Back to Blog Listing

What can we learn about GEO from Claude Fable 5's leaked system prompt?

Tom Fry

Tom Fry

Anthropic's Claude

At what point does a frontier model stop trusting its own training and start searching the web for your brand? Fable 5's (alleged) leaked system prompt might just give us enough insight to help answer that hugely important question — if you care about GEO strategy, it's required reading!

Here's the background: A researcher has reportedly broken through Claude Fable 5's safety classifiers and pulled out the model's entire system prompt (CyberSecurityNews, "Anthropic's Claude Fable 5 Jailbroken"). Roughly 120,000 characters of standing instructions that Anthropic gives the model before a single message is exchanged. It's all fascinating reading but one section stands out for anyone working on GEO. It is called search_instructions, and it lays out, in the model's own rules, how and when Claude leans on its training and when it goes to the web for a citation instead. It's a decision that has big implications for whether your brand shows up in AI answers at all.

Where the model draws its line

The prompt splits information into two buckets. The first is settled knowledge: historical facts, scientific principles, foundational definitions, events that are over and done with. The model answers those straight from training and triggers no search. The second is current state: who holds a role right now, which policies are live, what products exist today, what was announced recently. For anything in that second bucket the model is told to search even when it believes it already knows, because the odds of a stale answer are too high.

The instruction itself is plain: "For queries about current state that could have changed since the knowledge cutoff date — who holds a position, what policies are in effect, what exists now — search to verify."

The model treats that as a requirement rather than a nudge, and the line it draws between settled and current information is exactly where your AI Visibility is won or lost.

Unknowns trigger a search, and every launch is an unknown

The passage with the most direct bearing on brand strategy is the one the prompt labels the "UNRECOGNIZED ENTITY RULE": "Claude MUST use [search] before answering about any game, film, show, book, album, product release, menu item, or sports event that Claude does not recognize. An unfamiliar capitalized word is almost certainly a name that postdates training." Notice what made the list: "product release". The model is not allowed to improvise on something it doesn't recognise. It has to go and look.

For a younger brand, that is quietly good news. If your company, your product or your category language isn't already baked into Claude's training, the model looks you up every time a buyer asks, which means your ICP meets the web-facing version of you first: earned coverage, press releases in credible outlets, journalist-written features. The version of you that lives in published third-party reporting is the version the model reads back.

The rule catches brands that are anything but unknown, too, through a follow-on clause: "Knowing a franchise, author, or series is NOT knowing their new release." Your latest launch, funding round, feature or rebrand is, by definition, something that postdates the model's training. Claude cannot answer about it from memory, because the memory isn't there yet. It has to search, and it surfaces whatever credible coverage exists. Announce well and get the trade press to pick it up, and that coverage becomes the model's answer about your news. Leave it uncovered, and the model either admits it doesn't know or falls back to whatever thin, low-authority mentions it can scrape together. Your launch PR is, in a very literal sense, writing the AI's answer for you.

How hard the model looks scales with the question

The search_instructions don't only decide whether to search. They decide how much to search, telling the model to match its effort to the difficulty of the question. A settled or trivial question gets answered straight from training, no search at all. A simple current-state lookup, such as who runs a company now or what a product costs today, gets a single search. A harder, multi-part or comparative question prompts the model to run several searches in sequence, gathering and cross-checking sources before it commits to an answer.

That scaling is where the commercial stakes really sit, because the questions worth most to your business are the complex ones. "Best [category] platform for enterprise", "X versus Y", "is X worth it for a team our size": these are buying-intent queries, and they are exactly the ones that send the model on its deepest search. It pulls in more sources, weighs them against each other, and leans on the brands that show up again and again across independent, credible coverage.

So the implication for brands is deeper than "do some PR". A thin footprint, a single press release or a couple of stray mentions, might be enough to surface on a simple "who is X" query. It will struggle on the high-value comparison query, where the model casts a wider net and trusts what it can corroborate across several sources. Winning those questions takes a body of authoritative, consistent coverage deep enough that when the model runs three, four or five searches on a buying-intent prompt, your brand keeps reappearing. Corroboration across multiple credible sources is what survives a deep search, and a deep search is what your most valuable buyers set off.

The prompt even names the linguistic signals that force a search: "current", "still", "now", "today", and present-tense phrasing about anything that might have changed. That list maps almost perfectly onto how B2B buyers actually research. Nobody asks who founded a company in 2019. They ask whether it is still the market leader, who runs it now, what it charges for enterprise today. Every one of those phrasings forces a live search.

What stays fixed in training data is the definitional and the historical, the material that never gets refreshed. So the highest-value AI Visibility work has little to do with polishing your Wikipedia entry and almost everything to do with keeping a steady, high-authority presence across the web, so there is something credible to find when the model comes looking for your current state.

Why a placed article can outrank your own white paper

The prompt is blunt about which sources win at retrieval: "Favor original sources (company blogs, peer-reviewed papers, gov sites, SEC) over aggregators and secondary sources. Find the highest-quality original sources. Skip low-quality sources like forums unless specifically relevant."

Two details reward a second look. Company blogs make the preferred list, so owned content on an authoritative domain still counts for plenty. And because the model weights "original sources" by quality, a 600-word article in a high-authority title can beat a 10,000-word white paper sitting on a weak one. Agentcy has the numbers to prove it: a single press release placed in a high-authority publication was cited 37 times across AI responses. The same brand's 10,000-word white paper on its own website managed just 8.

The system prompt shows the mechanism behind that gap. The model is not choosing between sources at random; it is following an explicit instruction to weight authority by where the information originated. A trade byline, a reporter-written feature, a placement in a high-DA outlet: those become the citations the model serves when your buyer asks about your category.

Why cadence beats the occasional blockbuster

For fast-moving topics, the prompt tells the model to "lead with most recent info, prioritise sources from the past month." The operational consequence lands awkwardly for a lot of marketing teams: cadence counts for as much as the occasional headline placement. A brand that ships one major piece a quarter will steadily lose ground in AI answers to one that keeps up a regular drumbeat, even when the individual pieces are less impressive.

SEO teams learned a version of this a decade ago with content-freshness signals. What has changed is where the freshness signal now lives: the publication date of external coverage you don't control, rather than a crawl timestamp on your own pages. You can't fake it by re-saving a page. You have to keep earning the placements.

Two layers, two jobs

Put it together and the search_instructions section describes a model working across two layers. One is the training layer, home to the settled, historical and definitional material. The other is the live-search layer, which covers current state, unfamiliar entities and recent developments. Your brand needs a credible presence in both, and the work that builds each one is different.

You earn the training layer slowly, over years: defining your category, getting cited in the publications that feed model training, owning the language buyers reach for when they describe the problem you solve. It takes patience, and it compounds.

You earn the live-search layer continuously, through PR. Press releases landing in high-authority outlets. Executive commentary journalists actually pick up. Product news that surfaces in the trade press. That is what the model retrieves when a buyer asks about you today, and it comes from what credible third parties have published recently rather than the copy on your homepage.

So the brands that come to dominate AI answers will be the ones with the most authoritative presence off their own domain: consistent, current and genuinely earned. The size of your content library barely comes into it. Call it PR-Ops rather than SEO; the leaked prompt has simply put the reasoning on paper.

Sources

Reporting on the leak: (CyberSecurityNews, "Anthropic's Claude Fable 5 Jailbroken"). The leaked system prompt itself was posted to a third-party repository: (GitHub, "Claude Fable 5 system prompt (CL4R1T4S)").

A note on that second link. It points to an unofficial, jailbroken copy of Claude Fable 5's system prompt hosted on a third-party GitHub repository. Anthropic has not published or verified it, its contents may be incomplete, altered or inaccurate, and we link to it for transparency rather than endorsement. Treat it as unverified and read it at your own discretion.