Framework

OWASP LLM Top 10

The OWASP LLM Top 10 is a community-maintained, ranked list of the most critical security risks for applications built on large language models, published by OWASP (the open-source security foundation behind the broader OWASP Top 10 for web apps). The scope is narrow on purpose: it catalogues risks at the LLM-application layer, where a model meets a prompt template, a tool call, a retrieval source, and a user. The architecture is not the attack surface, the application around it is.
Reviewed by 7wData

Why it matters

The list became the lingua franca for LLM application security across 2024 to 2026. Anyone shipping LLM-backed software now sees it cited in their threat model or in a customer’s security questionnaire, often both. The current ten entries: LLM01 Prompt Injection, LLM02 Insecure Output Handling, LLM03 Training Data Poisoning, LLM04 Model Denial of Service, LLM05 Supply Chain Vulnerabilities, LLM06 Sensitive Information Disclosure, LLM07 Insecure Plugin Design, LLM08 Excessive Agency, LLM09 Overreliance, LLM10 Model Theft. Numbering and names have shifted between editions, so the OWASP project page is the source of truth.

Where you’ll encounter it

Three concrete contexts. A vendor security questionnaire asks how you address the OWASP LLM Top 10 and expects a per-item answer. A pen-tester scopes the engagement against the list and produces findings per LLMnn entry. An internal threat-modelling session opens with the list as a starter checklist for a new AI feature. The practical pitfall is treating it as exhaustive rather than as a heuristic. Real LLM application risk moves faster than the publication cadence, and new attack classes (agentic loop hijacking, multi-modal jailbreaks) show up in the wild well before they show up on the list. Floor for the conversation, not ceiling.

Part of the 7wData AI Glossary. Tracking how concepts like this move in the expert conversation: daily signals at ins7ghts.com.