Guide · LLM Security

The practical guide to LLM security.

Large language models opened up a new attack surface — prompts, embeddings, tools, and agents. This guide walks through the threats security teams see in production and the controls that actually work.

Why LLM security is different

Traditional appsec assumes deterministic code paths and structured input. LLMs invert both. Every prompt is untrusted input, every response is generative code or content, and every tool call the model can invoke becomes an attack primitive. Input validation, output encoding, and least-privilege still apply — but you also have to defend the model itself, the context you assemble, and any agent loops you build on top.

OWASP Top 10 for LLM applications

OWASP maintains a Top 10 specifically for LLM apps. These are the categories worth mapping every LLM feature against.

  1. LLM01

    Prompt injection

    Direct or indirect instructions that override the system prompt or exfiltrate context.

  2. LLM02

    Insecure output handling

    Rendering model output as HTML, SQL, or shell without sanitization — classic XSS/RCE via generation.

  3. LLM03

    Training data poisoning

    Malicious data in fine-tune sets, RAG corpora, or feedback loops that shifts model behavior.

  4. LLM04

    Model denial of service

    Adversarial prompts that force expensive generations, long contexts, or infinite tool loops.

  5. LLM05

    Supply chain vulnerabilities

    Compromised base models, adapters, plugins, or embedding providers.

  6. LLM06

    Sensitive information disclosure

    The model leaks secrets, PII, or system prompts baked into its context.

  7. LLM07

    Insecure plugin design

    Tools with over-broad scopes, unvalidated arguments, or missing auth on downstream APIs.

  8. LLM08

    Excessive agency

    Agents given write access to systems where a hallucinated action becomes a real incident.

  9. LLM09

    Overreliance

    Users or downstream code trusting LLM output without human or programmatic verification.

  10. LLM10

    Model theft

    Extraction of proprietary weights, prompts, or fine-tunes via API abuse.

Threats in production

Prompt injection (direct & indirect)

Direct injection lives in the user turn. Indirect injection hides in tool output, web pages the model reads, PDF metadata, or email bodies in an inbox assistant. Assume any text the model ingests can carry instructions.

Data & context leakage

System prompts, retrieved documents, and cached embeddings can all leak. Adversaries ask the model to repeat its instructions, quote its sources, or emit tokens that reconstruct the corpus.

Agent & tool abuse

An agent with shell, browser, or database tools is a confused deputy waiting to happen. A single crafted document can turn a helpful assistant into an exfiltration pipeline.

Insecure output handling

Model output rendered as HTML enables XSS. Passed to eval, exec, or a SQL driver, it enables RCE and injection. Treat generations as untrusted the same way you treat user input.

Model DoS & cost attacks

Repeated long-context requests, recursive tool calls, and image inputs can burn credits and starve legitimate traffic. Budgets and rate limits are security controls, not billing controls.

Brand & content abuse

Lookalike apps, jailbroken clones, and phishing pages wrap your model or brand. Monitor the surface, not just the model.

Controls that work

Trust boundaries around context

Separate system, developer, and user roles. Mark retrieved content as data, not instructions. Strip or escape control tokens before they hit the model.

Least-privilege tools

Every tool the model can call gets its own scope, its own auth, and its own audit trail. No tool should be able to act on data outside the current user's tenant.

Guardrails & moderation

Input filters for injection patterns, output filters for PII, secrets, and policy violations. Fail closed when a filter is unavailable.

Evaluation & red-teaming

Automated jailbreak suites, adversarial prompts, and regression evals gate deploys the same way unit tests do. Track pass rates over time.

RAG hygiene

Sign your corpus. Validate sources. Chunk with provenance metadata so the model — and your logs — always know where a claim came from.

Monitoring & incident response

Log every prompt, tool call, and response with tenant, user, and cost. Alert on injection signatures, cost anomalies, and tool-call spikes. Rehearse the LLM-incident runbook.

Shipping checklist

  • Threat-model every LLM feature against the OWASP LLM Top 10.
  • Separate system, developer, and user roles in every prompt.
  • Sanitize model output before rendering, executing, or forwarding it.
  • Scope tools narrowly and require auth on every downstream API.
  • Cap tokens, cost, and tool-call depth per request and per tenant.
  • Run an automated jailbreak and PII suite in CI before every deploy.
  • Log prompts, tools, and responses with tenant, user, and cost metadata.
  • Alert on injection signatures, cost spikes, and refusal-rate drops.
  • Document a data-deletion and model-retraining path for regulated data.
  • Rehearse an LLM-specific incident runbook with your on-call rotation.

Frequently asked questions

Is prompt injection actually solvable?+

Not fully — it is the SQL injection of a probabilistic system. What you can do is reduce blast radius: separate roles, scope tools, sanitize output, and monitor for signatures. Defense in depth wins.

Do I need a separate guardrail model?+

For anything user-facing or agentic, yes. A cheaper classifier or rules layer in front of and behind the main model catches most policy and injection failures without adding user-visible latency.

How do I secure a RAG pipeline?+

Treat the corpus as code. Sign it, review changes, and store provenance. At query time, mark retrieved chunks as data, filter secrets, and never let retrieved content silently become instructions.

What frameworks should I map to?+

OWASP Top 10 for LLM Applications, the NIST AI Risk Management Framework (AI RMF), and — in the EU — the AI Act obligations for your risk tier.

Ready to operationalize this?

TrendGuru AI ships the scanner, brand monitor, and training modules teams use to close these gaps in production.

Explore the platform