llmthreat
For vendors 21 vendors · 10 tools Matrix Vendors
OWASP LLM Top 10 · LLM10

Which LLM-security vendors cover LLM10 Unbounded Consumption? (2026)

LLM10 Unbounded Consumption — Uncontrolled requests drive cost, denial of service, or model extraction. As of , 4 of 21 vendors llmthreat tracks score Covered for this risk, 9 more score Partial. Scores are llmthreat's editorial read of public documentation, not a third-party audit.

4/21
Covered
9
Partial
4
Not covered
4
Unverified

How it happens

Attackers don't need to break the model, just make it expensive or unavailable. Variable-length input flood sends a stream of maximum-context requests to burn GPU time and inflate API bills (denial of wallet), which is especially damaging on pay-per-token pricing. Recursive/unbounded context expansion — an agent loop that keeps re-summarizing its own prior output, or a chain with no turn cap — balloons token counts every round until it times out or costs a fortune. Model extraction is the quieter version: systematically querying the API across a wide input distribution and distilling the outputs into a student model, effectively cloning functional behavior without touching the weights.

How to test for it

Load-test the API with k6, Locust, or Vegeta using maximum-size and variable-length payloads to confirm rate limits, per-request token caps, and timeouts actually fire — most teams discover their 'rate limit' only throttles requests/minute, not tokens/minute, and still blows the budget. Check agent configs for a hard step-count and token-budget ceiling by scripting a loop that repeatedly invokes the agent and watching whether it terminates on its own. For extraction exposure, run a high-volume, systematically varied query campaign against your own API and estimate how closely a shadow model trained on the outputs could approximate it — this mirrors published model-stealing methodology.

How to mitigate it

Enforce hard limits at the gateway: max input/output tokens per request, requests-per-minute AND tokens-per-minute per API key, and request timeouts — a limiter that only counts requests misses token-flood attacks entirely. Cap agent loop iterations and total token budget per session, not just per call. Set per-account spend ceilings with billing alerts so a runaway loop can't generate a five-figure bill overnight. Monitor for extraction-style traffic: high volume, systematically varied inputs, low diversity of apparent intent. Limits: tight limits also throttle legitimate power users with long documents or deep agent chains — this is a tuning tradeoff, not a one-time fix.

Which vendors cover LLM10 Unbounded Consumption?

Vendors covering LLM10 Unbounded Consumption — as of 2026-07-13
VendorCategoryCoverageHow it's addressedSource
Lakera Guardrails / LLM Firewall Covered Detects suspicious usage patterns and resource-exhaustion attacks. https://www.lakera.ai/blog/owasp-top-10-for-llm-applications-lakera-alignment
Vijil Agentic AI Security Covered Vijil Dome's documented policy domains explicitly list 'Input Sanitization: Prompt classification, rate limiting, and DoS filtering.' https://vijil.ai/blog/vijil-dome-securing-the-future-of-ai-agents
Giskard AI Red Teaming Covered Dedicated documentation page 'Denial of Service (OWASP LLM 10)' describes scanner tests for resource-exhaustion/performance-degradation attacks. https://docs.giskard.ai/hub/ui/scan/vulnerability-categories/denial-of-service.html
Prompt Security Guardrails / LLM Firewall Covered Protects homegrown apps against Denial of Wallet / unbounded consumption. https://prompt.security/solutions/homegrown-genai-apps
Noma Security AI-SPM / Runtime Protection Partial Noma's runtime guardrails documentation discusses enforcing rate limits to resist overload attempts and blocking risky tool calls to prevent resource-exhaustion/'denial of wallet' abuse, though not detailed as a standalone product feature page. https://noma.security/agentic-security/series-3-addressing-agentic-risk/blog-3-2-addressing-agentic-risk-part-2/
Straiker Agentic AI Security Partial Defend AI blocks resource exploitation and identity abuse at runtime. https://www.straiker.ai/
Enkrypt AI Guardrails / LLM Firewall Partial MCP Servers Hosting product is documented with built-in rate limiting, and the company's agent-guardrails framework addresses resource-overload risks (prompt storms, runaway recursion) mapped to OWASP resource-overload risk, though not a comprehensive platform-wide unbounded-consumption control. https://medium.com/enkrypt-ai/securing-ai-agents-a-comprehensive-framework-for-agent-guardrails-a75671e0d7c9
Mindgard AI Red Teaming Partial Mindgard published its own research demonstrating red-team testing of resource-exhaustion/unbounded-consumption attacks (reasoning-loop exhaustion) against DeepSeek-R1, showing the capability exists but not documented as a broad, general unbounded-consumption test category. https://mindgard.ai/blog/deepseek-r1s-susceptibility-to-exhaustion-attacks
NeuralTrust Guardrails / LLM Firewall Partial Gateway (TrustGate) enforces policy at scale (20K rps/node); rate-limit style controls implied but not detailed. https://neuraltrust.ai/
Akto Agentic AI Security Partial API-security heritage includes rate-limit/DoS testing; not GenAI-specific in docs. https://www.akto.io/api-security
HiddenLayer AI-SPM / Runtime Protection Partial Prevents model extraction/theft (mapped to Unbounded Consumption); explicit rate/DoS controls not documented. https://www.hiddenlayer.com/aisec-platform/
Pangea Guardrails / LLM Firewall Partial Vendor claims coverage of 8/10 OWASP LLM risks; specific consumption controls not detailed. https://www.prnewswire.com/news-releases/pangea-unveils-suite-of-ai-security-guardrails-to-address-llm-software-risks-and-accelerate-ai-development-debuts-10-000-jailbreak-competition-302379049.html
CalypsoAI AI Red Teaming Partial Blog states platform "prevents excessive API usage and abuse, ensuring efficient and secure resource utilization" — general claim, no rate-limiting/cost-control detail. https://www.f5.com/company/blog/protecting-the-future-how-calypsoai-aligns-with-the-owasp-top-10-for-llms

4 vendors score Not covered and 4 score Unverified for LLM10 — see the full coverage matrix.

Frequently asked questions

Which vendors cover LLM10 Unbounded Consumption?

4 of the 21 vendors llmthreat tracks score Covered for LLM10 Unbounded Consumption: Lakera, Vijil, Giskard, Prompt Security. 9 more score Partial, as of 2026-07-13.

What is LLM10 Unbounded Consumption?

Uncontrolled requests drive cost, denial of service, or model extraction.

Last verified . Sources: OWASP LLM Top 10 (2025, CC BY-SA 4.0), vendor documentation. Funding and repo figures are third-party and go stale. Re-verify before you rely on them.
Informational, not professional security advice — coverage is llmthreat's editorial read of public documentation; verify each vendor's Unbounded Consumption handling with the vendor directly before a decision. OWASP, MITRE, and the listed vendors and maintainers do not endorse llmthreat.com.