TKOResearch
Menu
01

Untrusted input

02

Model context

03

Tools and data

04

Control layer

05

Decision record

The list is most useful when each category maps to a concrete system boundary: who can influence the model, what data can enter context, which tools can act, and what control stops a bad path before it reaches production.

Category guides

Ten failure modes, each tied to practical defenses.

Each page explains the risk, shows a common chain, and lists the controls an engineering or security team can actually review.

LLM01:2025

Prompt Injection

Prompt injection happens when an attacker uses instructions in user input, documents, webpages, tickets, or tool output to change the model's intended behavior.

Open guide

LLM02:2025

Sensitive Information Disclosure

Sensitive information disclosure occurs when an AI system exposes secrets, regulated data, customer records, proprietary material, or internal context through outputs, logs, tools, or retrieval.

Open guide

LLM03:2025

Supply Chain

Supply chain risk covers compromised or unreviewed models, datasets, plugins, packages, MCP servers, prompts, templates, infrastructure, and vendors used by the AI application.

Open guide

LLM04:2025

Data and Model Poisoning

Data and model poisoning happens when training, fine-tuning, RAG, feedback, or memory data is manipulated so the AI system learns or retrieves attacker-shaped behavior.

Open guide

LLM05:2025

Improper Output Handling

Improper output handling occurs when model output is trusted as safe code, markup, commands, database input, tool arguments, or business decisions without validation.

Open guide

LLM06:2025

Excessive Agency

Excessive agency occurs when an AI system has more autonomy, permissions, tools, or action scope than the task requires.

Open guide

LLM07:2025

System Prompt Leakage

System prompt leakage happens when hidden instructions, policy text, tool rules, internal routing logic, or operational context is exposed through model responses.

Open guide

LLM08:2025

Vector and Embedding Weaknesses

Vector and embedding weaknesses affect RAG systems when embeddings, vector stores, chunking, metadata, retrieval filters, or similarity logic expose or distort context.

Open guide

LLM09:2025

Misinformation

Misinformation occurs when an AI system produces false, unsupported, outdated, or misleading output that users or downstream systems treat as reliable.

Open guide

LLM10:2025

Unbounded Consumption

Unbounded consumption occurs when attackers or faulty workflows drive excessive model calls, token usage, context growth, tool loops, compute, cost, or availability impact.

Open guide

Use it in review

Turn the list into launch criteria.

OWASP gives the categories. The work is translating them into testable boundaries, named owners, and controls that survive model upgrades and product changes.

Read the official OWASP 2025 PDF

Map each category to runtime components.

Test direct and indirect prompt paths.

Inventory MCP, OAuth, and tool authority.

Review RAG source, tenant, and vector boundaries.

Set launch criteria with named owners.

Keep regression probes after remediation.