As Japanese enterprises rapidly deploy AI and LLM-powered applications — from customer-facing chatbots to internal copilots and AI-assisted decision systems — a fundamentally new attack surface emerges. The OWASP Top 10 for LLM Applications 2025 provides the framework for understanding and testing these AI-specific risks.
Why AI Security Testing Is Different
Traditional application security testing focuses on input validation, authentication, and authorisation in deterministic systems. LLM-powered applications are probabilistic — the same input can produce different outputs depending on context, conversation history, and model state. This means traditional VAPT techniques remain necessary for the application layer but are insufficient for the AI-specific attack surface.
The OWASP Top 10 for LLM Applications 2025
The 2025 edition, updated from the 2023 original, includes ten categories of AI-specific risk. Key categories include Prompt Injection (direct and indirect manipulation of model behaviour), Sensitive Information Disclosure (extraction of system prompts, API keys, or training data), Excessive Agency (LLMs invoking unintended tools or executing actions without authorisation), System Prompt Leakage (new in 2025 — exposure of internal instructions and credentials), and Vector and Embedding Weaknesses (new in 2025 — attacks on RAG retrieval pipelines).
Japan-Specific Context
Japanese enterprises deploying AI face particular considerations. The Active Cyber Defense Law (enacted May 2025) creates heightened cybersecurity expectations for critical infrastructure operators, many of whom are now incorporating AI into their operations. The APPI amendments currently in progress specifically address the use of personal data for AI training. As AI regulation develops in Japan, demonstrating that AI applications have been rigorously security-tested becomes both a technical necessity and a governance imperative.
What We Test
Our AI/LLM VAPT covers the full OWASP Top 10 for LLM Applications 2025: prompt injection across all data sources, training data extraction, system prompt leakage, RAG pipeline integrity, excessive agency and tool-use abuse, output handling and downstream injection, and model denial of service. We test both cloud-hosted models (OpenAI, Anthropic, Google) and self-hosted deployments.
How Simuna Infosec Helps
Our AI/LLM VAPT service combines traditional application security expertise with AI-specific attack techniques — the combination required to test these systems the way sophisticated adversaries would. We have secured the infrastructure of a global precision-technology manufacturer with operations in Japan, and we bring this enterprise experience to the emerging discipline of AI security testing.
*This article references the OWASP Top 10 for LLM Applications 2025. The AI security landscape evolves rapidly.*