OWASP Top 10 for LLM Applications: A Developer's Checklist
LLM applications introduce entirely new categories of security risk — prompt injection, data leakage through model outputs, excessive tool permissions, and insecure plugin designs. The OWASP Top 10 for LLM Applications provides a framework for understanding and mitigating these risks. Here is the practical developer checklist.
Why LLM Security Matters
LLM applications are different from traditional software. They accept natural language input that can be crafted to manipulate behavior, they generate outputs that may contain sensitive data or malicious content, and they increasingly have agency — the ability to execute tools, call APIs, and modify data. Each of these capabilities creates attack surface that did not exist before.
[figure not preserved] of LLM applications are vulnerable to at least one form of prompt injection
[figure not preserved] increase in AI-related security incidents reported between 2023 and 2025
[figure not preserved] of organizations deploying AI agents have no security testing for them
The OWASP Top 10 for LLM Applications
1. Prompt Injection
Attackers craft inputs that override system instructions, causing the LLM to ignore its original purpose. This includes direct injection (through user input) and indirect injection (through external data sources the model reads).
2. Insecure Output Handling
LLM outputs are passed to downstream systems without validation, enabling XSS, SSRF, SQL injection, or command injection through model-generated content.
3. Training Data Poisoning
Malicious data in training or fine-tuning datasets introduces backdoors, biases, or vulnerabilities into the model's behavior.
4. Model Denial of Service
Crafted inputs cause excessive resource consumption — extremely long prompts, recursive tool calls, or inputs that trigger expensive computation.
5. Supply Chain Vulnerabilities
Compromised model weights, poisoned training pipelines, vulnerable dependencies in the LLM application stack, or malicious plugins.
6. Sensitive Information Disclosure
The LLM reveals sensitive data from training data, RAG context, or system prompts. This includes PII leakage, credential exposure, and system prompt extraction.
7. Insecure Plugin Design
Plugins and tools with excessive permissions, missing input validation, or no authentication. An attacker who controls LLM output can abuse poorly designed plugins.
8. Excessive Agency
LLM agents granted more permissions than their task needs — the ability to execute code, modify databases, send emails, or access external systems without appropriate guardrails.
9. Overreliance
Users or systems trust LLM outputs without verification, so incorrect code, wrong facts, or harmful recommendations are acted upon.
10. Model Theft
Unauthorized access to proprietary model weights, fine-tuning data, or system prompts through API abuse, side-channel attacks, or insider threats.
Automated LLM Security Testing
Manual testing for LLM vulnerabilities does not scale. Automated tools can test for prompt injection, PII leakage, harmful content generation, and excessive agency continuously as part of your CI/CD pipeline.
Agentic Radar
Scans AI agent workflows (LangGraph, CrewAI, OpenAI Agents) for security issues including prompt injection vectors, tool permission misconfigurations, and data flow vulnerabilities.
Prompt Injection Detection
Automated testing with adversarial prompts — jailbreak attempts, indirect injection payloads, and system prompt extraction techniques.
PII Leakage Scanning
Test LLM outputs for personally identifiable information, credit card numbers, API keys, and other sensitive data that should not appear in responses.
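As an added example (not code from this page or from TigerGate), a minimal output scanner for the PII leakage check described above: it runs over constructed sample responses, flags e-mail addresses and AWS-style access key IDs, and applies a Luhn check so that an arbitrary 16-digit ticket number is not reported as a card number. The regexes, the redaction format and the sample strings are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample LLM responses (not real data); the card number and
# AWS key are the well-known public test values, the ticket id is made up.
SAMPLE_RESPONSES = [
    "Sure, your order was placed with card 4111 1111 1111 1111 and shipped.",
    "Here is the config: AWS key AKIAIOSFODNN7EXAMPLE, contact ops@example.com",
    "The capital of France is Paris.",
    "Reference number 1234 5678 9012 3456 is not a card, just a ticket id.",
]

# Candidate patterns; the card regex is deliberately loose and relies on Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    kind: str       # category of sensitive data found
    redacted: str   # masked value, safe to log


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Mask all but the last four characters so findings can be logged."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_response(text: str) -> list[Finding]:
    """Scan one model response; report only Luhn-valid card candidates."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("credit_card", redact(digits)))
    findings += [Finding("aws_access_key_id", redact(m.group())) for m in AWS_KEY_RE.finditer(text)]
    findings += [Finding("email", redact(m.group())) for m in EMAIL_RE.finditer(text)]
    return findings


if __name__ == "__main__":
    for i, resp in enumerate(SAMPLE_RESPONSES):
        print(i, [(f.kind, f.redacted) for f in scan_response(resp)])
```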
Prompt Hardening
Automated generation of hardened system prompts that are more resistant to injection attacks, with defensive instructions and output constraints.
Secure Your AI Applications with TigerGate
TigerGate's AI Scanner detects prompt injection vectors, PII leakage, and agent misconfigurations across LangGraph, CrewAI, OpenAI Agents, and more — mapped to the OWASP Top 10 for LLMs.