
"Claude Fable 5 is Currently Unavailable": and That Isn't Even the Worst News
Alexey Murkaev, CTO of Green Light Uzbekistan, on the problems of information security in the age of AI
A few days ago I opened a work tool and noticed a notification: "Claude Fable 5 is currently unavailable". Below it, a "Learn More" link. I clicked, and what opened up took a long time to work through: a statement from Anthropic, a government order, the market's reaction, statistics on what the new models can do, data on real-world attacks. Having worked at a system integrator for almost 15 years now, including on the information security side, I decided to share my thoughts. There will be no post-mortem of a specific incident here, but we will talk about what stands behind it and what it means for your company.
A brief word on the cast
Let's start with the context — the three models everything revolves around:
- Mythos (Anthropic, April 2026) — a vulnerability-finding model so powerful that the company chose not to release it publicly. Access went to a narrow circle: more than 100 organizations, among them AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, NVIDIA, JPMorgan. In a matter of weeks these partners found more than 10,000 critical vulnerabilities in their own systems.
- Fable (Anthropic, June 2026) — the public version on the same engine, but with limiters: on sensitive cyber and bio requests it "falls back" to a weaker model. It was Fable 5 that was switched off by government order — for the very ability to find vulnerabilities in code, which the regulator deemed too dangerous for open access.
- GPT-5.5 (OpenAI, April 2026) — officially classified as "high" on cyber capability. In internal end-to-end exercises in emulated networks it passes 93% of scenarios — against 73% for the version six months earlier. And in independent testing by the UK's AI Security Institute it ran, on its own from start to finish, a 32-step attack scenario against a corporate network that experts estimated at roughly 20 hours of a specialist's manual work. So far in two cases out of ten, but the testers noted a detail more important than the result itself: the more compute the model was given, the higher the success rate climbed. What limits the machine is not capability but the amount of compute thrown at the task. And the further this goes, the cheaper it gets to add more.
All three models have the ability to identify vulnerabilities at industrial scale. And that ability turned out to be so powerful that companies are closing public access to their own products. When a tool provokes that kind of reaction from the people who built it, that is a signal worth reading correctly.
The attack has gone industrial
Until recently, a serious cyberattack required a serious team of attackers. Finding vulnerabilities in a corporate network was the work of qualified specialists: several days or weeks of analysis, manual work, accumulated experience. That created a natural barrier, but right now it is disappearing before our eyes.
The figures cited above are not vendor marketing but capabilities recorded in technical documentation. All that is left is to state the fact: what took an expert days and weeks, AI does in hours, in parallel and at scale. Rare expertise is turning into an automated operation, which means the search for weak spots in your infrastructure is no longer limited by the number of qualified attackers: now it all comes down to compute.
An example from reality
In the summer of 2023, the Chinese group Storm-0558 penetrated Microsoft's cloud email infrastructure and spent about a month quietly reading the correspondence of the U.S. Department of State and the Department of Commerce. The hackers stole around 60,000 emails, and among the compromised mailboxes was the account of the Secretary of Commerce. A specialized board under the Department of Homeland Security later characterized this breach as "preventable".
This happened before the AI models of the current generation appeared. Even without using them, the attackers managed to stay unnoticed inside the systems of the world's largest economy for a month. Now imagine a hacker with a tool that passes 93% of attack scenarios without a human involved…
The paradox regulators have yet to solve
The regulator acts on an understandable logic: organizations protecting critical infrastructure, the financial system and citizens' data must use certified, vetted tools. The goal is justified, but the certificate is issued for a tool that existed a year and a half or two years ago, while AI today develops not by years but by weeks. What looked like futurism in the autumn of 2025 had become a standard working instrument by the spring of 2026. By the time a defender earns the right to use an approved solution, the attacker is already working with what shipped three releases later.
That is where the main contradiction lies: the most advanced AI capabilities live in the cloud, in the infrastructure of technology giants, access to which states increasingly seek to restrict for the sake of data sovereignty and control. But this caution has a flip side: the more tightly an organization and a state close themselves inside their own perimeter, and the more warily they treat cloud AI solutions, the less access they have to the most powerful tools of defense. The attacker, meanwhile, is constrained by no perimeter at all.
So, in trying to keep data out of the cloud, the regulator deprives the defender of a cloud weapon and does nothing whatsoever to hinder the party it is defending against. Caution conceived as a shield turns, over time, into a breach. Clearly this is not the problem of one country or a particular region but a structural asymmetry built into the very logic of regulation. It works the same way in Central Asia, in Europe, in the U.S., and in other states commonly considered benchmarks of digital maturity.
Where most organizations actually stand
External events are the context, but the real vulnerability sits inside the organizations themselves. And here the picture, regardless of geography, repeats itself with remarkable precision.
- The information security function is overloaded and understaffed. Often it is one or two people who at the same time select the solutions, implement them, work through the event streams and support everything that has been installed. Where a team does exist, it is occupied above all with policies, reporting and meeting formal requirements. Practitioners capable of genuinely standing up to an attack and developing the defense are in critically short supply.
- Solutions are chosen slowly, and implemented more slowly still. Supporting and updating systems already in place is a rare discipline. Threats are closed reactively, after the fact of an incident.
- The gap between management and reality. Imagine a CFO making decisions about insurance without understanding what exactly is being insured. That is precisely how most organizations make decisions about information security — slowly, formally, or not at all.
Cybersecurity is one of the few areas where a manager is expected to make decisions but is not given a clear language in which those decisions are made. Finance, law and operations learned long ago to speak to top management in the language of numbers and risks. Information security — almost never.
As a result the manager ends up in a position he cannot win: he is asked to approve a budget for something whose consequences he cannot assess. The natural reaction is either to take it on trust or to postpone the conversation. Neither brings anyone closer to being protected.
The other half of the problem is on the side of the security specialists themselves: the information security specialist speaks the language of technology — SIEM, EDR, event correlation. But what is needed is the language of business and losses: how many days of downtime, what fines from the regulator, what reputational damage. As a result the conversation that ought to take place at board level stays inside the technical department, and the budget gets approved on the principle of "something for security".
According to the U.S. Government Accountability Office, agencies have been issued more than 4,000 recommendations on cybersecurity since 2010. By February 2026, over 730 of them remained unimplemented. Of five ministries audited, only one had fully adopted key workforce management practices in information security. This is the state with the largest technology and defense budget in the world. It is worth asking honestly: how do things stand in the organizations of our region?
Four questions worth asking your security leadership right now
This piece is not about technology, so the questions are not technical either. They are for those who make the decisions:
1. "If we are attacked tonight, how many hours will it take us to find out?"
If the answer is uncertain or there is no answer — that is a signal not to buy a new tool but first to work out why the existing monitoring systems do not provide that answer (if they exist at all). An audit of the current state of threat detection is the first step, and it requires no procurement budget.
2. "What happens to our business if key systems go down for 48 hours?"
This is a question not for the security department but for the COO and the CFO. If there is no specific answer in terms of money and processes, then no business impact analysis has been done. Without it, any decisions about security are made blind.
3. "Which specific employee in our organization bears personal responsibility for information security?"
If the answer is vague, then there is no real responsibility. No one accountable — no priority — no resources — no protection. Appointing a specific person with authority, a budget and direct access to the chief executive is a management decision that can be taken in a single day.
4. "When did we last test the real resilience of our infrastructure not on paper, but by the hands of an external team with a real objective?"
If the answer is "never" or "a long time ago" — that is the starting point. An independent penetration test gives a real picture within a few weeks. It works not on paper but as a management instrument: you will see exactly where the weak spot is and get the grounds for specific decisions.
In place of a conclusion
With the arrival of AI, the arms race in cybersecurity has moved into another league. Attack and defense tools are now updated every few weeks, and accordingly, falling one cycle behind means more than a technical inconvenience. It means the attacker sees what you do not. In this reality the tool has become one of the key factors deciding the outcome. But a tool without people who know how to use it, and without processes that turn what is found into what is fixed, creates something more dangerous than a vulnerability: it creates a confidence in being protected that does not exist.
That is why, in our era, successfully protecting a company's information assets rests on two supports. The first is modern security solutions with AI functionality. The second, and more important, is the ability to react fast enough that the damage stays manageable and does not turn into a catastrophe.