The OWASP LLM Top 10

The OWASP Top 10 for Large Language Model Applications is a community-driven list of the most critical security risks specific to systems built on LLMs. It mirrors the well-known OWASP Web Top 10 but addresses threats that classic AppSec lists miss.

It exists because LLM apps introduce new attack surface: natural-language control flow, non-deterministic output, model supply chains, and autonomous agents. The list gives security teams a shared vocabulary and a checklist for threat modeling.

The codes below use the LLM01-LLM10 numbering from the 2025 edition.

LLM01: Prompt Injection is consistently the number-one risk. Attacker-controlled text overrides the developer's instructions because the model cannot separate trusted instructions from untrusted data.

• Direct: the user types override instructions.
• Indirect: instructions hide in retrieved web pages, files, or tool output.

Mitigations: enforce least privilege on tools, treat all retrieved content as data, add human checkpoints for sensitive actions, and break the data-exfiltration path.