Large language model features shipped fast in the last two years — chat assistants, retrieval-augmented search, autonomous agents wired into internal tools. Most of that surface area was never threat-modeled the way a traditional web application would be before launch. The OWASP Top 10 for LLM Applications project exists to close that gap, giving security teams a shared vocabulary for a genuinely new risk category.
Why traditional AppSec testing isn't enough
A standard web application penetration test still matters for an LLM-powered product — the API layer, authentication, and infrastructure around the model are conventional attack surface. But the model itself introduces failure modes that don't map cleanly onto OWASP's classic Top 10 for web applications. An LLM doesn't have a SQL injection vulnerability in the traditional sense, but it can be manipulated through natural language in ways that produce equivalent business impact.
Risk categories worth testing for
- Prompt injection. Both direct (a user typing adversarial instructions) and indirect (malicious instructions hidden in a document, webpage, or email the model later processes) can override intended behaviour.
- Insecure output handling. Treating model output as trusted content — rendering it directly into a browser, shell, or downstream system — can open XSS, SSRF, or command-injection-style paths.
- Training data and retrieval risks. Poisoned training or fine-tuning data, and unauthorised retrieval from a RAG pipeline, can leak sensitive information or corrupt model behaviour.
- Excessive agency. Agents wired to take real-world actions (send emails, hit APIs, execute code) without tight scoping can be manipulated into taking unintended actions.
- Sensitive information disclosure. Models can be coaxed into revealing system prompts, other users' data, or details about internal architecture.
- Supply chain risk. Third-party models, plugins, and datasets each add a dependency your security review needs to cover.
What a practical AI security test actually covers
In our engagements, we test the full path: the system prompt and guardrails, how untrusted input reaches the model, how model output is consumed downstream, and what the model can access or execute. We combine adversarial prompting techniques with conventional application security testing of the surrounding infrastructure — because in almost every real incident we've reviewed, the weakness was in how the application handled the model, not the model provider's training process.
Where to start
If you've shipped an LLM feature without a dedicated security review, start with a scoped assessment of your highest-risk integration — usually anything with tool-calling, database access, or exposure to untrusted input (customer messages, uploaded documents, scraped web content). Architecture-level threat modeling before you build the next feature is significantly cheaper than a retrofit.
Want us to assess this risk in your own environment?
Book a free scoping call with our team.



