The OWASP LLM Top 10, explained
One risk at a time: what it is, how it shows up in real LLM and AI-agent products, how we test for it, and how to reduce it.
- LLM01 Prompt Injection: When attacker-controlled text becomes instructions the model obeys, you have the defining flaw of LLM apps.
- LLM02 Sensitive Information Disclosure: The model reveals data it shouldn't: other users' records, secrets, PII, or internal details.
- LLM03 Supply Chain: Risk you inherit from third-party models, datasets, adapters and plugins you never built.
- LLM04 Data and Model Poisoning: Tainting training, fine-tuning or retrieval data to bend the model's behaviour.
- LLM05 Improper Output Handling: Treating model output as safe and passing it straight into a browser, shell, query, or API.
- LLM06 Excessive Agency: Giving an agent more tools, permissions, or autonomy than the task needs, so a single manipulation causes real-world harm.
- LLM07 System Prompt Leakage: Pulling the hidden system prompt out of a model, along with the secrets, rules, and tool schemas teams bury in it.
- LLM08 Vector and Embedding Weaknesses: Attacks and leaks in the RAG layer: the embeddings, vector store, and retrieval that ground your model.
- LLM09 Misinformation: Confident, plausible, and wrong. What happens when hallucinations and overreliance turn into real decisions.
- LLM10 Unbounded Consumption: No limits on usage, so attackers can run up your bill, degrade service, or extract your model.
Test this on your own AI before someone else does
Redproof is independent red-teaming for LLM and AI-agent products. We probe your system across the OWASP LLM Top 10, hand you severity-ranked findings with reproductions, fixes, and EU AI Act mapping, and re-test after you patch. That is the evidence your self-assessment needs, before a regulator or customer asks.