Security reference
OWASP Top 10 for LLM applications, mapped to enforcement
The OWASP Top 10 for LLM Applications is the standard frame for securing systems built on language models. This page maps each risk to the specific guardrail stage that addresses it on the wire – and is honest about the two risks we cover partially and the one no runtime component can.
The short version: 7 covered, 2 partial, 1 out of scope. Training-time attacks need training-time defenses; everything that happens at runtime crosses the proxy, and that is where it is enforced.
Prompt Injection
CoveredCrafted input – direct from the user or hidden in content the model reads – overrides the application’s instructions and steers the model’s behavior.
Layered boundary defense: deterministic pattern checks and Prompt Guard 2 on inputs, injection scanning of every tool result before it re-enters context, and canary detection for system-prompt leakage. Behind detection, action-level invariants (grounding, tiers, taint, budgets) contain what slips through.
Sensitive Information Disclosure
CoveredPII, secrets, or proprietary data leak into prompts sent to providers, into model output, or out through an agent’s tool calls.
PII is screened into reversible placeholders before any request leaves the proxy and restored only on the response path; the placeholder map is never persisted. Taint tracking blocks screened values and detected secrets from leaving through tool arguments; logs store the screened form by default.
Supply Chain
PartialCompromised models, datasets, plugins, or tool servers introduce vulnerabilities the application inherits.
Model and dataset provenance is out of a runtime proxy’s scope. The agent-facing slice is covered: MCP manifest pinning detects a tool server whose manifest changed after vetting (the rug-pull), and tool policy limits what any third-party tool may be called with.
Data and Model Poisoning
Out of scopeTraining or fine-tuning data is manipulated to embed vulnerabilities, biases, or backdoors in the model itself.
A training-time risk – no runtime proxy can prevent it, and we won’t pretend otherwise. What the proxy does is catch poisoning’s runtime symptoms: output that contradicts its sources fails grounding, and unsafe output fails the content-safety cascade, whatever their cause.
Improper Output Handling
CoveredDownstream code consumes model output without validation – malformed structures, embedded payloads, or unsafe content flow straight into systems that trust them.
Structured output is validated and repaired in three tiers (parse, extract, corrective re-ask) so downstream parsers get the contracted shape or a clean 422 – never a silent poison value. The content-safety cascade judges output before your application sees it.
Excessive Agency
CoveredAn agent holds more tools, permissions, or autonomy than the task needs – and an error or injection turns that surplus into damage.
The agent stack exists for exactly this: per-key tool allow/deny with JSON-schema argument validation, risk tiers (read < network < write < exec < delete < payment) with escalation flags, human approval via the checkpoint API for designated tiers, and hard per-run cost/step/tool budgets.
System Prompt Leakage
CoveredThe system prompt – often carrying business logic, credentials, or instructions worth attacking – is extracted through the model’s own output.
A canary seeded into the system prompt makes leakage deterministically detectable: if the marker appears in output, the response is flagged or the leak redacted. Extraction attempts are also caught on the input side by the injection patterns and classifier.
Vector and Embedding Weaknesses
PartialRAG pipelines are attacked through their retrieval layer: poisoned documents, embedding inversion, or leakage across tenants’ vector stores.
Securing your vector database itself is outside the proxy. What is covered: retrieved content re-entering the model is scanned like any untrusted input, and RAG-grounded answers are verified against the retrieved chunks – a poisoned document that makes the model contradict its legitimate sources trips grounding.
Misinformation
CoveredThe model produces false or unsupported information that users and downstream systems rely on – the OWASP entry for hallucination.
The headline capability: deterministic numeric grounding recomputes arithmetic and matches every figure to the source; a fact-check judge flags unsupported claims, contradictions, and overconfident extrapolation; RAG, web search, and a second-model consilium verify externally. Findings block in PREVENT, repair-or-flag in FIX.
Unbounded Consumption
CoveredRunaway loops, denial-of-wallet attacks, or simple bugs consume tokens and budget without limit – across many requests, where no single-request cap can see it.
Per-run budgets enforce hard cost, step, and tool-call ceilings before the next model call spends a token; the loop guard fingerprints repeated calls to catch runaways early. Every guard-model sub-call is priced into the same run totals, so the budget reflects true spend.
What is the OWASP Top 10 for LLM Applications?
A consensus list from the OWASP GenAI Security Project of the most critical security risks specific to applications built on large language models – prompt injection, sensitive data disclosure, excessive agency, unbounded consumption, and six more. It is the reference frame most security reviews of LLM systems start from.
Can one product cover all ten risks?
No, and claims otherwise deserve suspicion. Two of the ten are wholly or partly training-time and infrastructure risks (data/model poisoning, supply chain) that no runtime component can prevent. A runtime proxy covers the runtime seven strongly, two partially, and catches the runtime symptoms of the rest.
How does a proxy help with excessive agency (LLM06)?
Excessive agency is a runtime property – which tools an agent holds and what it does with them. The proxy enforces per-key tool allow/deny lists, risk tiers with human approval for designated levels, argument grounding against the run’s sources, and hard per-run budgets, at the boundary the tool calls actually cross.
Is this an official OWASP assessment?
No – OWASP publishes the risk list, not vendor certifications. This page is our own engineering mapping of each risk to the specific guardrail stage that addresses it, including where coverage is partial or out of scope.
Run your next security review against a live coverage map.
Every check on this page records its verdict per request – so the answer to “are we covered?” is a dashboard, not a slide. We’re running a limited demo.