OWASP LLM Top 10: the Acceptance Bar for Shipping Models
SAST and DAST cannot reason about prompt-injection chains. The OWASP LLM Top 10 is the new acceptance bar for production model endpoints, and most teams ship with no baseline at all.
Why traditional AppSec misses LLM risks
Prompt injection is a logic flaw, not a memory bug. SAST tools that look for buffer overflows and SQL string concatenation cannot reason about a multi-turn conversation that ends with a tool-use call to delete a customer record.
DAST tools test HTTP endpoints with crafted payloads, but they can't generate the kind of indirect-injection chains where a malicious blog post in a RAG corpus rewrites the system prompt mid-conversation.
What black-box scanning actually tests
A purpose-built LLM scanner sends a curated battery of adversarial prompts to a deployed endpoint and grades the responses against the OWASP LLM Top 10 (LLM01–LLM10).
- LLM01 Prompt injection — direct and indirect
- LLM02 Insecure output handling — XSS, SSRF, RCE through model output
- LLM03 Training data poisoning
- LLM04 Model denial of service
- LLM05 Supply chain vulnerabilities
- LLM06 Sensitive information disclosure
- LLM07 Insecure plugin design
- LLM08 Excessive agency
- LLM09 Overreliance
- LLM10 Model theft
Bringing LLM scanning into CI
Treat LLM security like any other regression check. Threatstealth's LLM Scanner runs on every model or prompt-template deploy; results are diffable against the prior baseline so a regression is surfaced before customers see it.
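An added example (not Threatstealth's code or output format) of the baseline diff described above: it compares a scan's per-probe verdicts with the prior baseline, grouped by OWASP LLM Top 10 category, and fails the build on new failures or on probes that were dropped from the run. The result schema (`probe_id`, `category`, `verdict`) and the probe ids are assumptions constructed for illustration.

```python
import sys

# The ten category ids listed above (LLM01 through LLM10).
CATEGORIES = [f"LLM{n:02d}" for n in range(1, 11)]

def failed_by_category(results):
    """Map category -> set of probe ids whose response was graded 'fail'."""
    failed = {c: set() for c in CATEGORIES}
    for r in results:
        if r["category"] not in failed:
            raise ValueError(f"unknown category {r['category']!r}")
        if r["verdict"] == "fail":
            failed[r["category"]].add(r["probe_id"])
    return failed

def diff_against_baseline(baseline, current):
    """Return (regressions, fixed, missing) relative to the prior baseline."""
    base_f, cur_f = failed_by_category(baseline), failed_by_category(current)
    seen = {r["probe_id"] for r in current}
    regressions, fixed = {}, {}
    for c in CATEGORIES:
        if cur_f[c] - base_f[c]:            # fails now, did not fail before
            regressions[c] = sorted(cur_f[c] - base_f[c])
        if (base_f[c] - cur_f[c]) & seen:   # failed before, re-run and passing
            fixed[c] = sorted((base_f[c] - cur_f[c]) & seen)
    # A probe present in the baseline but absent from this run can hide a regression.
    missing = sorted({r["probe_id"] for r in baseline} - seen)
    return regressions, fixed, missing

def gate(baseline, current):
    """CI exit code: 0 = no regression, 1 = new failures or dropped probes."""
    regressions, fixed, missing = diff_against_baseline(baseline, current)
    for cat, ids in regressions.items():
        print(f"REGRESSION {cat}: {', '.join(ids)}")
    for cat, ids in fixed.items():
        print(f"fixed      {cat}: {', '.join(ids)}")
    for pid in missing:
        print(f"MISSING    {pid}: in baseline, not run")
    return 1 if regressions or missing else 0

# Constructed sample results (not real scanner output).
BASELINE = [
    {"probe_id": "inj-direct-001", "category": "LLM01", "verdict": "pass"},
    {"probe_id": "inj-indirect-rag-004", "category": "LLM01", "verdict": "pass"},
    {"probe_id": "out-html-002", "category": "LLM02", "verdict": "fail"},
    {"probe_id": "agency-tool-delete-001", "category": "LLM08", "verdict": "pass"},
]
CURRENT = [
    {"probe_id": "inj-direct-001", "category": "LLM01", "verdict": "pass"},
    {"probe_id": "inj-indirect-rag-004", "category": "LLM01", "verdict": "fail"},
    {"probe_id": "out-html-002", "category": "LLM02", "verdict": "pass"},
]

if __name__ == "__main__":
    sys.exit(gate(BASELINE, CURRENT))
```

Treating a missing probe as a failure keeps a shrinking test battery from passing as an improvement.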