The OWASP Top 10 for LLMs — A Pentester's Practical Guide

via Dev.to | Latent Breach

By Latent Breach | February 2026

The OWASP Top 10 for LLM Applications got a major overhaul in late 2024. Version 2025 (v2.0) dropped two categories, added two new ones, and reframed the entire list around how LLMs are actually deployed today — as autonomous agents with API access, not just chatbots answering questions.

I've been testing LLM-powered applications for the past year. This is the guide I wish I'd had when I started: each OWASP category mapped to what I actually test, the tools I use, and real vulnerabilities that demonstrate why each one matters.

What Changed From v1 to v2

Before we dive in, here's the delta that matters:

Removed:
- Insecure Plugin Design (absorbed into Excessive Agency and Supply Chain)
- Model Theft (dropped — considered less of an application-level risk)

Added:
- System Prompt Leakage (LLM07) — extracting hidden instructions
- Vector and Embedding Weaknesses (LLM08) — attacking RAG pipelines

Reframed:
- "Over-reliance" became Misinformation — hallucinations are n
