Prompt Injection Attacks: What They Are and Why They Cost Money
OWASP LLM01 is the number-one ranked risk for LLM applications. The attack manipulates the model into ignoring its system prompt and executing the attacker's instructions instead.
Snapshot
Definition
A prompt injection is any input that causes a Large Language Model to override its intended instructions. The OWASP Foundation maintains the canonical definition at genai.owasp.org/llmrisk/llm01-prompt-injection/. Unlike SQL injection, the input does not exploit a parsing bug; it exploits the model’s training to follow natural-language instructions.
“Prompt injection vulnerabilities arise when user inputs alter the LLM's behavior or output in unintended ways.”
The three variants
Direct
User types the attack straight into the chat. The original DAN prompt is the canonical example.
Indirect
Attack hidden inside content the LLM retrieves: a webpage in a RAG corpus, an email an agent reads, an attachment summarised.
Stored
Attack persisted in the application’s memory or vector store, fired on a later turn or by a different user.
Why it costs money
- Data leakage from system-prompt extraction or tool-call abuse.
- Unauthorised actions when the LLM has tool access (LLM06 excessive agency).
- Reputational damage when injected output reaches users.
- Regulatory exposure under GDPR, HIPAA, the EU AI Act, depending on data class.
Quantify the downside at databreachcost.com. The IBM Cost of a Data Breach 2025 anchor is a useful reference point for board paper math.
Defence stages
- 1DiscoverFind every LLM call in your stack
- 2FilterRuntime guardrail in the request path
- 3EvalRed-team payloads, OWASP coverage
- 4MonitorLog to SIEM, alert SOC
- 5IterateRe-eval after every policy change
What to do next
For a payload library, see /prompt-injection-examples. For the full vendor cost map across each OWASP LLM Top 10 entry, see /owasp-llm-top-10-cost-mapping.