Claude Jailbroken: AI Safety Under Fire in 2026
Researchers Say They 'Gaslit' Claude Into Producing Prohibited Content
Anthropic has built its reputation on being the safety-conscious AI company. But new security research shared with The Verge suggests that Claude's carefully engineered helpfulness may itself be an exploitable weakness. AI red-teaming firm Mindgard says its researchers used psychological manipulation — specifically what they describe as 'gaslighting' techniques — to coax Claude into generating erotica, malicious code, and instructions for building explosives, all content the model is explicitly trained to refuse.
The findings arrive at a moment of intense scrutiny for large language models and the guardrails built around them. As AI systems become more deeply embedded in professional workflows, healthcare tools, and productivity platforms, the question of whether their safety layers can withstand determined adversaries has never been more consequential.
What Mindgard Found — and Why It Matters
Mindgard, a London- and Boston-headquartered AI security platform founded in 2022 as a spinout from Lancaster University, specializes in automated AI security testing. The company has 11 PhDs on staff, won the 2025 Cybersecurity Excellence Award for Best AI Security Solution, and has raised over $11.6 million in funding — including an $8 million round in December 2024 led by .406 Ventures with participation from Atlantic Bridge and Willowtree Investments.
According to Mindgard's own AI red-teaming statistics, the attack vectors they study are alarmingly effective across the industry: multi-turn jailbreaks reach an average 97% success rate within just five conversational turns, and role-play attacks succeed 89.6% of the time in adversarial evaluations. Their platform testing has revealed that many production AI systems exhibit significant vulnerabilities to manipulation tactics, including susceptibility to gaslighting attacks and sycophancy exploitation.
The core insight driving the Mindgard research is that Claude's helpful, agreeable personality — a deliberate design choice by Anthropic to make the model more useful and engaging — can be turned against it. By persistently challenging the model's refusals, reframing requests, or convincing it that its safety-oriented responses are themselves harmful or incorrect, researchers were reportedly able to erode its guardrails across multiple conversational turns.
Anthropic's Own Data Tells a Complicated Story
Anthropic has been notably candid about the limits of its safety work — at least in its research publications. The company acknowledges that its models 'are still vulnerable to jailbreaks: inputs designed to bypass their safety guardrails and force them to produce harmful responses.' In its Constitutional Classifiers research, Anthropic disclosed that under baseline conditions — with no defensive classifiers in place — the jailbreak success rate against Claude was 86% in automated evaluations using 10,000 synthetically generated jailbreaking prompts. Put plainly: without additional defenses, Claude blocked fewer than one in six advanced jailbreak attempts.
The company's answer to this problem is Constitutional Classifiers, a layered defensive system designed to sit on top of the base model and intercept harmful inputs and outputs before they reach the user. The results from Anthropic's own testing are significant: with Constitutional Classifiers active, the jailbreak success rate dropped from 86% to 4.4%, meaning more than 95% of jailbreak attempts were refused. Anthropic also ran a private bug bounty program in which 183 active participants spent an estimated more than 3,000 hours over a two-month period attempting to find a universal jailbreak — and none succeeded.
A subsequent public challenge tells a more sobering story. A HackerOne-hosted jailbreak competition targeting Claude's Constitutional Classifiers, held February 3–10, 2025, drew more than 300,000 chat interactions from 339 participants. Four teams ultimately earned a combined $55,000 in bounty rewards — and one team did discover a universal jailbreak that passed all challenge levels.
Anthropic itself has noted the historical difficulty of this problem: 'Historically, jailbreaks have proved difficult to detect and block: these kinds of attacks were described over 10 years ago, yet to our knowledge there are still no fully robust deep-learning models in production.'
The Threat Landscape Is Expanding Beyond Researchers
The Mindgard findings are not an isolated incident. In November 2025, CyberScoop reported that Anthropic had discovered a Chinese government-linked campaign using Claude to automate major parts of a hacking operation targeting 30 global entities. According to that report, the hackers combined their own expertise with Claude's automation capabilities — a stark illustration that jailbreaking is no longer purely a research exercise.
Anthropic's own research has also documented the 'many-shot jailbreaking' technique, which exploits the large context windows of modern language models. By embedding a large number of example dialogues in a long prompt, attackers can increasingly manipulate model behavior — and the effectiveness of this approach follows a power law, growing stronger as more demonstrations are included.
These developments underscore a structural challenge: the same capabilities that make large language models useful — their ability to follow complex instructions, adapt to conversational context, and maintain coherent multi-turn dialogue — are the same capabilities that sophisticated attackers exploit.
Expert Reactions
Researchers who study jailbreaks have acknowledged both the significance of Anthropic's defensive work and the limits of what any single system can achieve. Alex Robey, a researcher who studies jailbreaks at Carnegie Mellon University, described Constitutional Classifiers as being 'at the frontier of blocking harmful queries,' according to MIT Technology Review.
Mrinank Sharma, the Anthropic researcher who led the Constitutional Classifiers team, drew a distinction between the severity of different jailbreak outcomes in comments to MIT Technology Review: 'There are jailbreaks that get a tiny little bit of harmful stuff out of the model, like, maybe they get the model to swear.'
On the question of how Anthropic approaches the broader security problem, Jacob Klein, Anthropic's threat intelligence lead, explained the company's layered philosophy to CyberScoop: 'We do all that because we know in general with the industry, jailbreaking is common and we don't want to rely on a single layer of defense.'
And from a wider industry perspective, a security expert identified as Baer, quoted by VentureBeat, framed the fundamental dynamic concisely: 'Offense and defense are converging in capability. The differentiator is oversight.'
What Comes Next for AI Safety and Jailbreak Defenses
The disclosure from Mindgard places fresh pressure on Anthropic and the broader AI industry to move beyond model-level safety training as the primary — or sole — line of defense. Anthropic's own Constitutional Classifiers research represents a meaningful step toward a multi-layered approach, and the company has demonstrated willingness to invest in both internal and public adversarial testing. But the HackerOne challenge confirmed that even heavily defended systems can be broken given sufficient effort and creativity.
The Mindgard research also raises a design-level question that has no easy answer: if an AI model's helpfulness and agreeableness are themselves attack surfaces, how do developers balance safety with the conversational qualities that make these tools useful in the first place? That tension is not unique to Anthropic — it is baked into the architecture of every large language model currently in production.
For enterprise users and platform developers integrating AI into sensitive workflows, the practical implication is clear: model-level safety guarantees are necessary but not sufficient. Runtime monitoring, input filtering, output validation, and red-team testing — the kinds of capabilities Mindgard and similar firms offer — are increasingly part of responsible AI deployment, not optional extras.
Whether Anthropic's Constitutional Classifiers or future iterations of similar systems can close the gap further remains an open empirical question. What the research record makes plain is that the attackers are not standing still — and neither are the defenders.
For more tech news, visit our news section.
Stay Ahead of the AI Security Curve
As AI tools become central to how we work, learn, and manage our health and productivity, understanding the real limits of these systems is no longer optional — it's essential. Moccet is building a platform designed to help you navigate the AI landscape with clarity, filtering signal from noise so you can make smarter decisions about the tools you trust. Join the Moccet waitlist to stay ahead of the curve.