
Key facts.
- Constitutional Classifiers reduced jailbreak success from 86% to 4.4%, strong but non-zero (Anthropic, 2025).
- The accepted posture for prompt injection is defense in depth, because no single filter or classifier fully separates instructions from data.
- Layering input sanitization, output filtering, classifiers, and action gating compounds the reduction while containment bounds the residual.
If one strong classifier gets to 4.4%, why add more?
Because 4.4% of a high-volume production system is still many successful attacks, and the residual is exactly the set that beat your best single layer. Adding independent layers reduces the rate multiplicatively, and the decisive layer is containment: even a successful injection is harmless if it cannot reach an exfiltration channel or an irreversible action. The goal shifts from "stop every injection," which is unachievable, to "make a successful injection unable to do damage," which is.

Single layer vs. defense in depth
| Single layer | Defense in depth |
|---|---|
| One classifier, 4.4% residual | Layers compound the reduction |
| Residual reaches dangerous actions | Containment neutralizes the residual |
| One bypass equals a breach | One bypass hits the next layer |
Constitutional Classifiers cut jailbreaks 86% to 4.4%, not zero, and a better model won't close it, BFCL near 77%, so layers absorb the residual incident. (arXiv:2501.18837)
VibeModel's Pattern Intelligence Layer is the containment layer in this stack. We recognize the behavioral pattern of a successful injection and stop the damaging action, so the residual that beats your filters and classifiers still cannot hurt you. Build the layers; we hold the line behind them.
Frequently asked questions
Is 4.4% acceptable in production?
Not on its own at scale. Pair the classifier with action gating so the 4.4% that succeeds cannot reach anything irreversible.
Which layer matters most?
Containment. Reducing the rate helps, but bounding what a successful attack can do is what prevents the disaster.

