LLM Security Cheat Sheet

LLM security comprehensive guide — OWASP Top 10 for LLM applications, prompt injection defenses, data poisoning, model theft, supply chain risks, and secure deplo.

Last Updated: May 1, 2025

OWASP Top 10 for LLM Applications

#VulnerabilityRiskMitigation
LLM01Prompt InjectionCriticalInput validation, output filtering, least privilege
LLM02Insecure Output HandlingCriticalOutput sanitization, content security policies
LLM03Training Data PoisoningHighData provenance, integrity checks, human review
LLM04Model Denial of ServiceHighRate limiting, token budgets, caching
LLM05Supply Chain VulnerabilitiesHighSBOM, dependency scanning, model source verification
LLM06Sensitive Information DisclosureCriticalData sanitization, PII filtering, access controls
LLM07Insecure Plugin DesignHighInput validation, sandboxed execution, auth scoping
LLM08Excessive AgencyHighLeast privilege, human-in-the-loop for high-risk actions
LLM09OverrelianceMediumHuman oversight, confidence scores, disclaimer requirements
LLM10Model TheftMediumRate limiting, API auth, watermarking, access controls

Prompt Injection Deep Dive

ItemDescription
Direct InjectionUser attaches 'Ignore previous instructions...' to their query. Defense: sandwich prompting, instruction repetition, input sanitization
Indirect/Stored InjectionAttacker plants malicious content in a webpage or document that an LLM later retrieves. Defense: treat all retrieved content as untrusted
Multi-modal InjectionHidden text in images, audio, or video files processed by multi-modal models. Defense: strip metadata, resize/compress all uploaded media
Jailbreaking TechniquesDAN (Do Anything Now), roleplay scenarios, base64 encoding, language switching, few-shot manipulation. Defense: comprehensive safety training, red teaming
Token SmugglingUsing special tokens or encoding tricks to bypass filters. Defense: strict token validation, canonicalization before processing
Recursive InjectionLLM output is fed back as input, allowing injection to compound. Defense: treat LLM outputs as untrusted when re-feeding
Cross-Model InjectionOutput from one LLM poisons another. Defense: sanitize all LLM outputs before passing to downstream systems

Data Poisoning & Model Theft

ItemDescription
Data PoisoningAdversarial examples added to training/fine-tuning data to create backdoors or degrade performance
RAG PoisoningInjecting malicious documents into the retrieval corpus that steer RAG responses
Fine-tuning PoisoningPoisoned examples in fine-tuning data can implant backdoors triggered by specific phrases
Model InversionReconstructing training data from model outputs by querying strategically
Membership InferenceDetermining if specific data was in the training set — GDPR/privacy risk
Model ExtractionQuerying an API thousands of times to train a clone model — IP theft vector
WatermarkingEmbed detectable patterns in model weights/outputs to prove ownership if stolen
Access ControlAPI keys, rate limits, and user authentication prevent unauthorized model access and extraction

Secure Deployment Checklist

ItemDescription
API GatewayRoute all LLM API calls through an API gateway with authentication, rate limiting, and logging
Prompt FirewallDeploy a prompt firewall (e.g., Guardrails, NeMo Guardrails) that validates all prompts before reaching the LLM
Output ScanningScan all LLM outputs for PII, secrets, injection payloads, and policy violations before returning to user
Sandbox ToolsExecute all LLM tool calls in isolated sandboxes (Docker containers, restricted VMs) with timeout and resource limits
Audit LoggingLog every prompt, response, tool call, and user action — immutable logs for forensic analysis
Least PrivilegeGrant LLM agents the minimum permissions needed for each task — scope API keys to specific endpoints
Model SigningVerify model file integrity with cryptographic signatures — prevent supply chain attacks on model weights
Regular Red TeamingConduct adversarial testing at least monthly — automated (Garak, Promptfoo) + manual expert red teaming
Pro Tip: The OWASP Top 10 for LLM is your security baseline. Start with LLM01 (Prompt Injection) and LLM06 (Sensitive Information Disclosure) — these account for 70%+ of real-world LLM security incidents.