Which LLM-security vendors cover LLM03 Supply Chain? (2026)
LLM03 Supply Chain — Compromised models, datasets, plugins, or dependencies add risk before runtime. As of , 6 of 21 vendors llmthreat tracks score Covered for this risk, 12 more score Partial. Scores are llmthreat's editorial read of public documentation, not a third-party audit.
- 6/21
- Covered
- 12
- Partial
- 2
- Not covered
- 1
- Unverified
How it happens
LLM apps pull in pretrained models, LoRA/PEFT adapters, datasets, and tooling from third parties, and any of those can be tampered with before you ever load them. Real incidents: JFrog found roughly 100 malicious models on Hugging Face using unsafe pickle deserialization to run arbitrary code on load; the Ultralytics YOLO PyPI package was compromised in December 2024 (versions 8.3.41/8.3.42 shipped a cryptominer) showing the same pattern hits ML tooling, not just model weights. A backdoored LoRA adapter can behave normally until a specific trigger phrase flips its output — hard to catch by just eyeballing benchmark scores.
How to test for it
Run ModelScan (Protect AI, open source) against any pickle/H5/SavedModel file before it touches production — it flags unsafe deserialization code embedded in the file. Prefer safetensors over pickle where the model source supports it, since safetensors can't execute code on load. Run standard SCA tools (Snyk, OSV-Scanner) against your ML dependency tree the same way you would any other package, and maintain an AI-BOM (CycloneDX ML-BOM) so you can tell what's actually in your pipeline when a CVE or compromised-package advisory drops.
How to mitigate it
Pull models and adapters only from sources you can verify (signed commits, publisher checksums), scan every model file with ModelScan or equivalent in CI before deployment, and pin + hash-check package versions rather than trusting "latest." Re-scan on every model or dependency upgrade — a clean model today doesn't mean the next version is clean. This doesn't catch a backdoor baked into weights that pass a functional scan; that requires the poisoning-specific testing under LLM04.
Which vendors cover LLM03 Supply Chain?
| Vendor | Category | Coverage | How it's addressed | Source |
|---|---|---|---|---|
| Noma Security | AI-SPM / Runtime Protection | Covered | Identifies/remediates AI supply-chain risk: vulnerable data pipelines, misconfigured MLOps, malicious models. | https://techcrunch.com/2024/10/31/noma-is-building-tools-to-spot-security-issues-with-ai-apps/ |
| HiddenLayer | AI-SPM / Runtime Protection | Covered | Model Scanner scans for malicious models, backdoored weights and vulnerable dependencies before deployment. | https://hiddenlayer.com/model-scanner/ |
| Credo AI | AI Governance / Model Risk | Covered | AI Registry catalogs vendors/models with dependency mapping; vendor/third-party AI risk management. | https://www.credo.ai/ |
| Protect AI | AI-SPM / Runtime Protection | Covered | Guardian scans 35+ model formats and 1.5M+ Hugging Face models; huntr AI/ML bug bounty. | https://protectai.com/guardian |
| Apiiro | AI-SPM / Runtime Protection | Covered | Software supply-chain security, SCA/SBOM and malicious-code detection are core strengths. | https://apiiro.com/ |
| Cranium | AI-SPM / Runtime Protection | Covered | System-of-record for models, data, infra and vendors; third-party AI monitoring (AIBOM-style supply-chain inventory). | https://cranium.ai/ |
| Lakera | Guardrails / LLM Firewall | Partial | Vendor marks supply chain as outside runtime scope; Lakera Red offers limited behavior evaluation. | https://www.lakera.ai/blog/owasp-top-10-for-llm-applications-lakera-alignment |
| Straiker | Agentic AI Security | Partial | Discover AI maps MCP servers and flags dangerous/misconfigured MCP tools; not model-file supply-chain scanning. | https://www.straiker.ai/ |
| TrojAI | AI Red Teaming | Partial | JFrog DevSecOps integration scans models in the pipeline/supply chain. | https://troj.ai/blog/devsecops-ai-security-trojai-jfrog-integration |
| Vijil | Agentic AI Security | Partial | Depot provides hardened LLMs, reducing base-model provenance risk; broader supply-chain scanning not detailed. | https://vijil.ai/ |
| Enkrypt AI | Guardrails / LLM Firewall | Partial | MCP Scanner/Gateway secures Model Context Protocol; not full model-artifact supply-chain scanning. | https://www.enkryptai.com/ |
| Mindgard | AI Red Teaming | Partial | Discover produces AI-BOM and surfaces shadow AI; not full dependency supply-chain scanning. | https://mindgard.ai/ |
| NeuralTrust | Guardrails / LLM Firewall | Partial | Free MCP Scanner identifies vulnerabilities and misconfigurations (tool poisoning, RCE-chaining, data exfiltration) in MCP server setups — a narrow supply-chain-adjacent surface, not comprehensive model/dependency supply-chain scanning. | https://neuraltrust.ai/mcp-scanner |
| Akto | Agentic AI Security | Partial | Lists supply-chain vulnerabilities among covered attack surface. | https://www.akto.io/agentic-security |
| Lasso Security | Guardrails / LLM Firewall | Partial | Agent hardening includes mitigating supply-chain risks and misconfigurations. | https://www.lasso.security/blog/owasp-ai-red-teaming-landscape |
| Robust Intelligence | AI Red Teaming | Partial | Model validation scans models before deployment; supply-chain aspects partial. | https://sequoiacap.com/article/robust-intelligence-spotlight/ |
| WitnessAI | Guardrails / LLM Firewall | Partial | Observe discovers and catalogs AI apps, agents and MCP servers (usage inventory), not model supply-chain scanning. | https://witness.ai/ |
| CalypsoAI | AI Red Teaming | Partial | F5/CalypsoAI blog: mitigates risks from outdated models, vulnerable pre-trained models, and weak model provenance via red-teaming and continuous monitoring — not full supply-chain artifact scanning. | https://www.f5.com/company/blog/protecting-the-future-how-calypsoai-aligns-with-the-owasp-top-10-for-llms |
2 vendors score Not covered and 1 score Unverified for LLM03 — see the full coverage matrix.
Open-source tools related to Supply Chain
These open-source projects also address supply chain, though we track them by repository health rather than scoring them like vendors:
- Agentic Security — Agentic LLM vulnerability scanner / AI red-teaming kit for testing autonomous agent pipelines against security threats
- garak — LLM vulnerability scanner — automated probing for jailbreaks, prompt injection, data leakage, hallucination, and other failure modes
- Giskard — Open-source evaluation and testing library for LLM agents/RAG — detects hallucination, bias, prompt injection, and other quality/security issues
- Guardrails — Framework for adding structural, type, and quality guardrails to LLM outputs, including input/output validators for security risks like prompt injection and PII leakage
- LLM Guard — Security toolkit for LLM interactions — input/output scanners for prompt injection, PII, toxicity, jailbreaks, and data leakage
- NeMo Guardrails — Open-source toolkit for adding programmable guardrails (topical, safety, security rails) to LLM-based conversational systems
Frequently asked questions
Which vendors cover LLM03 Supply Chain?
6 of the 21 vendors llmthreat tracks score Covered for LLM03 Supply Chain: Noma Security, HiddenLayer, Credo AI, Protect AI, Apiiro, and others. 12 more score Partial, as of 2026-07-13.
What is LLM03 Supply Chain?
Compromised models, datasets, plugins, or dependencies add risk before runtime.