Which LLM-security vendors cover LLM04 Data and Model Poisoning? (2026)
LLM04 Data and Model Poisoning — Tampered training or fine-tuning data corrupts how the model behaves. As of , 5 of 21 vendors llmthreat tracks score Covered for this risk, 11 more score Partial. Scores are llmthreat's editorial read of public documentation, not a third-party audit.
- 5/21
- Covered
- 11
- Partial
- 4
- Not covered
- 1
- Unverified
How it happens
This covers manipulation of training data, fine-tuning data, RAG corpora, or feedback signals so the model learns or retrieves attacker-shaped behavior. Classic case: an attacker seeds content on public web pages or wikis knowing it'll be scraped into a future training or fine-tuning run, or plants documents directly into a RAG knowledge base to steer answers toward a specific outcome (the pattern academic literature calls PoisonedRAG). Backdoor poisoning is stealthier: a specific trigger token or phrase in fine-tuning data causes bad output only when present, while the model scores fine on every normal benchmark. Feedback-loop poisoning — coordinated thumbs-up/down brigading — can also push an RLHF-tuned model toward attacker-preferred behavior over time.
How to test for it
There's no reliable automated "scan for poisoning" tool comparable to garak for injection — testing here is mostly data governance work: diff and version your training/fine-tuning datasets and review changes, run statistical outlier/anomaly detection on corpus additions, and track data lineage back to source. For RAG specifically, red-team it directly: inject a poisoned document into a test copy of the knowledge base and confirm the app's answers change in the expected malicious direction before you ship the ingestion pipeline.
How to mitigate it
Treat write access to any RAG knowledge base or fine-tuning dataset as a privileged action with access control and audit logging — ingestion pipelines are an attack surface, not just plumbing. Maintain dataset provenance/lineage, version datasets so a bad update can be rolled back, and require human review before fine-tuning on externally-sourced or user-contributed data. Be honest about the limit: detecting a well-hidden backdoor trigger after the fact is an open research problem, so prevention (controlling what gets in) matters more than detection (finding it once it's in).
Which vendors cover LLM04 Data and Model Poisoning?
| Vendor | Category | Coverage | How it's addressed | Source |
|---|---|---|---|---|
| Lakera | Guardrails / LLM Firewall | Covered | Identifies poisoning triggers and backdoor activation (per vendor mapping). | https://www.lakera.ai/blog/owasp-top-10-for-llm-applications-lakera-alignment |
| Noma Security | AI-SPM / Runtime Protection | Covered | Addresses model poisoning and unscanned code/data used for training. | https://techcrunch.com/2024/10/31/noma-is-building-tools-to-spot-security-issues-with-ai-apps/ |
| Mindgard | AI Red Teaming | Covered | Offensive Security red-teaming explicitly tests for training-data/model poisoning as a core simulated attack class, with dedicated research/blog content on detection. | https://mindgard.ai/blog/training-data-poisoning |
| Robust Intelligence | AI Red Teaming | Covered | Detects data/model poisoning and integrity failures via automated validation. | https://sequoiacap.com/article/robust-intelligence-spotlight/ |
| Protect AI | AI-SPM / Runtime Protection | Covered | Guardian detects deserialization attacks, architectural backdoors, and malicious model payloads. | https://protectai.com/guardian |
| Straiker | Agentic AI Security | Partial | Defend AI blocks agent memory poisoning at runtime; training-data poisoning not addressed. | https://www.straiker.ai/ |
| TrojAI | AI Red Teaming | Partial | Detect red teams model behavior with adversarial/multi-turn attacks. | https://www.prnewswire.com/news-releases/trojai-detect-advances-ai-red-teaming-with-agentic-and-multi-turn-attacks-302515382.html |
| Vijil | Agentic AI Security | Partial | Adversarial-robustness testing; not a dedicated training-data poisoning tool. | https://vijil.ai/ |
| Enkrypt AI | Guardrails / LLM Firewall | Partial | AI Data Risk Audit examines data, fine-tuning and embeddings for risk; live poisoning prevention less explicit. | https://www.enkryptai.com/ |
| NeuralTrust | Guardrails / LLM Firewall | Partial | TrustTest's red-teaming catalog explicitly tests 'Context poisoning' and the Echo Chamber attack, but this is runtime conversational/context poisoning rather than training-data or model-weight poisoning as defined by OWASP LLM04. | https://neuraltrust.ai/red-teaming |
| Akto | Agentic AI Security | Partial | References model poisoning risk in testing scope. | https://www.akto.io/agentic-security |
| HiddenLayer | AI-SPM / Runtime Protection | Partial | Detects backdoored/tampered model weights via scanning; training-data poisoning of live pipelines less explicitly addressed. | https://hiddenlayer.com/model-scanner/ |
| Lasso Security | Guardrails / LLM Firewall | Partial | Addresses tool poisoning in agentic environments. | https://www.lasso.security/blog/owasp-ai-red-teaming-landscape |
| CalypsoAI | AI Red Teaming | Partial | Same blog: helps identify poorly trained/poisoned models and provides protection for RAG systems during inference (training-phase poisoning explicitly out of scope). | https://www.f5.com/company/blog/protecting-the-future-how-calypsoai-aligns-with-the-owasp-top-10-for-llms |
| Apiiro | AI-SPM / Runtime Protection | Partial | Malicious-dependency/component detection touches poisoned AI supply components. | https://apiiro.com/ |
| Cranium | AI-SPM / Runtime Protection | Partial | Threat simulation/red teaming can surface poisoning-related weaknesses; not explicitly detailed. | https://cranium.ai/ |
4 vendors score Not covered and 1 score Unverified for LLM04 — see the full coverage matrix.
Frequently asked questions
Which vendors cover LLM04 Data and Model Poisoning?
5 of the 21 vendors llmthreat tracks score Covered for LLM04 Data and Model Poisoning: Lakera, Noma Security, Mindgard, Robust Intelligence, Protect AI. 11 more score Partial, as of 2026-07-13.
What is LLM04 Data and Model Poisoning?
Tampered training or fine-tuning data corrupts how the model behaves.