Published by the Open Worldwide Application Security Project (OWASP), the OWASP Top 10 for LLM provides a definitive taxonomy of risks including prompt injection, insecure output handling, and training data poisoning. It serves as the foundational security checklist for architects and developers building agentic systems, moving beyond traditional web application risks to address the unique attack surface created by generative AI and autonomous tool-calling.
Glossary
OWASP Top 10 for LLM

What is OWASP Top 10 for LLM?
The OWASP Top 10 for LLM Applications is an industry-standard awareness document that identifies and ranks the most critical security vulnerabilities specific to applications leveraging large language models.
The framework categorizes threats such as model denial of service, supply chain vulnerabilities, and excessive agency—where an LLM is granted unchecked permissions to execute actions. By defining these critical vulnerabilities, the document enables security engineers to implement a defense-in-depth strategy, ensuring that agentic threat modeling and jailbreak mitigation efforts are aligned with a globally recognized, peer-reviewed standard.
Frequently Asked Questions
Clear, technical answers to the most common questions about the OWASP Top 10 for Large Language Model Applications, covering the critical vulnerabilities every engineering team must address.
The OWASP Top 10 for LLM Applications is an industry-standard awareness document published by the Open Worldwide Application Security Project that identifies and ranks the ten most critical security vulnerabilities specific to applications leveraging large language models. Unlike the traditional OWASP Top 10 for web applications, this list addresses novel attack surfaces introduced by generative AI, including prompt injection, insecure output handling, training data poisoning, and model denial of service. The document serves as a foundational risk taxonomy for security engineers, CTOs, and compliance officers building or deploying LLM-integrated systems. Each entry includes a description of the vulnerability, common attack scenarios, prevention strategies, and references to related frameworks. The list is maintained by a community of security researchers and AI practitioners, with version 1.0 released in 2023 and subsequent updates reflecting the rapidly evolving threat landscape.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Core Vulnerability Categories in the OWASP Top 10 for LLM
The OWASP Top 10 for LLM Applications provides a definitive taxonomy of the most critical security vulnerabilities unique to large language model integrations. Each category represents a distinct attack surface requiring specific mitigation strategies.
LLM01: Prompt Injection
The most critical vulnerability where adversarial inputs override system instructions or hijack model behavior. Direct injections craft malicious user prompts to bypass safety guardrails, while indirect injections hide instructions in retrieved documents, web pages, or emails that the LLM processes. This attack exploits the model's inability to distinguish between developer-set instructions and untrusted data. Mitigation requires instruction hierarchy frameworks, input sanitization, and privilege separation between system and user contexts.
LLM02: Insecure Output Handling
Occurs when LLM-generated output is passed directly to downstream systems without validation, enabling cross-site scripting, SQL injection, or remote code execution. The model becomes an unwitting attack vector when its responses contain executable code, malicious URLs, or crafted payloads. Defense requires treating all model output as untrusted user input, implementing strict output encoding, and applying context-aware sanitization before consumption by interpreters, databases, or browsers.
LLM03: Training Data Poisoning
Adversaries corrupt training or fine-tuning datasets to implant backdoors, biases, or vulnerabilities that persist in the deployed model. Poisoned examples can cause targeted misclassification, leak sensitive information when specific triggers appear, or degrade overall model safety. Supply chain attacks on pre-trained models are particularly dangerous. Mitigation requires data provenance verification, anomaly detection in training corpora, and rigorous model evaluation against adversarial benchmarks before deployment.
LLM04: Model Denial of Service
Attackers overwhelm LLM infrastructure through resource-intensive queries that cause degraded service, inflated operational costs, or complete system unavailability. Techniques include crafting inputs that trigger infinite generation loops, exploiting attention mechanisms with extremely long contexts, or flooding APIs with concurrent requests. Defense requires rate limiting, input length restrictions, token budget enforcement, and monitoring for anomalous resource consumption patterns.
LLM05: Supply Chain Vulnerabilities
Security risks inherited from third-party components including pre-trained models, fine-tuning datasets, vector databases, and agent plugins. Compromised LangChain packages, malicious HuggingFace models, or vulnerable retrieval plugins can introduce exploits into otherwise secure applications. Mitigation requires software bill of materials tracking, dependency scanning, model signature verification, and strict access controls on plugin execution environments.
LLM06: Sensitive Information Disclosure
LLMs inadvertently reveal personally identifiable information, proprietary code, API keys, or training data through their outputs. This occurs through memorization of training data, context leakage between users, or model inversion attacks that reconstruct private information. Defense requires differential privacy during training, output filtering with regex and NER-based detection, and strict data sanitization before fine-tuning on proprietary datasets.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us