llmthreat
For vendors 21 vendors · 10 tools Matrix Vendors
OWASP LLM Top 10 · LLM03

Which LLM-security vendors cover LLM03 Supply Chain? (2026)

LLM03 Supply Chain — Compromised models, datasets, plugins, or dependencies add risk before runtime. As of , 6 of 21 vendors llmthreat tracks score Covered for this risk, 12 more score Partial. Scores are llmthreat's editorial read of public documentation, not a third-party audit.

6/21
Covered
12
Partial
2
Not covered
1
Unverified

How it happens

LLM apps pull in pretrained models, LoRA/PEFT adapters, datasets, and tooling from third parties, and any of those can be tampered with before you ever load them. Real incidents: JFrog found roughly 100 malicious models on Hugging Face using unsafe pickle deserialization to run arbitrary code on load; the Ultralytics YOLO PyPI package was compromised in December 2024 (versions 8.3.41/8.3.42 shipped a cryptominer) showing the same pattern hits ML tooling, not just model weights. A backdoored LoRA adapter can behave normally until a specific trigger phrase flips its output — hard to catch by just eyeballing benchmark scores.

How to test for it

Run ModelScan (Protect AI, open source) against any pickle/H5/SavedModel file before it touches production — it flags unsafe deserialization code embedded in the file. Prefer safetensors over pickle where the model source supports it, since safetensors can't execute code on load. Run standard SCA tools (Snyk, OSV-Scanner) against your ML dependency tree the same way you would any other package, and maintain an AI-BOM (CycloneDX ML-BOM) so you can tell what's actually in your pipeline when a CVE or compromised-package advisory drops.

How to mitigate it

Pull models and adapters only from sources you can verify (signed commits, publisher checksums), scan every model file with ModelScan or equivalent in CI before deployment, and pin + hash-check package versions rather than trusting "latest." Re-scan on every model or dependency upgrade — a clean model today doesn't mean the next version is clean. This doesn't catch a backdoor baked into weights that pass a functional scan; that requires the poisoning-specific testing under LLM04.

Which vendors cover LLM03 Supply Chain?

Vendors covering LLM03 Supply Chain — as of 2026-07-13
VendorCategoryCoverageHow it's addressedSource
Noma Security AI-SPM / Runtime Protection Covered Identifies/remediates AI supply-chain risk: vulnerable data pipelines, misconfigured MLOps, malicious models. https://techcrunch.com/2024/10/31/noma-is-building-tools-to-spot-security-issues-with-ai-apps/
HiddenLayer AI-SPM / Runtime Protection Covered Model Scanner scans for malicious models, backdoored weights and vulnerable dependencies before deployment. https://hiddenlayer.com/model-scanner/
Credo AI AI Governance / Model Risk Covered AI Registry catalogs vendors/models with dependency mapping; vendor/third-party AI risk management. https://www.credo.ai/
Protect AI AI-SPM / Runtime Protection Covered Guardian scans 35+ model formats and 1.5M+ Hugging Face models; huntr AI/ML bug bounty. https://protectai.com/guardian
Apiiro AI-SPM / Runtime Protection Covered Software supply-chain security, SCA/SBOM and malicious-code detection are core strengths. https://apiiro.com/
Cranium AI-SPM / Runtime Protection Covered System-of-record for models, data, infra and vendors; third-party AI monitoring (AIBOM-style supply-chain inventory). https://cranium.ai/
Lakera Guardrails / LLM Firewall Partial Vendor marks supply chain as outside runtime scope; Lakera Red offers limited behavior evaluation. https://www.lakera.ai/blog/owasp-top-10-for-llm-applications-lakera-alignment
Straiker Agentic AI Security Partial Discover AI maps MCP servers and flags dangerous/misconfigured MCP tools; not model-file supply-chain scanning. https://www.straiker.ai/
TrojAI AI Red Teaming Partial JFrog DevSecOps integration scans models in the pipeline/supply chain. https://troj.ai/blog/devsecops-ai-security-trojai-jfrog-integration
Vijil Agentic AI Security Partial Depot provides hardened LLMs, reducing base-model provenance risk; broader supply-chain scanning not detailed. https://vijil.ai/
Enkrypt AI Guardrails / LLM Firewall Partial MCP Scanner/Gateway secures Model Context Protocol; not full model-artifact supply-chain scanning. https://www.enkryptai.com/
Mindgard AI Red Teaming Partial Discover produces AI-BOM and surfaces shadow AI; not full dependency supply-chain scanning. https://mindgard.ai/
NeuralTrust Guardrails / LLM Firewall Partial Free MCP Scanner identifies vulnerabilities and misconfigurations (tool poisoning, RCE-chaining, data exfiltration) in MCP server setups — a narrow supply-chain-adjacent surface, not comprehensive model/dependency supply-chain scanning. https://neuraltrust.ai/mcp-scanner
Akto Agentic AI Security Partial Lists supply-chain vulnerabilities among covered attack surface. https://www.akto.io/agentic-security
Lasso Security Guardrails / LLM Firewall Partial Agent hardening includes mitigating supply-chain risks and misconfigurations. https://www.lasso.security/blog/owasp-ai-red-teaming-landscape
Robust Intelligence AI Red Teaming Partial Model validation scans models before deployment; supply-chain aspects partial. https://sequoiacap.com/article/robust-intelligence-spotlight/
WitnessAI Guardrails / LLM Firewall Partial Observe discovers and catalogs AI apps, agents and MCP servers (usage inventory), not model supply-chain scanning. https://witness.ai/
CalypsoAI AI Red Teaming Partial F5/CalypsoAI blog: mitigates risks from outdated models, vulnerable pre-trained models, and weak model provenance via red-teaming and continuous monitoring — not full supply-chain artifact scanning. https://www.f5.com/company/blog/protecting-the-future-how-calypsoai-aligns-with-the-owasp-top-10-for-llms

2 vendors score Not covered and 1 score Unverified for LLM03 — see the full coverage matrix.

Open-source tools related to Supply Chain

These open-source projects also address supply chain, though we track them by repository health rather than scoring them like vendors:

Frequently asked questions

Which vendors cover LLM03 Supply Chain?

6 of the 21 vendors llmthreat tracks score Covered for LLM03 Supply Chain: Noma Security, HiddenLayer, Credo AI, Protect AI, Apiiro, and others. 12 more score Partial, as of 2026-07-13.

What is LLM03 Supply Chain?

Compromised models, datasets, plugins, or dependencies add risk before runtime.

Last verified . Sources: OWASP LLM Top 10 (2025, CC BY-SA 4.0), vendor documentation. Funding and repo figures are third-party and go stale. Re-verify before you rely on them.
Informational, not professional security advice — coverage is llmthreat's editorial read of public documentation; verify each vendor's Supply Chain handling with the vendor directly before a decision. OWASP, MITRE, and the listed vendors and maintainers do not endorse llmthreat.com.