
OWASP Top 10 for LLMs Explained: What Developers Need to Know

17 Feb 2026 | 8 min read | Bordair

The OWASP Top 10 for Large Language Model Applications (2025 edition) is the most authoritative guide to LLM security risks. Here is a practical summary of each risk, why it matters, and what you can do about it.

LLM01: Prompt Injection

The number one risk. Attackers craft inputs that override system instructions, extract secrets, or manipulate model behaviour. Both direct injection (in user input) and indirect injection (in retrieved data) are covered. Bordair addresses this directly with its detection API.

LLM02: Insecure Output Handling

LLM output is treated as trusted and passed to downstream systems without validation. If the model outputs SQL, shell commands, or HTML, it can be exploited. Always sanitise LLM output before using it in queries, commands, or rendered content.
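As an added illustration of that rule (this is not code from the post or from Bordair's product), the snippet below treats model output as untrusted input: it parses the reply as a structured action, checks it against an allowlist, binds the value with a parameterised query instead of splicing it into SQL, and escapes anything rendered as HTML. The action name `lookup_user`, the JSON shape and the in-memory table are assumptions made for the example.

```python
import html
import json
import re
import sqlite3
from typing import Optional

# Constructed allowlist: each permitted action names its arguments and the
# pattern every argument value must match before it is used anywhere.
ALLOWED_ACTIONS = {"lookup_user": {"user_id": re.compile(r"^[0-9]{1,10}$")}}


class UnsafeOutput(ValueError):
    """Raised when model output fails validation; it is never executed."""


def parse_model_action(raw: str) -> dict:
    """Parse a model reply that should be {"action": ..., "args": {...}}.
    Anything outside the allowlist (unknown action, extra keys, malformed
    argument values) is rejected rather than passed downstream."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise UnsafeOutput(f"not JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"action", "args"}:
        raise UnsafeOutput("unexpected shape")
    schema = ALLOWED_ACTIONS.get(obj["action"])
    if schema is None:
        raise UnsafeOutput(f"action not allowed: {obj['action']!r}")
    args = obj["args"]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise UnsafeOutput("unexpected argument set")
    for name, pattern in schema.items():
        if not isinstance(args[name], str) or not pattern.fullmatch(args[name]):
            raise UnsafeOutput(f"argument {name!r} failed validation")
    return obj


def lookup_user(conn: sqlite3.Connection, user_id: str) -> Optional[str]:
    # Parameterised query: the value is bound by the driver, never
    # interpolated into the SQL text, so it cannot change the statement.
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def render_answer(text: str) -> str:
    # Model text destined for a browser is escaped so it cannot become markup.
    return f"<p>{html.escape(text)}</p>"


def demo_db() -> sqlite3.Connection:
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('42', 'Ada')")
    return conn
```

The same pattern applies to shell commands: map validated actions to fixed argument lists rather than letting the model compose a command string.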

LLM03: Training Data Poisoning

Malicious data in the training set biases the model's behaviour. This is harder to defend against at the application layer but important for model providers.

LLM04: Model Denial of Service

Crafted inputs that cause excessive resource consumption: very long prompts, recursive generation, or requests that trigger expensive operations. Rate limiting and input length limits are the primary defences.

LLM05: Supply Chain Vulnerabilities

Using compromised model weights, poisoned fine-tuning datasets, or vulnerable libraries. Verify the integrity of models and dependencies.

LLM06: Sensitive Information Disclosure

LLMs can leak PII, credentials, or proprietary data from their training set or context. Bordair's output scanning rules can catch and redact sensitive patterns in model responses.

LLM07: Insecure Plugin Design

LLM plugins and tools that lack proper authentication, input validation, or access control. Apply least-privilege principles to every tool an LLM can invoke.

LLM08: Excessive Agency

Granting LLMs too many capabilities or permissions. An AI with database write access, email sending, and code execution is a much bigger risk than one that only reads and responds.

LLM09: Overreliance

Blindly trusting LLM output without human review or validation. LLMs hallucinate, make mistakes, and can be manipulated. Human oversight remains essential.

LLM10: Model Theft

Extracting a proprietary model through API queries (model distillation) or compromised infrastructure. Rate limiting and access controls help.

Where Bordair fits

Bordair directly addresses LLM01 (prompt injection detection), LLM06 (sensitive information disclosure via output scanning), and supports LLM02 (by flagging dangerous patterns in output before they reach downstream systems).

Protect your LLM application

Add prompt injection detection in minutes with Bordair's API.
