OWASP Top 10 for LLM Applications
The OWASP Top 10 for LLM Applications is the primary vulnerability awareness list for large language model deployments. The 2025 edition (released November 2024) ranks Prompt Injection as the #1 risk, with only three categories surviving unchanged from 2023 — reflecting rapid threat evolution.
2025 Edition Changes
New additions compared to 2023:
- System Prompt Leakage — exposure of confidential system instructions
- Vector/Embedding Weaknesses — RAG system-specific attack surface
- Excessive Agency — agentic architecture risks (addressed more fully in the ASI Top 10)
Current Status (Q1 2026)
As of April 2026, the LLM Top 10 2025 is unchanged. A 2026 community questionnaire suggests a future update is under development, but no timeline has been announced.
The LLM Top 10 has been complemented rather than superseded by the Agentic Applications Top 10 (December 2025), which handles the agentic risk classes that the LLM Top 10 was not designed to address (multi-agent orchestration, cascading failures, rogue agents).
The ML Security Top 10 remains dormant at v0.3 — creating a gap in traditional ML security coverage.
Adoption
Translated into 10+ languages. Vendor integrations by Kong, Lakera (acquired by Check Point Q1 2026), Invicti, and others. Referenced in enterprise security policies worldwide.
Strengths
- De facto reference list for LLM application security
- Widely adopted; translated into many languages
- Actionable awareness for development teams
- Prompt injection coverage has informed a generation of defensive tooling
Gaps and Shortcomings
- Awareness framework, not compliance standard — no certification, audit procedures, or evidence criteria
- Does not address agentic-specific risk classes (handled by OWASP Top 10 for Agentic Applications (ASI Top 10))
- Risk descriptions, not control baselines — organizations cannot directly derive a test plan
- ML Security Top 10 (v0.3 draft) is dormant, leaving traditional ML security coverage thin
- No AI incident response playbooks or IoCs
See Also
- OWASP (publisher)
- OWASP Top 10 for Agentic Applications (ASI Top 10) — the agentic complement; covers ASI01–ASI10
- OWASP AI Vulnerability Scoring System (AIVSS) — OWASP’s AI vulnerability scoring system
- Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal — LLM Top 10 IDs anchor:
LLM01:2025Prompt Injection → D4 Runtime;LLM04:2025Data and Model Poisoning → D6 Data;LLM06:2025Excessive Agency → D3;LLM07:2025System Prompt Leakage → D6 + D9;LLM08:2025Vector/Embedding Weaknesses → D6