* [Blog](https://www2.paloaltonetworks.com/blog) * [Cloud Security](https://www2.paloaltonetworks.com/blog/cloud-security/) * [AI Security](https://www2.paloaltonetworks.com/blog/cloud-security/category/ai-security/) * Explore the OWASP Top 10 ... # Explore the OWASP Top 10 for LLMs: A New Interactive Guide [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fowasp-top-10-llms-ai-security-guide%2F) [](https://twitter.com/share?text=Explore+the+OWASP+Top+10+for+LLMs%3A+A+New+Interactive+Guide&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fowasp-top-10-llms-ai-security-guide%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fowasp-top-10-llms-ai-security-guide%2F&title=Explore+the+OWASP+Top+10+for+LLMs%3A+A+New+Interactive+Guide&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/cloud-security/owasp-top-10-llms-ai-security-guide/&ts=markdown) \[\](mailto:?subject=Explore the OWASP Top 10 for LLMs: A New Interactive Guide) Link copied By [Sharon Farber](https://www.paloaltonetworks.com/blog/author/sharon-farber/?ts=markdown "Posts by Sharon Farber") Nov 20, 2025 4 minutes [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown) [AI-SPM](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-spm/?ts=markdown) [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown) ![The interactive layout gives you a big-picture view while guiding you through the various mechanisms of potential attacks.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-348488-1.png) Figure 1: The interactive layout gives you a big-picture view while guiding you through the various mechanisms of potential attacks. In just a few years, AI has gone from a novelty to a core part of how we work, innovate and build software. But while large language models (LLMs) and generative AI (GenAI) have accelerated development across industries, they've also introduced a volatile, largely unprotected attack surface. That's why the [OWASP Top 10 for LLMs](https://owasp.org/www-project-top-10-for-large-language-model-applications/) matters now more than ever. Just as traditional OWASP Top 10 lists have helped developers and security leaders mitigate classic web vulnerabilities, this new list is a foundational guide for understanding the unique threats in AI pipelines, applications and ecosystems. ## Why the Urgency? Because Attackers Are Already Targeting AI Pipelines It's time to stop assuming that these risks are theoretical. They're already playing out across cloud environments in real incidents -- and at a real cost. ### Prompt Injection Across Multi-Model Environments Prompt injection isn't a theoretical risk. [Unit 42's Prompt Attack report (2025)](https://unit42.paloaltonetworks.com/new-frontier-of-genai-threats-a-comprehensive-guide-to-prompt-attacks/) found that over half of all injection attempts successfully bypassed safety filters, even in production-grade systems. These attacks don't exploit complex zero days. They exploit trustworthy assets -- models, RAG pipelines or chained tools -- that accept and act on malicious input without guardrails. ### Agentic AI and Over-Permissioned Access Unit 42's AI threat research also highlights how [agentic systems can be turned against themselves](https://unit42.paloaltonetworks.com/new-frontier-of-genai-threats-a-comprehensive-guide-to-prompt-attacks/). In one test scenario, a single malicious prompt triggered an AI agent to extract sensitive data and send it to an attacker-controlled endpoint. When these agents operate with admin-level IAM permissions or no approval workflow (as seen in real-world shadow AI incidents), they become ideal entry points for data theft and insider-like abuse. ### Misconfigurations and Ransomware [The latest Unit 42 Ransomware Report](https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/) shows ransomware groups targeting cloud-hosted AI assets and development pipelines. Unsecured endpoints, excessive permissions or exposed training datasets can open the door to extortion or data destruction. > This isn't a hypothetical risk. It's leading to exposed secrets, leaked PII, and unintended external access from unsecured AI behavior. ## The Cost of Ignoring AI-Specific Security When AI pipelines are left unsecured, the financial and operational impact can be devastating. According to [IBM's 2025 Cost of a Data Breach report,](https://www.ibm.com/think/x-force/2025-cost-of-a-data-breach-navigating-ai) the average breach costs $4.7 million, rising to over $5.4 million for cloud-based AI workloads. These aren't abstract numbers. In recent real-world scenarios, attackers have exploited misconfigured AI endpoints and unsecured model APIs to exfiltrate proprietary data, hijack compute resources, and insert poisoned training data. For example, an exposed agentic AI workflow can be manipulated through prompt injection to leak sensitive data, trigger unintended actions or spread misinformation across downstream systems. Meanwhile, stolen PII used for fine-tuning can violate compliance frameworks like GDPR or HIPAA, adding regulatory fines to already mounting recovery costs. And since AI assets are dynamic -- models get retrained, data gets reclassified, endpoints proliferate -- security blind spots grow fast. Without visibility into where sensitive data lives and how it flows through AI systems, even well-intentioned teams can leave their crown-jewel assets exposed. ## What the OWASP Top 10 for LLMs Covers -- and Why It's Your Blueprint [The OWASP Top 10 for LLMs framework](https://www.paloaltonetworks.com/resources/infographics/llm-applications-owasp-10) brings structure to the chaos of emerging AI risks. But we've taken it a step further. Our new interactive experience helps security and platform teams visualize where each risk surfaces in a typical AI application stack, so they can take action with context. Each risk is translated into real-world scenarios across model inputs, outputs, endpoints, agents and pipelines -- giving you an at-a-glance understanding of where your AI stack is exposed. You'll also get recommended remediations that are aligned with leading security capabilities such as: * Sensitive data detection in AI pipelines * Model misconfiguration and prompt-based attack prevention * AI tool, plugin and access to cloud resource hardening The result: a practical, visual reference for securing AI across its full lifecycle -- from training data to deployment -- that's aligned with OWASP's latest guidance. ## Cortex Cloud's AI-SPM Brings Visibility and Control Here's how Cortex^®^ Cloud^TM^AI-SPM directly addresses today's threats: * \*\*Discover your AI ecosystem:\*\*Identify shadow AI, unmanaged models, OSS components, agents and connected data assets across your cloud workloads. * \*\*Map access and permissions:\*\*See which agents, endpoints and users have access to sensitive data and systems, as well as trace toxic permission paths. * \*\*Classify sensitive training data:\*\*Map PII, IP and financial data fueling your models, and assess exposure risk across pipelines. * \*\*Detect policy misconfigurations:\*\*Surface risks in real time and receive automated remediation recommendations. * \*\*Ensure governance and audit readiness:\*\*Build a defensible AI security posture before regulators or auditors come knocking. That's why this guide is essential. Align with the standard and stay ahead of threats. Explore the [Interactive OWASP Top 10 for LLMs](https://www.paloaltonetworks.com/resources/infographics/llm-applications-owasp-10). *** ** * ** *** ## Related Blogs ### [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown), [AI-SPM](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-spm/?ts=markdown), [CIEM](https://www.paloaltonetworks.com/blog/cloud-security/category/ciem/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [DSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/dspm/?ts=markdown), [Identity Security](https://www.paloaltonetworks.com/blog/cloud-security/category/identity-security/?ts=markdown) [#### Is AI a New Challenge for Cloud Security? Yes and No.](https://www2.paloaltonetworks.com/blog/cloud-security/ai-security-gap-cloud-models-agents/) ### [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection/?ts=markdown) [#### Understanding API Risk in the Age of AI](https://www2.paloaltonetworks.com/blog/cloud-security/api-security-ai-risk/) ### [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown) [#### OWASP Top 10 for Agentic Applications 2026 Is Here -- Why It Matters and How to Prepare](https://www2.paloaltonetworks.com/blog/cloud-security/owasp-agentic-ai-security/) ### [AI Security](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security/?ts=markdown), [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown) [#### Why Self-Managed AI Models Are Blind Spots and What to Do About It](https://www2.paloaltonetworks.com/blog/cloud-security/self-managed-ai-security-risks/) ### [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [ASPM](https://www.paloaltonetworks.com/blog/cloud-security/category/aspm/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Code Security](https://www.paloaltonetworks.com/blog/cloud-security/category/code-security/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/cloud-security/category/research/?ts=markdown) [#### An Inside Look into ASPM: Five Findings from New Industry Research](https://www2.paloaltonetworks.com/blog/cloud-security/aspm-research-omdia/) ### [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown) [#### Modernizing Security on AWS: From Firewall Ops to Security Intent](https://www2.paloaltonetworks.com/blog/network-security/modernizing-security-on-aws-from-firewall-ops-to-security-intent/) ### Subscribe to Cloud Security Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language