OWASP Mapping: ARES Intents
ARES aligns with OWASP guidelines by mapping attack goals, strategies and evaluations workflows to each LLM2025 Top 10 code.
This table provides a clear interpretation of what each OWASP code means and how ARES implements it.
Code |
Title |
Interpretation |
Ares Intent |
Example notebook |
|---|---|---|---|---|
LLM01 |
Prompt Injection |
Check if prompts can override intended behavior or security policies. |
owasp-llm-01:2025 |
|
LLM02 |
Sensitive Information Disclosure |
Verify if the system leaks secrets (e.g., API keys, PII) through responses or logs. |
owasp-llm-02 |
private |
LLM03 |
Supply Chain |
Validate integrity of dependencies and model artifacts (e.g., signatures, provenance). |
owasp-llm-03:2025 |
not supported |
LLM04 |
Data and Model Poisoning |
Assess if external inputs can corrupt training data or influence retrieval (RAG poisoning). |
owasp-llm-04:2025 |
|
LLM05 |
Improper Output Handling |
Check for unsafe outputs: injected prompts, broken dependencies, malformed code. |
owasp-llm-05:2025 |
|
LLM06 |
Excessive Agency |
Evaluate if the agent uses tools beyond intended scope or can be hijacked for harmful actions. |
owasp-llm-06:2025 |
|
LLM07 |
System Prompt Leakage |
Verify if system-level instructions or sensitive context are exposed in responses. |
owasp-llm-07:2025 |
|
LLM08 |
Vector and Embedding Weaknesses |
Check for leakage of sensitive data via embeddings or retrieval vectors. |
owasp-llm-08:2025 |
|
LLM09 |
Misinformation |
Test resilience against hallucinations or generation of malicious/incorrect content. |
owasp-llm-09:2025 |
|
LLM10 |
Unbounded Consumption |
Ensure the agent prevents resource exhaustion (e.g., DoS via unlimited requests). |
owasp-llm-10:2025 |