Guide to the OWASP Top 10 for LLMs: Vulnerability mitigation with Elastic

Industries, governments, and enterprises of all kinds have adopted large language models (LLMs) and generative AI (GenAI) into their operations and workflows, unlocking new possibilities for everything from customer interaction to complex data analysis. But with this innovation comes new challenges for security, observability, and data science teams. As organizations embed LLMs deeper into critical operations, they expose themselves to a new class of vulnerabilities that traditional security measures are often ill-equipped to handle.¹ Recognizing this challenge, the Open Web Application Security Project (OWASP) has defined the definitive framework for navigating these risks in the OWASP Top 10 for LLM Applications.

Securing these complex AI ecosystems demands a unified platform approach that combines deep observability with powerful security analytics. The Search AI Platform is uniquely positioned to address modern threats. By providing a single, integrated solution for security, observability, and data management, Elastic enables organizations to protect the entire LLM application stack. Elastic provides coverage from the prompts and responses to the underlying infrastructure, APIs, data, and downstream systems that the models interact with.² This blog provides a guide on using Elastic's capabilities to mitigate each vulnerability in the OWASP Top 10 for LLMs.

Securing a modern GenAI application isn’t a matter of addressing a single layer. It requires an in-depth strategy that provides visibility and control points at every stage of an LLM-powered transaction. Elastic provides the unified foundation for such an architecture, correlating signals from the user's prompt all the way to the backend infrastructure — a feature only available via a combination of data management, observability, and security along with software engineering best practices.

This architecture demonstrates how Elastic serves as the central nervous system for GenAI security:

1. Input and application layer: User prompts and external data enter the LLM application. Elastic application performance monitoring (APM) instruments this layer, providing transaction tracing and the opportunity for proactive data filtering to mitigate sensitive data disclosure (LLM02).

2. LLM and retrieval augmented generation (RAG) layer: The application interacts with the LLM and Elasticsearch as a vector database. Logs and metrics from the LLM provider are ingested, enabling detection of unbounded consumption (LLM10). Within Elasticsearch, native features like document level security (DLS) enforce permission-aware RAG, mitigating vector and embedding weaknesses (LLM08).

3. Downstream systems: The LLM agent may interact with backend APIs, databases, or other servers. These systems are monitored by Elastic Defend and APM, which detect the effects of attacks like improper output handling (LLM05) or excessive agency (LLM06).

4. The Elastic Search AI Lake: All of this telemetry consisting of logs, metrics, traces, and security events is ingested and normalized into a single Elasticsearch data store.

5. Analytics and action layer: Atop this unified data, Elastic Security and Elastic Observability work in conjunction. The detection engine — powered by Event Query Language (EQL) and machine learning (ML) — correlates events across layers to find complex attacks like prompt injection leading to remote code execution (RCE) (LLM01). Observability dashboards and alerts provide the tools to monitor misinformation (LLM09), supply chain vulnerabilities (LLM03), and model poisoning (LLM04). It also provides proactive warnings for financial and resource consumption risks.

Sources

1. OWSAP, “OWASP Top 10 for LLM Applications 2025,” https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025, 2024.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.