All articles
GUIDE · 6 min read

Prompt Injection: The OWASP LLM #1 Risk

Prompt injection sits at #1 on the OWASP LLM Top 10 for a reason: the model can't tell the difference between trusted instructions and untrusted content. That single property breaks most naive AI integrations.

Direct vs indirect injection

Direct attacks live in the user's prompt. Indirect attacks live in the data your LLM reads — emails, web pages, PDFs, tool outputs. Indirect is what makes this dangerous at scale.

Real-world impact

Data exfiltration via tool calls, unauthorized actions in agentic workflows, prompt leakage, and bypassed safety guardrails — all without exploiting a single CVE.

Defense in depth

There is no silver bullet. Combine these controls:

  • Strict input/output validation and allowlists
  • Sandboxed tool execution with human approval for sensitive actions
  • Separate trust contexts for instructions vs. retrieved content
  • Continuous red-teaming with Garak / PyRIT / Promptfoo

Test like an attacker

Build a regression suite of jailbreaks. Re-run it on every model upgrade — guardrails that worked last quarter often fail today.

Tools mentioned

GarakPyRITPromptfooRebuffLLM Guard
⟩ takeaway

Treat every model output as untrusted, every retrieved document as hostile, and every tool call as a privilege escalation opportunity.

⟩ keep reading

Related articles