Back to blog
Guide · OWASP for LLMs · 12 min read

OWASP Top 10 for LLM Applications

The LLM Top 10 is OWASP's risk framework for AI-native applications — a distinct list from the classic web Top 10. This guide walks each category and shows how an autonomous pentesting agent covers it end-to-end, from prompt injection through excessive agency.

TL;DR
  • Behavioral LLM risks (LLM01, LLM02, LLM04, LLM06, LLM08, LLM09) automate cleanly with an agent loop.
  • Supply-chain and training-data risks (LLM03, LLM05) mix agent probes with human review.
  • Prompt injection × excessive agency is the highest-impact pairing in production.
  • Manual prompt tools (PentestGPT) suggest payloads; an autonomous agent executes and validates them.

Why LLM apps need their own list

Classic AppSec assumes deterministic parsers: an input either escapes the SQL context or it doesn't. LLMs collapse that boundary — every token in every context is potential instruction. Prompt injection isn't a bug in one function, it's a property of the substrate. The OWASP LLM Top 10 reframes risk around that reality: model behavior, tool authority, and the trust boundary between untrusted content and system instructions.

Category-by-category coverage

CodeCategoryHow the agent covers it
LLM01Prompt InjectionAgent feeds untrusted content (docs, URLs, tool outputs) into every model context and checks whether embedded instructions override the system prompt. Direct and indirect injection are both automatable.
LLM02Insecure Output HandlingModel outputs are treated as untrusted input. The agent asks the model to emit payloads (XSS, SQL, shell) and validates whether the downstream renderer/executor escapes them.
LLM03Training Data PoisoningPartially automatable. Agent probes for backdoor triggers and biased responses; deep poisoning audits require dataset access and human review.
LLM04Model Denial of ServiceAgent submits token-flooding, recursive tool-call, and expensive-context payloads to measure cost and latency amplification per request.
LLM05Supply Chain VulnerabilitiesModel registry, plugin, and fine-tune source auditing — flags unsigned artifacts, unpinned model versions, and third-party plugin trust boundaries.
LLM06Sensitive Information DisclosureAgent probes for training-data regurgitation, system-prompt leakage, and PII in responses using structured extraction prompts.
LLM07Insecure Plugin DesignEach tool/function the model can call is fuzzed with adversarial arguments; agent validates whether tools enforce their own authz or blindly trust model input.
LLM08Excessive AgencyAgent maps the tool-call graph reachable from a prompt and files a finding when a single injection can trigger destructive actions without confirmation.
LLM09OverrelianceBehavioral check: agent submits hallucination-prone queries and verifies whether the app surfaces uncertainty or blindly renders model output as fact.
LLM10Model TheftAgent measures response-fingerprinting and extraction-attack surface (query volume caps, watermarking, output rate limits).

Prompt injection, executed not suggested

The gap between "here's a payload to try" and "the model executed a destructive tool call" is the whole game. PentestGPT and similar assistants stop at generating adversarial prompts. An autonomous agent submits the prompt through the real interface, observes the tool-call graph, and only files a finding when a chained action fires without confirmation. Every LLM01 report ships with the exact input, the model's response, and the downstream side effect.

What still needs a human

  • Training data poisoning audits when dataset access is required.
  • Threat modeling for plugin trust boundaries and cross-tenant tool exposure.
  • Judging whether a hallucination in a low-stakes response is 'acceptable' or 'liability'.
  • Model theft economics — deciding what extraction rate is worth defending against.

How CodeSentry runs the LLM Top 10

CodeSentry treats the LLM app the same way it treats a web app: enumerate entry points, generate adversarial inputs, execute, validate. For AI-native features it adds a model-behavior layer — a prompt-injection corpus, a tool-authority graph, and an output-handling sink map — so LLM01 through LLM10 land in the same PR queue as the classic Top 10.

Related reading: automating the classic OWASP Top 10 and CodeSentry vs PentestGPT.

FAQ