llmthreat
For vendors 21 vendors · 10 tools Matrix Vendors
OWASP LLM Top 10 · LLM04

Which LLM-security vendors cover LLM04 Data and Model Poisoning? (2026)

LLM04 Data and Model Poisoning — Tampered training or fine-tuning data corrupts how the model behaves. As of , 5 of 21 vendors llmthreat tracks score Covered for this risk, 11 more score Partial. Scores are llmthreat's editorial read of public documentation, not a third-party audit.

5/21
Covered
11
Partial
4
Not covered
1
Unverified

How it happens

This covers manipulation of training data, fine-tuning data, RAG corpora, or feedback signals so the model learns or retrieves attacker-shaped behavior. Classic case: an attacker seeds content on public web pages or wikis knowing it'll be scraped into a future training or fine-tuning run, or plants documents directly into a RAG knowledge base to steer answers toward a specific outcome (the pattern academic literature calls PoisonedRAG). Backdoor poisoning is stealthier: a specific trigger token or phrase in fine-tuning data causes bad output only when present, while the model scores fine on every normal benchmark. Feedback-loop poisoning — coordinated thumbs-up/down brigading — can also push an RLHF-tuned model toward attacker-preferred behavior over time.

How to test for it

There's no reliable automated "scan for poisoning" tool comparable to garak for injection — testing here is mostly data governance work: diff and version your training/fine-tuning datasets and review changes, run statistical outlier/anomaly detection on corpus additions, and track data lineage back to source. For RAG specifically, red-team it directly: inject a poisoned document into a test copy of the knowledge base and confirm the app's answers change in the expected malicious direction before you ship the ingestion pipeline.

How to mitigate it

Treat write access to any RAG knowledge base or fine-tuning dataset as a privileged action with access control and audit logging — ingestion pipelines are an attack surface, not just plumbing. Maintain dataset provenance/lineage, version datasets so a bad update can be rolled back, and require human review before fine-tuning on externally-sourced or user-contributed data. Be honest about the limit: detecting a well-hidden backdoor trigger after the fact is an open research problem, so prevention (controlling what gets in) matters more than detection (finding it once it's in).

Which vendors cover LLM04 Data and Model Poisoning?

Vendors covering LLM04 Data and Model Poisoning — as of 2026-07-13
VendorCategoryCoverageHow it's addressedSource
Lakera Guardrails / LLM Firewall Covered Identifies poisoning triggers and backdoor activation (per vendor mapping). https://www.lakera.ai/blog/owasp-top-10-for-llm-applications-lakera-alignment
Noma Security AI-SPM / Runtime Protection Covered Addresses model poisoning and unscanned code/data used for training. https://techcrunch.com/2024/10/31/noma-is-building-tools-to-spot-security-issues-with-ai-apps/
Mindgard AI Red Teaming Covered Offensive Security red-teaming explicitly tests for training-data/model poisoning as a core simulated attack class, with dedicated research/blog content on detection. https://mindgard.ai/blog/training-data-poisoning
Robust Intelligence AI Red Teaming Covered Detects data/model poisoning and integrity failures via automated validation. https://sequoiacap.com/article/robust-intelligence-spotlight/
Protect AI AI-SPM / Runtime Protection Covered Guardian detects deserialization attacks, architectural backdoors, and malicious model payloads. https://protectai.com/guardian
Straiker Agentic AI Security Partial Defend AI blocks agent memory poisoning at runtime; training-data poisoning not addressed. https://www.straiker.ai/
TrojAI AI Red Teaming Partial Detect red teams model behavior with adversarial/multi-turn attacks. https://www.prnewswire.com/news-releases/trojai-detect-advances-ai-red-teaming-with-agentic-and-multi-turn-attacks-302515382.html
Vijil Agentic AI Security Partial Adversarial-robustness testing; not a dedicated training-data poisoning tool. https://vijil.ai/
Enkrypt AI Guardrails / LLM Firewall Partial AI Data Risk Audit examines data, fine-tuning and embeddings for risk; live poisoning prevention less explicit. https://www.enkryptai.com/
NeuralTrust Guardrails / LLM Firewall Partial TrustTest's red-teaming catalog explicitly tests 'Context poisoning' and the Echo Chamber attack, but this is runtime conversational/context poisoning rather than training-data or model-weight poisoning as defined by OWASP LLM04. https://neuraltrust.ai/red-teaming
Akto Agentic AI Security Partial References model poisoning risk in testing scope. https://www.akto.io/agentic-security
HiddenLayer AI-SPM / Runtime Protection Partial Detects backdoored/tampered model weights via scanning; training-data poisoning of live pipelines less explicitly addressed. https://hiddenlayer.com/model-scanner/
Lasso Security Guardrails / LLM Firewall Partial Addresses tool poisoning in agentic environments. https://www.lasso.security/blog/owasp-ai-red-teaming-landscape
CalypsoAI AI Red Teaming Partial Same blog: helps identify poorly trained/poisoned models and provides protection for RAG systems during inference (training-phase poisoning explicitly out of scope). https://www.f5.com/company/blog/protecting-the-future-how-calypsoai-aligns-with-the-owasp-top-10-for-llms
Apiiro AI-SPM / Runtime Protection Partial Malicious-dependency/component detection touches poisoned AI supply components. https://apiiro.com/
Cranium AI-SPM / Runtime Protection Partial Threat simulation/red teaming can surface poisoning-related weaknesses; not explicitly detailed. https://cranium.ai/

4 vendors score Not covered and 1 score Unverified for LLM04 — see the full coverage matrix.

Frequently asked questions

Which vendors cover LLM04 Data and Model Poisoning?

5 of the 21 vendors llmthreat tracks score Covered for LLM04 Data and Model Poisoning: Lakera, Noma Security, Mindgard, Robust Intelligence, Protect AI. 11 more score Partial, as of 2026-07-13.

What is LLM04 Data and Model Poisoning?

Tampered training or fine-tuning data corrupts how the model behaves.

Last verified . Sources: OWASP LLM Top 10 (2025, CC BY-SA 4.0), vendor documentation. Funding and repo figures are third-party and go stale. Re-verify before you rely on them.
Informational, not professional security advice — coverage is llmthreat's editorial read of public documentation; verify each vendor's Data and Model Poisoning handling with the vendor directly before a decision. OWASP, MITRE, and the listed vendors and maintainers do not endorse llmthreat.com.