Blog

OWASP Top 10 for LLM Applications: What Security Teams Get Wrong

OWASP Top 10 for LLM Applications - neural network with vulnerability categories

OWASP published its first Top 10 for Large Language Model Applications in 2023. Two years later, most security teams still treat “LLM risk” as a synonym for “prompt injection.” That’s like treating the OWASP Web Top 10 as if SQL injection were the only vulnerability that mattered.

The 2025 revision of the OWASP LLM Top 10 expanded and reorganized the list based on real-world incidents. Supply chain attacks replaced insecure plugins. System prompt leakage and vector embedding weaknesses got their own categories. The list reflects what attackers are actually doing, not what conference talks speculate about.

Your employees interact with LLMs daily. Customer support agents use chatbots. Marketing teams generate content. Developers lean on AI coding assistants for everything from debugging to architecture decisions. Each interaction is a potential attack surface, and your team probably doesn’t know it.

Callback Phishing (TOAD): No Links, All Danger

Callback phishing attack flow showing a fake invoice email leading to a phone call and remote access compromise

You get an email from “Norton LifeLock” confirming your annual renewal at $499.99. You did not buy Norton LifeLock. There is no link to click, no attachment to open. Just a phone number to call if “this charge was made in error.”

So you call it. The person who answers sounds professional, patient, and genuinely helpful. They ask you to visit a website and download a “cancellation tool” so they can process your refund. What you are actually downloading is remote access software. Within minutes, the person on the other end controls your machine.

No malicious link was clicked. No attachment was opened. Your email security caught nothing because there was nothing to catch.

This is callback phishing, and it is one of the fastest-growing attack types in corporate environments.

Credential Stuffing: How Leaked Passwords Work

Credential stuffing attack visualization showing a breached database, an automated bot, and multiple login forms being tested

In January 2024, a security team at a mid-size SaaS company noticed something odd. Over a single weekend, their authentication logs showed 340,000 failed login attempts across employee and customer-facing portals. The attempts came from thousands of IP addresses, rotating every few requests. Buried in the noise: 47 successful logins.

None of those 47 accounts had been brute-forced. The attackers already had the correct passwords. They had purchased a batch of stolen credentials from a 2023 breach of an unrelated service, and 47 employees had used the same email and password combination for both.

This is credential stuffing. Not a sophisticated exploit. Not a zero-day. Just a bet that people reuse passwords, and that bet pays off roughly 0.1% to 2% of the time. At scale, that is enough.

Insider Threat Awareness Training for Employees

Insider threat visualization showing an authorized employee with access badge alongside a data exfiltration timeline

A systems administrator at a defense contractor copies classified schematics to a personal USB drive over the course of three months. His badge still works. His credentials are valid. He passes the same security checks as everyone else. Nothing in the firewall logs, intrusion detection system, or email gateway catches a thing.

When the breach is finally discovered, it is not because a tool flagged it. A coworker noticed he was accessing project folders he had no business being in and mentioned it to their manager. That conversation, uncomfortable as it was, prevented months of additional exfiltration.

External attackers need to break in. Insiders are already inside.

Ransomware Awareness Training for Employees

Ransomware attack visualization showing encrypted files, a locked padlock, and a ransom note countdown timer

A finance team member opens a PDF labeled “Q4 Invoice Reconciliation.” The file came from what looks like a known vendor. Thirty seconds later, file extensions on her desktop start changing. Documents she opened yesterday now end in .locked. Programs freeze. A full-screen message appears with a Bitcoin address and a 48-hour countdown.

She pulls her Ethernet cable. Calls IT. Does not touch the power button.

That instinct saved her company roughly two weeks of recovery time, because she had trained for this exact moment.