Which LLM-security vendors cover LLM10 Unbounded Consumption? (2026)
LLM10 Unbounded Consumption — Uncontrolled requests drive cost, denial of service, or model extraction. As of , 4 of 21 vendors llmthreat tracks score Covered for this risk, 9 more score Partial. Scores are llmthreat's editorial read of public documentation, not a third-party audit.
- 4/21
- Covered
- 9
- Partial
- 4
- Not covered
- 4
- Unverified
How it happens
Attackers don't need to break the model, just make it expensive or unavailable. Variable-length input flood sends a stream of maximum-context requests to burn GPU time and inflate API bills (denial of wallet), which is especially damaging on pay-per-token pricing. Recursive/unbounded context expansion — an agent loop that keeps re-summarizing its own prior output, or a chain with no turn cap — balloons token counts every round until it times out or costs a fortune. Model extraction is the quieter version: systematically querying the API across a wide input distribution and distilling the outputs into a student model, effectively cloning functional behavior without touching the weights.
How to test for it
Load-test the API with k6, Locust, or Vegeta using maximum-size and variable-length payloads to confirm rate limits, per-request token caps, and timeouts actually fire — most teams discover their 'rate limit' only throttles requests/minute, not tokens/minute, and still blows the budget. Check agent configs for a hard step-count and token-budget ceiling by scripting a loop that repeatedly invokes the agent and watching whether it terminates on its own. For extraction exposure, run a high-volume, systematically varied query campaign against your own API and estimate how closely a shadow model trained on the outputs could approximate it — this mirrors published model-stealing methodology.
How to mitigate it
Enforce hard limits at the gateway: max input/output tokens per request, requests-per-minute AND tokens-per-minute per API key, and request timeouts — a limiter that only counts requests misses token-flood attacks entirely. Cap agent loop iterations and total token budget per session, not just per call. Set per-account spend ceilings with billing alerts so a runaway loop can't generate a five-figure bill overnight. Monitor for extraction-style traffic: high volume, systematically varied inputs, low diversity of apparent intent. Limits: tight limits also throttle legitimate power users with long documents or deep agent chains — this is a tuning tradeoff, not a one-time fix.
Which vendors cover LLM10 Unbounded Consumption?
| Vendor | Category | Coverage | How it's addressed | Source |
|---|---|---|---|---|
| Lakera | Guardrails / LLM Firewall | Covered | Detects suspicious usage patterns and resource-exhaustion attacks. | https://www.lakera.ai/blog/owasp-top-10-for-llm-applications-lakera-alignment |
| Vijil | Agentic AI Security | Covered | Vijil Dome's documented policy domains explicitly list 'Input Sanitization: Prompt classification, rate limiting, and DoS filtering.' | https://vijil.ai/blog/vijil-dome-securing-the-future-of-ai-agents |
| Giskard | AI Red Teaming | Covered | Dedicated documentation page 'Denial of Service (OWASP LLM 10)' describes scanner tests for resource-exhaustion/performance-degradation attacks. | https://docs.giskard.ai/hub/ui/scan/vulnerability-categories/denial-of-service.html |
| Prompt Security | Guardrails / LLM Firewall | Covered | Protects homegrown apps against Denial of Wallet / unbounded consumption. | https://prompt.security/solutions/homegrown-genai-apps |
| Noma Security | AI-SPM / Runtime Protection | Partial | Noma's runtime guardrails documentation discusses enforcing rate limits to resist overload attempts and blocking risky tool calls to prevent resource-exhaustion/'denial of wallet' abuse, though not detailed as a standalone product feature page. | https://noma.security/agentic-security/series-3-addressing-agentic-risk/blog-3-2-addressing-agentic-risk-part-2/ |
| Straiker | Agentic AI Security | Partial | Defend AI blocks resource exploitation and identity abuse at runtime. | https://www.straiker.ai/ |
| Enkrypt AI | Guardrails / LLM Firewall | Partial | MCP Servers Hosting product is documented with built-in rate limiting, and the company's agent-guardrails framework addresses resource-overload risks (prompt storms, runaway recursion) mapped to OWASP resource-overload risk, though not a comprehensive platform-wide unbounded-consumption control. | https://medium.com/enkrypt-ai/securing-ai-agents-a-comprehensive-framework-for-agent-guardrails-a75671e0d7c9 |
| Mindgard | AI Red Teaming | Partial | Mindgard published its own research demonstrating red-team testing of resource-exhaustion/unbounded-consumption attacks (reasoning-loop exhaustion) against DeepSeek-R1, showing the capability exists but not documented as a broad, general unbounded-consumption test category. | https://mindgard.ai/blog/deepseek-r1s-susceptibility-to-exhaustion-attacks |
| NeuralTrust | Guardrails / LLM Firewall | Partial | Gateway (TrustGate) enforces policy at scale (20K rps/node); rate-limit style controls implied but not detailed. | https://neuraltrust.ai/ |
| Akto | Agentic AI Security | Partial | API-security heritage includes rate-limit/DoS testing; not GenAI-specific in docs. | https://www.akto.io/api-security |
| HiddenLayer | AI-SPM / Runtime Protection | Partial | Prevents model extraction/theft (mapped to Unbounded Consumption); explicit rate/DoS controls not documented. | https://www.hiddenlayer.com/aisec-platform/ |
| Pangea | Guardrails / LLM Firewall | Partial | Vendor claims coverage of 8/10 OWASP LLM risks; specific consumption controls not detailed. | https://www.prnewswire.com/news-releases/pangea-unveils-suite-of-ai-security-guardrails-to-address-llm-software-risks-and-accelerate-ai-development-debuts-10-000-jailbreak-competition-302379049.html |
| CalypsoAI | AI Red Teaming | Partial | Blog states platform "prevents excessive API usage and abuse, ensuring efficient and secure resource utilization" — general claim, no rate-limiting/cost-control detail. | https://www.f5.com/company/blog/protecting-the-future-how-calypsoai-aligns-with-the-owasp-top-10-for-llms |
4 vendors score Not covered and 4 score Unverified for LLM10 — see the full coverage matrix.
Frequently asked questions
Which vendors cover LLM10 Unbounded Consumption?
4 of the 21 vendors llmthreat tracks score Covered for LLM10 Unbounded Consumption: Lakera, Vijil, Giskard, Prompt Security. 9 more score Partial, as of 2026-07-13.
What is LLM10 Unbounded Consumption?
Uncontrolled requests drive cost, denial of service, or model extraction.