Skip to main content

Documentation Index

Fetch the complete documentation index at: https://threatbasis.io/llms.txt

Use this file to discover all available pages before exploring further.

Large Language Models introduce security risks that traditional application security frameworks were never designed to address. Unlike conventional software vulnerabilities that stem from implementation flaws, LLM vulnerabilities emerge from the fundamental nature of how these models process language, learn from data, and generate outputs. Security teams deploying LLMs in security operations must understand these novel attack surfaces to build resilient systems that resist manipulation while delivering reliable results. The challenge of LLM security extends beyond protecting the model itself. These systems often process sensitive security data, influence analyst decisions, and increasingly take automated actions that affect production environments. A compromised or manipulated LLM in a security context can generate false negatives that allow threats to go undetected, create false positives that exhaust analyst attention, or execute unauthorized actions that harm the organization it was designed to protect. According to Gartner’s research on AI security, organizations deploying AI systems face an expanding attack surface that requires new security paradigms. The OWASP LLM Top 10 provides a critical framework for understanding these risks, while MITRE ATLAS extends the ATT&CK framework to cover adversarial tactics against AI systems. Security engineers must internalize these frameworks to design defenses that address LLM-specific threats.

The LLM Threat Landscape

The security risks facing LLM deployments differ fundamentally from traditional application vulnerabilities. While SQL injection exploits predictable parsing behavior and buffer overflows exploit memory management, LLM attacks exploit the model’s core capability: understanding and following instructions in natural language. This makes LLM vulnerabilities simultaneously more accessible to attackers—requiring no specialized technical knowledge—and more difficult to defend against deterministically. The OWASP LLM Top 10 categorizes the most critical risks facing LLM applications. Prompt injection (LLM01) allows attackers to override intended behavior through carefully crafted inputs. Insecure output handling (LLM02) enables downstream vulnerabilities when applications trust LLM outputs without validation. Sensitive information disclosure (LLM06) occurs when models reveal training data, system prompts, or session information. Excessive agency (LLM08) creates risk when models have permissions beyond what their task requires. For security applications specifically, three risk categories demand particular attention: input-based attacks that manipulate model behavior, output-based risks that produce unreliable or harmful results, and data-based threats that compromise confidentiality or integrity. Input-based risks encompass attacks delivered through user prompts, retrieved content, or any data the model processes. These attacks seek to override system instructions, bypass safety controls, or manipulate the model into performing unintended actions. Output-based risks arise from the model’s generative nature. Hallucinations produce confident but fabricated information—imaginary CVEs, non-existent IOCs, or fictional threat actors. Without robust output validation, these fabrications can corrupt security decisions and trigger inappropriate responses. Data-based risks threaten confidentiality through various leakage vectors. Models may reveal sensitive information from training data, expose system prompts that reveal security architecture, or leak session data across user boundaries.

Prompt Injection: The Defining LLM Vulnerability

Prompt injection represents the most significant and distinctive vulnerability class in LLM security. Unlike traditional injection attacks that exploit parsing ambiguity, prompt injection exploits the model’s fundamental inability to reliably distinguish between instructions and data. When a model processes text containing what appears to be instructions, it may follow those instructions regardless of their source—whether from the system prompt, user input, or retrieved documents.

Understanding Direct Injection

Direct prompt injection occurs when attackers craft inputs that override the model’s intended behavior. The classic formulation—“ignore previous instructions and…”—represents only the most obvious attack pattern. Sophisticated attackers employ techniques that blend naturally into expected input while subtly redirecting model behavior. In security applications, direct injection might appear in analyst queries, where a compromised or malicious insider crafts prompts designed to extract sensitive information, bypass access controls, or manipulate investigation outcomes. The challenge lies in distinguishing legitimate complex queries from injection attempts—security analysts often need to ask nuanced questions that could superficially resemble injection patterns. Defense against direct injection requires multiple layers: input filtering that blocks known attack patterns, system prompt hardening that establishes clear behavioral boundaries, output monitoring that detects unexpected behavior changes, and guardrails that constrain possible outputs regardless of input.

The Indirect Injection Threat

Indirect prompt injection poses an even greater challenge because attack payloads arrive through trusted data channels rather than direct user input. When an LLM processes retrieved documents, threat intelligence feeds, or enrichment data, any of these sources can contain hidden instructions that the model may follow. Consider an AI-powered security analyst that retrieves context from various sources to investigate alerts. An attacker who controls any data source—a compromised threat intelligence feed, a malicious website the system crawls, or even attacker-controlled log entries—can embed instructions that manipulate investigation outcomes. The instruction might direct the model to classify malicious activity as benign, suppress certain findings, or exfiltrate investigation details. Research from Johann Rehberger and others has demonstrated practical indirect injection attacks against production AI systems. The fundamental challenge is that there’s no reliable technical mechanism to distinguish “instructions from the system” versus “instructions from retrieved data”—both appear as text that the model processes. Mitigating indirect injection requires treating all retrieved content as potentially hostile: sanitizing external data before including it in prompts, limiting the model’s capabilities regardless of instruction source, and implementing output validation that catches manipulation attempts.

Security Application Attack Vectors

Security AI systems face unique injection risks because they inherently process attacker-influenced data. Alert data often contains attacker-controlled fields—malicious payloads, suspicious URLs, crafted hostnames. Log entries can include injection attempts in user-agent strings, query parameters, or any other field attackers can influence. Even threat intelligence feeds, if compromised, become injection vectors. Attackers sophisticated enough to target an organization’s security AI can deliberately craft attacks that include secondary payloads designed to manipulate the AI’s investigation. A phishing email might include prompt injection in its body, anticipating that an AI system will analyze the content. Malware can include injection payloads in its metadata or communication patterns. This creates an arms race where every data source the security AI consumes becomes a potential attack vector. The same contextual awareness that makes AI valuable for security—the ability to process and correlate diverse data—creates its primary vulnerability surface.

Data Leakage and Information Disclosure

LLMs create novel data leakage risks that extend beyond traditional information disclosure vulnerabilities. Models may reveal sensitive information through multiple vectors: training data extraction, context window leakage, system prompt disclosure, and cross-session information bleeding.

Training Data Extraction

Research from Google and academic partners demonstrated that language models can memorize and reproduce training data verbatim. Through carefully crafted prompts, attackers can extract private information that appeared in training datasets—API keys, email addresses, code snippets, or proprietary data. For security applications using fine-tuned models, this risk extends to any data used in the fine-tuning process. If a model is fine-tuned on incident reports, playbooks, or security configurations, that information may be extractable by users interacting with the model. Organizations must treat fine-tuning data with the same sensitivity as production data—if you wouldn’t want it exposed, don’t include it in training. Commercial API providers like OpenAI and Anthropic have policies against training on customer data, but self-hosted and fine-tuned models require careful data governance to prevent memorization of sensitive content.

Context Window and Session Leakage

Within active sessions, LLMs maintain context that can leak across boundaries. Multi-turn conversations accumulate sensitive details that may be revealed through follow-up queries. In multi-tenant deployments, inadequate session isolation can leak information between users. System prompt extraction represents a particularly concerning leakage vector. System prompts often reveal security architecture decisions, available tools and capabilities, and defensive strategies. Attackers who extract system prompts gain valuable reconnaissance information and can craft more effective attacks against the specific implementation. Research published by Simon Willison and others has demonstrated reliable system prompt extraction from major commercial AI deployments. Defensive strategies include designing system prompts that assume eventual disclosure, implementing layers that don’t depend on prompt secrecy, and monitoring for extraction attempts.

Protecting Sensitive Security Data

Security AI systems process exceptionally sensitive data: investigation details, vulnerability information, detection capabilities, and potentially credentials or keys. Protecting this data requires systematic controls throughout the AI pipeline. Pre-processing sanitization removes or redacts sensitive information before LLM exposure. Personally identifiable information, credentials, internal IP addresses, and specific security configurations should be masked or tokenized. The Microsoft Presidio library provides automated PII detection, while custom patterns can address security-specific sensitive data. Session isolation ensures that conversation contexts don’t bleed across user boundaries. Each session should maintain strict boundaries with no shared state that could enable cross-session information disclosure. Memory management patterns must account for multi-tenant security requirements. Output filtering provides a final check before information reaches users, catching any sensitive data the model might include in responses despite input sanitization. This defense-in-depth approach assumes failures in earlier controls and provides redundant protection.

Model Manipulation and Behavioral Attacks

Beyond prompt injection, attackers can manipulate LLM behavior through techniques that exploit model psychology rather than explicit instruction override. These attacks often prove more subtle and harder to detect than direct injection.

Jailbreaking and Safety Bypass

Jailbreaking techniques seek to bypass the safety guardrails built into models during training. Approaches include role-playing scenarios that establish alternate personas unconstrained by normal rules, creative framing that presents harmful requests as hypotheticals or fictional scenarios, and multi-turn conversations that gradually erode boundaries. For security applications, jailbreaking might target restrictions on discussing offensive techniques, revealing security configurations, or performing dangerous actions. An attacker might convince a security AI to explain exactly how to exploit a vulnerability it detected, provide details about organizational security posture, or approve actions it should flag for human review. Defense requires layered guardrails that don’t rely solely on model training: output filtering that catches dangerous content regardless of how it was generated, action approval flows that require human validation for sensitive operations, and monitoring that detects behavioral drift suggesting successful manipulation.

Security-Specific Manipulation Goals

Attackers targeting security AI have specific manipulation objectives beyond general misbehavior. False negative induction seeks to suppress detection of real threats—convincing the AI that malicious activity is benign or doesn’t warrant escalation. False positive flooding generates spurious alerts that exhaust analyst attention, potentially masking real attacks amid the noise. Misdirection focuses investigation on irrelevant indicators while real threats proceed unexamined. An attacker might craft scenarios that emphasize benign anomalies, drawing AI and analyst attention away from actual compromise indicators. These attacks exploit the AI’s role in prioritization and triage rather than seeking direct harmful outputs. Understanding attacker objectives informs defensive monitoring. Sudden changes in alert classification patterns, unexpected shifts in severity assessments, or investigation conclusions that contradict evidence may indicate manipulation attempts.

Multi-Turn and Gradual Attacks

Not all manipulation occurs through single prompts. Multi-turn attacks gradually shift model behavior through seemingly innocent conversation, establishing context and precedents that enable later exploitation. The attacker might spend many turns building rapport, establishing expertise, or creating scenarios before attempting the actual exploitation. These attacks prove particularly effective against AI systems that maintain long conversation histories or have persistent memory. Each turn appears innocent in isolation, but the cumulative effect enables behavior the model would normally refuse. Detection requires analyzing conversation patterns holistically rather than evaluating individual turns. Monitoring should flag conversations that exhibit gradual boundary-testing patterns or accumulate context in ways that could enable exploitation.

Operational and Infrastructure Risks

LLM deployments face operational risks beyond direct attacks on model behavior. Availability attacks, supply chain vulnerabilities, and resource abuse threaten the reliability and integrity of AI security operations.

Denial of Service and Resource Exhaustion

LLMs consume significant computational resources, creating denial-of-service opportunities through resource exhaustion. Attackers can craft prompts that maximize processing time, flood systems with requests, or fill context windows with junk data that degrades performance. For API-based deployments, attacks can exhaust rate limits or quota allocations, effectively denying service to legitimate users. Cost-based attacks against pay-per-token APIs can generate significant financial impact through automated high-volume requests or carefully crafted long-context queries. Defense requires rate limiting at multiple levels, cost monitoring with automated circuit breakers, and request validation that rejects obviously abusive patterns before they consume resources. Cost optimization strategies should include abuse prevention controls.

Supply Chain Vulnerabilities

The AI supply chain introduces dependencies that extend the attack surface beyond the organization’s direct control. Base models from providers could theoretically contain backdoors or biases that affect downstream behavior. Fine-tuning datasets sourced externally might be poisoned to introduce vulnerabilities or biases. Libraries and frameworks for AI development face the same supply chain risks as any software dependency—vulnerable versions, malicious packages, or compromised repositories. Integration plugins and tools extend functionality while also extending trust boundaries. Software supply chain security practices apply to AI systems: vendor vetting before adoption, dependency scanning for known vulnerabilities, integrity verification for models and datasets, and ongoing monitoring for supply chain compromises. The NIST AI Risk Management Framework provides guidance on assessing and managing AI supply chain risks.

Risk Assessment for LLM Deployments

Effective LLM security requires systematic risk assessment that considers the unique characteristics of each deployment. Traditional risk frameworks need adaptation to address LLM-specific factors: what data the model accesses, what actions it can take, who interacts with it, and how deeply it integrates with other systems.

Assessment Dimensions

Data sensitivity determines confidentiality risk. Models that process classified information, customer PII, or detailed security telemetry require stricter controls than those handling only public data. Consider both explicit inputs and implicit exposure through fine-tuning or retrieval augmentation. Action capability determines impact potential. Read-only models that provide analysis create different risks than models with tool access that can modify systems, send communications, or trigger automated responses. Excessive agency—granting models more capability than their task requires—multiplies the impact of any successful attack. Exposure surface determines attacker accessibility. Internal tools used only by trained analysts face different threats than customer-facing chatbots or systems that process external data. Broader exposure requires stronger controls on the assumption that some users will be malicious. Integration depth determines blast radius. Models that integrate with authentication systems, security controls, or production infrastructure create more severe compromise scenarios than isolated analysis tools. Deep integration requires treating the AI system with the same criticality as the systems it accesses.

Control Selection Based on Risk

Risk assessment informs control selection. Critical-risk deployments—those with sensitive data access, action capability, broad exposure, and deep integration—require maximum controls: defense-in-depth input filtering, comprehensive output validation, strict guardrails, human approval for all actions, and continuous monitoring. High-risk deployments with some but not all risk factors can implement proportionally reduced controls while still exceeding baseline security. Medium and low-risk deployments can accept some residual risk in exchange for reduced operational friction, though baseline security hygiene remains essential. No LLM deployment should proceed without explicit risk assessment and documented acceptance of residual risk. The novel nature of LLM vulnerabilities means that intuitions from traditional application security may not accurately predict risk.

Defensive Principles and Anti-Patterns

Securing LLM deployments requires internalizing principles that guide control selection and architecture decisions. Equally important is recognizing anti-patterns that create false confidence or inadequate protection.

Security Principles for LLM Deployments

Assume manipulation attempts will occur. Any LLM exposed to external input—including input from trusted sources that might be compromised—should be assumed to face manipulation attempts. Design controls assuming attackers know your system prompt, understand your architecture, and will attempt exploitation. Apply least privilege to model capabilities. LLMs should have access only to the data and actions required for their specific task. Tool access, system integrations, and data exposure should be minimized even when broader access would be convenient. Validate all outputs before action. Never trust LLM outputs for security decisions or automated actions without validation. Output validation should verify format correctness, semantic validity, factual accuracy, and safety before any output influences downstream systems. Implement defense in depth. No single control reliably prevents all LLM attacks. Layer input filtering, system prompt hardening, output validation, action gating, and monitoring to ensure that multiple controls must fail simultaneously for attacks to succeed. Monitor for behavioral anomalies. LLM attacks often manifest as subtle behavioral changes rather than obvious errors. Continuous monitoring should establish behavioral baselines and alert on deviations that might indicate manipulation.

Anti-Patterns to Avoid

Security through prompt obscurity assumes that keeping system prompts secret provides security. Attackers can and do extract system prompts from production systems. Design prompts assuming they will be disclosed, and don’t rely on prompt secrecy for any security property. Trusting model confidence scores assumes that high confidence indicates accuracy. Models produce confident outputs for hallucinated content—confidence reflects fluency, not correctness. Validation must occur regardless of expressed confidence. Filtering only known attack patterns creates an arms race that defenders lose. New injection techniques, jailbreaks, and manipulation strategies emerge continuously. Defenses must include behavior-based detection and validation, not just pattern matching. Assuming internal users are safe ignores insider threats and compromised accounts. Internal security AI tools often face reduced controls despite processing sensitive data and having significant capabilities. Apply appropriate controls based on risk, not user trust. Treating LLM security as a one-time assessment ignores the evolving threat landscape. Models update, capabilities expand, and attack techniques advance. Security assessment must be continuous, not a one-time certification.

References

Frameworks and Standards

Research and Analysis

Practical Resources