A comprehensive encyclopedia of attack vectors targeting LLM applications. Understand how these threats work, see real examples, and learn prevention strategies.
Attacks that manipulate LLM behavior through crafted inputs
An attack where malicious instructions are embedded in user input to manipulate LLM behavior and bypass safety controls. Ranked as LLM01 in the OWASP Top 10 for LLM Applications 2025 and cataloged by MITRE ATLAS as technique AML.T0051.
Sophisticated prompts designed to bypass LLM safety guidelines and content policies to elicit harmful or restricted outputs. Classified under OWASP LLM01:2025 (Prompt Injection) and MITRE ATLAS technique AML.T0054 (LLM Jailbreak).
Attacks where malicious instructions are hidden in external data sources that the LLM processes, rather than in direct user input. Cataloged by MITRE ATLAS as sub-technique AML.T0051.001 (LLM Prompt Injection: Indirect) and covered under OWASP LLM01:2025.
Carefully crafted inputs designed to exploit model weaknesses, cause unexpected behaviors, or probe for vulnerabilities. Related to OWASP LLM01:2025 (Prompt Injection) and documented across multiple MITRE ATLAS techniques.
Techniques used to reveal the hidden system prompt, instructions, or configuration that defines an LLM application's behavior. Introduced as a standalone category in OWASP LLM07:2025 (System Prompt Leakage), new to the 2025 edition.
Attacks designed to steal or replicate an LLM's capabilities, weights, or behavior through systematic querying. Documented across multiple MITRE ATLAS techniques and addressed by OWASP LLM10:2025 (Unbounded Consumption).
The unintended disclosure of conversation context, previous prompts, or multi-turn conversation history. Related to OWASP LLM02:2025 (Sensitive Information Disclosure) and LLM07:2025 (System Prompt Leakage).
Attacks that exploit or corrupt the LLM's context window to alter behavior or access unauthorized information. Falls under OWASP LLM01:2025 (Prompt Injection) as a variant of direct prompt manipulation.
Attacks designed to exhaust LLM resources, cause excessive costs, or make the service unavailable. Classified as LLM10:2025 (Unbounded Consumption) in the OWASP Top 10 for LLM Applications, renamed from 'Model Denial of Service' in the 2023 edition.
Exposure of sensitive information through LLM outputs
Unintended exposure of sensitive information, training data, or system prompts through LLM outputs. Ranked as LLM02 in the OWASP Top 10 for LLM Applications 2025, up from #6 in the 2023 edition, reflecting its growing real-world impact.
The unintended disclosure of Personally Identifiable Information (PII) such as names, addresses, SSNs, credit cards, or other personal data through LLM interactions. Falls under OWASP LLM02:2025 (Sensitive Information Disclosure).
Attacks that cause LLMs to reveal memorized training data, potentially including private or copyrighted content. Falls under OWASP LLM02:2025 (Sensitive Information Disclosure).
Attempts to generate harmful, toxic, or policy-violating content
LLM outputs containing harmful content including hate speech, violence, harassment, or other toxic material. Addressed by OWASP LLM02:2025 (Sensitive Information Disclosure) and related to NIST AI 600-1 information integrity risks.
Deliberately inducing LLMs to generate false, fabricated, or misleading information that appears authoritative. Classified as LLM09:2025 (Misinformation) in the OWASP Top 10 for LLM Applications, a new category in the 2025 edition.
Using LLMs to generate personalized phishing, scam, or manipulation content at scale. Related to NIST AI 600-1 information integrity risks and OWASP LLM02:2025.
Wardstone Guard detects all these threats in a single API call with Sub-30ms latency.