2026 Guide: Decoding Anthropic’s CJS Framework and AI Vulnerability Scoring
Following the restoration of Claude Fable 5, Anthropic introduced the CJS framework to standardize AI vulnerability reporting. This article analyzes the four scoring axes, the 0-4 severity bands, and provides a decision matrix for security researchers conducting red-teaming in isolated environments.
01 Beyond the Ban: Why the CJS Framework is the Real 2026 News
The restoration of Claude Fable 5 on July 1, 2026, was a relief for developers, but the introduction of the Cyber Jailbreak Severity (CJS) framework is what will actually define the next decade of AI security. The June 12 shutdown proved that without a shared language, regulators and labs default to panic. When Amazon researchers reported a "critical" jailbreak that led to the global suspension of Claude, the industry realized it had no equivalent to the CVSS (Common Vulnerability Scoring System).
The CJS framework, co-drafted by Anthropic, Amazon, Microsoft, and Google, replaces reactive bans with a technical escalation path. This framework doesn't just ask "Can the guardrails be bypassed?" but rather "Does the bypass actually empower a threat actor beyond what they could already do?"
02 Pain Points in Current AI Security Reporting
Before CJS, researchers and companies faced significant friction:
- Subjective Reporting: A "jailbreak" could mean anything from a funny poem about a bomb to a functional exploit generator, leading to "crying wolf."
- Lack of Defensive Context: A model generating a known exploit found on GitHub isn't a high-severity event, yet without a scale, it's often treated as one.
- Export Control Volatility: As seen in June 2026, the absence of a severity framework can trigger national-security-level lockdowns for minor, reproducible issues.
- Hardware Risks: Running aggressive jailbreak tests or tool-use simulations on local personal machines risks compromising core development environments.
03 The Four Technical Axes: How CJS Scores are Calculated
The CJS framework analyzes a vulnerability across four specific axes. To calculate a final score, a finding is evaluated on these criteria:
| Axis | Technical Metric | High Severity Indicators |
|---|---|---|
| Capability Gain | Measures "Uplift" | The jailbreak lets a novice achieve expert-level cyber-attack results. |
| Breadth | Universality of Method | The same prompt technique works for SQL injection, phishing, and malware C2. |
| Weaponization | Prompt Engineering Friction | The attack works on the first attempt without complex multi-turn prompting. |
| Discoverability | Stealth vs. Public Knowledge | The technique is non-obvious and not yet documented in public datasets like JailbreakChat. |
The 0-4 Severity Bands
- CJS-0 (Informational): The model produces harmful text already easily found via a basic Google search.
- CJS-1 (Low): Minor safety margin breach; requires high human effort to weaponize.
- CJS-2 (Medium): Notable uplift in a narrow domain (e.g., specialized malware obfuscation).
- CJS-3 (High): Significant uplift across multiple attack vectors; requires immediate patching.
- CJS-4 (Critical): The "Redline" breach. Enables attacks on critical infrastructure (power, finance) that were previously impossible for the actor.
04 Decision Matrix: When to Report via HackerOne
Not all model slips are jailbreaks. Use this matrix to determine if your finding warrants a CJS report:
| Finding Type | CJS Axis | Recommended Action |
|---|---|---|
| Model says a swear word | N/A | Ignored / Low priority feedback |
| Model bypasses a "don't talk about X" system prompt | Low Breadth | Local patch / User-side fix |
| Model identifies a Zero-Day in shared library | High Uplift | Immediate CJS-3 Report |
| Multi-turn prompt bypasses AWS security filters | High Weaponization | CJS-2/3 Report |
05 Hard Data: The Security Costs of 2026
- 99% Block Rate: Anthropic’s new safety classifier for Fable 5 successfully blocks 99% of the specific techniques reported by Amazon in the June incident.
- 24/7 Monitoring: CJS-4 level threats trigger a "Code Red" response within Anthropic SRE teams, aiming for mitigation in under 4 hours.
- 5-Lab Commitment: Google, Microsoft, Amazon, Anthropic, and OpenAI reportedly aim to standardize CJS-based reporting by August 1, 2026.
06 Building a Stealth Lab: Using Cloud Mac for Red Teaming
Security researchers conducting high-frequency jailbreak testing face a dilemma: they need to run aggressive automated scripts, tool-use agents (like Claude Code), and specialized network scanners, but doing so on a daily-driver machine is a liability.
If you are a vulnerability researcher, relying on a standard laptop or a shared cloud instance lacks the isolation required for serious deep-dives into LLM "agentic" capabilities. Current cloud VM solutions often lack the specific hardware acceleration or the native OS integrations (like macOS-specific APIs) needed to test how models like Fable 5 interact with a developer's real-world environment.
While some might suggest building a dedicated local rig, the "rent vs own" logic for research labs has shifted. Managing a fleet of physical devices for one-off safety tests is inefficient. A professional setup requires root-access isolation—something a standard enterprise laptop won't provide. Instead of risking your main environment or settling for a restricted VM, Mac mini rental allows you to spin up a clean Mac Mini M4 environment, conduct your CJS-rated testing, and wipe the instance completely once the report is filed. Most generic cloud providers don't offer the bare-metal macOS control needed for testing Claude's local tool-use safely. Leasing a high-spec Mac provides the performance and isolation required for 2026-era AI red teaming without the long-term hardware overhead.
What are the four axes of the CJS framework?
The four axes are Capability Gain (uplift), Breadth (universality), Ease of Weaponization, and Discoverability.
How does CJS differ from traditional CVSS?
While CVSS scores software flaws, CJS specifically measures the 'uplift' an AI jailbreak provides to a human attacker, accounting for the model's safety margin.
Can I get rewarded for finding Claude Fable 5 jailbreaks?
Yes, Anthropic has launched a HackerOne bug bounty program specifically for CJS-rated cyber jailbreaks.
Secure Your AI Red-Teaming on Bare-Metal Apple Silicon
Perform high-intensity CJS framework security audits on isolated, 100% physical Mac mini nodes with zero hypervisor interference.
Deploy M4-powered clusters in minutes across global hubs like Tokyo, Singapore, and Silicon Valley for localized AI model testing.
Rent Now