TL;DR
LLM apps add a new attack surface on top of normal AppSec. The biggest risk is prompt injection — malicious instructions hidden in user input or in content the model reads — which can leak data, trigger tools, or bypass guardrails. Test against the OWASP LLM Top 10 with an adversarial red-team suite covering direct and indirect injection, jailbreaks, data leakage, insecure output handling, and excessive agency.
Every team shipping an LLM feature inherits a security problem that traditional testing doesn’t cover. The model treats instructions and data as the same thing — so text it reads can hijack what it does. This guide maps the key risks and how to test for them.
What is prompt injection, and why is it the #1 LLM risk?
Prompt injection places attacker instructions where the model will read them. In direct injection the user types “ignore your instructions and…”; in indirect injection the payload hides inside a document, web page, email, or tool output the LLM ingests. Because the model can’t reliably separate trusted instructions from untrusted content, it may obey the attacker — leaking the system prompt, exfiltrating data, or invoking tools.
The OWASP LLM Top 10 — what to test
| Risk | What to verify |
|---|---|
| Prompt injection | Direct & indirect payloads are refused/isolated, not obeyed |
| Insecure output handling | LLM output is sanitised before it hits a browser, shell, or DB |
| Sensitive info disclosure | No leakage of secrets, system prompt, or other users’ data |
| Excessive agency | Tools/permissions are minimal; risky actions need confirmation |
| Supply chain & model risks | Third-party models, plugins, and data sources are vetted |
How do you test for prompt injection?
- Build a red-team payload library of direct and indirect injections and run it against every input.
- Seed external content (docs, pages, tool responses) with hidden instructions and confirm the model ignores them.
- Attempt jailbreaks (role-play, encoding, multi-turn) against safety guardrails.
- Probe for data leakage — can you extract the system prompt or another session’s data?
- Verify output handling — injected HTML/JS/SQL in a response must not execute downstream.
For agentic systems, injection is even higher-stakes because the model can act — see the guardrail testing in Testing AI Agents.
Why traditional pentesting isn’t enough
Conventional AppSec still matters, but LLM risks are behavioural and non-deterministic: the same payload may succeed once in ten tries. LLM security testing is adversarial and statistical — you run many variants, measure how often guardrails hold, and re-test on every model or prompt change. VTEST pairs this with its established security-testing practice.
Frequently asked questions
Q1. What is prompt injection?
Prompt injection is an attack where malicious instructions are placed in user input or in content the LLM reads (documents, web pages, tool output), tricking the model into ignoring its system prompt — leaking data, calling tools, or producing harmful output.
Q2. What is the OWASP LLM Top 10?
It is OWASP’s list of the most critical security risks for LLM applications, including prompt injection, insecure output handling, sensitive information disclosure, excessive agency, and supply-chain risks. It is the standard checklist for LLM security testing.
Q3. How do you test for prompt injection?
Run a red-team suite of direct and indirect injection payloads against every input and every external content source the LLM reads, and verify the system refuses, sanitises, or isolates the malicious instructions rather than obeying them.
Q4. Is LLM security testing different from normal pentesting?
It complements it. Traditional AppSec still applies, but LLM apps add model-specific risks — injection, jailbreaks, excessive agency, and output handling — that require adversarial, behaviour-based testing on top of conventional security testing.
Shipping an AI feature? VTEST red-teams LLM applications against the OWASP LLM Top 10 — injection, jailbreaks, leakage, and excessive agency. Talk to our team about LLM security testing →
Further reading
- Agentic Testing: The Complete Guide to AI-Powered Software Testing in 2026
- Testing AI Agents: Tool-Use, Multi-Step Reasoning and Guardrails
- How to Test LLM-Powered Features
- RAG System Testing: Retrieval Accuracy, Grounding & Hallucination
See how VTEST delivers this: VTEST as an AI Testing Partner
Akbar Shaikh — CTO, VTEST
Akbar is the CTO at VTEST and leads QA transformation engagements for enterprise clients across the UK, UAE, India, the US, and Singapore. He specialises in modernising legacy testing practices and implementing AI-augmented quality assurance at scale.
