As organizations rush LLM features into production, they are shipping an attack surface that traditional security testing does not cover. The OWASP Top 10 for LLM Applications is the reference framework for that new surface, the shared language for the risks specific to generative AI. Here is what each risk means in plain terms, and how it shows up in real AI/ML penetration testing.
Why LLM apps need their own Top 10
An LLM does not distinguish between the developer’s instructions and an attacker’s input. To the model, it is all just text in the context window. Add tools the model can call and data sources it can read, and you get failure modes that no web application checklist anticipates. The OWASP LLM Top 10 names them.
The ten risks
1. Prompt injection. Crafted input that manipulates the model into ignoring its instructions or guardrails. It comes in two forms: direct (the user types it) and indirect prompt injection (the model reads it from a document, web page, or email it ingests). This is the defining risk of LLM security.
2. Sensitive information disclosure. The model reveals training data, system prompts, secrets, or another user’s context through its output. Often triggered by prompt injection or weak output filtering.
3. Supply chain vulnerabilities. Risks inherited from third-party models, datasets, plugins, and libraries, a poisoned or compromised component upstream becomes your problem downstream.
4. Data and model poisoning. Manipulating training or fine-tuning data (or a RAG knowledge base) to plant backdoors or bias the model’s behavior toward the attacker’s goal.
5. Improper output handling. Treating model output as trusted and passing it, unvalidated, into downstream systems, where it can drive cross-site scripting, SQL injection, or unsafe code execution. The model becomes an injection vector.
6. Excessive agency. Giving the model too much autonomy, too many tools, or too broad permissions, so that a manipulated model can take real, damaging actions (send email, move money, modify records) rather than just produce text.
7. System prompt leakage. Exposure of the system prompt, which often contains instructions, logic, or secrets the developer assumed were hidden. Attackers use it to understand and bypass your guardrails.
8. Vector and embedding weaknesses. Flaws in the retrieval (RAG) layer, poisoning the vector store, retrieval abuse, or weak access control on the data sources the model draws from.
9. Misinformation. The model produces confident, plausible, and wrong output that users trust and act on. A safety and reliability risk as much as a security one.
10. Unbounded consumption. Resource abuse, from denial-of-service through expensive queries to model-extraction attacks that clone your model’s behavior through excessive querying.
How to test against it
Reading the list is not the same as knowing where you stand. A meaningful AI/ML penetration test works through these risks against your actual system:
- Attempts direct and indirect prompt injection against your production guardrails
- Tries to extract the system prompt, secrets, and other users’ data
- Maps every tool the model can call and tests for excessive agency and unsafe output handling
- Probes the RAG pipeline for poisoning and retrieval abuse
- And remembers that the AI feature still sits inside a normal app that needs conventional web application and API testing too
Use it as a testing agenda
The OWASP Top 10 for LLM Applications is most valuable not as a checklist to read once, but as the agenda for a real assessment. If you are shipping LLM features, work through these ten risks against your own system before an attacker or a customer does. Scope an AI/ML assessment and we will show you which of the ten your system is actually exposed to.
Written by
Invadel Team
Senior penetration testers writing from real engagements — the same team that scopes, tests, and reports for our clients. About Invadel →