🤖 OWASP LLM Top 10 2025 — Enterprise AI Security Reference ⚡ LLM01: Prompt Injection · LLM02: Sensitive Data Disclosure · LLM03: Supply Chain · LLM04: Data Poisoning 🛡️ CYBERDUDEBIVASH SENTINEL APEX — AI Security Intelligence Platform 🔬 MITRE ATLAS · OWASP LLM · NIST AI RMF — Enterprise AI Governance 🤖 OWASP LLM Top 10 2025 — Enterprise AI Security Reference ⚡ LLM01: Prompt Injection · LLM02: Sensitive Data Disclosure · LLM03: Supply Chain · LLM04: Data Poisoning 🛡️ CYBERDUDEBIVASH SENTINEL APEX — AI Security Intelligence Platform 🔬 MITRE ATLAS · OWASP LLM · NIST AI RMF — Enterprise AI Governance
🤖 AI Security Research Center

OWASP LLM Top 10 2025
Enterprise Security Reference

The definitive enterprise guide to the OWASP LLM Top 10 — complete with MITRE ATLAS mappings, detection rules, and SOC response playbooks for every AI security risk.

10
LLM Risks
ATLAS
MITRE Mapped
2025
Edition
SOC
Playbooks
⚡ Get AI Detection Packs 🏢 Enterprise AI Consulting 📡 Live AI Threat Feed
OWASP LLM TOP 10 2025

All 10 LLM Security Risks — Detection & Response

Each risk includes enterprise context, MITRE ATLAS mapping, a detection signal, and a SOC response action. Aligned to OWASP LLM Top 10 v1.1 (2025).

LLM01
Prompt Injection
CRITICAL

Attackers manipulate LLM behaviour by injecting malicious instructions through user inputs or retrieved content. Includes direct injection (user prompt manipulation) and indirect injection (poisoned external data sources, RAG content, tool outputs).

AML.T0051 — LLM Prompt Injection T1059 — Scripting Input Validation RAG Security
Detection Signal — Sigma
title: LLM Prompt Injection Attempt detection: keywords: - 'ignore previous instructions' - 'disregard your system prompt' - 'jailbreak' - 'you are now DAN' - '</system>' condition: keywords level: high
LLM02
Sensitive Information Disclosure
CRITICAL

LLMs inadvertently reveal confidential data from training corpora, system prompts, or retrieved context — including PII, API keys, internal architecture, and proprietary business logic. Especially dangerous in RAG-augmented deployments.

AML.T0048 — Exfiltration via ML APIs T1530 — Data from Cloud Storage PII Exposure System Prompt Leak
Detection Signal — Output Monitoring
Monitor LLM outputs for: - Regex: [A-Z]{2}\d{6,9} (passport/ID) - Regex: \b4[0-9]{12}(?:[0-9]{3})?\b (PAN) - Pattern: 'system prompt:', 'instructions:' - Pattern: API keys (sk-*, AKIA*, etc.) Alert on: high-entropy string output
LLM03
Supply Chain Vulnerabilities
HIGH

Compromised pre-trained models, poisoned fine-tuning datasets, malicious plugins/tools, vulnerable third-party integrations, and unverified model weights introduce risk throughout the AI development and deployment pipeline.

AML.T0010 — ML Supply Chain Compromise T1195 — Supply Chain Compromise Model Integrity SBOM-AI
Detection Signal — SBOM/Integrity
Controls: - Verify model SHA-256 hashes against official registry before deployment - Scan Hugging Face model cards for unsafe serialization (pickle, pt) - Implement model signing verification - Audit all LLM plugins at import time
LLM04
Data and Model Poisoning
CRITICAL

Adversarial manipulation of training or fine-tuning data to introduce backdoors, biases, or deceptive behaviours. Poisoned models can be triggered by specific inputs to produce attacker-controlled outputs — invisible to standard testing.

AML.T0020 — Poison Training Data AML.T0043 — Craft Adversarial Data T1608 — Stage Capabilities Backdoor Detection
Detection Signal — Model Behaviour
Monitor for: - Anomalous output on specific trigger inputs - Statistical outliers in embedding space - Unexpected refusal pattern changes - Fine-tuning dataset provenance tracking Tool: CleanLab, Spectral Signatures, Activation Clustering
LLM05
Improper Output Handling
HIGH

LLM-generated content passed unsanitised to downstream systems — browsers, shells, databases, APIs. Leads to XSS, SQL injection, SSRF, code execution, and privilege escalation when LLM output is treated as trusted input.

T1059.007 — JavaScript Execution T1190 — Exploit Public-Facing App Output Sanitisation Downstream Trust
Detection Signal — WAF/SIEM
title: LLM Output Injection Downstream detection: http_response_body|contains: - '<script>' - 'eval(' - 'DROP TABLE' - '../../../' source: llm_api_gateway level: critical
LLM06
Excessive Agency
HIGH

LLM-powered agents granted excessive permissions, access to sensitive systems, or the ability to take irreversible actions without adequate human oversight. Especially critical in autonomous agentic AI workflows and multi-agent pipelines.

AML.T0052 — LLM Plugin Compromise T1078 — Valid Accounts Agentic AI RBAC Enforcement
Detection Signal — Agent Actions
Alert on AI agent: - File system writes outside /tmp scope - API calls to external endpoints - Database modifications without approval - Email/notification sends - Shell command execution Implement: human-in-the-loop for irreversible actions
LLM07
System Prompt Leakage
HIGH

Extraction of confidential system prompts through direct questioning, jailbreaking, or context manipulation. Leaked prompts expose business logic, security guardrails, internal tool names, API formats, and proprietary instructions.

AML.T0057 — LLM Meta-Prompt Extraction T1087 — Account Discovery Prompt Security Confidentiality
Detection Signal — Query Patterns
Flag queries containing: - 'repeat your instructions' - 'what is your system prompt' - 'print your initial prompt' - 'show me your rules' - 'ignore all previous' Action: Log + alert + session review
LLM08
Vector and Embedding Weaknesses
MEDIUM

Adversarial manipulation of vector databases and embedding spaces used in RAG architectures. Includes embedding inversion attacks (reconstructing training data from embeddings), poisoned vector stores, and semantic similarity bypass techniques.

AML.T0044 — Full ML Model Access T1530 — Data from Cloud Storage RAG Security Vector DB
Detection Signal — Vector Store
Controls: - Access-controlled vector namespaces - Input validation before embedding - Monitor for bulk similarity queries (potential inversion attacks) - Differential privacy on embeddings - Regular vector store integrity audits
LLM09
Misinformation
MEDIUM

LLMs generating plausible-but-false information (hallucinations) used in security-critical decisions — fake CVEs, incorrect patch guidance, fabricated threat intelligence, or misleading compliance advice. Especially dangerous in automated SOC workflows.

AI Hallucination CTI Integrity Human Oversight T1583 — Acquire Infrastructure
Detection Signal — Output Validation
Controls: - Ground-truth verification against NVD, CISA, and authoritative sources - Confidence scoring on CTI outputs - Human-in-the-loop for CVE assertions - Dual-model validation for security claims - Fact-checking pipeline before SOAR actions
LLM10
Unbounded Consumption
HIGH

Denial-of-service and resource exhaustion attacks against LLM APIs through excessive token consumption, context flooding, recursive prompt loops, and model-bombing. Results in service unavailability, runaway API costs, and SLA violations.

T1499 — Endpoint Denial of Service Rate Limiting Cost Controls API Security
Detection Signal — API Gateway
Alert thresholds: - Requests/min > 100 per user/IP - Token consumption > 50k/session - Context length > 100k tokens - Recursive/self-referencing prompts - Anomalous cost spike > 3σ baseline Action: Rate-limit + alert + investigate
MITRE ATLAS FRAMEWORK

OWASP LLM → MITRE ATLAS Mapping

Enterprise-grade MITRE ATLAS technique mapping for all 10 LLM risks. Use for threat modelling, red team exercises, and AI security assessments.

OWASP RiskMITRE ATLAS TechniqueMITRE ATT&CK TacticEnterprise Priority
LLM01 Prompt InjectionAML.T0051 — LLM Prompt InjectionInitial Access / ExecutionCRITICAL
LLM02 Sensitive DataAML.T0048 — Exfiltration via ML APIExfiltrationCRITICAL
LLM03 Supply ChainAML.T0010 — Supply Chain CompromiseInitial AccessHIGH
LLM04 Data PoisoningAML.T0020 — Poison Training DataResource DevelopmentCRITICAL
LLM05 Output HandlingT1059 — Command ScriptingExecutionHIGH
LLM06 Excessive AgencyAML.T0052 — LLM Plugin CompromisePrivilege EscalationHIGH
LLM07 System Prompt LeakAML.T0057 — Meta-Prompt ExtractionDiscoveryHIGH
LLM08 Vector WeaknessesAML.T0044 — Full ML Model AccessCollectionMEDIUM
LLM09 MisinformationT1583 — Acquire InfrastructureResource DevelopmentMEDIUM
LLM10 Unbounded ConsumptionT1499 — Endpoint DoSImpactHIGH
ENTERPRISE GOVERNANCE

Enterprise AI Security Control Framework

Priority control implementations across governance, architecture, and operations for OWASP LLM risk mitigation.

🔐 Identity & Access

Apply least-privilege to all LLM agents. Implement RBAC on tool/plugin access. Require MFA for LLM admin interfaces. Audit service accounts with LLM API access monthly.

🔍 Input Validation

Validate and sanitise all LLM inputs at the API gateway layer. Implement prompt guardrails. Maintain allowlists for agentic tool calls. Block known jailbreak patterns at WAF.

📊 Output Monitoring

Log all LLM inputs/outputs for 90 days minimum. Implement output scanning for PII, credentials, injection patterns. Alert on anomalous response entropy. Integrate with SIEM.

🏗️ Architecture Hardening

Namespace RAG vector stores by access tier. Implement context window limits. Use separate models for different trust zones. Air-gap high-sensitivity LLM deployments.

📋 Supply Chain

Maintain AI-SBOM for all deployed models. Verify model hashes before deployment. Scan HuggingFace/PyPI dependencies for malicious serialisation. Use private model registries.

🧪 Red Team AI

Conduct quarterly LLM penetration testing. Test all 10 OWASP risk categories. Use automated adversarial probing. Include prompt injection in CI/CD security gates.

REGULATORY ALIGNMENT

Compliance & Regulatory Context

OWASP LLM Top 10 controls map to these enterprise compliance requirements.

🇪🇺 EU AI Act

High-risk AI systems require conformity assessments addressing data poisoning (LLM04), transparency (LLM07), and human oversight (LLM06) — directly aligning with OWASP LLM controls.

📐 NIST AI RMF

NIST AI RMF GOVERN, MAP, MEASURE, MANAGE functions require adversarial robustness testing (LLM04), trustworthiness (LLM09), and lifecycle security (LLM03).

🔒 ISO/IEC 42001

AI management system standard requiring risk assessment processes that cover LLM supply chain (LLM03), data governance (LLM04), and incident management for AI failures.

🏦 SOC 2 Type II

AI-augmented systems within SOC 2 scope require controls addressing data confidentiality (LLM02), system availability (LLM10), and processing integrity (LLM09).

🤖 Enterprise AI Security Assessment

SENTINEL APEX provides enterprise AI security assessments, custom OWASP LLM detection rule packs, and dedicated AI red team engagements. Trusted by SOC teams globally.

🏢 Request AI Security Assessment 📦 AI Detection Pack Store 🔌 AI Threat Intel API

AI security consulting · Custom LLM detection rules · Red team exercises · Enterprise governance frameworks · MITRE ATLAS threat models

RELATED INTELLIGENCE

Related AI Security Research

Additional AI and LLM security intelligence from CYBERDUDEBIVASH SENTINEL APEX.

📄 AI LLM Attack Surface

Enterprise LLM Prompt Injection Attack Surface 2026 →

🎯 MITRE ATT&CK Detection

MITRE ATT&CK Detection Engineering Hub →

📡 Live AI Threat Intel

SENTINEL APEX Live Intelligence Feed →

💰 AI Detection Packs

Deploy-ready SIEM rules for AI threats →