Frameworks, Tools, Competitive Landscape
OWASP LLM Top 10 (2025), MITRE ATLAS, the 5 vendor pillars, and the 2024-25 acquisition wave.
Established Security Frameworks
| Framework | What It Is | Why It Matters |
|---|---|---|
| OWASP LLM Top 10 (2025) | Updated list of LLM vulnerabilities | The default taxonomy |
| OWASP Top 10 for Agentic Applications | NEW — agent-specific threats | Critical for agent security |
| OWASP State of Agentic AI Security and Governance | Industry landscape report | Strategic reference |
| MITRE ATLAS | ”MITRE ATT&CK for AI” — adversarial tactics matrix | Used by enterprise security teams |
| NIST AI RMF | Risk Management Framework | Compliance/governance angle |
| AIUC-1 | New AI controls standard, crosswalks with OWASP | Audit/compliance reference |
OWASP LLM Top 10 (2025)
The 2025 OWASP release prioritizes threats based on current threat intelligence, reflecting a rise in supply chain and data disclosure incidents.
LLM01:2025 Prompt Injection
LLM02:2025 Sensitive Information Disclosure
LLM03:2025 Supply Chain
LLM04:2025 Data and Model Poisoning
LLM05:2025 Improper Output Handling
LLM06:2025 Excessive Agency ← key for agents
LLM07:2025 System Prompt Leakage ← NEW in 2025
LLM08:2025 Vector and Embedding Weaknesses ← NEW
LLM09:2025 Misinformation
LLM10:2025 Unbounded Consumption
Key Updates from Prior Versions:
- Added System Prompt Leakage (LLM07) — emphasizing that system prompts should not be relied upon as access control boundaries.
- Added Vector and Embedding Weaknesses (LLM08) — representing RAG and database injection threat vectors.
- Refocused Model DoS as Unbounded Consumption (LLM10) — addressing resource exhaustion exploits.
- Increased priority for Excessive Agency (shifted from LLM08 to LLM06).
The OWASP Agentic Security Initiative
OWASP launched a separate Agentic Security Initiative in 2025 because LLM Top 10 wasn’t sufficient for autonomous agents. Key resources:
- State of Agentic AI Security and Governance v2.01 — landscape report
- OWASP Top 10 for Agentic Applications — agent-specific threats
- AI Security Solutions Landscape for Agentic AI — vendor map
- AIUC-1 Crosswalks — bidirectional mapping to enterprise controls
This initiative reflects an industry-wide recognition that autonomous workflows introduce unique execution risks. Multi-agent frameworks (e.g., LangGraph, CrewAI) introduce multi-step plans, recursive loops, and cascading execution paths that are outside the scope of single-turn LLM safety boundaries.
Market Dynamics and Consolidation
The market has consolidated heavily — every major network/cyber incumbent acquired an AI security startup. This is a maturation signal: AI security is being absorbed into broader cybersecurity platforms.
| Original Startup | Acquired By | Focus |
|---|---|---|
| Protect AI | Palo Alto Networks (2025) | Broad AI security platform |
| Robust Intelligence | Cisco (2024) | Adversarial testing → “Cisco AI Defense” |
| Lakera | Check Point (announced 2025) | Runtime AI security |
| HiddenLayer | Independent (well-funded) | Model security, attack simulation |
| CalypsoAI | Independent | AI moderation + red teaming |
| Cranium AI | Independent | AI security posture management |
| Various agentic-focused startups | Multiple cybersecurity incumbents | Various |
Market Implications: This consolidation indicates a transition from niche startup products to integrated features within enterprise security suites. Development teams increasingly procure AI security as part of their unified security posture management.
Core Security Platform Pillars
Across the vendor landscape, enterprise platforms typically map to five core functional pillars:
┌─────────────────────────────────────────────────────────────┐
│ PILLAR 1: AI DISCOVERY / VISIBILITY (Shadow AI) │
│ - Find unsanctioned AI use across the org │
│ - Browser extensions, endpoint agents, network monitoring │
│ - Maps to: Bucket 1 (Shadow AI / DLP for AI) │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ PILLAR 2: AI POSTURE / SUPPLY CHAIN │
│ - Scan models for vulnerabilities (model integrity) │
│ - Check model artifacts (HuggingFace scanning, etc.) │
│ - Secure the AI development pipeline │
│ - Maps to: Bucket 2 (Attacks on AI itself, esp. supply chain│
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ PILLAR 3: AI RED TEAMING / ATTACK SIMULATION │
│ - Continuously test AI apps for vulnerabilities │
│ - Generate adversarial inputs │
│ - Pre-deployment validation │
│ - Maps to: Pre-production testing │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ PILLAR 4: AI RUNTIME SECURITY (THE CORE) │
│ - Inline detection at input, context, output, tool calls │
│ - Prompt injection detection, output guardrails │
│ - MCP/agent runtime inspection │
│ - Maps to: Buckets 2 + 3 (the live defense layer) │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ PILLAR 5: GOVERNANCE / COMPLIANCE │
│ - Policy management │
│ - Audit logs and forensics │
│ - Regulatory reporting (EU AI Act, NIST AI RMF) │
│ - Maps to: Org-level controls │
└─────────────────────────────────────────────────────────────┘
Most enterprise solutions map to these five functional areas, differing primarily in deployment hooks and classification performance.
Strategic Directions in AI Security
Three major shifts visible across all vendors:
Shift 1: From access control to outcome control
“Controlling what AI can access isn’t enough. Control what it does.”
Earlier AI security focused on input filtering and DLP-style data controls. The new framing emphasizes what the agent ACTUALLY DOES — the actions it takes, the tool calls it makes — not just what it sees.
This aligns with the principle of least privilege applied to agents: detection alone is insufficient; you need authorization on actions.
Shift 2: From single-turn LLM safety to multi-step agent safety
The original LLM Top 10 focused on chatbots and single-prompt apps. The 2026 frame is agents executing multi-step plans with tools, which is a different threat model:
- Cumulative drift across steps
- Attack chains that span multiple tool calls
- Cross-server confused deputy patterns
Shift 3: From point solutions to platforms
Vendors no longer ship single products (just a prompt injection classifier, just model scanning). They ship integrated platforms that span all 4-5 pillars. This consolidation is partly market maturity, partly enterprise procurement preference.
Useful Resources for Further Reading
- Simon Willison’s blog on prompt injection (best plain-English writeup)
- Embrace The Red blog (Johann Rehberger’s red-team posts)
- OWASP LLM Top 10 2025 —
genai.owasp.org/llm-top-10/ - OWASP Agentic Security Initiative —
genai.owasp.org/initiatives/agentic-security-initiative/ - OWASP State of Agentic AI Security and Governance (2.01 report)
- MITRE ATLAS knowledge base —
atlas.mitre.org - HuggingFace transformers library docs (for fine-tuning recipes)
- Anthropic’s MCP documentation — official protocol spec
- Protect AI’s open-source tools —
LLM Guard,ModelScan(free, useful)