OWASP LLM Top 10

The OWASP Top 10 for LLM Applications is the community-standard catalog of the most critical security risks in applications that integrate large language models. Maintained by the OWASP Foundation with input from practitioners and researchers across the LLM security community, it’s the de-facto reference for “what could go wrong with an LLM-powered feature.” This assessment is appropriate for any organization shipping LLM-powered features — customer-facing chatbots, internal copilots, RAG-based search and Q&A, code-assistance tools, document analyzers, or any application where user input flows through an LLM.
OWASP LLM Top 10 v2025 (published 2025-03) is the current version. The framework is maintained on a regular cadence — Ayliea tracks updates and refreshes the assessment as the catalog evolves.

What this framework covers

The assessment maps directly to the 10 risks in the OWASP catalog. Each risk has its own control area with questions tailored to that risk’s specific attack patterns and mitigations.
  • LLM01 Prompt Injection: User-supplied content alters the LLM’s intended behavior — direct injection, jailbreaks, indirect injection via retrieved or tool-output content, and output manipulation that subverts downstream actions.
  • LLM02 Sensitive Information Disclosure: PII, PHI, credentials, proprietary data, or business-confidential context surfaced through LLM outputs — whether memorized from training, leaked via RAG retrieval, or echoed back from the user’s own session.
  • LLM03 Supply Chain: Compromises in the LLM value chain: foundation model providers, fine-tuning datasets, embeddings models, tool integrations, and the deployment infrastructure connecting them.
  • LLM04 Data and Model Poisoning: Adversarial manipulation of training data, fine-tuning data, or retrieved context to bias outputs, embed backdoors, or degrade model behavior.
  • LLM05 Improper Output Handling: Downstream systems trusting LLM output without validation — leading to XSS, SQL injection, command injection, server-side request forgery, or similar classical web-app risks rendered via LLM intermediation.
  • LLM06 Excessive Agency: LLM-powered agents granted more permissions than their use case requires — leading to consequential actions taken without sufficient human oversight, blast-radius limits, or revocation paths.
  • LLM07 System Prompt Leakage: System prompts and tool definitions leaked to users, exposing implementation details, business logic, or guardrail boundaries that attackers can use to refine prompt-injection attempts.
  • LLM08 Vector and Embedding Weaknesses: Weaknesses in RAG and vector-store deployments: poisoning the corpus, embedding inversion attacks, cross-tenant retrieval leaks, and stale or untrusted retrieved content treated as authoritative.
  • LLM09 Misinformation: LLM outputs presented as authoritative when they’re confabulated, outdated, or systematically biased — including reliance failures where users defer to LLM judgment in high-stakes contexts.
  • LLM10 Unbounded Consumption: Denial-of-wallet attacks via excessive inference requests, expensive tool invocations, or unbounded recursion patterns that aren’t rate-limited or cost-bounded server-side.
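The Improper Output Handling risk in the list above is the one most easily shown in code. The following is an added example, not Ayliea's or OWASP's code: a model's structured reply is treated as untrusted input, parsed strictly, checked against an allowlist of tools and arguments, and only then used with a parameterised query and HTML-escaped rendering. The `search_orders` tool, its argument names, the `orders` table and the sample rows are all constructed for this example and are not from the page.

```python
"""Defensive handling of LLM output before it reaches downstream systems.

Added example (not Ayliea's code). The model is assumed to answer with a JSON
action such as {"tool": "search_orders", "args": {"customer": "...", "sort": "..."}};
the tool set, table and data are constructed for the example.
"""
import html
import json
import sqlite3

# Allowlist of tools the application exposes and the argument names/types each accepts.
ALLOWED_TOOLS = {
    "search_orders": {"customer": str, "sort": str},
}
# SQL identifiers cannot be bound as parameters, so the column name comes from an allowlist only.
ALLOWED_SORT_COLUMNS = {"created_at", "total"}


class UntrustedOutputError(ValueError):
    """Raised when model output fails validation; the caller refuses it rather than 'fixing it up'."""


def parse_action(raw: str) -> dict:
    """Strictly parse a model response into a validated action dictionary."""
    try:
        action = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise UntrustedOutputError(f"not JSON: {exc}") from None
    if not isinstance(action, dict) or set(action) != {"tool", "args"}:
        raise UntrustedOutputError("unexpected top-level shape")
    tool, args = action["tool"], action["args"]
    if tool not in ALLOWED_TOOLS:
        raise UntrustedOutputError(f"tool not allowlisted: {tool!r}")
    spec = ALLOWED_TOOLS[tool]
    if not isinstance(args, dict) or set(args) != set(spec):
        raise UntrustedOutputError("argument names do not match the tool spec")
    for name, typ in spec.items():
        if not isinstance(args[name], typ):
            raise UntrustedOutputError(f"argument {name!r} has wrong type")
    if tool == "search_orders" and args["sort"] not in ALLOWED_SORT_COLUMNS:
        raise UntrustedOutputError(f"sort column not allowlisted: {args['sort']!r}")
    return action


def run_search_orders(conn: sqlite3.Connection, args: dict) -> list:
    """Bind the data value as a parameter; interpolate only the allowlisted column name."""
    sort = args["sort"]
    assert sort in ALLOWED_SORT_COLUMNS  # defence in depth; parse_action already enforced this
    return conn.execute(
        f"SELECT id, customer, total FROM orders WHERE customer = ? ORDER BY {sort}",
        (args["customer"],),
    ).fetchall()


def render_rows(rows) -> str:
    """Escape every value before it reaches HTML, including values read back from the database."""
    return "".join(f"<li>{html.escape(str(r[1]))}: {html.escape(str(r[2]))}</li>" for r in rows)


def handle_llm_output(conn: sqlite3.Connection, raw: str) -> str:
    """Full path from raw model text to a rendered fragment; anything off-spec raises."""
    action = parse_action(raw)
    if action["tool"] == "search_orders":
        return render_rows(run_search_orders(conn, action["args"]))
    raise UntrustedOutputError("tool allowlisted but not dispatched")


def demo_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("acme <b>", 10.5), ("acme <b>", 3.0), ("other", 99.0)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    good = json.dumps({"tool": "search_orders", "args": {"customer": "acme <b>", "sort": "total"}})
    print(handle_llm_output(conn, good))
    # Free-form ORDER BY text, even benign-looking text, is refused because it is not allowlisted.
    off_spec = json.dumps({"tool": "search_orders", "args": {"customer": "acme <b>", "sort": "total DESC"}})
    try:
        handle_llm_output(conn, off_spec)
    except UntrustedOutputError as exc:
        print("refused:", exc)
```

The design point is that the model never chooses a query shape: it can only fill allowlisted slots, data values are bound rather than interpolated, and rendering escapes regardless of where the value came from. An assessment question on LLM05 is essentially asking whether each downstream sink (SQL, shell, HTTP client, HTML) has an equivalent boundary.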

Why this matters for customers

Engineering teams shipping LLM features need a shared reference for “what we tested for” — both for internal pre-launch review and for external customer security questionnaires. The OWASP LLM Top 10 has become that reference. A clean assessment is increasingly table stakes for any vendor selling LLM-powered features into security-conscious buyers. This assessment surfaces:
  • Whether your prompt-injection defenses cover direct, indirect, and tool-output injection paths
  • Whether your RAG deployment isolates tenants and refreshes the corpus on a defined cadence
  • Whether your output handling validates LLM responses before downstream systems trust them
  • Whether your cost and rate controls protect against denial-of-wallet patterns
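The last bullet (cost and rate controls against denial-of-wallet, the Unbounded Consumption risk) is concrete enough to illustrate. The following is an added example, not Ayliea's or OWASP's code, and every name in it is hypothetical: `model` stands in for an inference API call that returns the text plus the tokens it consumed, `estimate_tokens` is a crude word count used only for up-front reservation, and the tool result is a constructed string. It enforces three server-side bounds per tenant before any spend occurs: a sliding-window request rate, a token budget, and a hard cap on agent-loop iterations.

```python
"""Server-side cost bounding for an LLM feature (Unbounded Consumption).

Added example, not Ayliea's or OWASP's code. `model`, `estimate_tokens` and the
tool result are hypothetical stand-ins constructed so the example runs offline.
"""
import time
from collections import defaultdict, deque


class BudgetExceeded(RuntimeError):
    """Raised before a call that would breach a bound; the caller fails the request rather than retrying."""


def estimate_tokens(text: str) -> int:
    # Stand-in for the provider's tokenizer; only needs to be a rough pre-call estimate.
    return len(text.split())


class CostGuard:
    """Per-tenant rate limit, token budget and agent-iteration cap, all checked before spend occurs."""

    def __init__(self, max_requests, window_seconds, token_budget, max_iterations, clock=time.monotonic):
        self.max_requests, self.window = max_requests, window_seconds
        self.token_budget, self.max_iterations = token_budget, max_iterations
        self.clock = clock                    # injectable so the limiter is testable
        self._requests = defaultdict(deque)   # tenant -> request timestamps inside the window
        self._tokens_used = defaultdict(int)  # tenant -> tokens consumed (reserved, then settled)

    def admit_request(self, tenant: str) -> None:
        """Sliding-window rate limit, applied before any inference cost is incurred."""
        now = self.clock()
        q = self._requests[tenant]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            raise BudgetExceeded(f"{tenant}: more than {self.max_requests} requests in {self.window}s")
        q.append(now)

    def reserve_tokens(self, tenant: str, estimate: int) -> None:
        """Charge the worst-case cost up front so a burst of concurrent calls cannot overspend."""
        if self._tokens_used[tenant] + estimate > self.token_budget:
            raise BudgetExceeded(f"{tenant}: token budget {self.token_budget} would be exceeded")
        self._tokens_used[tenant] += estimate

    def settle_tokens(self, tenant: str, estimate: int, actual: int) -> None:
        """Replace the reservation with the usage the provider actually reports."""
        self._tokens_used[tenant] += actual - estimate

    def tokens_used(self, tenant: str) -> int:
        return self._tokens_used[tenant]

    def run_agent(self, tenant: str, prompt: str, model, max_output_tokens: int) -> str:
        """A tool-using loop in which every turn is budgeted and the depth is hard-capped."""
        self.admit_request(tenant)
        transcript = prompt
        for _ in range(self.max_iterations):
            estimate = estimate_tokens(transcript) + max_output_tokens  # input plus worst-case output
            self.reserve_tokens(tenant, estimate)
            text, used = model(transcript, max_output_tokens)
            self.settle_tokens(tenant, estimate, used)
            if not text.startswith("TOOL:"):
                return text                   # final answer: the loop terminates normally
            transcript += "\nRESULT: ok"      # constructed stand-in for the tool's output
        raise BudgetExceeded(f"{tenant}: iteration cap {self.max_iterations} reached")


def make_fake_model(tool_rounds: int):
    """Constructed stand-in for an LLM API: asks for a tool `tool_rounds` times, then answers."""
    calls = {"n": 0}

    def model(transcript: str, max_output_tokens: int):
        calls["n"] += 1
        text = "TOOL: lookup" if calls["n"] <= tool_rounds else "Final answer"
        return text, estimate_tokens(transcript) + estimate_tokens(text)

    return model


if __name__ == "__main__":
    guard = CostGuard(max_requests=2, window_seconds=60, token_budget=500, max_iterations=3)
    print(guard.run_agent("tenant-a", "hello world", make_fake_model(1), 20))
    try:  # a model that keeps asking for tools is cut off at the iteration cap, not left to recurse
        guard.run_agent("tenant-a", "hello world", make_fake_model(10), 20)
    except BudgetExceeded as exc:
        print("refused:", exc)
```

Reserving the estimated cost before the call, then settling to the reported usage, is what keeps a burst of parallel requests from collectively overshooting the budget; the iteration cap is what turns an unbounded tool loop into a bounded one. Whether controls of this kind exist, and whether they live server-side rather than in the client, is what the denial-of-wallet question is probing.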

How it relates to other frameworks

OWASP LLM Top 10 is the practitioner-focused application security catalog. Pair it with:
  • AI Security (AISS) — broader AI program controls including governance, asset management, and incident response
  • AI Agent Security — drills deeper into LLM06 Excessive Agency for agent-specific deployments
  • NIST AI 600-1 (GAI Profile) — the regulatory-aligned risk-management view of many of the same risks
  • NIST AI RMF — the foundational AI risk-management lifecycle

Glass-Box scoring

Each question cites the specific OWASP LLM Top 10 risk ID (LLM01–LLM10) and version (currently 2025-03). Where the risk pattern maps to MITRE ATLAS techniques, those are surfaced in the drilldown as well.