OWASP LLM Top 10
What is OWASP LLM Top 10?
An OWASP-maintained list of the ten most critical security risks affecting applications that build on large language models.
First published in 2023 and updated as the OWASP Top 10 for LLM Applications, the list catalogues risks such as prompt injection (LLM01), insecure output handling, training-data poisoning, model denial of service, supply-chain vulnerabilities, sensitive-information disclosure, insecure plugin design, excessive agency, overreliance, and model theft. Each entry includes attack scenarios, business impact, and recommended controls aimed at developers, architects, and security teams. The project mirrors the structure and influence of the long-standing OWASP Top 10 for web applications and is widely referenced by NIST, ENISA, MITRE ATLAS, and EU AI Act guidance to set baseline expectations for secure LLM deployment.
● Examples
- 01
Using LLM01 (prompt injection) and LLM02 (insecure output handling) as required threat-model checkpoints for a RAG application.
- 02
Mapping a vendor security questionnaire to the OWASP LLM Top 10 before approving an enterprise GenAI rollout.
● Frequently asked questions
What is OWASP LLM Top 10?
An OWASP-maintained list of the ten most critical security risks affecting applications that build on large language models. It belongs to the AI & ML Security category of cybersecurity.
What does OWASP LLM Top 10 mean?
An OWASP-maintained list of the ten most critical security risks affecting applications that build on large language models.
How does OWASP LLM Top 10 work?
First published in 2023 and updated as the OWASP Top 10 for LLM Applications, the list catalogues risks such as prompt injection (LLM01), insecure output handling, training-data poisoning, model denial of service, supply-chain vulnerabilities, sensitive-information disclosure, insecure plugin design, excessive agency, overreliance, and model theft. Each entry includes attack scenarios, business impact, and recommended controls aimed at developers, architects, and security teams. The project mirrors the structure and influence of the long-standing OWASP Top 10 for web applications and is widely referenced by NIST, ENISA, MITRE ATLAS, and EU AI Act guidance to set baseline expectations for secure LLM deployment.
How do you defend against OWASP LLM Top 10?
There is no single defence: each of the ten entries lists its own recommended controls, which combine technical controls with operational practices, as described in the full definition above.
What are other names for OWASP LLM Top 10?
Common alternative names include: OWASP Top 10 for LLM Applications, OWASP LLM01-LLM10.
● Related terms
- Prompt Injection (ai-security № 866)
An attack that overrides an LLM's original instructions by smuggling adversarial text into the prompt, causing the model to ignore safeguards or execute attacker-chosen actions.
- Indirect Prompt Injection (ai-security № 528)
A prompt-injection variant where malicious instructions are hidden inside third-party content (web pages, documents, emails) that an LLM later ingests through retrieval, browsing, or tool use.
- RAG Security (ai-security № 898)
The discipline of securing retrieval-augmented generation pipelines so that the documents, vector stores, and retrieval steps that feed an LLM cannot be poisoned, abused, or used to exfiltrate data.
- AI Supply Chain Risk (ai-security № 034)
The set of threats arising from the third-party datasets, base models, libraries, plug-ins, and infrastructure that organisations combine to build and deploy AI systems.
- LLM Guardrails (ai-security № 618)
Mechanisms that constrain what an LLM-based application can input or output, enforcing safety, security, and business rules around the underlying model.
- MLSecOps (ai-security № 691)
The discipline of integrating security and risk controls across the entire machine-learning lifecycle, from data sourcing through training, deployment, monitoring, and retirement.
● See also
- AI Jailbreak (№ 030)
- Data Poisoning (№ 281)
- Model Extraction (№ 703)
- Model Inversion (№ 704)
- Adversarial Example (№ 018)
- Evasion Attack (ML) (№ 393)
- Membership Inference Attack (№ 666)
- AI Red Team (№ 032)