Loading repository data…
Loading repository data…
requie / repository
A comprehensive reference for securing Large Language Models (LLMs). Covers OWASP GenAI Top-10 risks, prompt injection, adversarial attacks, real-world incidents, and practical defenses. Includes catalogs of red-teaming tools, guardrails, and mitigation strategies to help developers, researchers, and security teams deploy AI responsibly.
A transparent discovery signal based on current public GitHub metadata.
This score does not audit code, security, maintainers, documentation quality, or suitability. Verify the repository and its current documentation before adoption.
A comprehensive guide to offensive and defensive security for Large Language Models and Agentic AI Systems, updated for February 2026 with the OWASP Top 10 for LLMs 2025, corrected OWASP Top 10 for Agentic Applications 2026 (ASI prefix), new security tools, recent incidents, and AI regulation coverage.
Overview • What's New • Quick Start • OWASP LLM 2025 • 🆕 OWASP Agentic 2026 • Tools • Resources
⚡ MAJOR UPDATE: This guide has been significantly updated with critical corrections and new content for 2026. The OWASP Agentic Top 10 identifiers have been corrected from the unofficial "AAI" prefix to the official "ASI" (Agentic Security Issue) prefix with proper ordering per the December 2025 release. New sections cover DeepSeek R1 security concerns, recent AI security incidents, emerging red teaming tools, and AI regulations.
| Addition | Description |
|---|---|
| 🔴 ASI Prefix Correction | Fixed OWASP Agentic Top 10 from incorrect AAI to official ASI identifiers with correct ordering |
| 🆕 New Security Tools | DeepTeam, Promptfoo, ARTKIT, Meta LlamaFirewall/Llama Guard 4 |
| 🆕 New Case Studies |
| EchoLeak (CVE-2025-32711), DeepSeek R1 vulnerabilities, first malicious MCP server |
| 🆕 AI Regulations | EU AI Act 2026 milestones, NIST AI RMF, ISO/IEC 42001 |
| 🔄 Updated LLM Ecosystem | GPT-5.x, Claude Opus 4.6, Gemini 3.x, Llama 4 models |
| 📈 Updated Resources | New research references, red teaming tools, and regulatory resources |
This guide covers the OWASP Top 10 for LLM Applications 2025 (released November 18, 2024) and the OWASP Top 10 for Agentic Applications 2026 (released December 10, 2025). Key topics include Agentic AI Security, RAG Vulnerabilities, System Prompt Leakage, Vector/Embedding Weaknesses, and AI Compliance.
As Large Language Models become the backbone of enterprise applications, from customer service chatbots to code generation assistants, the security implications have evolved dramatically. This guide provides a comprehensive resource for:
The November 2024 release introduced significant changes reflecting real-world AI deployment patterns:
Released at Black Hat Europe on December 10, 2025, this globally peer-reviewed framework identifies critical security risks facing autonomous AI systems:
| Rank | Vulnerability | Description |
|---|---|---|
| ASI01 | Agent Goal Hijack | Redirecting agent objectives via prompt injection, deceptive tool outputs, or poisoned data |
| ASI02 | Tool Misuse & Exploitation | Agents misusing legitimate tools due to prompt injection, misalignment, or unsafe delegation |
| ASI03 | Identity & Privilege Abuse | Exploiting inherited/cached credentials, delegated permissions, or agent-to-agent trust |
| ASI04 | Agentic Supply Chain Vulnerabilities | Malicious or tampered tools, descriptors, models, or agent personas |
| ASI05 | Unexpected Code Execution | Agents generating or executing attacker-controlled code |
| ASI06 | Memory & Context Poisoning | Persistent corruption of agent memory, RAG stores, or contextual knowledge |
| ASI07 | Insecure Inter-Agent Communication | Spoofed inter-agent messages misdirecting entire clusters |
| ASI08 | Cascading Failures | False signals cascading through automated pipelines with escalating impact |
| ASI09 | Human-Agent Trust Exploitation | Confident, polished explanations misleading human operators into approving harmful actions |
| ASI10 | Rogue Agents | Compromised or misaligned agents diverging from intended behavior |
The framework introduces the principle of "least agency" — only granting agents the minimum autonomy required for safe, bounded tasks.
Large Language Models (LLMs) are advanced AI systems trained on vast datasets to understand and generate human-like text. Modern LLMs power:
| Category | Examples | Key Characteristics |
|---|---|---|
| Foundation Models | GPT-5.x, Claude Opus 4.6, Llama 4 | General-purpose, up to 1M+ token context windows |
| Specialized Models | Codex, Med-PaLM 2, FinGPT | Domain-specific optimization |
| Multimodal Models | GPT-5, Claude Opus 4.6, Gemini 3.x | Text, image, audio, video processing |
| Agentic Systems | Claude Code, OpenAI Codex agent, LangChain Agents | Autonomous multi-step task execution |
| RAG Systems | Enterprise search, Q&A bots | External knowledge integration |
Agentic AI represents an advancement in autonomous systems where AI operates with agency—planning, reasoning, using tools, and executing multi-step actions with minimal human intervention. Unlike traditional LLM applications that respond to single prompts, agentic systems:
| Aspect | Traditional LLM | Agentic AI |
|---|---|---|
| State | Stateless (request/response) | Stateful (persistent memory) |
| Behavior | Reactive | Autonomous |
| Scope | Single interaction | Multi-step workflows |
| Propagation | Isolated | Cascading across agents |
| Detection | Easier (single point) | Harder (distributed actions) |
Modern LLM deployments introduce unique attack surfaces:
The OWASP Top 10 for Large Language Model Applications 2025 represents the collaborative work of 500+ global experts and reflects the current threat landscape.
| Rank | Vulnerability | Status | Description |
|---|---|---|---|
| LLM01 | Prompt Injection | 🔴 Unchanged | Manipulating LLM behavior through crafted inputs |
| LLM02 | Sensitive Information Disclosure | 🔴 Updated | Exposure of PII, credentials, and proprietary data |
| LLM03 | Supply Chain | 🔴 Enhanced | Compromised models, datasets, and dependencies |
| LLM04 | Data and Model Poisoning | 🔴 Refined | Malicious training data and backdoor attacks |
| LLM05 | Improper Output Handling | 🔴 Updated | Insufficient validation of LLM-gen |