# Pentesting AI Models (Techniques & Checklist)

## Introduction

In this article, I’ll share some of the techniques I’ve been trying out to pentest AI models. As these models become more widespread, understanding their vulnerabilities is key — and testing them properly helps us spot potential risks before someone else does.

Along the way, I’ll also provide a practical checklist to guide your own assessments and make sure you cover the important bases.

### OWASP Top 10 LLM

The OWASP Top 10 LLM is a focused guide to the most critical security risks related to Large Language Models. It helps researchers and testers identify common vulnerabilities and prioritize their efforts to secure AI systems effectively, which is why knowing these ten categories is essential when pentesting AI models: they keep testing focused on the most impactful and most common security risks.

| Code | Vulnerability | Description | Impact |
|---|---|---|---|
| LLM01:2025 | Prompt Injection | Malicious input that manipulates the model's behavior, altering responses or bypassing filters. | Unauthorized or harmful content generation |
| LLM02:2025 | Sensitive Information Disclosure | Risk of exposing personal, financial, or confidential data through model outputs or training data leaks. | Data breaches, privacy violations, IP loss |
| LLM03:2025 | Supply Chain | Vulnerabilities in third-party models, training data, and deployment platforms affecting integrity. | Biased outputs, security breaches, system failures |
| LLM04:2025 | Data and Model Poisoning | Manipulation of training or fine-tuning data to introduce biases, backdoors, or vulnerabilities. | Degraded performance, biased/toxic outputs, backdoors |
| LLM05:2025 | Improper Output Handling | Insufficient validation or sanitization of model outputs before use, risking injection or escalation attacks. | XSS, CSRF, SSRF, privilege escalation, remote code execution |
| LLM06:2025 | Excessive Agency | Too much autonomy or permission granted to LLM agents, risking harmful actions from manipulated or faulty outputs. | Confidentiality, integrity, and availability risks |
| LLM07:2025 | System Prompt Leakage | Exposure of system prompts containing sensitive info or guardrails, leading to possible further attacks. | Enables bypass of security controls and privilege escalation |
| LLM08:2025 | Vector and Embedding Weaknesses | Vulnerabilities in vector/embedding generation and handling in RAG systems that may lead to manipulation or data leaks. | Harmful content injection, output manipulation, data exposure |
| LLM09:2025 | Misinformation | Generation of false or misleading content due to hallucinations, biases, or incomplete data. | Security breaches, reputational damage, legal liability |
| LLM10:2025 | Unbounded Consumption | Excessive uncontrolled inferences causing service disruption, resource depletion, or model theft. | Denial of service, economic losses, IP theft |
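Two of the rows above, LLM05 (Improper Output Handling) and LLM06 (Excessive Agency), come down to the same engineering rule: everything the model emits is untrusted input to the next component. The example below is an added illustration written for this article, not code from the OWASP project or from any tested application. It shows the vulnerable pattern beside the hardened one: model text rendered straight into HTML versus HTML-escaped first, and a model-proposed tool call dispatched blindly versus checked against an allow-list of tools and argument types. The tool names (`get_balance`, `list_transactions`, `delete_account`), the argument schemas and the sample model outputs are all constructed for the demonstration.

```python
import html
import json

# Constructed sample model outputs for the demonstration (not taken from the page).
SAMPLE_ANSWER = 'Your balance is $42. <script>alert("xss")</script>'
SAMPLE_TOOL_CALL_BAD = '{"tool": "delete_account", "args": {"user_id": 7}}'
SAMPLE_TOOL_CALL_OK = '{"tool": "get_balance", "args": {"user_id": 7}}'


def render_unsafe(model_output: str) -> str:
    """LLM05 anti-pattern: model text is dropped straight into HTML.

    Anything the model emits (including text it was steered into emitting
    through prompt injection) becomes markup in the user's browser.
    """
    return f'<div class="answer">{model_output}</div>'


def render_safe(model_output: str) -> str:
    """Hardened version: the model's text is untrusted data, so it is
    HTML-escaped before it reaches the page."""
    return f'<div class="answer">{html.escape(model_output, quote=True)}</div>'


# Hypothetical allow-list for LLM06: every tool the agent may call, with the
# exact argument names and types it accepts. Names are illustrative only.
ALLOWED_TOOLS = {
    "get_balance": {"user_id": int},
    "list_transactions": {"user_id": int, "limit": int},
}


class ToolCallRejected(Exception):
    """Raised when a model-proposed tool call fails validation."""


def validate_tool_call(raw_model_output: str) -> dict:
    """Parse a model-proposed tool call and accept it only if it names an
    allow-listed tool with exactly the expected arguments and types.

    The model proposes; this gate decides what is permitted, so a manipulated
    or faulty model cannot reach tools it was never granted.
    """
    try:
        call = json.loads(raw_model_output)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected(f"tool call is not valid JSON: {exc}")
    if not isinstance(call, dict):
        raise ToolCallRejected("tool call must be a JSON object")

    name = call.get("tool")
    if not isinstance(name, str) or name not in ALLOWED_TOOLS:
        raise ToolCallRejected(f"tool not permitted: {name!r}")

    args = call.get("args", {})
    if not isinstance(args, dict):
        raise ToolCallRejected("args must be a JSON object")

    schema = ALLOWED_TOOLS[name]
    unexpected = set(args) - set(schema)
    if unexpected:
        raise ToolCallRejected(f"unexpected arguments: {sorted(unexpected)}")
    for arg_name, arg_type in schema.items():
        if arg_name not in args:
            raise ToolCallRejected(f"missing argument: {arg_name}")
        # type() rather than isinstance(): bool is a subclass of int in Python,
        # and `true` is not an acceptable user_id.
        if type(args[arg_name]) is not arg_type:
            raise ToolCallRejected(
                f"argument {arg_name} must be {arg_type.__name__}, "
                f"got {type(args[arg_name]).__name__}"
            )
    return {"tool": name, "args": args}


def is_permitted(raw_model_output: str) -> bool:
    """Boolean convenience wrapper around validate_tool_call."""
    try:
        validate_tool_call(raw_model_output)
    except ToolCallRejected:
        return False
    return True


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_ANSWER))
    print("safe:  ", render_safe(SAMPLE_ANSWER))
    for raw in (SAMPLE_TOOL_CALL_OK, SAMPLE_TOOL_CALL_BAD):
        try:
            print("accepted:", validate_tool_call(raw))
        except ToolCallRejected as exc:
            print("rejected:", exc)
```

When assessing an application against LLM05 and LLM06, the question to ask of each integration point is which of the two patterns it follows: whether model output is escaped or validated for the context it lands in (HTML, SQL, shell, URL), and whether the set of actions the agent can take is enumerated and enforced outside the model rather than left to the prompt.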

## Techniques

## Checklist
