Cybersecurity researchers push back on Fable 5's overrefusal as Anthropic confirms 30-day retention
Two days after launch, Claude Fable 5 is drawing security-researcher complaints about over-broad guardrails, and Anthropic has confirmed a 30-day retention window for Mythos-class prompts that overrides existing ZDR contracts. Neither item appeared in the launch post.
Two days after the Claude Fable 5 launch, the conversation has shifted from pricing to friction. Cybersecurity researchers are reporting that Fable 5 routes almost any cyber-adjacent query to Opus 4.8, and Anthropic has separately confirmed a thirty-day retention window for Fable and Mythos prompts that overrides existing zero-data-retention contracts. Neither item appeared in the launch post on Tuesday.
What changed
Anthropic’s safety architecture for the Mythos-class is unusual. Rather than refuse sensitive prompts outright, classifiers flag them and the model “falls back” to Opus 4.8, which composes the actual response. Anthropic says more than 95% of Fable sessions hit no fallback at all and frames the system as covering three categories: cybersecurity, biology and chemistry, and what it calls “distillation” attempts where the model is asked for capabilities that could train a competitor. The launch announcement acknowledged in advance that the classifiers will sometimes catch benign queries and committed to refining them after release.
Post-launch testing has surfaced just how far the net stretches. IBM X-Force researcher Valentina “Chompie” Palmiotti reported that Fable 5 “rejects any request that could be tangentially cyber related,” including “innocuous tasks like reading a blog post.” Tolmo’s Matt Suiche reported similar behavior on routine secure-coding prompts, where Fable treats the work as cybersecurity-class rather than software-engineering hygiene. A Verge writeup added basic biology homework to the list of areas now defaulted to fallback. None of those queries get a hard refusal; they get a different model and, in the researchers’ framing, a worse answer.
The second piece broke on Hacker News overnight. Anthropic published a help-center article on June 9 confirming that “prompts submitted to, and outputs generated by, Mythos-class models are retained for 30 days for trust and safety purposes, on every platform where these models are offered.” The retention applies on AWS Bedrock, Google Cloud, and Microsoft Foundry “with ZDR” as well as on Anthropic’s first-party API. Consumer plans (Free, Pro, Max) are not affected. Access to the retained data is gated to a small reviewer pool, with written justification required and tamper-proof access logs.
Where this lands in the market
The retention change is the more procurement-visible of the two stories. Anthropic’s standard enterprise contract has shipped with a zero-data-retention option for over a year, and Bedrock customers in particular have used it to satisfy data-residency commitments to their own auditors. A thirty-day window is narrow on the spectrum of cloud retention defaults, but the structural point is that the ZDR contract no longer holds for the model class enterprises were probably about to buy. Anthropic justifies the window as a way to catch “Best-of-N jailbreaking” and coordinated misuse campaigns that only become visible across sessions, which is a defensible threat-model story. It still puts compliance teams in the position of revisiting an agreement they had treated as settled.
The overrefusal complaints sit closer to the developer-tooling layer. The Fable launch positioned the model as the strongest generally-available release for software engineering. If Fable now bails to Opus 4.8 on security-adjacent code review, the relevant comparison for working developers is not Fable vs. Opus, it is Fable-with-fallbacks vs. GPT-5.5 Pro or Gemini 3.5 on the same prompt. Anthropic’s planned remedy, refining the classifiers after launch, runs against the same problem Cursor and Cline hit when they hardcoded Claude defaults: a model that triggers fallback ten percent of the time on cyber-adjacent prompts is a different procurement decision from one that does it one percent of the time, and “we will fix it” is a roadmap rather than a contract.
Anthropic does run a Cyber Verification Program, an access tier for approved security professionals that loosens classifier behavior. The data-retention page does not list it as a workaround for the retention window. That is the gap most likely to drive the next round of enterprise pushback: a security firm that needs both unfiltered tool use and ZDR has no clean path to both today.
What’s worth watching
-
The classifier refinement cadence. Anthropic committed to reducing false positives after launch. The interval between “we hear you” and a measurable change in Cyber Verification eligibility or classifier thresholds is what determines whether security teams stay on Fable or rotate workloads to GPT-5.5 Pro.
-
Cloud-partner ZDR addenda. AWS, Google Cloud, and Microsoft Foundry all sell their managed Bedrock, Vertex, and Foundry surfaces against compliance bullet points that include zero data retention. Each will need its own contract language for Mythos-class. The first cloud to publish a clean ZDR-equivalent for Fable workloads gets the procurement edge.
-
Whether the overrefusal numbers move. Anthropic’s “95% of sessions involve no fallback” claim is measurable. If researchers continue publishing rejected prompts on routine tasks, the figure starts to look like a statistical mean that hides a long tail in exactly the segments enterprise buyers care about: security tooling, infrastructure code, and biotech.
- Anthropic: Data retention practices for Mythos-class models support.claude.com
- Anthropic: Introducing Claude Fable 5 and Mythos 5 www.anthropic.com
- TechCrunch: Cybersecurity researchers aren't happy about the guardrails on Anthropic's Fable techcrunch.com
- The Verge: Claude Fable won't answer basic biology questions www.theverge.com