🧠🔐 LLMs in the security check: How AI helps – and at the same time becomes dangerous

How AI and LLMs simultaneously strengthen and endanger IT security

Image generated by OpenAI's DALL·E

AI everywhere – but does it always make sense?

Artificial intelligence, and especially large language models (LLMs), have long been more than just a gimmick. They write texts, generate source code, advise customers, and analyze log data. For many decision-makers, AI solutions are therefore a must-have – but the hype isn't always followed by a real use case. Especially in marketing and product communication, many things are currently being sold as 'AI,' which in reality are just classic rule sets, simple automation, or simple statistical models. The term "AI" is often used indiscriminately and deliberately strategically to position solutions as innovative or groundbreaking – even when there are no learning systems behind them. This marketing labeling not only complicates the objective assessment of technical risks but can also distort security decisions.

Especially in the cyber security environment, the discussion is two-pronged: On the one hand, AI models promise relief and precision, but on the other hand, they themselves have become a critical attack vector.

The OWASP report "Top 10 for LLM Applications 2025" provides what is probably the most precise overview to date of specific vulnerabilities that arise from the use of LLMs – and of risks that are often exacerbated by a lack of security architecture.

LLMs as security tools: Where AI already protects today

LLMs reveal their potential especially where large amounts of data need to be analyzed, contextualized, and evaluated. In the security context, this means:

• Log analysis : Models such as GPT or Claude can detect patterns in log files that indicate APTs or insider threats.

• Malware analysis : AI can semantically classify unknown binaries and extract unusual system APIs.

• Phishing Detection : LLMs detect social engineering in emails not only by IPs or headers, but also by linguistic context.

• Security Copilots : Microsoft's Security Copilot combines GPT-4 with M365 telemetry – analysts receive context-based suggestions for responses, correlations, and escalations.

  
  

These advances should not be underestimated – they demonstrate how AI is already being used productively in everyday cybersecurity. But that's only one side of the coin.

LLMs as a target: New risks from new technologies

The OWASP report identifies ten key vulnerability classes, three of which stand out in particular:

Prompt Injection (LLM01:2025)

Prompt injection is what SQL injection was for web apps—but in the context of language models. Attackers manipulate input so that the model executes statements it should block.

Model Poisoning (LLM04:2025)

LLMs can be compromised by manipulated training data – for example, by deliberately injecting faulty or malicious content.

Output Handling (LLM05:2025)

Many systems accept LLM responses without checking them – be it in code, configurations or decision logic.

External examples and real threats

Data exfiltration through LLMs – an underestimated risk

Especially in enterprise-wide LLM implementations such as GitHub Copilot or Microsoft Security Copilot, there is a risk that sensitive data can be shared unchecked or accessed by other users. The continuous input from different users creates a collective context that – if inadequately isolated – can lead to unintentional data leaks.

There is also a risk that attackers could use targeted prompts to access internal information available through previous conversations or contextual storage mechanisms. This represents a new form of data exfiltration, particularly in security-critical industries such as finance, healthcare, or Industry 4.0 – without traditional network access, but rather through semantic exploitation of the system.

GitHub Copilot

An AI-powered code assistant developed by GitHub and OpenAI. A 2021 study showed that 40% of Copilot-generated suggestions contain security vulnerabilities , including hardcoded secrets and SQL injection.

WormGPT & FraudGPT

These "darknet" offshoots of GPT architectures are specifically designed for attacks—without ethical barriers or content filters. According to SlashNext, criminals use these models for phishing, BEC (Business Email Compromise), and ransomware preparation.

OWASP Top 10 for LLM Applications 2025 – The Complete List

LLM01: Prompt Injection

Manipulated inputs can cause the LLM to disclose protected information or ignore instructions.

LLM02: Insecure Output Handling

Models output potentially malicious code or incorrect configurations – without further protection.

LLM03: Training Data Poisoning

Targeted manipulated training data influences the model’s behavior in the long term.

LLM04: Model Denial of Service (DoS)

Resource overload due to computationally intensive or recursive prompts.

LLM05: Supply Chain Vulnerabilities

Dependencies on external models and libraries pose integrity risks.

LLM06: Sensitive Information Disclosure

Accidentally exposing sensitive data – e.g., API keys, internal policies, or user data.

LLM07: Insecure Plugin Design

Insecure connection of external functions or APIs can create attack vectors.

LLM08: Excessive Agency

Models are allowed to perform too many actions – e.g., command line commands, file operations, HTTP requests.

LLM09: Overreliance

Too much trust in the model leads to wrong decisions, security gaps or process manipulation.

LLM10: Model Theft

Extraction of the underlying model via API abuse or memory exfiltration.

Conclusion: AI is not a panacea – but it is not an enemy either

LLMs are neither a blessing nor a curse – they are powerful tools whose impact arises directly from their integration into existing processes. Their security depends on how well they are understood, architecturally integrated, and continuously monitored. The OWASP report is an essential contribution to clarification and offers concrete recommendations for action, but it is not a substitute for individual security assessments. Companies must conduct their own risk analyses, implement technical safeguards, and adapt organizational processes – from prompt governance and logging to permissions assignment. One thing is clear: The integration of AI requires a rethinking of security – away from the classic perimeter model and toward more dynamic, context-sensitive protection mechanisms. Only those who actively shape this transformation will benefit from its potential in the long term – without blindly running into the new risks.