Chapter 9

Frameworks, Tools, Competitive Landscape

OWASP LLM Top 10 (2025), MITRE ATLAS, the 5 vendor pillars, and the 2024-25 acquisition wave.

Established Security Frameworks

FrameworkWhat It IsWhy It Matters
OWASP LLM Top 10 (2025)Updated list of LLM vulnerabilitiesThe default taxonomy
OWASP Top 10 for Agentic ApplicationsNEW — agent-specific threatsCritical for agent security
OWASP State of Agentic AI Security and GovernanceIndustry landscape reportStrategic reference
MITRE ATLAS”MITRE ATT&CK for AI” — adversarial tactics matrixUsed by enterprise security teams
NIST AI RMFRisk Management FrameworkCompliance/governance angle
AIUC-1New AI controls standard, crosswalks with OWASPAudit/compliance reference

OWASP LLM Top 10 (2025)

The 2025 OWASP release prioritizes threats based on current threat intelligence, reflecting a rise in supply chain and data disclosure incidents.

LLM01:2025  Prompt Injection
LLM02:2025  Sensitive Information Disclosure
LLM03:2025  Supply Chain
LLM04:2025  Data and Model Poisoning
LLM05:2025  Improper Output Handling
LLM06:2025  Excessive Agency           ← key for agents
LLM07:2025  System Prompt Leakage      ← NEW in 2025
LLM08:2025  Vector and Embedding Weaknesses ← NEW
LLM09:2025  Misinformation
LLM10:2025  Unbounded Consumption

Key Updates from Prior Versions:

  • Added System Prompt Leakage (LLM07) — emphasizing that system prompts should not be relied upon as access control boundaries.
  • Added Vector and Embedding Weaknesses (LLM08) — representing RAG and database injection threat vectors.
  • Refocused Model DoS as Unbounded Consumption (LLM10) — addressing resource exhaustion exploits.
  • Increased priority for Excessive Agency (shifted from LLM08 to LLM06).

The OWASP Agentic Security Initiative

OWASP launched a separate Agentic Security Initiative in 2025 because LLM Top 10 wasn’t sufficient for autonomous agents. Key resources:

  • State of Agentic AI Security and Governance v2.01 — landscape report
  • OWASP Top 10 for Agentic Applications — agent-specific threats
  • AI Security Solutions Landscape for Agentic AI — vendor map
  • AIUC-1 Crosswalks — bidirectional mapping to enterprise controls

This initiative reflects an industry-wide recognition that autonomous workflows introduce unique execution risks. Multi-agent frameworks (e.g., LangGraph, CrewAI) introduce multi-step plans, recursive loops, and cascading execution paths that are outside the scope of single-turn LLM safety boundaries.


Market Dynamics and Consolidation

The market has consolidated heavily — every major network/cyber incumbent acquired an AI security startup. This is a maturation signal: AI security is being absorbed into broader cybersecurity platforms.

Original StartupAcquired ByFocus
Protect AIPalo Alto Networks (2025)Broad AI security platform
Robust IntelligenceCisco (2024)Adversarial testing → “Cisco AI Defense”
LakeraCheck Point (announced 2025)Runtime AI security
HiddenLayerIndependent (well-funded)Model security, attack simulation
CalypsoAIIndependentAI moderation + red teaming
Cranium AIIndependentAI security posture management
Various agentic-focused startupsMultiple cybersecurity incumbentsVarious

Market Implications: This consolidation indicates a transition from niche startup products to integrated features within enterprise security suites. Development teams increasingly procure AI security as part of their unified security posture management.


Core Security Platform Pillars

Across the vendor landscape, enterprise platforms typically map to five core functional pillars:

┌─────────────────────────────────────────────────────────────┐
│ PILLAR 1: AI DISCOVERY / VISIBILITY (Shadow AI)             │
│ - Find unsanctioned AI use across the org                   │
│ - Browser extensions, endpoint agents, network monitoring   │
│ - Maps to: Bucket 1 (Shadow AI / DLP for AI)                │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ PILLAR 2: AI POSTURE / SUPPLY CHAIN                         │
│ - Scan models for vulnerabilities (model integrity)         │
│ - Check model artifacts (HuggingFace scanning, etc.)        │
│ - Secure the AI development pipeline                        │
│ - Maps to: Bucket 2 (Attacks on AI itself, esp. supply chain│
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ PILLAR 3: AI RED TEAMING / ATTACK SIMULATION                │
│ - Continuously test AI apps for vulnerabilities             │
│ - Generate adversarial inputs                               │
│ - Pre-deployment validation                                 │
│ - Maps to: Pre-production testing                           │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ PILLAR 4: AI RUNTIME SECURITY (THE CORE)                    │
│ - Inline detection at input, context, output, tool calls    │
│ - Prompt injection detection, output guardrails             │
│ - MCP/agent runtime inspection                              │
│ - Maps to: Buckets 2 + 3 (the live defense layer)           │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ PILLAR 5: GOVERNANCE / COMPLIANCE                           │
│ - Policy management                                         │
│ - Audit logs and forensics                                  │
│ - Regulatory reporting (EU AI Act, NIST AI RMF)             │
│ - Maps to: Org-level controls                               │
└─────────────────────────────────────────────────────────────┘

Most enterprise solutions map to these five functional areas, differing primarily in deployment hooks and classification performance.


Strategic Directions in AI Security

Three major shifts visible across all vendors:

Shift 1: From access control to outcome control

“Controlling what AI can access isn’t enough. Control what it does.”

Earlier AI security focused on input filtering and DLP-style data controls. The new framing emphasizes what the agent ACTUALLY DOES — the actions it takes, the tool calls it makes — not just what it sees.

This aligns with the principle of least privilege applied to agents: detection alone is insufficient; you need authorization on actions.

Shift 2: From single-turn LLM safety to multi-step agent safety

The original LLM Top 10 focused on chatbots and single-prompt apps. The 2026 frame is agents executing multi-step plans with tools, which is a different threat model:

  • Cumulative drift across steps
  • Attack chains that span multiple tool calls
  • Cross-server confused deputy patterns

Shift 3: From point solutions to platforms

Vendors no longer ship single products (just a prompt injection classifier, just model scanning). They ship integrated platforms that span all 4-5 pillars. This consolidation is partly market maturity, partly enterprise procurement preference.


Useful Resources for Further Reading

  • Simon Willison’s blog on prompt injection (best plain-English writeup)
  • Embrace The Red blog (Johann Rehberger’s red-team posts)
  • OWASP LLM Top 10 2025genai.owasp.org/llm-top-10/
  • OWASP Agentic Security Initiativegenai.owasp.org/initiatives/agentic-security-initiative/
  • OWASP State of Agentic AI Security and Governance (2.01 report)
  • MITRE ATLAS knowledge base — atlas.mitre.org
  • HuggingFace transformers library docs (for fine-tuning recipes)
  • Anthropic’s MCP documentation — official protocol spec
  • Protect AI’s open-source toolsLLM Guard, ModelScan (free, useful)
Nerchuko Academy · Free DS Interview Prep