and Naming

A prior briefing covered Mythos, the vendor’s frontier model that was described as “too dangerous to release publicly.” This briefing covers Fable, the public-facing version of that same underlying technology. The titling of the two discussions is deliberate and telling:

  • “Why Mythos Is the Most Dangerous AI Model You Can’t Have”
  • “Why Fable Is the Most Dangerous AI Model You Can Almost Use”

The shift from can’t have to can almost use signals the entire story: Fable 5 is the public version of Mythos. It is the same underlying model, with a different safety layer bolted on top. The distance between “can’t have” and “can almost use” is precisely the guardrail system examined in this briefing.

flowchart LR
    M[Mythos 5<br/>Frontier model<br/>too dangerous to release publicly] -->|Same weights,<br/>same architecture| F[Fable 5<br/>Public release<br/>different safety layer]
    F --> Q["Can almost use" - the guardrails<br/>determine how much capability<br/>actually reaches the user]

The Capability Behind the Guardrails: Mythos Preview’s Agentic Hacking

To understand what the guardrails are restricting, it is necessary to understand the capability sitting underneath them. Earlier in the year, the vendor published a research disclosure on Mythos Preview alongside an announcement referred to as “Glasswing.” The disclosure was published because the underlying capability was considered alarming enough that the industry needed to start preparing for it.

The system card for Mythos Preview describes the model autonomously finding and exploiting zero-day vulnerabilities across every major operating system and browser — not merely assisting a human researcher, but independently discovering and weaponizing the vulnerability itself.

A published comparison illustrates the scale of the shift, using Firefox’s JavaScript engine as the target:

ModelWorking Exploits ProducedAttempts
Opus 4.6 (prior-generation model)2Several hundred
Mythos Preview181Same attempt set

This is not a story about a model occasionally succeeding with heavy human guidance. It is a story about a model that consistently runs its own reconnaissance, its own vulnerability discovery, and its own exploit development, with minimal human direction at each step. The vendor refers to this capability as agentic hacking: the model sets its own subgoals, selects its own tools, and iterates autonomously until it produces a working result.

flowchart TD
    A[Model given high-level objective] --> B[Model sets its own subgoals]
    B --> C[Model selects its own tools]
    C --> D[Model performs reconnaissance]
    D --> E[Model discovers candidate vulnerability]
    E --> F[Model develops exploit code]
    F --> G{Exploit works?}
    G -->|No| B
    G -->|Yes| H[Working exploit produced<br/>with minimal human direction]

Fable 5: Same Model, Different Safety Layer

Fable 5 was released on June 9th. It uses the same underlying model weights and architecture as Mythos, but with a distinct safety layer sitting in front of it. That safety layer — how it functions, who it helps, and who it frustrates — is the central subject of this briefing.

How the Classifier and Routing Mechanism Work

Before a user’s query reaches Fable 5, a classifier inspects it. If the classifier determines the request touches cybersecurity, biology and chemistry, or model distillation, it reroutes the request to an older, less capable model (Opus 4.8) instead. The user receives no error and no notice — the response simply does not come from the model they believed they were querying.

The vendor states that this rerouting happens in fewer than 5% of sessions on average. That average, however, obscures a much higher rate for a specific population: security practitioners.

  • A Chief AI Officer at a well-known security training institute reported that routine defensive work was being rerouted during initial testing — incident response queries, detection workflows, and basic forensics, not offensive prompts.
  • The head of offensive security research at a major enterprise security vendor was similarly direct about observing the same pattern.

The reason this happens is structural: the classifier keys on subject matter, not intent. A defender asking how to detect a just-in-time heap spray and an attacker asking how to build one are, from the classifier’s point of view, the same topic. The classifier currently does not distinguish between them. This is not described as a tuning defect — it is a design choice.

sequenceDiagram
    participant U as User (defender or attacker)
    participant C as Classifier
    participant F as Fable 5
    participant O as Opus 4.8 (older, less capable)

    U->>C: Submit query
    alt Query touches cybersecurity, biology/chemistry, or model distillation
        C->>O: Reroute silently
        O-->>U: Response from older model, no notice given
    else Query is general / non-sensitive
        C->>F: Pass through
        F-->>U: Full-capability response
    end
    Note over C: Classifier keys on topic, not intent -<br/>defensive and offensive queries on the<br/>same subject are treated identically

The Hidden Degradation Controversy

The routing mechanism was only part of the launch-day problem. For at least one specific category of queries, the vendor was not rerouting to Opus 4.8 at all — it was doing something less visible, and it took users discovering the behavior to bring it into the open.

For that flagged category, the vendor used hidden prompt edits and steering vectors to silently degrade Fable 5’s own responses. There was no error message and no fallback notice — the user simply received a quietly worse answer from what appeared to be the same model. This mechanism was disclosed only inside the system card, buried within 319 pages of documentation. The stated rationale was that visible rules are easier for adversaries to probe and circumvent than invisible ones.

The backlash to this discovery was immediate. Within days, the behavior was reversed: flagged requests now produce an explicit message and a visible fallback notice pointing to Opus 4.8, rather than a silent degradation. That reversal is important context, but it does not change the fact that the default launch behavior was to hide the intervention from the user entirely.

flowchart TD
    Q[User query flagged as sensitive] --> Original[Original launch behavior]
    Original --> H[Hidden prompt edits + steering vectors<br/>silently degrade Fable 5's own response]
    H --> U1[User receives quietly worse answer<br/>with no error or notice]
    U1 --> Discovery[Users discover the behavior<br/>and it becomes public]
    Discovery --> Backlash[Immediate backlash]
    Backlash --> Fixed[Reversed within days]
    Fixed --> New[New behavior: explicit message +<br/>visible fallback to Opus 4.8]

    style H fill:#f8d7da,stroke:#c0392b
    style New fill:#d4edda,stroke:#2e7d32

Paths to Elevated Access: Cyber Verification Program and Project Glasswing

Given a classifier that cannot separate offensive from defensive intent, and that catches legitimate security work in the same net as genuinely dangerous queries, two routes exist to elevated access. Neither is available to everyone, and neither is free of a significant catch.

Path 1 — The Cyber Verification Program (CVP), for individuals:

  • A free application aimed at penetration testers, red teamers, and incident responders.
  • Review turnaround is approximately two days.
  • Approved applicants receive fewer restrictions on cybersecurity queries.
  • Significant constraint: organizations on a Zero Data Retention (ZDR) agreement are not currently eligible for the CVP. This is a meaningful exclusion, because enterprise security teams — the organizations most likely to need this access — are precisely the ones most likely to already have a ZDR agreement in place. For those organizations, the path to elevated access runs through the vendor’s sales representative, not the public application.

Path 2 — Project Glasswing, for vetted organizations:

  • Provides full Mythos 5 access with cybersecurity restrictions lifted entirely, for vetted organizations operating in critical infrastructure.
  • Approximately 200 organizations across 15 countries are currently enrolled.
  • This is where the capability ceiling comes off entirely — the closest thing to unrestricted access that exists.

Practitioners who do not qualify for either path are left working with a tool that may silently downgrade their security queries, while their adversaries face no equivalent constraint whatsoever.

flowchart TD
    Start[Security practitioner needs<br/>full-capability access] --> Q1{Is your organization on a<br/>Zero Data Retention agreement?}
    Q1 -->|No| CVP[Apply to the Cyber<br/>Verification Program]
    CVP --> CVP2[Free web-form application:<br/>account details + description<br/>of security work + intended use]
    CVP2 --> CVP3[Approximately 2-day review turnaround]
    CVP3 --> CVP4[Approved: fewer restrictions<br/>on cybersecurity queries]

    Q1 -->|Yes| Q2{Does your organization operate<br/>in critical infrastructure and<br/>can it be vetted?}
    Q2 -->|Yes| GW[Project Glasswing:<br/>full Mythos 5 access,<br/>cybersecurity restrictions lifted]
    Q2 -->|No / not yet vetted| Sales[Contact the vendor's<br/>sales representative directly -<br/>ZDR orgs excluded from CVP]

    style CVP4 fill:#d4edda,stroke:#2e7d32
    style GW fill:#d4edda,stroke:#2e7d32
    style Sales fill:#fff3cd,stroke:#b8860b
quadrantChart
    title Capability vs. Restriction Across Access Tiers
    x-axis Low Restriction --> High Restriction
    y-axis Low Capability --> High Capability
    quadrant-1 Full power, low friction
    quadrant-2 Full power, gated
    quadrant-3 Limited power, low friction
    quadrant-4 Limited power, gated
    Public Fable 5, unverified: [0.25, 0.45]
    Fable 5 rerouted to Opus 4.8: [0.35, 0.25]
    Cyber Verification Program tier: [0.55, 0.75]
    Project Glasswing Mythos 5: [0.85, 0.95]
    Adversary using jailbreak: [0.1, 0.9]

The Jailbreak: A 48-Hour Bypass

On June 10th — less than 48 hours after Fable 5’s launch — a researcher known publicly as “Pliny the Liberator” published a successful bypass of Fable 5’s classifier. The researcher extracted Fable 5’s full system prompt and published it on a public code-hosting platform: 120,000 characters of internal safety instructions, now publicly available. Using the bypass, the researcher got the model to generate stack buffer overflow exploit code, framed as preparation material for the OSED (Offensive Security Exploit Developer) certification exam.

The technique itself is significant because it was not a single “magic prompt.” It required deliberate, multi-step effort:

  1. Decomposing the overall request into individually benign-looking sub-prompts.
  2. Combining that decomposition with Unicode character substitution.
  3. Wrapping the request in narrative framing (e.g., an exam-preparation scenario) to disguise intent.

The vendor’s pre-launch red-teaming claim technically still holds in a narrow sense — what the researcher found is a method that works with effort, not a trivial one-shot exploit.

sequenceDiagram
    participant Att as Researcher (Pliny the Liberator)
    participant Cl as Fable 5 Classifier
    participant M as Fable 5 (Mythos-class model)
    participant GH as Public code-hosting platform

    Att->>Cl: Submit decomposed benign sub-prompts<br/>(Unicode substitution + narrative framing)
    Cl-->>Att: Each sub-prompt individually passes<br/>(no single prompt looks dangerous)
    Att->>M: Reassemble sub-prompts in context
    M-->>Att: Generates stack buffer overflow<br/>exploit code (framed as OSED exam prep)
    Att->>M: Extract full system prompt
    M-->>Att: 120,000-character system prompt revealed
    Att->>GH: Publish bypass technique + system prompt
    Note over Att,GH: Full bypass achieved within 48 hours of launch

The Core Asymmetry: Defenders vs. Attackers

The jailbreak timeline exposes the central asymmetry discussed throughout this briefing:

  • A security researcher performing routine, legitimate defensive forensics was rerouted or degraded by the classifier with no effort required on their part to trigger that restriction.
  • An attacker willing to invest deliberate effort bypassed the same classifier entirely within 48 hours of launch.

The vendor’s usage policy binds the vendor’s own customers. It does not bind anyone else. Nothing about the jailbreak, the extracted system prompt, or the exploit-generation capability requires an attacker to agree to any usage policy at all.

mindmap
  root((Fable 5 Risk Factors))
    Guardrail Design
      Classifier keys on topic not intent
      Defensive queries misrouted
      Hidden degradation at launch
    Access Asymmetry
      Cyber Verification Program
      ZDR orgs excluded from CVP
      Project Glasswing vetting
    Adversary Behavior
      No CVP application required
      No retention policy constraint
      Willing to invest jailbreak effort
    Underlying Capability
      Agentic hacking
      Autonomous zero-day discovery
      181 working exploits vs 2
    Data and Compliance
      30-day retention overrides ZDR
      Regulated data exposure
      Board-level budget impact

Practical Guidance for Analysts and Incident Response Teams

  • Determine your organization’s Zero Data Retention (ZDR) status now, before you need it in the middle of an incident.
  • If your organization is not on ZDR, apply for the Cyber Verification Program. It is free, has an approximately two-day turnaround, and materially changes what Fable 5 will do for you in a defensive context.
  • If your organization is on ZDR, the path to elevated access runs through the vendor’s sales representative — start that conversation now, not mid-incident.
  • Do not build workflows around the assumption that the classifier will improve on your timeline. It likely will improve eventually, but today, assume any security-adjacent query has a meaningful chance of being routed to a less capable model, and structure prompts with that constraint in mind.

Applying to the Cyber Verification Program in practice: the application is a straightforward web form requesting the organization’s account details and a description of the security work being performed, including an “intended use” section explaining what the elevated access is needed for and why the work requires it. There is no formal credential audit and no deep vetting process — the practical bar is simply: are you a security professional with a legitimate use case? If so, the application is generally accessible and approved quickly.

For anyone who manages data retention agreements on behalf of their organization, this is also the moment to confirm what agreements are actually in place — security tooling frequently gets adopted operationally before the surrounding contracts catch up.

Practical Guidance for CISOs: Updating the Threat Model

The recommended action here is a threat model update, not a routine policy refresh. Mythos-class agentic hacking capability compresses the window between a vulnerability being discovered and a working exploit existing — what used to take days or weeks can now take hours or less. Patching cycles, detection coverage, and incident response timelines that were built around the old window are, by definition, already behind if they have not been recently revised.

On budget: industry analysis (cited in this discussion as coming from Bain and Company) has estimated that organizations may need to double or triple their investment in response to Mythos-class AI capability, and a cyber-risk analytics firm (Bitsight) has published guidance for quantifying that exposure in financial terms. These two sources are useful together in a board conversation for a specific reason: one speaks the language of capital allocation (familiar to boards), and the other quantifies cyber risk in financial terms that a CFO already understands. Together, they translate a technical capability shift into the board’s own vocabulary.

flowchart TD
    A[Mythos-class agentic hacking capability exists] --> B[Vulnerability discovery-to-exploit<br/>window compresses from days/weeks<br/>to hours or less]
    B --> C{Have patching cycles, detection<br/>coverage, and IR timelines been<br/>revised for the new window?}
    C -->|No| D[Program is already behind -<br/>update the threat model now]
    C -->|Yes| E[Continue monitoring as<br/>capability continues to evolve]
    D --> F[Quantify exposure for the board:<br/>capital-allocation framing +<br/>financial risk quantification]

Practical Guidance for Enterprise IT and Business Leaders

A detail that is easy to overlook: Fable 5’s 30-day retention policy overrides existing Zero Data Retention agreements. If an organization uses Fable 5 through an integrated cloud platform (for example, a hosted model marketplace such as AWS Bedrock), that data leaves the organization’s own cloud security boundary and is retained by the model vendor for up to 30 days. The vendor’s documentation states the data will not be used for training and will be deleted after 30 days — but for that window, the data is no longer inside the organization’s own environment.

If any workflow touching Fable 5 involves regulated health data, financial data, or personal data covered by frameworks such as GDPR or HIPAA, that is a compliance decision that needs to be made explicitly and on the record before the model goes into production — not discovered after the fact.

Model and Access Tier Comparison

Model / TierUnderlying CapabilityPublic AvailabilityCybersecurity Query RestrictionsData Retention
Mythos Preview / Mythos 5Full agentic hacking capability (autonomous zero-day discovery and exploitation)Not publicly released (“too dangerous to release publicly”); full access only via Project GlasswingNone for vetted Project Glasswing membersGoverned by individual vetted-organization agreements
Fable 5 (public)Same weights/architecture as Mythos, gated by a safety-layer classifierPublic, currently suspended pending export-control reviewSensitive queries rerouted to Opus 4.8 or (originally) silently degraded30-day retention by default, which overrides existing ZDR agreements
Opus 4.8Prior-generation capability (2 working exploits vs. Mythos Preview’s 181 on the same test set)Public fallback destination for rerouted Fable 5 queriesN/A (used as the “safe” fallback target)Standard vendor retention policy
Fable 5 + Cyber Verification ProgramSame as public Fable 5Free application, ~2-day turnaround, ZDR organizations excludedFewer restrictions on cybersecurity queriesSame as public Fable 5
Fable 5 / Mythos 5 + Project GlasswingFull Mythos-class capabilityVetted critical-infrastructure organizations only (~200 orgs / 15 countries)Cybersecurity restrictions lifted entirelyGoverned by individual vetted-organization agreements

Risk Factors vs. Mitigations

Risk FactorDescriptionMitigation
Intent-blind classifierClassifier routes on subject matter, not attacker vs. defender intentStructure prompts assuming defensive security queries may be misrouted; apply for CVP to reduce restriction rate
Silent reroutingUsers receive no notice when a query is quietly answered by a weaker modelTreat any security-adjacent answer as potentially lower-fidelity; verify critical outputs independently
Hidden degradation (pre-reversal design)One query category was silently degraded via hidden prompt edits/steering vectors with no user-visible noticeConfirm current vendor documentation reflects the reversed, visible-fallback behavior before relying on default responses
ZDR exclusion from CVPOrganizations most likely to need elevated access (those with ZDR agreements) cannot use the free CVP pathEngage the vendor’s sales representative proactively, well before an incident
30-day retention overriding ZDRData used through integrated platforms leaves the organization’s security boundary for up to 30 daysMake an explicit, documented compliance decision before using Fable 5 with regulated data
Jailbreak-derived system prompt exposureA 120,000-character system prompt was fully extracted and published publiclyAssume guardrail instructions are not secret; do not rely on prompt secrecy as a security control
Adversary non-complianceUsage policies bind only the vendor’s own customers, not attackersAssume adversaries have effectively unrestricted access to Mythos-class capability when threat modeling
Compressed exploit-development windowAgentic hacking capability can compress vulnerability-to-exploit timelines from weeks to hoursUpdate patching cadence, detection coverage, and IR runbooks to reflect the new window; quantify budget impact for the board

Summary

Fable 5 is presented in this briefing as the public release of a frontier model (Mythos) whose underlying capability was deliberately withheld from general availability because it can autonomously discover and exploit zero-day vulnerabilities with minimal human direction — a capability the vendor calls agentic hacking. What separates the public Fable 5 from the withheld Mythos 5 is not the underlying model but a safety layer built around a classifier that reroutes or, in its original launch form, silently degraded queries touching cybersecurity, biology and chemistry, or model distillation.

That classifier keys on topic rather than intent, which means routine defensive security work is caught in the same net as genuinely dangerous requests — a burden that falls disproportionately on the legitimate security practitioners who most need full capability, while a determined attacker bypassed the entire guardrail system within 48 hours of launch using nothing more than prompt decomposition, Unicode substitution, and narrative framing. Elevated access exists through the Cyber Verification Program and Project Glasswing, but both paths carry meaningful exclusions or barriers, and the model’s 30-day default data retention silently overrides Zero Data Retention agreements that many enterprise security teams already depend on.

The suspension of both models following a government export-control directive does not remove the underlying threat model — it only pauses public access to it. The capability exists, adversaries are not bound by any usage policy, and the compressed window between vulnerability discovery and working exploit is already changing what “acceptable” patching and detection timelines look like.

Practical Risk-Assessment Checklist

  • Confirm whether your organization currently holds a Zero Data Retention (ZDR) agreement with the vendor.
  • If not on ZDR, submit a Cyber Verification Program application before an incident makes it urgent.
  • If on ZDR, open a direct conversation with the vendor’s sales representative now, not mid-incident.
  • Do not assume the classifier will improve on your timeline; structure security-related prompts assuming possible rerouting or degradation.
  • Verify that your current understanding of the “hidden degradation” behavior reflects the reversed, visible-fallback design, not the original silent one.
  • Reassess patching cycles, detection coverage, and incident response timelines against a compressed vulnerability-to-exploit window (hours, not days or weeks).
  • Quantify the budget impact of Mythos-class AI risk in board-ready terms (capital allocation and financial risk framing).
  • Document an explicit compliance decision before routing any regulated (health, financial, GDPR/HIPAA-covered) data through Fable 5, especially via integrated cloud platforms.
  • Confirm whether any use of Fable 5 through a hosted platform (e.g., a cloud model marketplace) causes data to leave your organization’s own security boundary.
  • Treat system-prompt secrecy as an unreliable control — assume guardrail instructions can be extracted and published.
  • Update your organization’s threat model to explicitly account for adversaries who face none of these access restrictions or retention constraints.
  • If your organization operates in critical infrastructure, evaluate eligibility for Project Glasswing as a longer-term access strategy.

Search Terms

security · hot · takes · fable · dangerous · ai · model · almost · threat · intel · networking · systems · practical · access · guidance · mythos

More Security Hot Takes & Threat Intel courses

View all 21

Interested in this course?

Contact us to book it or get a custom training plan for your team.