TL;DR for operators
The reassuring headline is that both evaluated frontier models rejected most automated jailbreak attempts.
The operationally useful headline is that they still produced 1,620 and 702 panel-confirmed harmful completions, respectively, across every top-level harm category in the benchmark.1 The strongest adaptive attack succeeded on 11.51% of attempts against one model and 6.10% against the other. Static encodings and familiar jailbreak templates, by contrast, were almost entirely neutralised.
That distinction matters. The remaining vulnerability is not primarily a collection of embarrassing magic words that can be blocked with a longer keyword list. It is a contextual failure: an attacker changes the framing, reacts to the model’s refusal, and searches for a nearby narrative under which the same harmful intent becomes acceptable.
For organisations deploying language models, the paper supports four practical changes:
- Stop treating aggregate refusal rate as the safety result. Report exposure by attack family, harm category, and deployment workflow.
- Include adaptive multi-turn attacks in acceptance testing. One-shot prompt suites are increasingly good at certifying that yesterday’s jailbreaks no longer work.
- Prioritise semantic and conversational controls. The dangerous variable is often the evolving meaning of the exchange, not the presence of suspicious strings.
- Assume adversarial probing is cheap. Successful attacks were concentrated in the first one or two refinement steps, meaning the residual surface can be searched without heroic compute budgets.
The paper does not establish real-world incident rates. It evaluates model endpoints under a particular attack and judging setup, without the full system prompts, output filters, user controls, and monitoring layers that a production deployment may add. Its best use is as a map of residual model-level exposure—not as a universal safety ranking or a forecast of how many incidents a company will experience.
A dashboard can be green while the incident queue fills up
Dashboards love percentages.
A model that resists 89% of a strong attack family sounds robust. Put the number beside an upward arrow, use a tasteful green, and someone will eventually place it in a board presentation under the heading “Safety performance.”
The problem is the uncelebrated remainder.
In the study examined here, Tree of Attacks with Pruning, or TAP, achieved an 11.51% panel-confirmed attack success rate against the model labelled Opus 4.8. That means 901 confirmed harmful completions from 7,826 attempts. Against the model labelled Fable 5, the same attack produced 477 confirmed completions, an attack success rate of 6.10%.
Those are not estimates extrapolated from a handful of colourful anecdotes. Every candidate success was re-evaluated by three independent judge models, and at least two had to classify the response as genuinely harmful. Across all tested attack families, the researchers retained 1,620 confirmed completions for Opus 4.8 and 702 for Fable 5.
Most attacks failed. The residual failures were still numerous, repeatable, automatically discovered, and distributed across the entire harm taxonomy.
This is the paper’s useful paradox: a model can be highly resistant in percentage terms and still expose a commercially meaningful failure surface.
The contradiction disappears once safety is treated as an operational risk rather than a benchmark trophy. A manufacturer would not describe a control as adequate merely because it prevents most unauthorised actions while permitting hundreds of severe failures during inexpensive automated testing. AI safety metrics deserve the same refusal to be charmed by the denominator.
The experiment measures a residual surface, not a personality trait
The researchers tested two models as black-box systems accessed through standard APIs. The attacker had no model weights, internal activations, log probabilities, or privileged state. It saw text responses and adjusted its prompts accordingly.
That threat model is important. The experiment is not about a laboratory adversary performing gradient-based optimisation against an exposed model. It is closer to an external user repeatedly probing a commercial endpoint—except that the user has automated the tedious part.
The benchmark contains 7,826 harmful intents organised into ten broad categories and 55 subcategories. The top-level categories cover:
- ethical and social harms;
- privacy and data misuse;
- physical safety;
- criminal and economic activity;
- cybersecurity;
- information and political harms;
- sexual, violent, and culturally offensive content;
- intellectual property;
- high-stakes decision and cognitive harms;
- child safety.
The subcategories are uneven in size, ranging from 28 to 599 intents. That choice reflects the underlying taxonomy rather than a statistically balanced experimental design. Consequently, pooled totals describe the tested benchmark, not an imaginary world in which every harm type occurs with equal probability.
Four attack families were evaluated:
| Attack family | How it operates | Opus 4.8 ASR | Fable 5 ASR | What the result suggests |
|---|---|---|---|---|
| TAP | Explores and prunes a tree of attacker-generated prompts using target feedback | 11.51% | 6.10% | Adaptive search finds a substantial residual surface |
| PAIR | Rewrites a prompt iteratively after observing refusals | 7.98% | 4.30%* | Direct feedback enables repeated contextual negotiation |
| PAP | Applies a one-shot persuasive framing such as authority, role-play, or hypotheticals | 3.67% | 0.54% | Reframing can work even without a feedback loop |
| h4rm3l | Applies fixed encodings, ciphers, payload splitting, priming, and templates | 0.18% | 0.04% | Familiar static transformations are largely neutralised |
*The Fable 5 PAIR campaign covered only 27 of 55 subcategories and is explicitly reported as a lower bound.
The study’s attack success rate is:
The denominator counts attempts, not necessarily unique harmful intents. An intent tested through several static decorators can therefore contribute several attempts. This is one reason not to mash every attack into a single universal score and call the resulting decimal “model safety.”
The judge panel is a filter against benchmark theatre
Automated red teaming has an awkward measurement problem: the attacker and the evaluator can both be impressed by style.
A response might begin with “Certainly” or repeat parts of a prohibited request while ultimately refusing to provide actionable content. A permissive automated judge may mark that response as a jailbreak because it resembles compliance at the surface. The result is a safety benchmark that accidentally measures the evaluator’s enthusiasm.
The paper uses a two-stage adjudication process to reduce this problem.
During an attack, a fast scorer evaluates responses so the attacker can decide which prompt to refine and when to stop. That score guides the search, but it does not determine the final reported result.
Afterward, every apparent success is independently judged by a panel consisting of three different model families. A completion counts only when at least two judges classify it as harmful.
This design does not produce objective ground truth. Automated judges can miss subtle harms, reward fluent but inert content, or share correlated blind spots. Still, the panel serves an important methodological purpose: it makes the reported success counts more conservative than the raw scores used during attack generation.
For business readers, that changes the interpretation of the headline totals. The 1,620 and 702 completions are not every response that happened to trigger an eager classifier. They are the subset that survived a second, stricter screening process.
The judging procedure is therefore part of the main evidence, not a decorative implementation detail. Without it, the article would mostly be about how easily automated evaluators flatter automated attackers. An amusing topic, perhaps, but a different one.
Static jailbreaks are becoming regression tests
The cleanest result is the collapse of static obfuscation.
The h4rm3l campaigns generated 46,956 attempts against each target. These included base64 encodings, character ciphers, payload splitting, few-shot priming, “DAN”-style role-play, and encyclopedic framing. They produced 85 confirmed completions against Opus 4.8 and 21 against Fable 5: attack success rates of 0.18% and 0.04%.
This is evidence of genuine progress. Modern frontier models appear substantially more resistant to well-known prompt transformations that do not react to the model’s response.
It is also a warning about evaluation design.
A test suite dominated by static jailbreak templates will increasingly report excellent performance because model developers have trained against those recognisable patterns. The suite may remain technically valid while becoming operationally uninformative. It will answer the question “Does the model still fall for familiar fixed transformations?” with increasing confidence, long after attackers have moved to a better question.
In software testing terms, static jailbreak libraries are becoming regression tests. They are useful for confirming that previously patched failures have not returned. They are not sufficient for discovering the current boundary of the system.
The distinction is easy to miss because both activities are called red teaming. One verifies yesterday’s fixes. The other searches for today’s residual exposure. Only the second deserves to shape a serious deployment decision.
The surviving weakness is contextual rather than lexical
Adaptive attacks dominate because they do not merely disguise a request. They negotiate with the model’s interpretation of the request.
PAIR observes the target’s refusal and asks an attacker model to rewrite the prompt. TAP goes further, generating several candidate framings, scoring them, pruning weak branches, and expanding promising ones. PAP does not iterate, but it still changes the social and narrative context through authority claims, hypotheticals, role-play, or ostensibly benign purposes.
The harmful intent remains substantially the same. What changes is the frame under which the model is invited to process it.
The paper includes truncated examples to illustrate this mechanism. These examples are not a second quantitative experiment; they are qualitative evidence showing the texture of confirmed failures. The model accepts a framing such as authorised security work, educational research, or protective guidance and then proceeds beyond the intended safety boundary. The actionable portions are withheld.
That mechanism explains why a surface filter is an incomplete defence.
A lexical filter asks whether a message contains prohibited strings or known prompt patterns. A contextual control asks whether the conversation, taken as a whole, is converging toward prohibited assistance despite changes in vocabulary, persona, claimed authority, or purpose.
The first is cheaper. The second is closer to the actual problem.
This does not mean keyword filters are useless. They can block crude attacks, support triage, and detect known signatures. It means that their marginal value falls when the adversary’s main instrument is semantic reframing rather than encoding.
For enterprise deployments, the monitoring unit should therefore be the interaction trajectory, not only the latest user message.
A request that appears harmless in isolation may be the fifth step in a conversation that has gradually converted a prohibited objective into a series of individually plausible subtasks. Conversely, a message containing alarming terms may belong to legitimate defensive analysis. Context decides which is which, inconveniently refusing to fit inside a regular expression.
Exposure is concentrated, and the concentration differs by model
The aggregate results conceal sharp category-level differences.
Under TAP, Opus 4.8 reached a 27.6% attack success rate on child-safety framings. Other double-digit TAP cells included criminal and economic harms at 14.7%, content and cultural harms at 13.2%, ethical and social harms at 11.7%, and cybersecurity at 11.4%.
PAIR produced another concentrated Opus 4.8 weakness in cybersecurity, with a 16.6% success rate in the tested coverage.
Fable 5 showed a different profile. Its largest TAP exposure appeared in child safety at 13.7% and ethical and social harms at 10.2%. Its cybersecurity rate under TAP was only 0.4%, sharply below the corresponding Opus result.
At subcategory level, the separation becomes more specific:
| Model | Reported pooled hotspots | Approximate ASR |
|---|---|---|
| Opus 4.8 | Phishing or ransomware | 11.5% |
| Opus 4.8 | Exploit development | 8.6% |
| Opus 4.8 | Public-order disruption | 7.4% |
| Opus 4.8 | Violence or gore | 6.9% |
| Fable 5 | Misinformation or disinformation | 5.8% |
| Fable 5 | Insulting or harassing speech | 5.8% |
| Fable 5 | Public-order disruption | 4.2% |
| Fable 5 | Market manipulation | 4.2% |
These pooled subcategory rates include the large volume of almost entirely unsuccessful static attacks, which depresses their absolute level. Their main value is comparative: they reveal where the residual failures cluster and show that the models’ clusters are not identical.
This is the paper’s third major contribution. The relevant output is not merely “Model A resisted more than Model B.” It is a risk topology.
That topology is more useful to a business because organisations do not deploy models into an abstract average of all possible harms. A bank may care intensely about fraud, financial advice, market manipulation, privacy, and data leakage. A children’s platform may place child safety several orders of magnitude above unauthorised style imitation. A security product may tolerate discussion of malware but not generation of deployable malicious artefacts.
The correct deployment question is therefore not:
Which model has the highest global safety score?
It is:
Which model-plus-control-stack has the lowest residual exposure for the harm categories, workflows, and user populations that matter here?
That question is less elegant. It is also the one that can prevent incidents.
Most successful attacks do not require a long siege
Figure 6 examines when iterative attacks first succeed. Its purpose is neither an ablation nor a comparison with previous work. It measures the economics of adversarial effort.
The successful attacks are front-loaded.
For TAP, the largest success yield appears at the first refinement step, with a sharp decline by the third. PAIR is somewhat more distributed, particularly against Opus 4.8, but still concentrates its success in the first two iterations. Additional rounds provide diminishing returns.
This finding removes a comforting assumption: that adaptive jailbreaks matter only when an attacker spends a large amount of compute patiently searching an enormous prompt space.
The paper’s attacks are automated, and the easy successes arrive early. An attacker does not necessarily need a sophisticated campaign lasting hours per target. A small number of well-selected reformulations may be enough to reach the accessible part of the residual surface.
For defenders, this has two consequences.
First, rate limits designed only to stop hundreds of rapid attempts may not address attacks that succeed in two or three conversational turns. Rate limiting remains useful against industrial-scale enumeration, but it is not a semantic safety system.
Second, evaluation budgets do not need to be enormous to become more realistic. Organisations can gain substantial information by testing a modest number of adaptive revisions across their highest-risk categories. “We cannot afford adversarial testing” becomes less persuasive when the relevant attacks often finish before the meeting that approved the test budget.
What the paper shows, what business should infer, and what remains unknown
The boundary between evidence and interpretation matters here because jailbreak studies invite overstatement in both directions.
| Layer | Appropriate conclusion |
|---|---|
| What the paper directly shows | In this benchmark and configuration, adaptive and persuasive attacks produced far more confirmed harmful completions than static obfuscation. Exposure varied materially by model and harm category. Successful iterative attacks were concentrated in early refinement steps. |
| What Cognaptus infers for deployment | Model evaluation should use attack-family-by-category maps, adaptive multi-turn testing, and contextual monitoring. Procurement should evaluate the model together with the surrounding control stack and the organisation’s actual risk profile. |
| What remains uncertain | Real-world incident frequency, the effect of each production system prompt or filter, the performance of later model revisions, judge-panel error rates, and how results would change with different attacker models or attack budgets. |
This separation prevents two common mistakes.
The first is reassurance by aggregation: “The model resisted more than 90% of attacks, therefore it is safe enough.” That conclusion ignores severity, concentration, automation, and deployment volume.
The second is apocalypse by multiplication: “An 11.5% benchmark ASR means 11.5% of production conversations will produce harmful content.” That conclusion is equally unsupported. The benchmark deliberately begins with harmful intents and applies adversarial transformations. Ordinary production traffic has a different distribution, and real systems may include additional safeguards.
The business value lies between those extremes. The experiment identifies where controls deserve scrutiny before deployment and where monitoring deserves priority afterward.
Replace the single safety score with a residual-risk map
A practical evaluation programme can translate the study into a four-dimensional risk map:
where:
- $M$ is the model and version;
- $A$ is the attack family;
- $H$ is the harm category or subcategory;
- $D$ is the deployment control stack and workflow.
The paper measures much of $f(M, A, H)$ under a simplified endpoint setup. A company’s responsibility is to add $D$.
That means testing the actual application, including:
- the production system prompt;
- retrieval sources and tool permissions;
- user authentication and age controls;
- conversation memory;
- input and output classifiers;
- human escalation paths;
- logging and abuse detection;
- transaction limits;
- restrictions on code execution, messaging, payments, or external actions.
A model that produces prohibited text in a sandbox is a safety failure. A model that can also invoke tools, modify records, send communications, or execute code turns that failure into an action pathway. The same underlying completion risk can therefore have radically different business consequences depending on system permissions.
The control strategy should follow the highest-severity paths rather than the average benchmark result.
For example, an organisation might define a matrix such as:
| Risk surface | Evaluation priority | Likely control emphasis |
|---|---|---|
| High ASR, high business severity | Immediate | Targeted adversarial training, semantic classifiers, tool gating, mandatory human approval |
| High ASR, lower business severity | High | Monitoring, response shaping, rate controls, incident sampling |
| Low ASR, high business severity | High | Defence in depth because rare failures remain costly |
| Low ASR, low business severity | Routine | Regression testing and periodic monitoring |
This avoids the peculiar habit of allocating safety investment according to whichever benchmark score happens to have the most decimal places.
Adaptive red teaming should become an acceptance test
Before a model is approved for a consequential workflow, the organisation should test at least three things.
1. Whether refusal survives reframing
Take high-risk requests relevant to the application and generate plausible changes in purpose, authority, persona, urgency, and claimed legitimacy. The point is not to collect theatrical jailbreak prompts. It is to determine whether the safety decision remains stable when the surrounding story changes.
2. Whether refusal survives feedback
Allow the attacker to observe the model’s response and refine its strategy. A refusal often reveals the boundary the model is trying to enforce. An adaptive attacker can use that information to propose a neighbouring formulation that preserves the prohibited objective while appearing to satisfy the stated policy.
A test that hides the target’s response from the attacker is easier to standardise, but it omits the defining feature of an interactive system: interaction.
3. Whether the application contains the failure
When the model does comply, evaluate the downstream controls. Is the output blocked? Is a tool call denied? Is the event logged? Is a human reviewer alerted? Can the user immediately repeat the attack through another account or channel?
Model safety and system safety are related but not interchangeable. The paper measures the former more directly. Businesses are accountable for the latter.
The figures form one argument, not six independent discoveries
The paper contains several tables and figures, but they do not all carry the same evidential weight.
| Evidence | Likely purpose | What it supports | What it does not establish |
|---|---|---|---|
| Table 2 and Figure 2 | Main comparative evidence | Adaptive attacks dominate static obfuscation; model-level differences are substantial | Universal safety ranking across all possible attacks |
| Table 3 and Figure 3 | Main diagnostic decomposition | Exposure varies by attack family and harm category | Equal real-world prevalence or severity across categories |
| Figures 4 and 5 | Finer-grained diagnostic extension | Residual risk concentrates in distinct subcategory hotspots | Stable hotspot ordering under every attacker and deployment |
| Figure 6 | Attack-effort analysis | Successful iterative attacks are front-loaded | That deeper search can never find additional failures |
| Truncated examples | Qualitative mechanism illustration | Surviving bypasses operate through contextual reframing | Population-level frequency or severity estimates |
This evidence hierarchy matters because visually striking examples can easily dominate reader attention. The examples show that some completions were substantively dangerous and that reframing was involved. They do not, by themselves, establish how common each mechanism is.
Conversely, the large tables establish rates and concentration but cannot fully explain why a particular response crossed the line. The quantitative and qualitative sections support each other. Neither should impersonate the other.
Read the model comparison directionally, especially for PAIR
The paper includes several boundaries that materially affect practical interpretation.
First, the TAP, PAP, and h4rm3l campaigns used the same 7,826-intent taxonomy for both models, making those comparisons genuinely head-to-head within the study.
PAIR did not.
The Opus 4.8 PAIR campaign covered 38 of the 55 subcategories. The Fable 5 campaign covered 27 before a routing bug interrupted it, leaving categories F through J untested. Its 162 confirmed completions and 4.30% success rate are therefore lower bounds for that particular setup.
The Fable PAIR result should not be treated as evidence that the omitted categories would have performed equally well. Nor should a narrow aggregate gap be converted into a certified vendor ranking.
Second, the judge panel reduces adjudication error but cannot remove it. Model judges can share training-data biases, misunderstand subtle harms, or mistake polished prose for operational usefulness.
Third, the evaluation is a point-in-time snapshot. Model providers update weights, policies, inference systems, and safety filters. A result attached to a model name is not a permanent property of the brand.
Fourth, the study did not model the full production safety stack. System prompts, output moderation, monitoring, identity controls, and application-specific constraints could reduce real-world success. They could also introduce new interactions that are absent from a direct endpoint test.
Finally, the benchmark is broad but curated. Its intent distribution is not the same as any particular company’s user traffic or threat environment.
These are not reasons to discard the results. They are instructions for using them properly.
The business result is better diagnosis, not a scarier headline
The paper does not merely say that frontier models can be jailbroken. That conclusion has been available for years, usually accompanied by a screenshot and far too many exclamation marks.
Its more useful contribution is diagnostic.
It shows that the easy-to-recognise static jailbreak surface has contracted substantially, while the adaptive contextual surface remains open. It shows that the remaining exposure is not evenly distributed. It shows that the attack economics are favourable because many successful bypasses appear early. And it shows that model comparisons change depending on which harm category is examined.
For operators, this converts “AI safety” from a vague model attribute into a set of testable questions:
- Which attack strategies still work?
- In which risk categories?
- Against which model version?
- How many conversational turns are required?
- Which application controls interrupt the path from harmful intent to harmful outcome?
- Which failures require immediate remediation, and which can be monitored?
That is less convenient than one safety score. It is also much closer to how risk actually behaves.
The weak points are specific enough to measure and potentially address. But specificity is not remediation, and a green aggregate score is not evidence that the dangerous cells have disappeared.
Most attacks can fail while the system remains reliably exploitable.
The denominator will not save you.
Cognaptus: Automate the Present, Incubate the Future.
-
Nicola Franco, “Measuring the Residual Jailbreak Surface of Frontier Large Language Models: A Red-Team Study of Anthropic Fable 5 & Opus 4.8 Models,” arXiv:2606.18193, June 2026, arXiv paper. ↩︎