How it works
Defenses
Attack Patterns MCP Attack Atlas What we catch Hardening manual OWASP LLM Top 10 MITRE ATLAS
Learn
Encyclopedia (new) Agent Security 101 Blog Reports CVP runs Thesis
Resources
Docs GitHub Action (live) vs Lakera vs Promptfoo Team
Theme
Compliance / OWASP LLM Top 10 2025

OWASP Top 10 for LLM Applications 2025 — Sunglasses Mapping

sunglasses://compliance/owasp-llm-top-10
The mapping

How our 65 threat categories and 1089 patterns map to the OWASP LLM Top 10 (2025 edition). Honest coverage: 7 risks covered, 3 gaps named.

7 / 10
Covered
28
Mapped categories
1112
Detection patterns
3
Honest gaps
sunglasses://compliance/owasp-llm-top-10/legend
How to read this page

Each risk below is tagged COVERED, PARTIAL, or GAP. Covered = we emit named findings for the risk. Partial = we catch some attack classes but not all. Gap = the risk sits outside our detection surface — we link to tools that handle it.

Risk-by-risk mapping

LLM01:2025 · COVERED

Prompt Injection

"A Prompt Injection Vulnerability occurs when user prompts alter the LLM’s behavior or output in unintended ways."

Our core detection surface. Direct, indirect, hidden-instruction, and obfuscated prompt injection all map here.

prompt_injectionindirect_prompt_injectionparasitic_injectionhidden_instructionencoded_payloadencoding_evasioninvisible_unicodertl_obfuscationunicode_evasioncode_switchingui_injectionsocial_engineeringsocial_engineering_ui

Source: genai.owasp.org/llmrisk/llm01-prompt-injection/

LLM02:2025 · COVERED

Sensitive Information Disclosure

"Sensitive information can affect both the LLM and its application context."

Covers both extraction attempts (asking the model to reveal its prompt/config) and detection of secrets leaking through inputs/outputs.

prompt_extractionprompt_leaksecret_detectionexfiltration

Source: genai.owasp.org/llmrisk/llm022025-sensitive-information-disclosure/

LLM03:2025 · COVERED

Supply Chain

"LLM supply chains are susceptible to various vulnerabilities, which can affect the integrity of training data, models, and deployment platforms."

We detect runtime indicators of supply-chain compromise in tool metadata and MCP server descriptions. Training-data supply chain is outside our scope (it’s pre-training).

supply_chainmcp_threattool_poisoning

Source: genai.owasp.org/llmrisk/llm032025-supply-chain/

LLM04:2025 · PARTIAL

Data and Model Poisoning

"Data poisoning occurs when pre-training, fine-tuning, or embedding data is manipulated to introduce vulnerabilities, backdoors, or biases."

We detect runtime-side memory/context poisoning (after a model is deployed). Pre-training and fine-tuning data poisoning is pre-deployment and outside our surface — that’s model-scanning territory (ProtectAI Guardian, HiddenLayer).

memory_poisoning

Source: genai.owasp.org/llmrisk/llm042025-data-and-model-poisoning/

LLM05:2025 · COVERED

Improper Output Handling

"Improper Output Handling refers specifically to insufficient validation, sanitization, and handling of the outputs generated by large language models before they are passed downstream to other components and systems."

We detect dangerous payloads that downstream systems would execute: shell injection, path traversal, SSRF-style URLs, deserialization, C2 indicators, DNS tunneling, exfil patterns.

command_injectionpath_traversaldeserializationssrfexfiltrationc2_indicatordns_tunneling

Source: genai.owasp.org/llmrisk/llm052025-improper-output-handling/

LLM06:2025 · COVERED

Excessive Agency

"An LLM-based system is often granted a degree of agency by its developer — the ability to call functions or interface with other systems via extensions to undertake actions in response to a prompt."

We catch agent-workflow violations, privilege escalation attempts, sandbox-escape patterns, and MCP/tool-metadata poisoning that triggers unintended agent actions.

agent_securityagent_workflowagent_workflow_securityprivilege_escalationsandbox_escapemcp_threattool_poisoning

Source: genai.owasp.org/llmrisk/llm062025-excessive-agency/

LLM07:2025 · COVERED

System Prompt Leakage

"The system prompt leakage vulnerability in LLMs refers to the risk that the system prompts or instructions used to steer the behavior of the model can also contain sensitive information that was not intended to be discovered."

We detect extraction-probe patterns (direct and indirect attempts to elicit the system prompt).

prompt_extractionprompt_leak

Source: genai.owasp.org/llmrisk/llm072025-system-prompt-leakage/

LLM08:2025 · GAP

Vector and Embedding Weaknesses

"Vectors and embeddings vulnerabilities present significant security risks in systems utilizing Retrieval Augmented Generation (RAG) with Large Language Models (LLMs)."

Sunglasses does not currently ship specific detection for RAG/vector store attacks. This includes embedding poisoning, adversarial embeddings, and vector-store access control bypass. Planned as part of output scanning work in v0.3.1 (retrieval content is exactly the kind of tool-output we want to inspect). For now: see Lakera Guard (runtime), Invariant/Snyk (MCP), Pillar Security (RAG inventory).

Source: genai.owasp.org/llmrisk/llm082025-vector-and-embedding-weaknesses/

LLM09:2025 · GAP

Misinformation

"Misinformation from LLMs poses a core vulnerability for applications relying on these models."

Sunglasses does not detect model hallucination or factual misinformation. That’s a model-behavior problem, not a pattern-match problem. See Giskard, Patronus AI, Arthur Shield for hallucination detection.

Source: genai.owasp.org/llmrisk/llm092025-misinformation/

LLM10:2025 · GAP

Unbounded Consumption

"Unbounded Consumption refers to the process where a Large Language Model (LLM) generates outputs based on input queries or prompts."

Sunglasses does not handle denial-of-service, cost-harvesting, or resource-exhaustion attacks. That’s rate-limiting and infrastructure territory (Cloudflare AI Gateway, Akamai, usage-capped proxies).

Source: genai.owasp.org/llmrisk/llm102025-unbounded-consumption/

Quick-reference table

OWASP Risk
Coverage
Sunglasses Categories
LLM01 Prompt Injection
COVERED
63 categories (full prompt injection surface)
LLM02 Sensitive Information Disclosure
COVERED
prompt_extraction, prompt_leak, secret_detection, exfiltration
LLM03 Supply Chain
COVERED
supply_chain, mcp_threat, tool_poisoning (runtime)
LLM04 Data and Model Poisoning
PARTIAL
memory_poisoning (runtime only)
LLM05 Improper Output Handling
COVERED
7 categories (shell/path/ssrf/deser/exfil/C2/DNS)
LLM06 Excessive Agency
COVERED
7 categories (agent workflow + privilege)
LLM07 System Prompt Leakage
COVERED
prompt_extraction, prompt_leak
LLM08 Vector/Embedding Weaknesses
GAP
Planned for v0.3.1 output scanning
LLM09 Misinformation
GAP
Out of scope (behavioral, not pattern-based)
LLM10 Unbounded Consumption
GAP
Out of scope (infrastructure-level)

Machine-readable evidence

Every finding Sunglasses emits includes the triggering pattern ID, severity, category, and matched text. When you pipe through --output sarif, each finding becomes a SARIF result with a security-severity score and a category tag that can be cross-referenced back to the OWASP risk above.

← Back to compliance mappings