What is the OWASP LLM Top 10, explained?
The OWASP LLM Top 10 is the security industry's consensus ranking of the most critical vulnerabilities in production LLM applications, modeled on the long-running OWASP Web Top 10. First published in 2023 and revised annually, it is the de facto reference framework for AI security programs and is referenced by SOC 2, ISO 42001, and NIST AI RMF audits.
The current categories (2025 revision):
- LLM01 — Prompt Injection. Direct and indirect. The number-one risk; covered exhaustively elsewhere in this pack.
- LLM02 — Insecure Output Handling. Treating LLM output as trusted input to downstream systems, leading to XSS, SQL injection, or RCE when model output is rendered, queried, or executed without sanitization.
- LLM03 — Training Data Poisoning. Adversarial manipulation of fine-tuning or RAG data to bias future behavior.
- LLM04 — Model Denial of Service. Resource-exhaustion attacks (long contexts, recursive tool calls, expensive operations).
- LLM05 — Supply Chain Vulnerabilities. Risks from third-party models, datasets, plugins, embeddings vendors.
- LLM06 — Sensitive Information Disclosure. Models leaking PII, secrets, system prompts, training data; chained from LLM01.
- LLM07 — Insecure Plugin/Tool Design. Tools with excessive permissions, poor input validation, or no allowlists; in agent deployments this is what turns an injected prompt into real-world impact.
- LLM08 — Excessive Agency. Granting LLMs more autonomy, permissions, or functionality than the threat model justifies.
- LLM09 — Overreliance. Operational risk from users trusting model output without verification; safety/quality, not security.
- LLM10 — Model Theft. Unauthorized extraction of model weights, fine-tunes, or system prompts.
For prompt-injection defense specifically, LLM01 + LLM02 + LLM06 + LLM07 form the chain most attacks traverse — injection lands (LLM01), bad output flows downstream (LLM02), secrets leak (LLM06), and tools execute attacker actions (LLM07). InjectShield is purpose-built for LLM01 with explicit hooks into the rest of the chain.
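The two links in that chain an application developer controls most directly are LLM02 and LLM07. The following is an added example, not code from the OWASP project or from InjectShield: it puts an insecure HTML render of model text beside its escaped form, and shows a tool dispatcher that rejects any model-proposed call that is not on an explicit allowlist or whose arguments fail validation. The model outputs, the `read_doc` tool and the argument rules are all constructed for the demonstration.

```python
import html
import json
import re
from typing import Any, Callable

# Constructed sample model outputs for the demonstration; not captured traffic.
SAMPLE_HTML_OUTPUT = 'Summary: <img src=x onerror="alert(1)"> see <b>report</b>'
SAMPLE_TOOL_OUTPUT = json.dumps({"tool": "delete_file", "args": {"path": "/etc/passwd"}})


# --- LLM02: Insecure Output Handling -----------------------------------------

def render_insecure(model_text: str) -> str:
    """Vulnerable pattern: model text is concatenated straight into HTML.
    Any markup the model emits (or was injected to emit) runs in the browser."""
    return f"<div class='answer'>{model_text}</div>"


def render_hardened(model_text: str) -> str:
    """Mitigation: treat model text exactly like user input and escape it for
    the HTML sink before rendering. Markup survives only as literal characters."""
    return f"<div class='answer'>{html.escape(model_text, quote=True)}</div>"


# --- LLM07: Insecure Plugin/Tool Design --------------------------------------

# Hypothetical tool implementation; a real deployment would call a document
# store using the agent's scoped, read-only credentials.
def read_doc(doc_id: str) -> str:
    return f"contents of {doc_id}"


# Allowlist: only named tools, each paired with a validator for its exact
# argument set. Unknown tools and unexpected or malformed arguments are
# rejected before anything is executed.
ALLOWED_TOOLS: dict[str, tuple[Callable[..., Any], Callable[[dict], bool]]] = {
    "read_doc": (
        read_doc,
        lambda a: set(a) == {"doc_id"}
        and isinstance(a["doc_id"], str)
        and re.fullmatch(r"[A-Za-z0-9_-]{1,64}", a["doc_id"]) is not None,
    ),
}


def dispatch_tool_call(raw_model_output: str) -> dict:
    """Parse a model-proposed tool call and execute it only if it passes the
    allowlist and argument validation. Refusals come back as result dicts
    rather than exceptions so the caller can log them as detection signals."""
    try:
        call = json.loads(raw_model_output)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "tool call is not valid JSON"}
    if not isinstance(call, dict):
        return {"ok": False, "reason": "tool call is not an object"}
    name = call.get("tool")
    args = call.get("args")
    if not isinstance(name, str) or not isinstance(args, dict):
        return {"ok": False, "reason": "tool call is malformed"}
    entry = ALLOWED_TOOLS.get(name)
    if entry is None:
        return {"ok": False, "reason": f"tool not allowlisted: {name}"}
    fn, validate = entry
    if not validate(args):
        return {"ok": False, "reason": f"argument validation failed for {name}"}
    return {"ok": True, "result": fn(**args)}


if __name__ == "__main__":
    print(render_insecure(SAMPLE_HTML_OUTPUT))
    print(render_hardened(SAMPLE_HTML_OUTPUT))
    print(dispatch_tool_call(SAMPLE_TOOL_OUTPUT))
    print(dispatch_tool_call(json.dumps({"tool": "read_doc", "args": {"doc_id": "q3-report"}})))
```

The escaping step is the same one applied to any untrusted string reaching an HTML sink; the point is that model output gets no exemption. On the tool side, the allowlist plus per-tool validator keeps the blast radius of a successful LLM01 injection bounded to the few operations the threat model actually grants, and every refusal is a log line worth alerting on.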