TrojAI threat coverage: OWASP LLM Top 10 & MITRE ATLAS (2026)
Acquired · A10 NetworksTrojAI is an AI Red Teaming vendor. Its flagship product is TrojAI Detect (red teaming) + TrojAI Defend (AI firewall). Against the OWASP LLM Top 10 (2025) we score it Covered on 5 of 10 risks, Partial on 4, with 6 MITRE ATLAS techniques mapped as of . It now operates under A10 Networks.
- 5/10
- Risks covered
- 4
- Partial
- 6
- ATLAS techniques
- —
- Funding
- Acquired
- Status
At a glance
- Category
- AI Red Teaming
- Headquarters
- Undisclosed
- Founded
- Undisclosed
- Employees
- Undisclosed
- Flagship product
- TrojAI Detect (red teaming) + TrojAI Defend (AI firewall)
- Deployment
- SaaS and self-hosted; runtime firewall (Defend), incl. MCP
- Best for
- Enterprises wanting model/agent red teaming with OWASP mapping plus runtime firewall for LLM and MCP/agentic workflows
- Funding to date
- Undisclosed
- Last round
- Undisclosed
- Status
- Acquired by A10 Networks
Facts as of .
What does TrojAI do?
Two products, one loop: Detect red-teams models at build time, Defend firewalls them at runtime, both mapped to OWASP. It ships as SaaS and self-hosted; runtime firewall (Defend), incl. MCP, and it's built for enterprises wanting model/agent red teaming with OWASP mapping plus runtime firewall for LLM and MCP/agentic workflows. It's a weaker fit for buyers needing full ASPM/source-code AppSec; TrojAI centers on model behavior and runtime.
Which OWASP LLM Top 10 risks does TrojAI cover?
TrojAI's strongest verdict is LLM01Prompt Injection. The two tables below come from our editorial read of TrojAI's public documentation as of (it's what the docs support, not a hands-on lab test), and this row also sits in the full matrix across all 21 vendors.
| OWASP LLM Risk | What it is | TrojAI coverage | How it's addressed | Source |
|---|---|---|---|---|
| LLM01 Prompt Injection | User or hidden input overrides the model's rules or intended behavior. | Covered | Detect assesses prompt injection; Defend blocks at runtime; results mapped to OWASP 2025. | https://troj.ai/products/detect |
| LLM02 Sensitive Information Disclosure | The model leaks secrets, personal data, or proprietary content in its output. | Covered | Detect finds data and PII leakages. | https://troj.ai/products/detect |
| LLM03 Supply Chain | Compromised models, datasets, plugins, or dependencies add risk before runtime. | Partial | JFrog DevSecOps integration scans models in the pipeline/supply chain. | https://troj.ai/blog/devsecops-ai-security-trojai-jfrog-integration |
| LLM04 Data and Model Poisoning | Tampered training or fine-tuning data corrupts how the model behaves. | Partial | Detect red teams model behavior with adversarial/multi-turn attacks. | https://www.prnewswire.com/news-releases/trojai-detect-advances-ai-red-teaming-with-agentic-and-multi-turn-attacks-302515382.html |
| LLM05 Improper Output Handling | Downstream systems trust model output without checking it, enabling injection or code execution. | Partial | Assesses/filters toxic, unwanted or harmful content. | https://troj.ai/products/detect |
| LLM06 Excessive Agency | An agent holds more permissions, tools, or autonomy than the task needs. | Covered | Defend for MCP and agent-led red teaming secure agentic workflows. | https://www.troj.ai/blog/agentic-ai-defend-for-mcp-model-context-protocol |
| LLM07 System Prompt Leakage | The system prompt or the secrets inside it get exposed to users. | Covered | TrojAI Defend's product page explicitly lists system prompt leakage among the attack vectors it addresses: 'TrojAI Defend reduces the risk that the system prompts or instructions used to steer the behavior of the model may contain sensitive information or secrets.' | https://troj.ai/products/defend |
| LLM08 Vector and Embedding Weaknesses | Flaws in RAG stores let attackers poison, extract, or infer data. | Covered | TrojAI Defend's product page explicitly documents vector/embedding weakness protection: 'The system stops weaknesses in how vectors and embeddings are generated, stored, or retrieved from being exploited to inject harmful content, manipulate models, or access sensitive data.' | https://troj.ai/products/defend |
| LLM09 Misinformation | The model produces false or fabricated content that users act on. | Partial | Detect flags unwanted/harmful content; explicit misinformation/hallucination scope unconfirmed. | https://troj.ai/products/detect |
| LLM10 Unbounded Consumption | Uncontrolled requests drive cost, denial of service, or model extraction. | Unverified | Runtime firewall exists but rate-limit/consumption controls not explicitly documented. | None found |
| ATLAS Technique (ID) | Tactic | TrojAI coverage | Notes | Source |
|---|---|---|---|---|
| LLM Prompt Injection (AML.T0051) | Initial Access / Execution | Covered | Detect tests and Defend blocks prompt injection. | https://troj.ai/products/defend |
| LLM Data Leakage (AML.T0057) | Exfiltration | Covered | Detect uncovers PII/data leakage. | https://troj.ai/products/detect |
| Craft Adversarial Data (AML.T0043) | ML Attack Staging | Covered | Automated multi-turn/agentic adversarial red teaming. | https://www.prnewswire.com/news-releases/trojai-detect-advances-ai-red-teaming-with-agentic-and-multi-turn-attacks-302515382.html |
| LLM Jailbreak (AML.T0054) | Defense Evasion | Partial | Red teaming exercises jailbreak/harmful-content bypass. | https://troj.ai/products/detect |
| LLM Plugin Compromise (AML.T0053) | Execution | Partial | Defend for MCP protects tool/agent workflows. | https://www.troj.ai/blog/agentic-ai-defend-for-mcp-model-context-protocol |
| ML Supply Chain Compromise (AML.T0010) | Initial Access | Partial | JFrog integration scans models in the supply chain. | https://troj.ai/blog/devsecops-ai-security-trojai-jfrog-integration |
Is TrojAI independent, and how is it funded?
TrojAI was acquired by A10 Networks for Undisclosed (2026-06-15) and now operates as a brand of A10 Networks. Packaging, pricing, and support can shift under new ownership, so confirm current terms with A10 Networks before you buy.
TrojAI alternatives
The closest alternatives we track in AI Red Teaming are CalypsoAI, Giskard, Mindgard. On the open-source side, garak covers similar ground.
Frequently asked questions
What is TrojAI used for?
TrojAI is an AI Red Teaming vendor. Its flagship product is TrojAI Detect (red teaming) + TrojAI Defend (AI firewall). It ships as SaaS and self-hosted; runtime firewall (Defend), incl. MCP, and it's built for enterprises wanting model/agent red teaming with OWASP mapping plus runtime firewall for LLM and MCP/agentic workflows.
Is TrojAI independent or acquired?
TrojAI was acquired by A10 Networks and now operates as a subsidiary, as of 2026-07-13.
How many OWASP LLM Top 10 risks does TrojAI cover?
We score TrojAI as Covered on 5 of the ten OWASP LLM Top 10 (2025) risks, with 4 more Partial, as of 2026-07-13. The table on this page breaks down every risk, including the ones marked Not covered or Unverified.
How is TrojAI deployed?
TrojAI ships as SaaS and self-hosted; runtime firewall (Defend), incl. MCP.
What are the best alternatives to TrojAI?
The closest AI Red Teaming alternatives llmthreat tracks are CalypsoAI, Giskard, Mindgard. On the open-source side, garak covers similar ground.