Independent reference. We are independent of every vendor listed. No affiliate links. No sponsored placements.
Threat model

Prompt Injection Attacks: What They Are and Why They Cost Money

OWASP LLM01 is the number-one ranked risk for LLM applications. The attack manipulates the model into ignoring its system prompt and executing the attacker's instructions instead.

Snapshot

LLM01
OWASP rank
3
Variants: direct, indirect, stored
20
Vendors selling defence
$0.08
Cheapest published per-1K-unit rate

Definition

A prompt injection is any input that causes a Large Language Model to override its intended instructions. The OWASP Foundation maintains the canonical definition at genai.owasp.org/llmrisk/llm01-prompt-injection/. Unlike SQL injection, the input does not exploit a parsing bug; it exploits the model’s training to follow natural-language instructions.

Prompt injection vulnerabilities arise when user inputs alter the LLM's behavior or output in unintended ways.
OWASP Top 10 for LLM Applications 2025, genai.owasp.org

The three variants

Direct

User types the attack straight into the chat. The original DAN prompt is the canonical example.

Indirect

Attack hidden inside content the LLM retrieves: a webpage in a RAG corpus, an email an agent reads, an attachment summarised.

Stored

Attack persisted in the application’s memory or vector store, fired on a later turn or by a different user.

Why it costs money

  • Data leakage from system-prompt extraction or tool-call abuse.
  • Unauthorised actions when the LLM has tool access (LLM06 excessive agency).
  • Reputational damage when injected output reaches users.
  • Regulatory exposure under GDPR, HIPAA, the EU AI Act, depending on data class.

Quantify the downside at databreachcost.com. The IBM Cost of a Data Breach 2025 anchor is a useful reference point for board paper math.

Defence stages

  1. 1
    Discover
    Find every LLM call in your stack
  2. 2
    Filter
    Runtime guardrail in the request path
  3. 3
    Eval
    Red-team payloads, OWASP coverage
  4. 4
    Monitor
    Log to SIEM, alert SOC
  5. 5
    Iterate
    Re-eval after every policy change

What to do next

For a payload library, see /prompt-injection-examples. For the full vendor cost map across each OWASP LLM Top 10 entry, see /owasp-llm-top-10-cost-mapping.

Last verified June 2026Source: vendor pricing pages. See /methodology.