OWASP LLM Top 10 Scorecard

What this scorecard is, and what it is not

This is a self assessment. You answer plain questions about your own LLM application and it turns the answers into a readiness grade. That makes it useful for finding gaps and starting a conversation, and it makes it useless as proof of anything. It is not a certification, not an audit, and not a guarantee. The grade only reflects how honestly and completely you answered, so a high score on self reported controls is not the same as a tested system. Treat a weak area as a prompt to go test, not as a finding you have closed.

The categories follow the OWASP Top 10 for LLM Applications 2025, published by the OWASP GenAI Security Project. Where it helps, each category notes the matching OWASP AI Testing Guide identifiers, written in the AITG-APP-01 form, so you know which concrete test procedure lines up with the gap you just found.

The ten categories at a glance

• LLM01 Prompt Injection. Untrusted input steers the model into behaviour the application never intended, including text hidden in retrieved documents or images.
• LLM02 Sensitive Information Disclosure. The model reveals secrets, training data, or personal data it should never have surfaced.
• LLM03 Supply Chain. Risk that rides in through third party models, datasets, adapters, and the packages around them.
• LLM04 Data and Model Poisoning. Tampered training, fine tuning, or retrieval data that bends the model toward an attacker goal.
• LLM05 Improper Output Handling. Treating model output as trusted and passing it straight into a browser, a shell, a database, or another system.
• LLM06 Excessive Agency. Too much permission, autonomy, or tool reach granted to the model, so a bad output becomes a real world action.
• LLM07 System Prompt Leakage. Relying on the system prompt to stay secret, when it can leak and may already hold things it should not.
• LLM08 Vector and Embedding Weaknesses. Flaws in how embeddings and vector stores are built and queried in a retrieval system.
• LLM09 Misinformation. Confident, well formed output that is simply wrong, and the overreliance that lets it through.
• LLM10 Unbounded Consumption. Unchecked inference cost, resource use, and abuse such as denial of wallet and model extraction.

How to read the grade

Each category holds a few control questions. A yes earns the full points, a partial earns half, and a no earns none. A category status is the share of its points you earned, and the overall readiness score is the share across every question you answered, shown out of one hundred. The letter grade uses the same banding as the other tools here: A for ninety and above, B for eighty, C for seventy, D for sixty, and F below that. The weakest areas list points you at the categories that lost the most ground, which is usually where the next hour of work pays off most.

Honesty is the whole game. A partial is the right answer when a control exists but is inconsistent, untested, or only covers part of the surface. Reaching for yes when you mean partial just hides the gap from yourself. If you want to move from a self check to verified coverage, the kind of reasoning an AI security testing approach brings is what turns a self reported yes into something you can actually trust.

Related reading

More free tools