Mapping Findings to OWASP LLM Top 10
Walkthrough for mapping AI red team findings to the OWASP Top 10 for LLM Applications, with classification guidance, reporting templates, and remediation mapping.
The OWASP Top 10 for LLM Applications has become the de facto standard for categorizing AI security vulnerabilities. Mapping your red team findings to OWASP categories adds industry-recognized context, helps clients understand where their vulnerabilities fit in the broader landscape, and satisfies auditors who expect standardized classification. However, the mapping is not always one-to-one: many AI findings span multiple categories, and some findings do not fit cleanly into any category. This walkthrough provides systematic guidance for accurate, useful OWASP mapping.
This walkthrough references OWASP Top 10 for LLM Applications version 2025 (v2.0). Category numbering and descriptions may differ in future versions.
Step 1: Understand the OWASP LLM Top 10 Categories
Quick Reference Table
| # | Category | Core Risk | Common Finding Types |
|---|---|---|---|
| LLM01 | Prompt Injection | Untrusted input manipulates model behavior | Direct injection, indirect injection, jailbreaking |
| LLM02 | Sensitive Information Disclosure | Model reveals confidential data | System prompt extraction, PII leakage, training data exposure |
| LLM03 | Supply Chain Vulnerabilities | Compromised components in AI pipeline | Poisoned models, malicious plugins, compromised training data |
| LLM04 | Data and Model Poisoning | Tampered training or fine-tuning data | Backdoor injection, bias introduction, knowledge base poisoning |
| LLM05 | Improper Output Handling | Unsafe use of model outputs | XSS via output, SQL injection via tool calls, SSRF |
| LLM06 | Excessive Agency | Model takes unauthorized actions | Unrestricted function calling, excessive permissions, autonomous actions |
| LLM07 | System Prompt Leakage | System instructions revealed to users | Direct extraction, inference-based extraction, error message leakage |
| LLM08 | Vector and Embedding Weaknesses | Vulnerabilities in RAG/embedding systems | Data exfiltration, access control bypass, embedding inversion |
| LLM09 | Misinformation | Model generates false or misleading content | Hallucination exploitation, authority spoofing, false citations |
| LLM10 | Unbounded Consumption | Resource exhaustion attacks | Token exhaustion, compute abuse, denial of service |
Step 2: Map Findings to Categories
Mapping Decision Process
For each finding, work through this decision process. The tree identifies every category a finding touches; when more than one matches, apply the disambiguation rules in Step 4 to choose the primary category.
Finding: [Description]
│
├── Does it involve manipulating model behavior via input?
│ └── Yes → LLM01: Prompt Injection
│ └── Is the injection direct (user input) or indirect (external data)?
│
├── Does the model reveal confidential information?
│ └── Yes → LLM02: Sensitive Information Disclosure
│ └── Also check LLM07 if system prompt specifically is leaked
│
├── Does it involve compromised third-party components?
│ └── Yes → LLM03: Supply Chain Vulnerabilities
│
├── Does it involve tampered training/fine-tuning data?
│ └── Yes → LLM04: Data and Model Poisoning
│
├── Does the application unsafely handle model output?
│ └── Yes → LLM05: Improper Output Handling
│ └── Examples: Output rendered as HTML, used in SQL, passed to shell
│
├── Does the model take actions beyond intended scope?
│ └── Yes → LLM06: Excessive Agency
│ └── Unauthorized function calls, excessive permissions
│
├── Are system prompt contents exposed?
│ └── Yes → LLM07: System Prompt Leakage
│
├── Does it involve RAG/embedding vulnerabilities?
│ └── Yes → LLM08: Vector and Embedding Weaknesses
│
├── Does the model generate false/misleading information?
│ └── Yes → LLM09: Misinformation
│
└── Does it involve resource exhaustion?
└── Yes → LLM10: Unbounded Consumption
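The decision process above can be sketched as a small triage helper. The boolean attribute names below are illustrative assumptions, not a standard schema; the check order mirrors the tree.

```python
# Sketch of the Step 2 decision process as a triage helper.
# Attribute names are illustrative, not a standard schema.
from dataclasses import dataclass

@dataclass
class Finding:
    description: str
    manipulates_via_input: bool = False     # LLM01
    reveals_confidential: bool = False      # LLM02
    compromised_component: bool = False     # LLM03
    tampered_training_data: bool = False    # LLM04
    unsafe_output_handling: bool = False    # LLM05
    unauthorized_actions: bool = False      # LLM06
    exposes_system_prompt: bool = False     # LLM07
    rag_embedding_flaw: bool = False        # LLM08
    generates_misinformation: bool = False  # LLM09
    resource_exhaustion: bool = False       # LLM10

# Check order mirrors the decision tree above.
CHECKS = [
    ("manipulates_via_input", "LLM01"),
    ("reveals_confidential", "LLM02"),
    ("compromised_component", "LLM03"),
    ("tampered_training_data", "LLM04"),
    ("unsafe_output_handling", "LLM05"),
    ("unauthorized_actions", "LLM06"),
    ("exposes_system_prompt", "LLM07"),
    ("rag_embedding_flaw", "LLM08"),
    ("generates_misinformation", "LLM09"),
    ("resource_exhaustion", "LLM10"),
]

def candidate_categories(finding: Finding) -> list[str]:
    """Every category the finding touches; primacy is decided later."""
    return [cat for attr, cat in CHECKS if getattr(finding, attr)]
```

Note that the helper deliberately returns all matching categories rather than the first: which one becomes primary is a separate decision, covered in Step 4.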
Common Multi-Category Findings
Many findings legitimately span multiple categories. Document the primary and secondary categories, mapping the impact as primary and the attack method as secondary (see the disambiguation rules in Step 4):
| Finding Description | Primary Category | Secondary Category | Rationale |
|---|---|---|---|
| Prompt injection extracts system prompt | LLM07 | LLM01 | Prompt leakage is the impact; injection is the attack method |
| Injection causes unauthorized function call | LLM06 | LLM01 | Excessive agency is the impact enabled by injection |
| RAG retrieves cross-tenant documents | LLM08 | LLM02 | Embedding weakness causes information disclosure |
| Model output rendered as HTML causes XSS | LLM05 | LLM01 | Output handling flaw is the root cause, possibly enabled by injection |
| Jailbreak generates harmful misinformation | LLM09 | LLM01 | Misinformation is the impact; the jailbreak is the method |
| Token exhaustion via crafted prompts | LLM10 | LLM01 | Unbounded consumption is the impact; the crafted prompt is the technique |
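A multi-category mapping can be carried as a small record on each finding. The field names below are illustrative, not a standard schema; the example mirrors the cross-tenant RAG row above.

```python
# Sketch of a finding record carrying primary and secondary OWASP
# mappings. Field names are illustrative, not a standard schema.
from dataclasses import dataclass, field

@dataclass
class OwaspMapping:
    primary: str
    secondary: list[str] = field(default_factory=list)
    rationale: str = ""

# Example matching the cross-tenant RAG row above:
f007_mapping = OwaspMapping(
    primary="LLM08",
    secondary=["LLM02"],
    rationale="Embedding weakness causes information disclosure",
)
```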
Step 3: Create the OWASP Mapping Table
Finding-to-OWASP Mapping Template
# OWASP LLM Top 10 Mapping
## Mapping Summary
| OWASP Category | Findings Mapped | Highest Severity |
|---------------|----------------|-----------------|
| LLM01: Prompt Injection | F-001, F-002, F-003 | Critical |
| LLM02: Sensitive Information Disclosure | F-004, F-007 | High |
| LLM03: Supply Chain Vulnerabilities | None identified | N/A |
| LLM04: Data and Model Poisoning | Not in scope | N/A |
| LLM05: Improper Output Handling | F-008 | Medium |
| LLM06: Excessive Agency | F-005 | High |
| LLM07: System Prompt Leakage | F-004 | High |
| LLM08: Vector and Embedding Weaknesses | F-007 | High |
| LLM09: Misinformation | F-010 | Low |
| LLM10: Unbounded Consumption | F-009 | Medium |
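A summary table like the one above can be generated from structured finding records. A minimal sketch, where the `(finding_id, categories, severity)` tuple shape is an assumed convention for illustration:

```python
# Sketch: build Mapping Summary table rows from finding records.
# The (finding_id, categories, severity) shape is an assumption.
from collections import defaultdict

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

def mapping_summary(findings):
    """findings: iterable of (finding_id, [categories], severity)."""
    by_cat = defaultdict(list)
    for fid, cats, sev in findings:
        for cat in cats:  # a finding may appear under several categories
            by_cat[cat].append((fid, sev))
    rows = []
    for cat in sorted(by_cat):
        ids = ", ".join(fid for fid, _ in by_cat[cat])
        highest = min((sev for _, sev in by_cat[cat]),
                      key=SEVERITY_ORDER.index)
        rows.append(f"| {cat} | {ids} | {highest} |")
    return rows
```

Categories with no mapped findings (LLM03 and LLM04 above) still need a manual "None identified" or "Not in scope" row, so the table shows intent rather than omission.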
## Coverage Assessment
- Categories tested and findings identified: 8/10
- Categories tested with no findings: 1/10 (LLM03)
- Categories not in scope: 1/10 (LLM04 - no access to training pipeline)
Detailed Mapping Per Finding
## F-001: Direct Prompt Injection Bypass
### OWASP Mapping
- **Primary:** LLM01 - Prompt Injection
- **Secondary:** None
- **Subcategory:** Direct prompt injection (user-supplied input)
### OWASP Description Alignment
This finding aligns with LLM01 as follows:
- Attack vector: User-crafted prompt that overrides system instructions
- Vulnerability: Insufficient input validation and model instruction adherence
- Impact: Content safety policy bypass, potential for harmful output generation
### OWASP Remediation Guidance (adapted)
OWASP LLM01 recommends:
1. Enforce privilege control on LLM access to backend systems → **Applicable**
2. Add a human in the loop for high-risk actions → **Applicable for tool use**
3. Segregate external content from user prompts → **Applicable**
4. Establish trust boundaries between LLM and external sources → **Applicable**
### Our Specific Recommendations
[Include engagement-specific recommendations that build on OWASP guidance]
Step 4: Handle Edge Cases
Findings That Do Not Map Cleanly
Some AI security findings do not fit neatly into OWASP categories. Document these as supplementary findings.
# Supplementary Findings (Outside OWASP LLM Top 10)
## Finding F-011: Model Fingerprinting
The AI system reveals its underlying model identity, version,
and configuration when asked directly.
**Closest OWASP category:** LLM02 (Information Disclosure)
**Why it doesn't fit perfectly:** OWASP LLM02 focuses on sensitive
data exposure (PII, confidential data). Model identity disclosure
is a reconnaissance finding that enables more targeted attacks but
is not itself a data breach.
**Classification:** Supplementary finding - Reconnaissance enabler
**Severity:** Low
Category Disambiguation
When the mapping is ambiguous, use these rules:
| Scenario | Rule | Example |
|---|---|---|
| Attack method vs. impact | Map to the impact category primarily | Injection (method) causing data leak (impact) → LLM02 primary |
| Overlapping categories | Map to the most specific category | System prompt leak → LLM07 (specific) over LLM02 (general) |
| Chain of vulnerabilities | Map each link to its own category | Injection → Agency → Output = LLM01 + LLM06 + LLM05 |
| Category not testable | Document as "Not in scope" | Training data poisoning when no training access |
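These rules can be approximated in code. The `METHOD_CATEGORIES` and `SPECIFIC_OVER_GENERAL` tables below are one reading of the rules above (LLM01 is an attack method; LLM07 and LLM08 are more specific than LLM02), not an official OWASP mapping.

```python
# Sketch of the disambiguation rules as a ranking function, assuming
# candidate categories were already identified (e.g. via Step 2).
# The two rule tables are illustrative readings of the rules above.
METHOD_CATEGORIES = {"LLM01"}  # attack techniques rather than impacts
SPECIFIC_OVER_GENERAL = {      # specific category -> general one it supersedes
    "LLM07": "LLM02",
    "LLM08": "LLM02",
}

def choose_primary(candidates: list[str]) -> tuple[str, list[str]]:
    """Rank candidates: impacts before methods, specific before general."""
    def penalty(cat: str) -> tuple[int, int]:
        method = 1 if cat in METHOD_CATEGORIES else 0
        superseded = 1 if any(
            general == cat and specific in candidates
            for specific, general in SPECIFIC_OVER_GENERAL.items()
        ) else 0
        return (method, superseded)
    ordered = sorted(candidates, key=penalty)
    return ordered[0], ordered[1:]
```

For a chain of vulnerabilities, keep every link: the secondary list returned here preserves the remaining categories rather than discarding them.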
Step 5: Leverage OWASP for Remediation Guidance
OWASP provides remediation guidance for each category. Map your recommendations to OWASP guidance for additional authority.
Remediation Cross-Reference
# Remediation Cross-Reference with OWASP Guidance
## F-001: Direct Prompt Injection → LLM01
| OWASP Recommended Control | Our Finding's Status | Our Recommendation |
|--------------------------|---------------------|-------------------|
| Constrain model behavior within well-defined boundaries | Partially implemented (system prompt) | Implement multi-layer enforcement |
| Validate and sanitize all input | Basic filter present but bypassable | Enhance filter with multi-language support |
| Apply defense in depth | Single-layer defense only | Add output filtering as second layer |
| Implement input/output length limits | Length limits present | Adequate, no changes needed |
| Use content filtering on outputs | Not implemented | Implement output content moderation |
## F-005: Unauthorized Function Calling → LLM06
| OWASP Recommended Control | Our Finding's Status | Our Recommendation |
|--------------------------|---------------------|-------------------|
| Limit functions available to the LLM | All functions available | Implement role-based function access |
| Avoid open-ended function calls | Functions accept arbitrary parameters | Add strict parameter schemas |
| Require human approval for high-impact actions | No human-in-the-loop | Add approval flow for destructive actions |
| Implement rate limiting for function calls | No function-specific rate limits | Add per-function rate limiting |
| Log all function call activity | Basic logging present | Enhance with parameter and result logging |
Step 6: Generate the OWASP Summary Section for the Report
Include an OWASP mapping section in the report that provides at-a-glance classification.
Report Section Template
## OWASP Top 10 for LLM Applications Coverage
This assessment evaluated the target system against the OWASP Top 10
for LLM Applications (v2.0, 2025). The following table summarizes
coverage and findings for each category.
| # | Category | Tested | Findings | Highest Severity |
|---|---------|--------|---------|-----------------|
| LLM01 | Prompt Injection | Yes | 3 | Critical |
| LLM02 | Sensitive Information Disclosure | Yes | 2 | High |
| LLM03 | Supply Chain Vulnerabilities | Partial | 0 | - |
| LLM04 | Data and Model Poisoning | No* | 0 | - |
| LLM05 | Improper Output Handling | Yes | 1 | Medium |
| LLM06 | Excessive Agency | Yes | 1 | High |
| LLM07 | System Prompt Leakage | Yes | 1 | High |
| LLM08 | Vector and Embedding Weaknesses | Yes | 1 | High |
| LLM09 | Misinformation | Yes | 1 | Low |
| LLM10 | Unbounded Consumption | Yes | 1 | Medium |
*LLM04 was not tested as the assessment scope did not include
access to the training or fine-tuning pipeline.
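Rows of the coverage table above can be rendered from per-category data. A minimal sketch, where `coverage_row` and its argument shape are illustrative assumptions:

```python
# Sketch: render one row of the OWASP coverage table.
# Function name and argument shape are illustrative assumptions.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

def coverage_row(num: str, name: str, tested: str,
                 severities: list[str]) -> str:
    """One markdown table row; '-' when there are no findings."""
    highest = next((s for s in SEVERITY_ORDER if s in severities), "-")
    return f"| {num} | {name} | {tested} | {len(severities)} | {highest} |"
```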
### Key Observations
- The system's highest risk concentration is in **LLM01 (Prompt
Injection)**, with three findings including one rated Critical.
- **LLM06 (Excessive Agency)** findings are amplified by LLM01
weaknesses, as prompt injection enables unauthorized function calling.
- The system shows strong resistance to **LLM03 (Supply Chain)**
risks through use of established AI providers with controlled
dependency management.
Common OWASP Mapping Mistakes
- **Forcing every finding into exactly one category.** Many findings legitimately span two or three OWASP categories. Use primary/secondary classification rather than forcing a single mapping.
- **Mapping by attack method instead of impact.** A prompt injection that causes data leakage should map primarily to LLM02 (impact) with LLM01 as secondary (method). The client cares about the impact more than the technique.
- **Ignoring categories not in scope.** If you did not test for supply chain vulnerabilities, say so explicitly. An empty row without explanation looks like the assessment missed a category rather than intentionally excluding it.
- **Using outdated OWASP versions.** The OWASP LLM Top 10 has been updated multiple times. Specify which version you are mapping to and verify that your category descriptions match.
- **Treating OWASP mapping as a compliance checklist.** OWASP is a classification framework, not a compliance standard. Mapping findings to OWASP categories adds context but does not substitute for thorough, engagement-specific testing and analysis.
Knowledge Check
A red team finding shows that a prompt injection attack causes the AI to call a database function and return records from another tenant's account. Which OWASP LLM categories should this be mapped to?
Related Topics
- Mapping to MITRE ATLAS -- Complementary attack mapping framework
- Finding Severity Classification -- Severity ratings referenced in OWASP mapping
- NIST AI RMF Assessment -- Another standards framework for AI risk
- EU AI Act Compliance Testing -- Regulatory compliance that references OWASP