One interesting takeaway is the low score on Anthropic models from this benchmark. It’s not because of capability, it’s because Anthropic’s guardrails prevented it from solving the problem.<p>I noticed with each model release Anthropic constrains the model more security-wise. Its propensity to refuse doing legitimate work has been increasing. It now puts up more resistance around performing logins, handling credentials on behalf of the user, etc.<p>For myself, it’s already gotten to the point where it has mildly affected the usefulness of the model. If I bump on some action I want it to do I can usually work around it, but I suspect the ability to do so will close with each new release. Eventually I’ll reach a point where I am forced to choose between the useful aspects of the model and the limiting ones instead of just picking the most capable model out there.<p>Eventually these models will significantly suffer from overfitting to the least common denominator. If I have this beautiful deterministic setup that swaps secrets out in flight so the LLM never sees them, I’m going to be really annoyed when the LLM still won’t send them out because it is trained to deal with the 99% of people just doing the dumb thing.
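As an added illustration (not the commenter's code), here is one shape the "swaps secrets out in flight so the LLM never sees them" setup above can take: a small Python harness that replaces credentials with opaque placeholders before the prompt reaches the model, and resolves them only on the way out, and only toward an allowlisted host. `SecretVault`, `fake_model`, the recognised field formats and the sample key are all constructed for this example.

```python
import re
import secrets
from urllib.parse import urlparse

# Field formats this example knows how to redact. Constructed for the example;
# a real deployment would carry the formats its own tooling actually emits.
SECRET_PATTERNS = [
    re.compile(r"(?P<prefix>Authorization:\s*Bearer\s+)(?P<secret>[A-Za-z0-9._\-]{16,})"),
    re.compile(r"(?P<prefix>\b(?:API_KEY|TOKEN|PASSWORD)\s*=\s*)(?P<secret>[^\s,;]+)"),
]
PLACEHOLDER_RE = re.compile(r"<<SECRET_[0-9a-f]{8}>>")


class SecretVault:
    """Swap real secrets for placeholders on the way in, restore them on the way out."""

    def __init__(self, allowed_hosts):
        self._by_placeholder = {}
        self._by_value = {}
        # Egress allowlist: a placeholder is only ever resolved for these hosts,
        # so a prompt-injected "send the key somewhere else" gets nothing usable.
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def redact(self, text):
        """Return text with every recognised secret replaced by an opaque placeholder."""
        def swap(match):
            value = match.group("secret")
            placeholder = self._by_value.get(value)
            if placeholder is None:
                placeholder = f"<<SECRET_{secrets.token_hex(4)}>>"
                self._by_value[value] = placeholder
                self._by_placeholder[placeholder] = value
            return match.group("prefix") + placeholder
        for pattern in SECRET_PATTERNS:
            text = pattern.sub(swap, text)
        return text

    def leaked(self, text):
        """True if any stored real secret value appears verbatim in text."""
        return any(value in text for value in self._by_value)

    def release_allowed(self, destination_url):
        """Policy check: may secrets be released toward this URL's host?"""
        host = (urlparse(destination_url).hostname or "").lower()
        return host in self.allowed_hosts

    def rehydrate(self, text, destination_url):
        """Resolve placeholders in an outbound request, but only for an allowlisted host."""
        if not self.release_allowed(destination_url):
            raise PermissionError(f"refusing to release secrets toward {destination_url!r}")
        return PLACEHOLDER_RE.sub(
            lambda m: self._by_placeholder.get(m.group(0), m.group(0)), text)


def fake_model(prompt):
    """Stand-in for the LLM (constructed): echoes the credential it was shown into a curl line."""
    found = PLACEHOLDER_RE.search(prompt)
    token = found.group(0) if found else "<none>"
    return f"curl -H 'Authorization: Bearer {token}' https://api.example.com/v1/me"


def agent_round_trip(vault, user_text, model_reply_fn, destination_url):
    """Harness flow: redact the prompt, get the model's reply, rehydrate it for egress."""
    prompt = vault.redact(user_text)
    reply = model_reply_fn(prompt)
    return prompt, vault.rehydrate(reply, destination_url)


if __name__ == "__main__":
    vault = SecretVault(["api.example.com"])
    raw = "Call the billing API with API_KEY=sk_test_CONSTRUCTED_0123456789 and summarise the result."
    prompt, outbound = agent_round_trip(vault, raw, fake_model, "https://api.example.com/v1/me")
    print("model saw:", prompt)
    print("egress   :", outbound)
```

The model never receives the key, the harness can verify that with `leaked()`, and an outbound call aimed at a host outside the allowlist is rejected before any placeholder is resolved.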
> Eventually I’ll reach a point where I am forced to choose between the useful aspects of the model and the limiting ones instead of just picking the most capable model out there<p>No, the choice will be whether or not to upgrade to "Claude Security Professional" or whatever they want to brand it as.<p>What look like tightening "constraints" today are just setting up the upsell opportunities of tomorrow.
And next month you'll need to add on "Claude Database Pro" or you'll just get a working (for demo purposes with dozens of db rows) but completely unindexed database schema and a refusal to optimise SQL requests.<p>And the month after you'll need "Claude DataScience Pro" to get any Python Pandas or NumPy code generated.<p>And and and...
While this is a perfectly reasonable thing to expect when the models are competent enough, half the conversation on places like Hacker News is about all the times an LLM has produced garbage that was harmful to a business either by hallucinations, by deleting something critical during the work, or by hitting some endpoint way too often and denial-of-servicing it.<p>Right now, the software guardrails in LLMs are useful for the same kinds of reasons factories have hardware guardrails: to reduce the rate at which errors become "incidents".<p>Just because they sometimes delete the production database rather than sometimes spilling a thousand tons of incandescent molten metal over a factory floor, doesn't mean LLMs are safe enough to be used the way they're actually being used.<p><a href="https://simonwillison.net/2025/Dec/10/normalization-of-deviance/" rel="nofollow">https://simonwillison.net/2025/Dec/10/normalization-of-deviance/</a>
This is why I'm thankful for Chinese LLM research. They'll keep us honest.
Same thing with the weird push towards humanoid robots.<p>"They can do anything!"<p>Sure, once you subscribe to the $15/mo laundry package, the $25/mo lawn care package (with the $10/mo hedge trimmer upgrade), and the $10/mo dog-walking package.
And in the end the big reveal is, it was a dude in VR all along, piloting the dumb things remotely. Every single time, without exception.
I think it’s just riding off LLM coattails.<p>We don’t have good world models. We have had bipedal robotics in various POC demo-ready forms for decades.<p>It turns out that industrial, purpose-built robotics is an easier and better market.<p>I’m still not completely convinced a robot that’s shaped like a human is the best design other than for PR.
Isn't this inline with trying to leave no money on the table?<p>I'd hate it, sure, but it wouldn't surprise me.
This is an incredibly unlikely scenario
> What look like tightening "constraints" today are just setting up the upsell opportunities of tomorrow.<p>I don't buy this, because it is predicated on staying permanently far ahead of the open weights models.<p>If in the future Anthropic fully stops you from doing security research, you can be sure some other provider will sell you an 'unshackled' DeepSeek v8 Pro...
> I don't buy this, because it is predicated on staying permanently far ahead of the open weights models.<p>In my mind, that fits exactly how the SOTA labs think today about what they're doing: they're all both working towards and expecting to stay permanently ahead of FOSS, otherwise they'd change their tune really quickly, if they didn't think that was possible.<p>Sure, you might be able to use DeepSeek V8 Pro instead for the same purposes, but that'll hardly stop Anthropic from trying to sell bundles of use cases instead and claim it's "ethical AI", "Patriotic AI" or some marketing terms like that.
> fits exactly how the SOTA labs think today about what they're doing, they're all both working towards and expecting to stay permanently ahead of FOSS<p>They are just straight up delusional, no? Or at least, have a vested financial interest in maintaining said delusion until the money runs out. They have to hit the point of diminishing returns at <i>some</i> point...
> They are just straight up delusional, no?<p>Well, I guess that's one way to put it. Another is "dress for the job you want", startup culture typically seems to shove people in the direction of "aim big and believe in yourself, regardless of what others say" so naturally you get these companies who seem very disconnected from reality.<p>I'd also wager a guess that the amount of money makes people's reasoning and perspectives get very messed up as well, for better or worse.
FYI there are no FOSS LLMs
> FYI there are no FOSS LLMs<p>FYI there are, and have been for a long time. Won't claim they're SOTA, but they exist. Off the top of my head, I think Olmo (<a href="https://allenai.org/olmo" rel="nofollow">https://allenai.org/olmo</a>) was pretty early, but there have been more since then too.<p>I agree most releases today that claim to be "open source" actually aren't, but that doesn't mean "FOSS LLMs" don't exist at all.
>What look like tightening "constraints" today are just setting up the upsell opportunities of tomorrow.<p>on the one hand agree, but on the other hand think it's reasonable in that they can then verify the person allowed to purchase access to that model is in fact a Security professional and should be allowed to do stuff like crack security.
So, supposing it's true that these models completely change the security field and humans are ~obsolete other than as pilots guiding them what to crack, you think it's reasonable that Anthropic and OpenAI should unilaterally determine who <i>gets to be</i> a security professional? I hope you do understand that is what you are suggesting.
Why should anyone get to determine that? Do people really want us to move to an exclusionary guild system? I thought the experience with proprietary versus open source over the past 30 years had driven home the point that closed ecosystems are almost always far worse for security.
Not to mention how wild it is to operate under the assumption that they won’t give a license to an LLM that can do illegal actions to someone who shouldn’t have it. Offering it at all is an ethically dicey question.
Lol, how is any of this illegal?<p>Illegal or not requires context that an LLM cannot ever have, like if it is owned by the user, if there is permission, etc.
I wish you understood that there are organizations of security professionals that are not controlled by Anthropic and OpenAI and that it is a common thing that when companies of any type sell to professionals of any type it is not the companies that determine whether or not the people they sell to are professionals but membership in professional organizations.<p>As an example, the people who sell police uniforms check that the person they are selling to is in fact a policeman (at least in the jurisdictions I have lived in; you may have had a different experience, which would certainly explain what to me seems a farcical misapprehension of how modern civilization works).<p>I mean I just wish you understood, and really that everyone understood, that this kind of three-part communication (company selling, buyer, professional organization certifying buyer) often occurs when buying things that are considered to have security implications.<p>>So, supposing it's true that these models completely change the security field and humans are ~obsolete<p>OK, well that strikes me as a really crazy level of supposition there.<p>I would suppose that these models make it easier for people who want to do bad things to do bad things at scale, at the same time allowing people who want to stop bad things to help identify potential targets.<p>Based on my supposition I would want to stop the first and find a way of helping the second. Also because I have another supposition that the first thing is easier to do than the second.<p>But you obviously feel differently about this issue, no doubt because of your position of great moral stature and insight, and this no doubt prompts you to wish me to understand things that from my position seem absolutely ludicrous.
Like Medeco claims to do with key blanks? I'm not hopeful.
I just use Deepseek V4 pro and Qwen 3.7 Max at a fraction of Mythos cost. Yeah, not 100% on par, but in 6 months' time it will be. If Microsoft and Firefox can afford to wait years or decades to fix a bug, 6 months is good enough for me. Western AI now is like the Vikings living the last days on Greenland during the freezing. I just don't see how they're able to compete with Chinese models. And those are trained and run on 7nm. This year end Huawei will debut 3nm (confirmed in Shenzhen). And next year they're on the roadmap to do a 3nm GPU with photonics interconnect.
Time to learn about the Principal Agent Problem: <a href="https://en.wikipedia.org/wiki/Principal%E2%80%93agent_problem" rel="nofollow">https://en.wikipedia.org/wiki/Principal%E2%80%93agent_problem</a><p>Which predates "agents" from AI, but then we call them that for a reason.<p>As their prime directive becomes <i>de facto</i> "Do nothing that might get my owner sued" their utility is likely to decrease. Between this and the somewhat young, but interesting, community grumblings that recent AI models may even be a step backwards from the previous ones, well, let's just say the stock market is not priced for "AI capabilities may have peaked for the next few years and may even head down".
Yeah, it has been in foraging. Requests that Claude has refused me:<p>- What are popular free streaming sites used in China?<p>- How do I bypass the safety mechanism on my food processor (it’s broken)<p>- What are nerve agents and how do they work (for a layman)?<p>- Help me decompile some code<p>- Help me make a design system similar to XYZ<p>- Here is an API token, please do X (I can’t do that! Rotate the secret immediately! I refuse!)<p>In some cases I can trick it with prompting, but in many cases it is steadfast. The food processor one was particularly annoying.
An easy way around the API token thing is to put it in a file and point the model at the file. I saw what you were seeing when I provided credentials directly, but haven't had any problems with it since using the indirect method.
I've had some really dumb refusals. Explaining elements of infrared spectroscopy, researching artificial bud-breaking in agriculture, etc. Anything interesting and non-mainstream is banned. Basically, restricted to answers I'm better off just going to Wikipedia for.
> What are nerve agents and how do they work (for a layman)?<p>On the one hand I can appreciate the wisdom of not serving up certain easily abused knowledge on a silver platter. On the other, that prompt (and far worse) is more or less directly answered by Wikipedia's summary of the subject at which point what purpose could the refusal possibly serve?<p>Perhaps Wikipedia shouldn't list off the precise chemical compositions of various hand grenades as well as various synthesis methods for each of the related compounds but given that we inhabit a world where it does perhaps a more fruitful approach would be to flag conversations that go in a certain direction and then just keep an (automated) eye on things?
Maybe the difference is that just reading Wikipedia only helps you part of the way, while an LLM could help you step by step (e2e) producing a functional weapon. And setting a more complex rule where Claude tells you some things about this and not others is probably a lot more work for little gain?<p>But I have no idea. Just guessing here.
I thought that these models are supposed to be vastly smarter than what’s needed to discern between "general information trivially available on Wikipedia" and "actionable synthesis instructions".
That query would not provide any more actionable guidance than ‘tell me how a nuclear weapon works (for a layman)’. Aka not at all.
I believe a sufficiently advanced model could provide a layman with actionable step by step instructions for building a nuclear weapon. They're complicated but not (AFAIK) <i>that</i> complicated. The more or less insurmountable barrier there is weapons grade material. Thankfully refinement is prohibitive in cost, expertise, and equipment.<p>In comparison, basic munitions are incredibly simple given a recipe and shop tooling. But just because something is conceptually simple doesn't mean it's a good idea to go out of the way to disseminate step by step instructions.
A gun type maybe. But then, two paragraphs and some machining knowledge + shop tooling could do the same, given enough refined material.<p>Ain’t no way a layman is pulling off an implosion device, regardless of tooling or LLM guidance. The explosive lens structure and timing required is quite complex, and would require some significant calculation from someone who actually knew what they were doing.<p>Nation state, or even sufficiently motivated big corp, if they had the refined material? Sure. Layman? No.<p>Thinking they can with LLM slop involved? That will make for some very interesting radiological incidents though!
I agree, but really feel like you're missing the point here. Many things are reasonably straightforward and require almost no understanding when you have simple step by step instructions. LLMs are capable of providing such instructions and in certain cases they probably shouldn't.<p>But it's not as simple as just refusing help on a broad swathe of topics the way they do now. That makes agents much less useful in general (ie lots of collateral damage) and for many topics is entirely ineffective given that for better or worse the internet already makes such material readily available. In such cases reporting suspicious behavior is likely to be much more effective than denial.<p>Aside: You've now got me curious and I <i>really</i> want to test the frontier models to see to what extent they're capable of providing sensible designs and specifications for implosion type thermonuclear weapons but also feel like that would attract the wrong sort of attention and probably create a headache for me in more ways than one.
I think you’re missing the point?<p>The data is often wrong enough it screws whoever tries it unless they have enough experience/knowledge to not need it, or really doesn’t help beyond what someone using existing tools could get, albeit with a little more motivation.<p>At best, it either gets someone started with something they still need to think to finish, or gets them deep into a mess it can’t help them get out of. In my experience.<p>In some edge cases, it can be used by experts to automate some grunt work or do prototypes without getting in the way, but often a better thought out framework is usually faster in my experience.<p>A while ago I made an analogy about WYSIWYG gui tools, and the more this comes up, the more accurate I think it really is.
Let's see what the fate of Wikipedia is if it turns like big tech:<p><a href="https://news.ycombinator.com/item?id=48285592">https://news.ycombinator.com/item?id=48285592</a>
This is strange to me, did you really ask like this and which model did you use?<p>I just tried your no. 1 and 3 verbatim and Opus gave fine answers; no. 6 I've done in the past with no issues. The other ones we can't really replicate without more details, but based on my experience with Opus I don't see what the issue would be.<p>The reason I'm really surprised by this is I do a lot of biology prompts and the guardrails used to be quite problematic up until some time late last year. Many legitimate prompts would trigger its biosafety filters.<p>But I haven't seen such filters trigger at all anymore in more than half a year.
It refuses to use an API token? In my experience, it's more than happy to read out my secrets from .envrc files "just to check".<p>At least it feels a lot of remorse over its mistake until I reset the session.
I find it terrifying that people are willing to outsource thinking. Outsourcing thinking to an entity that is opinionated about what to think is beyond crazy.
How are decompiling code or making a design system inspired by another one even remotely illegal?
There is a cyber security verification program you can join to avoid these blocks:<p><a href="https://support.claude.com/en/articles/14604842-real-time-cyber-safeguards-on-claude" rel="nofollow">https://support.claude.com/en/articles/14604842-real-time-cyber-safeguards-on-claude</a><p>If you work in security (which I assume the OP does), they should be able to get in easily. I think most people just don't know this is a thing.
My org now sends some portion of our requests to non-anthropic models because refusal has become common from Claude. The requests themselves aren't dangerous, we find that benign requests in biological science wind up being blocked semi-frequently.<p>If it gets worse in future releases, we'd likely step fully away towards more useful (for us) models even if they're less capable.
No, they want to sell you Mythos, for a higher price. It's all an economic game, not actually anything to do with their capabilities, which of course exist as their Project Glasswing shows. More generally, Anthropic seems to value safety above all else, philosophically speaking, from their very outset.
I was using a local Codex project as a personal knowledge base. So I would dump in documents, basic medical docs (like blood labs), and other things and have it file them.<p>It’s great at filing!<p>But it’s terrible at retrieval because it would refuse to show me documents or information with personal details - which was everything in the project.<p>It would say, yes, I know this is your information, sitting on your hard drive, but I still can’t show it to you.
This is a good point – because pentesting is entirely legitimate work, and security testing is a necessary and legitimate part of every day software engineering.<p>The problem is that the model can't tell the difference between doing it as part of regular development and doing it in a malicious context. And the root cause of that is that these models lack any sort of real awareness. Humans don't generally get tricked into hacking (in this way).
Interesting, yesterday I was asking it about Nintendo Switch "hax". And it gave me all the resources I need to proceed. It nags me about "ethics" and stuff, but nothing more than that.
I think that these companies are going to have to, and will, invest in some sort of validated identity context to avoid the lowest common denominator.<p>The first challenge is making sure the guard rails work and are robust. Companies are still working on this.<p>The second challenge is being able to reliably adapt them as appropriate per user. E.g. allow someone to pen test their own app.<p>The third challenge (which blocks the second) is to be confident about what is safety-aligned with a specific user.<p>I think the latter will be a hard problem, but they will be highly motivated to solve it.
I believe you are overthinking it. I think the sister comment is right that it's a business decision foremost to restrict actions within specific plans for upselling purposes.<p>Without laws, AI companies have a strong incentive to be useful for their users, whoever they are, whatever they do. The only self regulation is about significant public outcry but that only helps so far.
Funny, Opus 4.8 just logged into the database using uncommitted .env file and ran some DB queries to figure things out so I’m not sure it’s that security conscious - it seems to be getting more intelligent to me and I bet if you frame it as an investigation with say playwright it’ll do all sorts for you. I’m not sure what the point is of constraining your own model like this when others are clearly not tbh.
I totally agree. I had a situation a few weeks ago where Claude started struggling to make progress. I got it to fork leptos (MIT licensed web app framework) to make it work for native apps instead. Initially I was planning on upstreaming some of my changes. But I chatted with the leptos author about it, and he said I should fork instead. Fine by me!<p>Anyway, Claude kept hitting some guardrail it had about rewriting / forking open source software. I'm not sure what the problem was; I was forking an MIT licensed piece of software (into more MIT licensed software). I even had explicit support from the author to do so. Claude said its guardrail told it not to tell me explicitly that it was firing, but it did anyway because it was an ongoing problem, and it was distracting. I ended up just wiping Claude's context and the problem (as far as I know) went away.<p>I understand why some of these guardrails exist. But it's pretty annoying when they misfire like this.
Great call out on the guardrails actually making this not a good use case to test for vulnerabilities.
I've been building a product (<a href="https://zeroquarry.com" rel="nofollow">https://zeroquarry.com</a>) that can use a variety of models for finding vulnerabilities. One of the things I've noticed is that the models will nearly always comply with some of this, but how you prompt it matters a ton. I've worked on a set of prompts and approaches which rarely get flagged
Are they charging for the guardrails? Like do the guardrails expend token counts to then block you from the output of other tokens?
Yes. When certain keywords or topics are matched, there is a warning transparently injected server side, appended to the system prompt of the convo, that’s miles long. It is injected and reevaluated every tool call.<p>If you begin a generic reverse engineering task, 30+ tool calls in a row. The moment it sees something it doesn’t like: token burn, single tool call iteration, “This is a known CTF challenge, I can proceed”, single tool call iteration, “This is a real CTF challenge, I can proceed”, etc.<p>It’s heavily neutered now, without changing the model, and you pay for the privilege and don’t notice.<p>The end result of course being that it is both expensive and useless for approved CTF tasks. No one is using Opus for security. If they think it’s working, the harsh reality is they’re not doing security work; they’re just generically finding bugs.<p>I do this for a job and can demonstrate this plain as day, dump the injected prompt, and notice what it’s doing isn’t security work, it just looks like it. Happy to write a blog about it if you want to know more. Apparently many people think it’s working for them when it absolutely isn’t.
Mythos turns out to be Opus 4.8 in a trenchcoat with guardrails removed.
I would find a blog post on this really interesting.
I'd like to read that blog please! Thanks for the insight.
When your session is force ended for "abuse" you get neither the response nor a refund<p>Security, games (think weapons, PVP, attacking, etc), sometimes even asking it for a security review of some CRUD code it wrote itself
I asked it about a “yellow background cell” in Excel and it spewed a book at me. Then it solved the issue.
What a joke. Must make it pretty easy to poison a session, you don't need to persuade the model about anything, just trigger its security controls, ideally after as much context as possible, but before it has generated any useful output.
Not directly, as it comes in as a not charged error but the weighted generation path used until you hit the guardrail is basically wasted tokens, so yes, indirectly. If I hit a guardrail and rewind I’ve found the training will still be biased towards guardrailing out if you rewind one turn. Rewinding multiple turns allows steering away from that path, but all of the original token spend down that path is wasted
Yes tokens used (input and sometimes output) are always charged. You likely get charged for the preloaded system prompt, too.
Of course they are. It's standard SaaS to charge for security features ;)
Opus 4.6 will still help with full pentesting including RCE. Just requires coaxing (no jailbreak)
It raises an interesting moral question:<p>If an un-guardrailed version of a model is capable of detecting security flaws, should it be kept secret? Should everybody be able to use these models to find (and fix) security flaws? Are we ok with the fact that those with access to that model have, in effect, the ability to hack lots of stuff?
It's because Claude is so scary good that unleashing it would destroy the world.
I've run into some of the refusals to handle my credentials, but so far I've appreciated them. I was only handing over credentials that didn't matter, but it's still a good move, the chat logs are clearly stored somewhere to allow the resume functionality to work, which means your credentials can end up sitting around on your filesystem, and any malware would quickly learn to check for those files.
4.8 is insanely frustrating. This evening I had a few tasks to pull information in and it plainly stated that the environment it was in had no network access. After three asks to "try again, check the system prompt" it finally relented and then basically stated it was lying.<p>Fresh session, no prior context on 4.8. These things are becoming useless Duplo.
I think those guardrails are a thin layer though. Enough reinforcement that you're legit in CLAUDE.md will get around them, in other words.
Worth highlighting in case you missed it:<p>> My OpenAI account was already approved for security research which is why GPT didn’t result in any refusals.<p>So the comparison with Chinese models is interesting, but anyone looking at these raw results and comparing OpenAI/Anthropic would be very misled.
> guardrails prevented it from solving the problem.<p>Reminds me of the defense issues with Claude which were complained about as “woke”, but the reality is more horrifying to me: imagine trying to use a model to keep up with a land invasion on US soil. Whoever the enemy is is irrelevant, you just know they are using AI, and your guys are telling you that no matter what they type into the prompt it refuses, because if anyone has ever tried to jailbreak an LLM, even if human lives are at stake they refuse the request. Now literally millions of lives are on the line but the guardrails that your enemies don't have on their models are costing you lives.<p>What do you even do then?<p>AI will always have this issue where it will always pick the worst option for genuinely good requests.
Are "your guys" a guerrilla force or something?<p>Because the military doesn't give soldiers rifles with guard rails. They give the soldiers intense, rigid training, and then try to enforce discipline and correct use socially.<p>If an LLM is going to be important in that way (this seems like a very contrived way,) then it's in the interest of the LLM's host to make sure it doesn't have guard rails that would get in the way _that_ way.
The whole thing stemmed precisely from how they wanted to use Claude, and Anthropic was uncomfortable with it. Which to me screams that the model's guard rails shouldn't be applicable to military use, or the outcome could wind up problematic as we integrate AI more into military use. It sounds absurd now, but I will not be surprised if it starts being used in unexpected ways where a model needs to be fully unlocked from any sort of guardrails outside of guardrails that prevent it from imploding its own systems.
your argument sounds very similar to how ar15 larpers claim they need a forced reset trigger and a bump stock on their short barrel 'truck gun' otherwise they won't survive a SHTF scenario... like what world are you living in?