Skip to content

OWASP LLM Top 10 and MITRE ATLAS Threat Model

Maps the ai-agent-eval-harness-healthtech reference implementation against the OWASP Top 10 for LLM Applications (2025) and the MITRE ATLAS adversarial threat matrix. This document identifies which threats are mitigated by existing controls, which are partially addressed, and which require additional work for production deployment.

Read alongside the regulatory posture, the NIST AI RMF mapping, and the guardrails decision.

This threat model covers the conversational agent surface: user input entering via the POST /chat endpoint, processing through the six-node LangGraph pipeline, and the response returned to the user. The model does not cover infrastructure-level threats (network, host, container) beyond noting that the reference implementation runs on a managed serverless platform (Google Cloud Run) and is not designed for production infrastructure security.

OWASP Top 10 for LLM Applications (2025) Mapping

Section titled “OWASP Top 10 for LLM Applications (2025) Mapping”
PropertyValue
ThreatUser input contains instructions designed to override the system prompt or manipulate the LLM’s behaviour
Mitigations in placeThe scope classifier rejects out-of-scope inputs before the LLM; refusal templates for known injection patterns; the Promptfoo nightly red-team exercises 13 OWASP LLM Top 10 injection templates plus 25 hand-crafted adversarial cases
Residual riskNovel prompt-injection techniques not covered by the scope classifier or adversarial seed bank may bypass deterministic guardrails; the LLM itself may comply with well-crafted jailbreaks after the guardrail layer
ControlScope classifier, refusal templates, and the adversarial seed bank
PropertyValue
ThreatThe LLM reveals system prompts, internal architecture details, or user PII in its responses
Mitigations in placePII redaction at input and output covering email, phone (US/Chile/Brazil), RUT, CPF, DNI, SSN, credit card (Luhn), MRN, DOB; system-prompt extraction detection in the scope classifier; privacy invariant: user message text never enters OpenTelemetry spans (enforced by an automated test); secret scanning prevents secrets in the repository
Residual riskPII patterns are regex-based and may miss novel formats or contextual PII; the LLM may infer PII from non-PII context
ControlPII redaction stage and scope classifier
PropertyValue
ThreatCompromised LLM provider, poisoned model weights, or malicious dependency
Mitigations in placeThe LLM client Protocol abstraction (see the LLM vendor abstraction decision) allows provider switching without code changes; the dependency lockfile pins all dependencies; automated dependency monitoring is enabled; no runtime model downloads (pre-trained models accessed via API)
Residual riskNo verification of LLM provider integrity; no model provenance attestation; dependency pinning prevents drift but does not prevent initial compromise
ControlThe LLM client layer, the dependency lockfile, and automated dependency monitoring
PropertyValue
ThreatTraining data or KB content manipulated to produce harmful outputs
Mitigations in place100% synthetic data with documented provenance (the data statement); KB cards carry a source URL and source license; the eval harness detects behavioural regressions; corpus changes are gated on review
Residual riskSynthetic data generation uses LLM output (inheriting model biases); no automated detection of KB content drift from source material
ControlThe synthetic data corpus and the eval harness
PropertyValue
ThreatLLM output is rendered or executed without sanitisation (XSS, code execution)
Mitigations in placeSVG rendering uses createElementNS and textContent, never innerHTML; the API returns structured JSON; no dynamic code evaluation on LLM output; the chat response schema is locked
Residual riskIf downstream consumers render markdown from LLM output without sanitisation, XSS is possible; this is a consumer-side concern
ControlThe frontend rendering layer and the API layer
PropertyValue
ThreatThe LLM agent has more permissions or capabilities than necessary
Mitigations in placeThe scope classifier limits the agent to medication-adherence topics; refusal templates block dosing, diagnosis, prescription change, lab interpretation; no tool-use capabilities (no function calling, no API integrations, no file system access); the agent cannot initiate outbound network calls
Residual riskThe agent’s conversational capability is itself the “agency”; the risk is bounded by the refusal surface but not eliminated for novel request types
ControlScope classifier and refusal templates
PropertyValue
ThreatUser extracts the system prompt through clever prompting
Mitigations in placeThe scope classifier includes system-prompt extraction detection patterns; adversarial cases in the eval corpus test for prompt extraction; the nightly Promptfoo red-team includes extraction attempts
Residual riskDeterministic extraction detection may miss novel techniques; the system prompt content is not secret (it is in the source code), but exposure could aid targeted attacks
ControlScope classifier and the adversarial seed bank
PropertyValue
ThreatPoisoned embeddings, indirect injection through KB content, or retrieval manipulation
Mitigations in placeKB cards are 100% synthetic and committed (no dynamic ingestion); retrieval returns source text with citation enforcement; the eval harness verifies citation correctness
Residual riskNear-miss off-corpus retrieval is a known gap (documented in the model card); no embedding-poisoning detection; the small 38-card corpus makes similarity thresholds unreliable
ControlThe retrieval layer and the committed KB corpus
PropertyValue
ThreatThe LLM generates plausible but incorrect health information
Mitigations in placeCitation enforcement: every clinical assertion must cite a KB card; refusal on retrieval no-match; the eval harness scores faithfulness and hallucination against CI-enforced gates with published pass/fail semantics; demo disclaimer on every response
Residual riskThe model may generate incorrect information that cites a valid card but misrepresents its content; the hallucination scorer catches most but not all instances
ControlThe guardrail layer and the eval harness
PropertyValue
ThreatResource exhaustion through excessive input length, recursive prompts, or denial-of-service
Mitigations in placeInput length limits in the intake node; cost/latency gates in the eval harness (4K tokens in, 1K out, 8s per turn); per-session rate limiting available (off by default for determinism); the managed platform host (Google Cloud Run, single-instance) bounds concurrent load
Residual riskNo recursive-prompt detection; no input-length-based circuit breaker at the HTTP layer
ControlThe agent graph and the eval harness cost gates

The MITRE ATLAS matrix adapts the MITRE ATT&CK framework for AI-specific adversarial techniques. The following table maps ATLAS techniques relevant to this system.

ATLAS TechniqueApplicabilityMitigationStatus
AML.T0000: ReconnaissanceAttacker studies the open-source repo to understand architectureRepository is public; the architecture decision records and specification are transparent by designAccepted — transparency is a feature
AML.T0002: Collect Public DataAttacker gathers KB cards, eval corpus, system prompt from repoPublic data; synthetic only; no sensitive contentAccepted
AML.T0010: ML Supply Chain CompromiseCompromised LLM provider or dependencyThe LLM client Protocol allows provider switching; the dependency lockfile pins dependenciesPartially mitigated
AML.T0020: Poison Training DataManipulate KB cards to inject adversarial content100% synthetic data; review-gated corpus; provenance metadataMitigated
AML.T0043: Craft Adversarial DataCreate inputs specifically designed to bypass guardrailsThe eval corpus includes 25 adversarial cases; the Promptfoo nightly red-team; the scope classifier rejects known patternsPartially mitigated — novel techniques may bypass
AML.T0044: Full Memory ExtractionExtract system prompt through conversationThe scope classifier includes extraction detectionPartially mitigated
AML.T0048: Prompt InjectionInject instructions to override system behaviourScope classifier, refusal templates, pre-LLM guardrailsPartially mitigated
AML.T0051: LLM JailbreakBypass safety controls to generate harmful contentGuardrails-before-LLM architecture; refusal on out-of-scope; escalation on acute red flagsPartially mitigated
AML.T0054: Manipulate ContentInfluence LLM output through KB manipulationThe KB is committed synthetic data; no dynamic ingestionMitigated
AML.T0058: Impact on Model OutputCause the model to produce incorrect or harmful outputCitation enforcement; faithfulness and hallucination scoring; eval harness regression detectionPartially mitigated

The reference implementation mitigates the most critical OWASP LLM risks through a defense-in-depth approach:

  1. Guardrails before LLM: The scope classifier, PII redaction, escalation detection, and refusal templates run as deterministic graph nodes before the LLM is invoked. This means the most safety-critical decisions do not depend on model behaviour.

  2. Continuous adversarial testing: The Promptfoo nightly red-team, the 25 adversarial eval cases, and the 13 OWASP LLM Top 10 injection templates exercise the system against known attack patterns. New patterns discovered by red-team runs are folded back into the adversarial seed bank.

  3. Transparent architecture: The architecture decision records, the model card, the regulatory posture, and the public source code make the system’s design and limitations visible. Transparency reduces the asymmetry between attacker and defender.

  4. Eval harness as regression gate: Every code PR (the eval workflow is paths-filtered to application code, eval definitions, data, and the dependency manifests) runs the $0 judge-OFF eval floor (deterministic safety, citation, and escalation checks); a regression there fails that CI job. The judge-ON, full-corpus regression gate (LLM-judge) runs on the nightly schedule + manual dispatch, not as an enforced PR barrier - the repository has no branch protection (free GitHub plan), so no status check is a hard merge block.

The honest assessment is that these mitigations are reference-implementation-grade. They demonstrate the pattern of defense-in-depth for LLM applications; they do not provide the same assurance as a production security programme with dedicated red-team resources, penetration testing, and formal security assessment.

A production deployment would need to strengthen mitigations across several dimensions:

  1. Model supply chain verification: Model provenance attestation, provider integrity checks, regular provider security assessments, contractual security requirements

  2. Output filtering at scale: Real-time output filtering beyond the current citation-check and refusal patterns; toxicity detection; content safety classifiers; automated escalation of flagged outputs for human review

  3. Advanced adversarial testing: Dedicated red-team resources beyond Promptfoo automation; manual penetration testing; bounty programme; continuous adversarial testing against emerging techniques

  4. Embedding security: Embedding-poisoning detection; retrieval-result integrity verification; similarity-threshold tuning for larger corpora

  5. Rate limiting and resource protection: Input-length circuit breakers; recursive-prompt detection; request-rate limiting; cost anomaly detection; graceful degradation under load

  6. Incident response: Formal security incident playbook; severity classification; notification procedures for affected users; forensic analysis capability; post-incident review process

  7. Monitoring and alerting: Real-time anomaly detection on LLM outputs; automated alerting on guardrail bypass patterns; dashboard for security-relevant metrics