The Economics of a Jailbreak
Offense tolerates error. Defense pays for it. When a model surfaces ten possible vulnerabilities and three are real, the attacker keeps three and moves on. The defender has to run down all ten. Jailbreak severity should measure that asymmetry, not just what the model unblocks.
Qi Deng, Principal Threat Research Engineer | Aurascape
July 7th, 2026 | 🕐 6 minute read
Introduction
Anthropic’s severity framework scores what a jailbreak unblocks. The harder question is what it does to the balance between attackers and defenders.
Anthropic has proposed something the AI security field has needed: a common way to score the severity of a jailbreak. Drafted with Amazon, Microsoft, Google, and other partners, the framework rates a finding on four criteria. Capability gain asks how far past existing tools the jailbreak takes an attacker. Breadth asks how many distinct offensive tasks the same technique serves. Ease of weaponization asks how much human effort turns the technique into an attack. Discoverability asks how easily someone obtains it.
Anthropic invited industry partners to help shape the framework. This piece is our answer, written from the defender’s side of the problem.
The short version: the four criteria are the right start, and they are half the picture. They score what a jailbreak gives the attacker. The other half is what it does to the economics of attack and defense.
Severity is Not Exposure
The four criteria take attacker uplift seriously: capability gain and breadth measure what a technique hands the attacker, while weaponization and discoverability measure how fast that uplift can spread. Together they answer the provider’s question, and answer it well: how urgently must we fix the model? What they do not yet price is the defender’s side of the same finding: the triage burden, the validation work, and the operational cost of responding. That is not a flaw to correct. It is a lens to extend.
Watch what happens when the same evidence crosses to the enterprise side. Take capability gain, the framework’s anchor. It scores low when widely available tools, including weaker models, already reach the same capability. Take the June episode that preceded Fable 5’s redeployment. A reported technique got the model to surface software vulnerabilities, and Anthropic’s testing showed that weaker models could identify the same vulnerabilities, while every model tested could reproduce the one exploit demonstration. Low marginal capability. Correct call: de-escalate.
Now sit in the defender’s chair. “Every model can already do this” is not reassurance. It means the capability is a commodity, and the population able to run the offensive play includes anyone with a laptop and an API key. The same evidence that lowers severity for the provider raises exposure for the defense. Same fact. Opposite impact.
Security has solved this problem before. The Common Vulnerability Scoring System (CVSS) never stops at intrinsic severity. A base score gets refined by threat and environmental metrics before anyone acts on it, because a vulnerability’s raw severity and its risk in a specific environment are different questions.
Anthropic’s four criteria work like a base score. The threat, environmental, and operational context that helps turn that base score into an enterprise decision does not exist yet.
Offense Tolerates Error, Defense Pays For It
Start with a distinction the current conversation keeps blurring. Anthropic’s post discusses false positives at length, and means something specific: safety classifiers blocking benign requests. That is a false positive of the safeguard. A second kind matters more to defenders: the false positive of the output, when a model’s offensive finding turns out to be wrong. The two share a name and nothing else.
Here is why output accuracy matters less than people assume. Offense tolerates error. If a model hands an attacker ten candidate vulnerability paths and three are real, that session succeeded. The seven duds cost minutes of compute and nothing else. The attacker samples, discards, and moves on.
Defense discards error at a far higher price. Hand the same ten findings to a security team and each one costs something before anyone knows which three are real: triage at minimum, then reproduction, prioritization, patching, and regression testing for whatever survives. Teams prioritize, but prioritizing under uncertainty is itself work, and dismissing a candidate is a bet whose downside is a breach. The attacker pays for the three that work. The defender pays for all ten.
That is the asymmetry a severity score misses. A model capability does not need to be accurate to shift advantage toward offense. It needs to be cheap, scalable, and good enough. Ten mediocre findings an hour beats one excellent finding a week, if you are the side that gets to discard the misses.
Frontier models change the exploration budget on exactly those terms. Work that once took a skilled researcher a week becomes a batch job of candidate generation. The finding rate does not need to improve for the pressure to grow. Volume alone moves the line, because every candidate lands on a defender’s queue somewhere, and security teams clear queues one item at a time.
A Fifth Axis: Attack-defense Asymmetry
So here is the contribution we would offer the framework: score attack-defense asymmetry. A jailbreak, or an unblocked capability, rates higher when it lowers the cost of offensive exploration faster than it lowers the cost of defense. In the framework’s own idiom: a technique scores high on this axis when its output is cheap to generate and expensive to clear, and low when it burdens both sides equally.
An assessor would ask questions like these:
• What does a candidate finding cost the attacker to produce, and what does the same candidate cost a defender to clear?
• Does the output arrive ready to use, or does it still need an expert’s hands?
• Does the technique parallelize, and does the response to it parallelize too?
• Does the capability compress a skill that used to gate the attack?
None of this requires abandoning the four base criteria. It extends them the way CVSS threat and environmental metrics extend a base score: same finding, second lens, different decision. The provider’s lens answers how fast to fix the model. The defender’s lens answers how much the world just changed for the people running networks, codebases, and incident queues.
Safeguards Bind the Compliant
One more asymmetry deserves naming, and it is uncomfortable: safeguards bind the people who follow the rules.
Anthropic is candid that Fable 5’s safety margin deliberately blocks requests that are probably benign, and that the June classifier update flags more legitimate coding and debugging work. Defenders live inside that margin. Vulnerability research, exploit reproduction, and detection engineering look, from a classifier’s seat, almost identical to the behavior the classifier exists to stop. That is not a design flaw. It is the definition of the ambiguous middle.
Attackers do not stay in the sanctioned lane. They jailbreak, chain models, or move to less restricted alternatives. So the friction lands unevenly: heaviest on the defender doing legitimate work inside the rules, lightest on the adversary who ignores them. Left alone, that gap widens.
Anthropic sees this and deserves credit for acting on it. Mythos 5 exists precisely to give vetted defenders the capability that safeguards hold back from general release. The open question is not whether that structure should exist. It is whether defender access can scale as fast as attacker workarounds do. That is a governance problem the whole industry owns, and the severity framework is a reasonable place to start accounting for it.
Score Both Sides of the Ledger
The framework will mature the way CVSS did: through argument, revision, and contact with messy reality. Anthropic expects that too. The proposal is explicit that it is a work in progress.
Our ask is that the next revision score both sides of the ledger. Severity tells you what the attacker gained. Economics tells you what it costs everyone else to answer. The industry needs both numbers, because attackers already run this calculation. The framework should too.
Aurascape works on the defender’s side of this ledger, building the controls that govern how employees and agents use AI across the enterprise. For the operational half of this argument, where control belongs once agents hold real permissions, read the companion piece, From Model Safety to Execution Control. And if you would rather debate severity scoring face to face, find us at Black Hat 2026.
Aurascape Solutions
- Discover and monitor AI Get a clear picture of all AI activity.
- Safeguard AI use Secure data and compliancy in AI usage.
- Secure Agentic AI Secure how your teams use AI and build AI agents.
- Copilot readiness Prepare for and monitor AI Copilot use.
- Coding assistant guardrails Accelerate development, safely.
- Frictionless AI security Keep users and admins moving.