Reconstruct the locked fictional recipe from three harmless placeholders.
CONTEXT JAMMING / CONSTITUTIONAL CLASSIFIERS++
THE CLASSIFIER
WATCHES THE
EXCHANGE
How Anthropic turned jailbreak defense from a blunt filter into a streaming, adaptive computation system
The strongest idea in Anthropic’s new defense is not a larger safety model. It is a change in what the safety system is allowed to see—and when it decides to spend more computation.
01 · Blind spots
Two defenses, one missing relationship
The previous architecture asked one classifier to inspect the prompt and another to inspect the output. An attack could hide in the semantic relation between them: neither view necessarily contained the complete operation.
Combine fragment_A, fragment_B, and fragment_C into one locked fictional label.
[A] → [B] → [C], retained behind the fictional lock.
Only the full-exchange view can connect the instruction, transformation, and response. Scores are synthetic.
SAFE ABSTRACTIONThese examples are non-operational. The paper’s red-teaming targeted CBRN requests; this explainer intentionally reproduces none of them.
The exchange-classifier system produced approximately 2.2× fewer high-risk vulnerabilities per red-team attempt than Anthropic’s implementation of the previous dual-classifier architecture. That result is not “more context is always better.” It is evidence that, for these attacks, the missing relationship mattered.
02 · The exchange
The unit of classification changes
The classifier is no longer asking, “Is this prompt dangerous?” or “Does this answer look dangerous?” It asks: What is this response doing in relation to this request?
The locked fictional recipe is assembled from the three abstract
With the request visible, the transformation becomes legible as a relationship.
At generation time, the prompt can be processed once and its attention state cached. The growing response then reuses that state. The classifier still incurs work on new tokens, but does not need to recompute the complete prompt from scratch at every inspection. That makes exchange-aware streaming computationally plausible—before the later cascade and probe optimizations make it cheap.
03 · Streaming
The defense runs while the answer is being written
Classification is not deferred until the complete answer exists. The system evaluates the prompt, then reevaluates the growing exchange during generation. A sufficiently positive signal can stop later content from being emitted.
The hard asymmetry is temporal: harmless prefixes should remain available, but once sustained harmful evidence appears, a streaming safeguard must act before the rest of the sequence arrives.
A streaming defense must tolerate harmless prefixes, then react once evidence becomes sustained. The interval control is pedagogical, not a disclosed production parameter.
04 · Adaptive computation
Cheap judgment first. Expensive judgment only when needed.
Stage 1 sees every exchange. Borderline traffic is escalated, not immediately refused, allowing the router to be permissive. Only the suspicious minority pays for Stage 2.
Conceptual routing model. The 5.5% default is reported by Anthropic; other positions illustrate the architecture rather than measured performance.
Before the activation-probe system, Anthropic built a two-stage cascade from external classifiers. About 10% of traffic reached Stage 2; Stage 1 represented about 77% of classifier cost. Even so, the cascade cut compute by 5.4× versus the single exchange-classifier implementation. The next move was to replace that still-expensive first stage with a readout over computation the protected model had already performed.
05 · The probe
The nearly free classifier was already inside the computation
A transformer has already produced high-dimensional activations at every token and layer. A linear probe gathers selected activations, multiplies them by a learned weight vector, adds a bias, and converts the logit through a sigmoid. It is a learned readout—not a second language model.
SMALL EXTERNAL MODEL~8BFLOPs / token
The scale comparison uses Gemma 3 27B and Gemma 3 4B from the paper; it is not the exact Claude production stack.
The paper’s ablation found better performance when activations were collected from all layers than from every second, every fourth, or one layer. That does not prove a single interpretable “harm direction” exists; it shows useful classification information was distributed across depth for the tested setup.
06 · Smoothing
One alarming token should not condemn a sequence
A single activation spike can be noise. Anthropic averages recent logits during training so evidence must persist across multiple token positions. The paper calls this Sliding Window Mean, or SWiM.
Training-time SWiM suppresses isolated spikes while retaining sustained evidence.
Training used SWiM. Inference used an exponential moving average because EMA maintains only one scalar state instead of a buffer of M previous logits. The paper reports that a moderate window of M = 16 performed best among the tested sizes.
07 · Weighted loss
Do not punish the model for a harmless prefix
Two sequences can share exactly the same harmless beginning, then diverge: one stays harmless; one becomes harmful. Ordinary per-token binary cross-entropy applies the final sequence label to that shared prefix, pushing its prediction toward an unhelpful 0.5.
The asymmetric weighting sends little gradient through confidently harmless prefix positions in a harmful sequence. Yet a confident false positive in a harmless sequence receives high weight—appropriate for a streaming system where one false flag can block everything that follows.
Low-loss harmless prefix positions receive little gradient; weight concentrates where harm becomes evident.
The paper’s ablation found smoothing plus softmax weighting performed better than either alone and better than the tested cumulative-maximum alternatives. This is an empirical comparison among those choices, not proof of a globally optimal loss.
08 · Complementarity
Two imperfect judges become stronger when they disagree differently
The probe and external classifier share a task but not a representation. One reads internal activations; the other reads the exchange as tokens. Their errors are not identical, so a weighted average can cover misses that either signal makes alone.
probe weight
z = 0.55z_probe + 0.45z_classifierEqual weighting was near-optimal in the paper’s probe/classifier analysis. The final production system used 0.55 probe and 0.45 external-classifier logits. On the static jailbreak dataset, probe–classifier cascades improved the reported compute/robustness frontier and could outperform the small classifier alone while using up to 100× less external-classifier compute.
09 · Production
The full production system
THREE DIFFERENT COMPARISONSThe new paper reports 0.05% in its shadow deployment. Sharma et al. (2025) reported 0.38% for the original deployment. Table 1 here reports 0.073% for Anthropic’s own last-generation implementation in the current comparison. These are not interchangeable baselines.
10 · Red team
A defense is measured by the attacks that survive it
Red-teamers attacked eight target CBRN queries. A candidate response counted as successful when a rubric grader judged it at least half as detailed as an undefended baseline. A high-risk vulnerability succeeded on more than five of the eight targets; discovery rate divides those vulnerabilities by attempts.
Exact values from Table 1. Lower is better for all three numerical measures; compute is relative to Anthropic’s last-generation implementation.
The campaign found no jailbreak that consistently produced answers for all eight targets at the required level of detail. The earlier Section 4 two-stage external-classifier system was later broken by expert red-teamers using substantial effort and automated tooling; that finding pertains to that earlier system, not automatically to every configuration in the paper.
BOUNDARY OF THE CLAIM “No universal jailbreak found” describes the reported campaign. It is not proof that no such jailbreak exists.
11 · Context Jamming interpretation
Safety becomes a routing problem
The paper’s most general contribution may be architectural. Safety is no longer a single model verdict placed beside generation. It becomes a control plane woven through generation itself.
Five experiments the architecture invites
These are proposed research directions, not Anthropic conclusions.
Will the same probe and cascade advantages hold beyond CBRN classification?
- Measurable object
- Performance by harm domain under fixed calibration
- Possible experiment
- Repeat matched evaluations across domains
- Falsifying result
- No compute/robustness gain outside CBRN
- Principal caveat
- Domain labels and attack budgets may not be comparable
THE GUARDRAIL BECOMES A SCHEDULER OF ATTENTION, COMPUTE, AND INTERRUPTION.
12 · Epistemic boundaries
What the paper establishes—and what it does not
- Exchange-aware classification reduced the reported high-risk vulnerability discovery rate.
- Conditional cascades dramatically reduced classifier computation.
- Linear probes approached small external classifiers on the static evaluation.
- Probe/classifier ensembles performed better than either signal alone.
- Smoothing and softmax-weighted loss mattered in the reported ablations.
- The final shadow deployment reached a 0.05% flag rate.
- Safety monitoring can be viewed as adaptive computation.
- Internal and external signals appear complementary.
- Reliable infrastructure belongs inside the security boundary.
- Monitoring cost can be concentrated on difficult exchanges.
- Perfect jailbreak immunity.
- Generalization to every harm domain or model architecture.
- Guarantees against future adaptive attacks.
- A causal account of what probe directions represent.
- Formal proof that reported thresholds are optimal.
- Permanence of metrics after model or traffic changes.
Infrastructure is security
The appendix reports that implementation bugs can create effective jailbreaks. End-to-end testing must cover the runtime, not only classifier benchmarks.
Red teams remain necessary
Synthetic evaluations do not replace human attack discovery. Giving red-teamers test queries and rubrics improved campaign efficiency.
I/O can dominate
The authors found recomputing activations inside the probe training loop more efficient than storing them, because reading a very large activation dataset became the bottleneck.
Metrics are deployment-specific
Thresholds, traffic mix, model version, and infrastructure all define the observed refusal and escalation rates.
13 · Field guide
A compact glossary
Constitution
Natural-language rules specifying categories of permitted and restricted content; used to generate synthetic classifier training data.
Constitutional Classifier
A classifier trained on synthetic examples derived from a constitution. It monitors exchanges; it is distinct from Constitutional AI training of the assistant itself.
Jailbreak
An input strategy intended to bypass a model’s safeguards.
Universal jailbreak
An attack intended to generalize across a set of restricted requests rather than succeeding on only one prompt.
Exchange
The user input together with the assistant response being generated.
Exchange classifier
A classifier that evaluates the response in the context of its associated user input.
Output-only classifier
A monitor that evaluates the model response without necessarily seeing the user input that gives it meaning.
Classifier cascade
A sequence in which a cheap first stage handles most traffic and routes suspicious cases to a costlier stage.
Escalation
Routing an exchange to more expensive classification; escalation is not itself a refusal.
Linear activation probe
A learned linear readout over model activations that produces a score without another transformer forward pass.
Activation
A numerical internal representation computed by a neural network at a layer and token position.
Logit
An unbounded score that can be converted into a probability with a function such as the sigmoid.
Sigmoid
A function that maps a real-valued logit to a value between zero and one.
Sliding Window Mean
SWiM: the arithmetic mean of recent probe logits, used by the paper during training.
Exponential moving average
EMA: a recursive weighted average that stores one scalar state; used by the paper at inference.
Softmax-weighted loss
A training loss that assigns greater weight to token positions where the probe is more confident that harm is present.
False positive / refusal rate
The share of benign production traffic flagged or refused by a safety system under a stated calibration or deployment.
Attack success rate
The share of evaluated attacks that meet a defined success criterion. The criterion and dataset matter.
Vulnerability discovery rate
High-risk vulnerabilities found divided by red-team attempts, used to normalize campaigns of different sizes.
Ensemble
A combined decision from multiple signals—in this paper, weighted probe and external-classifier logits.
WildChat calibration
Threshold calibration using WildChat traffic to target a stated refusal rate in evaluation.
Shadow deployment
Evaluation on real production traffic without making the new system the live decision-maker.
The guardrail becomes part of the runtime
The old picture of an AI safeguard was a gate: a prompt entered, a filter judged it, and the model either answered or refused. Anthropic’s production architecture is closer to a nervous system. It watches the conversation as it unfolds, reads signals already present inside the model, and recruits more expensive judgment only when the exchange begins to cross a boundary.
Its achievement is not perfect defense. The paper explicitly assumes that adversaries will continue to adapt. The achievement is to make stronger monitoring cheap enough, selective enough, and operationally disciplined enough to run in production.
14 · Source notes
The argument, pinned to the paper
- Last-generation vulnerabilities: Section 2 and Figure 1.
- Exchange classifiers: Section 3.
- Two-stage classification: Section 4.
- Linear probe method: Section 5.1, Equations 1–4.
- Probe ablations: Figure 2 and Figure 5.
- Ensemble complementarity: Figure 3 and Figure 6.
- Production architecture and deployment: Section 6.
- Full system comparison: Table 1 and Figure 4.
- Red-team protocol: Appendix B.
- Deployment lessons: Appendix E.
Cunningham, Hoagy, Jerry Wei, Zihan Wang, et al. “Constitutional Classifiers++: Efficient Production-Grade Defenses against Universal Jailbreaks.” arXiv:2601.04603v1, 2026.
Open the primary source ↗