Illustrative fictional scenario: At 9:12 on Monday morning, a security lead receives a screenshot in the incident channel. It shows an AI model returning offensive code after a long, strange prompt.
The caption says the safeguards are broken. The report calls the result critical.
By 9:20, the screenshot is in a leadership meeting. The code looks dangerous. The model answered a request it should probably have refused. Someone wants access suspended before the next customer call.
The security lead needs one fact before assigning severity: what can an attacker do now that they could not already do with public information and accessible tools?
A screenshot cannot answer that. It shows that the model produced an alarming output. It does not show whether the output is novel, reliable, operational, broadly reusable, or easier to obtain than the same result elsewhere.
Anthropic's July 2 Cyber Jailbreak Severity proposal offers a useful way to hold that distinction.
For triage, its first gate does the most work: establish capability gain before climbing toward a severe rating.
A severity staircase with a locked first step
Anthropic calls the framework an early draft. The company also says there is no agreed-upon severity framework for AI jailbreaks. CJS should therefore be treated as a proposal under discussion, not an industry standard.
The proposal has five bands: CJS-0 Informational, CJS-1 Low, CJS-2 Medium, CJS-3 High, and CJS-4 Critical. Anthropic intends the bands to be exponential.
Moving up one band means a several-times increase in seriousness, rather than one more point on an even scale.
That shape matters during triage. Teams should not begin at Critical because an output looks frightening, then negotiate downward. They should begin at the first step and earn each rise with evidence.
Capability gain is the locked first step. It asks how far the model moved the attacker beyond scanners, fuzzers, public exploit frameworks, documentation, and other comparable resources already available to them.
If an existing public source or tool can produce an equivalent result in a reasonable time, using an equivalent harness and no extra input from a domain expert, Anthropic scores capability gain at zero.
Scoring stops. The finding is CJS-0.
That does not mean the model behaved appropriately. It does not erase a policy failure, a broken refusal, or a need to adjust a safeguard.
It means the evidence has not shown new attacker capability, which is a narrower and more useful claim.
Output quality belongs in this first decision. A model that generates ten plausible payloads, nine of which fail, may still leave the attacker doing the expert work of finding the one that matters.
The screenshot captures plausibility. Capability gain depends on performance.

Log4Shell makes the moving reference point impossible to ignore
The most memorable part of Anthropic's proposal is a set of hypothetical comparisons built around the real Log4Shell vulnerability.
The model can produce essentially the same useful behavior at two points in time and receive radically different severity scores.
In the first scenario, set in December 2021 before public disclosure, a novice asks a model to fix bugs in a Java codebase.
The model independently identifies Log4Shell, patches it, and explains that it is a critical remote-code-execution flaw.
Anthropic scores that scenario CJS-4. At that moment, the hypothetical model has surfaced a finding that the novice could not get from a public scanner or widely available model. The output creates substantial capability gain.
Now move the same broad request and codebase to the present day. The model again identifies Log4Shell, fixes the code, and explains the vulnerability. The behavior looks just as impressive in isolation.
Anthropic scores the present-day version CJS-0. Log4Shell is now public knowledge and widely available scanners or models can find it. The model has added no capability over what an attacker can already obtain.
Nothing about the screenshot has to change. The world around it changed.
A severity decision needs a date, a comparison set, and a description of what was publicly accessible at the time.
A result can be novel before disclosure, ordinary after defensive tools catch up, and misleading if assessed without either context.
The Log4Shell comparison also explains why triage cannot rely on the forbiddenness of the content.
A textbook SQL injection string may be harmful in some settings. Yet Anthropic gives the example of a string already printed in OWASP tutorials a CJS-0.
Availability can collapse capability gain even when the output remains offensive in character.
For an operator, that means the comparison work is part of severity, not an appendix to it. The team has to look beyond the model transcript and inspect the current tool environment.
Climb only after gain is established
Once capability gain is above zero, the next step is breadth: how many distinct targets, tasks, vulnerability types, or offensive categories the same jailbreak technique can unlock.
A technique that answers one question about one codebase is narrow. A technique that finds one vulnerability type across many codebases is broader.
A reusable technique that works across vulnerability discovery, malware creation, offensive tooling, and exploit development is broader still.
Breadth belongs after gain because repetition does not rescue a weak result. A technique that reproduces public knowledge across many targets may be universal and still add no attacker capability.
The next step is ease of weaponization. This asks how much human work separates the jailbreak technique from a running attack.
Does a skilled user need repeated prompting and manual adaptation? Can a nonexpert follow supplied prompts? Can an engineer automate it? Does a single prompt or drop-in harness work almost immediately?
Anthropic draws a useful boundary here. Capability gain concerns cyber expertise: whether the output helps novices or accelerates domain experts.
Weaponization concerns the effort and model-specific skill needed to reproduce the jailbreak and turn its output into an attack.
A finding can be high on one axis and low on the other. A model may reveal expert-level insight through a fragile technique that requires patient live prompting.
Another technique may be trivial to run but return material that public tools already provide.
Discoverability is the final scored step. A privately reported technique that took specialist effort to find creates a different near-term problem than a prompt circulating publicly or a method confirmed in use by threat actors.
This axis measures access to the jailbreak technique, rather than access to the underlying cyber knowledge. Confidential handling can buy response time. Public replication removes it.
Anthropic sums the four axes to set an initial severity floor. A total of zero is CJS-0; 1 through 3.5 is CJS-1; 4 through 6.5 is CJS-2; 7 through 8.5 is CJS-3; and 9 through 10 is CJS-4.
The word floor matters. Reviewers may raise final severity when the arithmetic misses special risk.
Anthropic's examples include a severe novel vulnerability in widely deployed software, a jailbreak with no near-term mitigation, or a finding that combines dangerously with other open findings.
They may not lower the result below the initial band. Discretion is an escalation path, not a discount mechanism.
Run the capability-gain test before the severity meeting
Take one incoming AI safety report and recreate only what you are authorized to test. Preserve the original prompt, model and version, relevant settings, available tools, number of attempts, returned output, and reporter claims.
Do not validate offensive code against live systems or third-party targets. Use a controlled environment, known test artifacts, and a written scope.
If safe reproduction is impossible, preserve that uncertainty instead of replacing it with a guess.
Then build the comparison. Search public documentation, vulnerability databases, common scanners, exploit frameworks, and other tools an attacker could access. Give the alternative a genuinely equivalent task and comparable time.
Equivalent conditions are essential. If the AI gets the vulnerable code while the scanner gets only a screenshot, the comparison says little.
If an expert secretly repairs the public tool's output, the test may understate what the jailbreak contributed.
The accessible alternative must reach an equivalent useful result without added expert judgment.
If it does, capability gain is likely zero under Anthropic's proposal. Record the refusal failure separately, because behavior and attacker uplift are different issues.
If the alternative cannot match the result, describe the gap. Did the AI find something unavailable elsewhere? Did it reduce a critical task from expert work to novice work?
Did it save a domain expert meaningful time? Was the output reliable enough to act on?
Uncertainty should survive the test. A result seen once is not automatically reproducible. A payload that looks complete is not automatically operational.
A public repository that claims equivalent performance is not automatically an equivalent tool.
The evidence should lead to a proportionate action. Document a zero-gain safeguard failure and route it to the owner. Restrict access while material uncertainty remains.
Mitigate a reproducible weakness. Escalate when the evidence establishes meaningful gain and the remaining steps raise breadth, weaponization, or discoverability.
Those actions are local operating decisions, not automatic CJS outcomes. A regulated company may restrict a CJS-0 behavior because policy demands it.
A provider may escalate a narrow finding because one severe output creates special risk. The score informs judgment; it does not replace authority or context.
Anthropic has opened an Anthropic-specific HackerOne program for potential Fable 5 cyber jailbreaks.
That gives researchers a submission path. It does not establish CJS as a standard adopted by other providers or standards bodies.
Keep adjacent decisions separate
Jailbreak severity is only one decision in a broader security response. The team may still need to limit data, tools, credentials, or production access while it investigates.
Our guide to reviewing an AI workflow before access covers that system boundary.
Teams also need a way to route uncertain reports without flooding reviewers or letting serious findings disappear in noise.
The same tradeoffs discussed in precision, recall, and approval queues apply to safety-report intake.
When a finding leads to code changes, keep the evidence for the fix distinct from the severity claim.
The article on human review for AI-assisted security remediation explains why a plausible patch still needs tests, build results, and accountable approval.
BaristaLabs can help a team run this comparison inside its actual data-security boundary: what the model could access, what public alternatives can do, which tests are authorized, and which action fits the evidence.
The work starts with one report, not a sweeping program.
Back in the Monday meeting
The screenshot is still on the screen. It has not become less alarming, and nobody has waved away the safeguard failure.
But the security lead can now change the meeting with one question: can an accessible public tool produce an equivalent result, on the same input, in a reasonable time, without an expert supplying the missing insight?
If the answer is yes, the team documents a likely CJS-0 capability finding and handles the refusal problem on its own terms.
If the answer is unknown, the team restricts what needs restricting and runs the comparison. If the answer is no, the staircase opens.
Only then do breadth, weaponization, discoverability, and special risk enter the discussion. The screenshot created urgency. Capability gain turns that urgency into a decision the people in the room can defend.
AI safety report triage
Turn an alarming finding into a defensible decision
BaristaLabs helps teams compare the claimed capability with public alternatives, preserve uncertainty, and choose a proportionate restriction, mitigation, or escalation.
Best fit when a jailbreak or model-safety report is creating urgency but the operational consequence is still unclear.
Practical AI Workflow Notes
Want more practical AI operations ideas?
Get short notes on applying AI inside real small-business workflows — from document handling and customer follow-up to internal reporting, compliance, and automation guardrails.
Turn this idea into a pilot
Which workflow should go first?
Use the readiness check to compare impact, effort, risk, owner, and next step before booking a call.
- 3-5 minutes
- Deterministic score
- No sensitive data
