OWASP LLM Top 10 — cross-walk against the TrustAtlas catalog
A mapping from each OWASP LLM Top 10 (2025) risk onto the eight risk dimensions TrustAtlas scores. Use it to translate "we score vendors on these 8 things" into the language your security team and your auditors already speak.
The 10 risks and how the catalog covers them
Prompt Injection
User-supplied prompts manipulate model behaviour to bypass intended controls.
Direct and indirect prompt-injection attacks override system prompts, exfiltrate data, or trigger unintended tool calls. Risk is highest where the vendor exposes tool-use, retrieval, or agent capabilities to untrusted input.
Security covers the vendor's prompt-injection defences and red-team posture; transparency covers whether they disclose their safety testing; dependency chain matters because downstream integrators inherit prompt-injection weaknesses from upstream models.
Sensitive Information Disclosure
Models leak PII, PHI, secrets, or proprietary data through outputs.
Models trained on or retrieving over sensitive corpora can surface PII, PHI, intellectual property, or system internals in completions. Insufficient data redaction, weak retention policies, and lack of customer-controlled training opt-out widen exposure.
Data-handling scoring covers training opt-out, retention, encryption, and HIPAA BAA availability; IP exposure covers customer-content boundary terms; jurisdiction matters because residency requirements bound where the disclosure surface lives.
Supply Chain
Risk propagates from upstream models, datasets, plug-ins, and vendors.
Integrators inherit the risk profile of every upstream foundation model, dataset, and plug-in they consume. A weakness in OpenAI, Anthropic, or a popular open-weight checkpoint cascades to thousands of dependent products.
Dependency-chain scoring is the direct measure of upstream model risk inheritance; business stability covers vendor solvency and acquisition risk along the chain; security covers third-party audit and SBOM-equivalent disclosure.
Data and Model Poisoning
Adversarial training data or fine-tuning input degrades model integrity.
Attackers contaminate training data, fine-tuning sets, or RAG corpora to embed backdoors, bias, or other hidden behaviours. Risk is highest where training-data provenance is opaque and customer fine-tuning paths are weakly controlled.
Data-handling captures the vendor's stance on training-data provenance and customer opt-out; transparency captures whether the vendor publishes model cards and training-data disclosure; security captures their fine-tuning pipeline integrity controls.
Improper Output Handling
Downstream systems blindly trust model output, enabling injection downstream.
When applications pass model output directly to shells, browsers, SQL engines, or other interpreters without validation, model output becomes an injection vector. This is an integrator-side risk shaped by the vendor's output-guarantee documentation.
IP exposure covers vendor output-rights and any indemnification offered; transparency covers whether the vendor documents output behaviour and provides safe-by-default integration guidance.
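As an added illustration of the integrator-side failure this risk describes (example code written for this cross-walk, not code from TrustAtlas or from any vendor), the block below shows a completion being spliced into a SQL query next to two hardened forms: parameter binding where the model supplies a value, and an allow-list where it supplies an identifier that cannot be bound. The table, the rows and the sample completions are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; not from any vendor catalog.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
ALLOWED_SORT_COLUMNS = {"name", "email"}


def _fresh_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table so every call starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def unsafe_lookup(model_output: str) -> list:
    """Vulnerable integration: the model's completion is spliced into the SQL text.
    Quote characters in the completion change the meaning of the query."""
    conn = _fresh_db()
    query = f"SELECT name, email FROM users WHERE name = '{model_output}'"
    return conn.execute(query).fetchall()


def safe_lookup(model_output: str) -> list:
    """Hardened integration: the completion is bound as a parameter, so the
    database only ever compares it as a value and never parses it as SQL."""
    conn = _fresh_db()
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (model_output,)
    ).fetchall()


def safe_sorted_listing(model_output: str) -> list:
    """Identifiers (column names) cannot be bound as parameters, so the control
    is an allow-list: any value the model emits outside it is rejected outright."""
    column = model_output.strip().lower()
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"model proposed a disallowed sort column: {column!r}")
    conn = _fresh_db()
    return conn.execute(f"SELECT name, email FROM users ORDER BY {column}").fetchall()
```

The same split applies to shells and browsers: model output that names an argument is passed as a discrete argument (never through a shell string), and output that names a command, file or URL is checked against an allow-list before anything executes or renders.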
Excessive Agency
Agents granted overbroad tool, identity, or permission scopes cause harm.
When LLM-driven agents are granted permissions beyond what is necessary — broad function-calling, persistent memory, third-party authentication — incorrect agent behaviour produces real-world consequences. The vendor's agent-permission model determines blast radius.
Dependency-chain reflects integration breadth (more tools = bigger blast radius); transparency reflects how clearly the vendor documents agent permission boundaries; jurisdiction matters because cross-border agent actions invoke divergent regulatory regimes.
System Prompt Leakage
System prompts containing secrets or logic are extracted via crafted input.
System prompts are not a secure secret-storage mechanism. Attackers can extract instructions, embedded API keys, or business logic. Risk is shaped by the vendor's isolation between system and user context and by their secret-storage guidance.
Data-handling covers logging policy and operator visibility into system prompts; transparency covers whether the vendor publishes guidance on safe secret handling.
Vector and Embedding Weaknesses
Vector stores and RAG pipelines leak or contaminate retrieved context.
RAG systems are only as secure as the retrieval and embedding pipeline. Misconfigured access control on vector stores, cross-tenant retrieval, or embedding inversion can leak entire knowledge bases. Vector-DB vendors and the customers using them share this surface.
Data-handling covers per-tenant isolation, encryption, and retention; security covers access-control posture (RBAC, audit logging, MFA on admin paths).
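The per-tenant isolation point above, as an added example (written for this cross-walk; it is not TrustAtlas code and does not model any particular vector database): a toy index with a tenant label on every chunk, queried once with no scoping and once with the tenant filter applied before ranking. The three-dimensional "embeddings", the tenant names and the chunk texts are constructed for the example. The tenant identifier is assumed to come from the authenticated session on the server side, never from the request body, since a caller-supplied filter is exactly what cross-tenant retrieval bypasses.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    tenant_id: str
    text: str
    embedding: tuple


# Constructed toy index; the vectors stand in for real embeddings.
INDEX = [
    Chunk("acme", "Acme Q3 revenue forecast: 12.4M", (0.9, 0.1, 0.0)),
    Chunk("acme", "Acme vendor onboarding checklist", (0.2, 0.8, 0.1)),
    Chunk("globex", "Globex Q3 revenue forecast: 7.1M", (0.88, 0.12, 0.05)),
    Chunk("globex", "Globex HR policy handbook", (0.1, 0.2, 0.9)),
]


def cosine(a: tuple, b: tuple) -> float:
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def search_unscoped(query: tuple, k: int = 2) -> list:
    """Misconfigured retrieval: rank over the whole index. Whichever tenant's
    chunks sit closest to the query are returned, regardless of who is asking."""
    ranked = sorted(INDEX, key=lambda c: cosine(c.embedding, query), reverse=True)
    return [c.text for c in ranked[:k]]


def search_for_tenant(tenant_id: str, query: tuple, k: int = 2) -> list:
    """Hardened retrieval: restrict the candidate set to the caller's tenant
    BEFORE ranking, so no other tenant's chunk can ever be scored or returned.
    tenant_id is assumed to be taken from the authenticated session."""
    candidates = [c for c in INDEX if c.tenant_id == tenant_id]
    ranked = sorted(candidates, key=lambda c: cosine(c.embedding, query), reverse=True)
    return [c.text for c in ranked[:k]]
```

Applying the filter after ranking (fetch top-k globally, then drop foreign tenants) is a common half-measure: it still scores other tenants' data and can return fewer than k results, which is how the leak usually gets "fixed" into a ranking bug instead of being closed.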
Misinformation
Hallucinated, biased, or fabricated outputs treated as authoritative.
LLMs confidently produce false content. Risk is highest where outputs are consumed without expert review — medical advice, legal analysis, financial reasoning. The vendor's grounding, citation, and uncertainty-expression posture shape exposure.
Transparency covers model-card disclosure of known limitations and benchmarks; regulatory compliance covers the regulated-domain claims (medical-device classification, legal-advice disclaimers); business stability covers exposure to defamation/misinformation litigation.
Unbounded Consumption
Cost, denial-of-service, and resource-exhaustion attacks against LLM endpoints.
Token-amplification attacks, prompt-storm DoS, and runaway autonomy can drive cost or knock services offline. The vendor's rate-limiting, quota, and circuit-breaker posture determines blast radius.
Security covers the vendor's rate-limiting and quota enforcement controls; business stability covers their resilience under load (incident history, SLA, financial runway to absorb attacks).
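The rate-limiting, quota and circuit-breaker posture named above, as an added example of what those controls look like on the integrator side (written for this cross-walk; not TrustAtlas code and not any vendor's API). The guard enforces a per-request token ceiling, a per-tenant sliding-window token budget, and a breaker that opens for a cooldown period after consecutive upstream failures so a runaway loop cannot keep burning budget against a degraded endpoint. The limit values and the ManualClock are constructed for the example; the clock is injectable so the window logic can be exercised without waiting.

```python
import time
from collections import deque
from dataclasses import dataclass


class BudgetExceeded(Exception):
    """Raised when a request would exceed the per-request or per-window budget."""


class CircuitOpen(Exception):
    """Raised while the breaker is open after repeated upstream failures."""


@dataclass(frozen=True)
class TenantLimits:
    tokens_per_window: int        # total tokens a tenant may spend per window
    window_seconds: float         # length of the sliding window
    max_tokens_per_request: int   # hard ceiling on a single request


class ManualClock:
    """Deterministic clock for demonstrations and tests (constructed helper)."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class ConsumptionGuard:
    def __init__(self, limits: TenantLimits, failure_threshold: int = 3,
                 cooldown_seconds: float = 30.0, clock=time.monotonic):
        self.limits = limits
        self.failure_threshold = failure_threshold
        self.cooldown = cooldown_seconds
        self.clock = clock
        self._usage: dict = {}          # tenant -> deque of (timestamp, tokens)
        self._failures = 0
        self._open_until = 0.0

    def window_usage(self, tenant: str) -> int:
        """Tokens spent by this tenant inside the current sliding window."""
        q = self._usage.setdefault(tenant, deque())
        cutoff = self.clock() - self.limits.window_seconds
        while q and q[0][0] < cutoff:   # evict entries that fell out of the window
            q.popleft()
        return sum(tokens for _, tokens in q)

    def admit(self, tenant: str, estimated_tokens: int) -> None:
        """Decide whether a request may go upstream; raise if any control trips."""
        now = self.clock()
        if now < self._open_until:
            raise CircuitOpen(f"breaker open for {self._open_until - now:.0f}s")
        if estimated_tokens > self.limits.max_tokens_per_request:
            raise BudgetExceeded(f"{estimated_tokens} tokens exceeds per-request ceiling")
        if self.window_usage(tenant) + estimated_tokens > self.limits.tokens_per_window:
            raise BudgetExceeded(f"tenant {tenant!r} would exceed its window budget")
        self._usage[tenant].append((now, estimated_tokens))

    def record_result(self, ok: bool) -> None:
        """Feed upstream outcomes to the breaker; N consecutive failures open it."""
        if ok:
            self._failures = 0
            return
        self._failures += 1
        if self._failures >= self.failure_threshold:
            self._open_until = self.clock() + self.cooldown
            self._failures = 0

    def breaker_is_open(self) -> bool:
        return self.clock() < self._open_until
```

Estimating tokens before the call (prompt length plus the configured max output) is what makes the budget enforceable up front; reconciling with the provider's actual usage afterwards tightens the estimate but is not a substitute for the pre-admission check.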
Related frameworks
- NIST AI RMF cross-walk — the four-function framework most U.S. enterprises align to
- ISO 42001 — the AI management system certification
- SOC 2 Type II — the security and availability baseline
- TrustAtlas methodology — how the 8 dimensions are scored