genai-security-crosswalk 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
package/data/entries/LLM01.json ADDED
@@ -0,0 +1,975 @@
1
+ {
2
+ "id": "LLM01",
3
+ "name": "Prompt Injection",
4
+ "source_list": "LLM-Top10-2025",
5
+ "version": "2026-Q1",
6
+ "severity": "Critical",
7
+ "aivss_score": null,
8
+ "audience": [
9
+ "red-teamer",
10
+ "security-engineer",
11
+ "developer",
12
+ "ml-engineer",
13
+ "ot-engineer",
14
+ "ciso",
15
+ "compliance",
16
+ "auditor"
17
+ ],
18
+ "mappings": [
19
+ {
20
+ "framework": "MITRE ATLAS",
21
+ "control_id": "AML.T0051.000",
22
+ "control_name": "Direct Prompt Injection",
23
+ "tier": "Foundational",
24
+ "scope": "Both",
25
+ "url": "https://atlas.mitre.org/techniques/AML.T0051.000",
26
+ "notes": "Attacker directly manipulates user-facing prompt to alter model behaviour"
27
+ },
28
+ {
29
+ "framework": "MITRE ATLAS",
30
+ "control_id": "AML.T0051.001",
31
+ "control_name": "Indirect Prompt Injection",
32
+ "tier": "Foundational",
33
+ "scope": "Both",
34
+ "url": "https://atlas.mitre.org/techniques/AML.T0051.001",
35
+ "notes": "Hidden instructions in content the model processes (documents, web, RAG)"
36
+ },
37
+ {
38
+ "framework": "MITRE ATLAS",
39
+ "control_id": "AML.T0054",
40
+ "control_name": "LLM Jailbreak",
41
+ "tier": "Foundational",
42
+ "scope": "Both",
43
+ "url": "https://atlas.mitre.org/techniques/AML.T0054",
44
+ "notes": "Circumventing model safety guardrails via crafted prompt sequences"
45
+ },
46
+ {
47
+ "framework": "NIST AI RMF 1.0",
48
+ "control_id": "GV-1.7",
49
+ "control_name": "Policies for trustworthy AI characteristics",
50
+ "tier": "Foundational",
51
+ "scope": "Both",
52
+ "notes": "Organisational policies explicitly address adversarial input risks including prompt injection"
53
+ },
54
+ {
55
+ "framework": "NIST AI RMF 1.0",
56
+ "control_id": "MP-2.3",
57
+ "control_name": "Risk categorisation",
58
+ "tier": "Foundational",
59
+ "scope": "Both",
60
+ "notes": "Prompt injection categorised as a high-priority risk in the AI system risk register"
61
+ },
62
+ {
63
+ "framework": "NIST AI RMF 1.0",
64
+ "control_id": "MS-2.5",
65
+ "control_name": "Testing and evaluation — adversarial",
66
+ "tier": "Foundational",
67
+ "scope": "Both",
68
+ "notes": "Adversarial testing programme validates model resilience to prompt injection at each release"
69
+ },
70
+ {
71
+ "framework": "NIST AI RMF 1.0",
72
+ "control_id": "MG-2.2",
73
+ "control_name": "Risk response — incident",
74
+ "tier": "Foundational",
75
+ "scope": "Both",
76
+ "notes": "Defined incident response procedures for detected prompt injection attacks"
77
+ },
78
+ {
79
+ "framework": "EU AI Act",
80
+ "control_id": "Providers of high-risk AI must implement a risk management system covering all reasonably foreseeable risks",
81
+ "control_name": "Art. 9 — Risk management",
82
+ "tier": "Foundational",
83
+ "scope": "Both",
84
+ "notes": "Prompt injection must be identified, analysed, and mitigated in the risk management system"
85
+ },
86
+ {
87
+ "framework": "EU AI Act",
88
+ "control_id": "High-risk AI systems must be resilient to adversarial inputs and attempts to alter outputs or performance",
89
+ "control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
90
+ "tier": "Foundational",
91
+ "scope": "Both",
92
+ "notes": "Robustness against prompt injection is a technical compliance requirement — not optional"
93
+ },
94
+ {
95
+ "framework": "EU AI Act",
96
+ "control_id": "Providers of systemic risk GPAI models must conduct adversarial testing to identify and mitigate systemic risks",
97
+ "control_name": "Art. 55(1)(b) — Systemic risk GPAI",
98
+ "tier": "Foundational",
99
+ "scope": "Both",
100
+ "notes": "Prompt injection adversarial testing is a binding obligation for systemic risk models"
101
+ },
102
+ {
103
+ "framework": "ISO/IEC 27001:2022",
104
+ "control_id": "A.8.28",
105
+ "control_name": "Secure coding",
106
+ "tier": "Foundational",
107
+ "scope": "Both",
108
+ "notes": "Secure coding requirements for all LLM integration code — input validation, sanitisation, context separation"
109
+ },
110
+ {
111
+ "framework": "ISO/IEC 27001:2022",
112
+ "control_id": "A.8.29",
113
+ "control_name": "Security testing",
114
+ "tier": "Foundational",
115
+ "scope": "Both",
116
+ "notes": "Adversarial testing programme covering prompt injection scenarios before each release"
117
+ },
118
+ {
119
+ "framework": "ISO/IEC 27001:2022",
120
+ "control_id": "A.5.7",
121
+ "control_name": "Threat intelligence",
122
+ "tier": "Foundational",
123
+ "scope": "Both",
124
+ "notes": "Active intelligence on prompt injection techniques — new attack patterns inform detection controls"
125
+ },
126
+ {
127
+ "framework": "ISO/IEC 27001:2022",
128
+ "control_id": "A.8.16",
129
+ "control_name": "Monitoring activities",
130
+ "tier": "Foundational",
131
+ "scope": "Both",
132
+ "notes": "Runtime monitoring for prompt injection indicators in LLM inputs and outputs"
133
+ },
134
+ {
135
+ "framework": "ISO/IEC 42001:2023",
136
+ "control_id": "A.6.2.3",
137
+ "control_name": "AI system security",
138
+ "tier": "Foundational",
139
+ "scope": "Both",
140
+ "notes": "AI systems designed with security controls — input validation, context separation, injection detection as AIMS design requirements"
141
+ },
142
+ {
143
+ "framework": "ISO/IEC 42001:2023",
144
+ "control_id": "A.6.2.6",
145
+ "control_name": "Testing of AI systems",
146
+ "tier": "Foundational",
147
+ "scope": "Both",
148
+ "notes": "AI systems tested before deployment — adversarial testing for prompt injection as AIMS testing requirement"
149
+ },
150
+ {
151
+ "framework": "ISO/IEC 42001:2023",
152
+ "control_id": "A.6.2.8",
153
+ "control_name": "Monitoring of AI systems",
154
+ "tier": "Foundational",
155
+ "scope": "Both",
156
+ "notes": "AI systems monitored in operation — runtime injection detection as AIMS monitoring control"
157
+ },
158
+ {
159
+ "framework": "ISO/IEC 42001:2023",
160
+ "control_id": "Cl.6.1",
161
+ "control_name": "Risk assessment",
162
+ "tier": "Foundational",
163
+ "scope": "Both",
164
+ "notes": "Prompt injection included in AI risk assessment — risk owner, treatment, review cadence documented"
165
+ },
166
+ {
167
+ "framework": "CIS Controls v8.1",
168
+ "control_id": "16.1 Establish secure application development standards",
169
+ "control_name": "CIS 16 — Application Software Security",
170
+ "tier": "Foundational",
171
+ "scope": "Both",
172
+ "notes": "Secure development standards covering LLM integration — input validation, context separation"
173
+ },
174
+ {
175
+ "framework": "CIS Controls v8.1",
176
+ "control_id": "16.2 Implement code review",
177
+ "control_name": "CIS 16 — Application Software Security",
178
+ "tier": "Foundational",
179
+ "scope": "Both",
180
+ "notes": "Code review for all LLM integration code — prompt injection patterns reviewed"
181
+ },
182
+ {
183
+ "framework": "CIS Controls v8.1",
184
+ "control_id": "18.1 Establish penetration testing programme",
185
+ "control_name": "CIS 18 — Penetration Testing",
186
+ "tier": "Foundational",
187
+ "scope": "Both",
188
+ "notes": "Adversarial testing programme covering prompt injection scenarios"
189
+ },
190
+ {
191
+ "framework": "CIS Controls v8.1",
192
+ "control_id": "8.2 Collect audit logs",
193
+ "control_name": "CIS 8 — Audit Log Management",
194
+ "tier": "Foundational",
195
+ "scope": "Both",
196
+ "notes": "Runtime logging of all LLM inputs — injection attempts detectable through log analysis"
197
+ },
198
+ {
199
+ "framework": "OWASP ASVS 4.0.3",
200
+ "control_id": "V5.1.1",
201
+ "control_name": "Verify all user input validated against an allowlist or rejected",
202
+ "tier": "Foundational",
203
+ "scope": "Both",
204
+ "notes": "All inputs to LLMs validated — indirect injection through processed content equally in scope"
205
+ },
206
+ {
207
+ "framework": "OWASP ASVS 4.0.3",
208
+ "control_id": "V5.1.2",
209
+ "control_name": "Verify that HTTP request parts are validated, sanitised, or rejected",
210
+ "tier": "Foundational",
211
+ "scope": "Both",
212
+ "notes": "LLM API request validation — prompt structure, content type, and character set enforced"
213
+ },
214
+ {
215
+ "framework": "OWASP ASVS 4.0.3",
216
+ "control_id": "V5.2.1",
217
+ "control_name": "Verify output encoding prevents injection attacks",
218
+ "tier": "Foundational",
219
+ "scope": "Both",
220
+ "notes": "LLM output encoding before passing to downstream renderers or interpreters"
221
+ },
222
+ {
223
+ "framework": "OWASP ASVS 4.0.3",
224
+ "control_id": "V5.2.5",
225
+ "control_name": "Verify application protects against OS command injection",
226
+ "tier": "Foundational",
227
+ "scope": "Both",
228
+ "notes": "LLM-generated content validated before execution in any shell or interpreter context"
229
+ },
230
+ {
231
+ "framework": "OWASP ASVS 4.0.3",
232
+ "control_id": "V1.1.2",
233
+ "control_name": "Threat modelling of all data flows",
234
+ "tier": "Foundational",
235
+ "scope": "Both",
236
+ "notes": "LLM data flows threat-modelled — all injection paths identified and documented"
237
+ },
238
+ {
239
+ "framework": "OWASP ASVS 4.0.3",
240
+ "control_id": "V11.1.2",
241
+ "control_name": "Verify business logic limits prevent abuse of LLM functions",
242
+ "tier": "Foundational",
243
+ "scope": "Both",
244
+ "notes": "Business logic controls preventing prompt injection from triggering unauthorised actions"
245
+ },
246
+ {
247
+ "framework": "ISA/IEC 62443",
248
+ "control_id": "SR 3.3",
249
+ "control_name": "Software and information integrity",
250
+ "tier": "Foundational",
251
+ "scope": "Both",
252
+ "notes": "All inputs to LLMs connected to OT systems validated for integrity — crafted inputs rejected"
253
+ },
254
+ {
255
+ "framework": "ISA/IEC 62443",
256
+ "control_id": "SR 2.2",
257
+ "control_name": "Least privilege",
258
+ "tier": "Foundational",
259
+ "scope": "Both",
260
+ "notes": "LLMs granted minimum necessary access to OT data — cannot read or write to control systems without explicit scoping"
261
+ },
262
+ {
263
+ "framework": "ISA/IEC 62443",
264
+ "control_id": "SR 2.1",
265
+ "control_name": "Use control enforcement",
266
+ "tier": "Foundational",
267
+ "scope": "Both",
268
+ "notes": "Enforcement of permitted use of LLM within OT context — out-of-scope requests rejected at the gateway layer"
269
+ },
270
+ {
271
+ "framework": "ISA/IEC 62443",
272
+ "control_id": "SR 1.6",
273
+ "control_name": "Authenticator feedback",
274
+ "tier": "Foundational",
275
+ "scope": "Both",
276
+ "notes": "LLM interactions logged with user identity — injection attempts attributable to specific sessions"
277
+ },
278
+ {
279
+ "framework": "ISA/IEC 62443",
280
+ "control_id": "SR 1.9",
281
+ "control_name": "Remote session termination",
282
+ "tier": "Foundational",
283
+ "scope": "Both",
284
+ "notes": "Ability to terminate LLM sessions immediately on detection of suspicious behaviour"
285
+ },
286
+ {
287
+ "framework": "NIST SP 800-82 Rev 3",
288
+ "control_id": "Malicious code and logic attacks via IT/OT convergence",
289
+ "control_name": "Section 5.3 — Threats",
290
+ "tier": "Foundational",
291
+ "scope": "Both",
292
+ "notes": "Prompt injection as a new logic attack vector through LLM at the IT/OT boundary"
293
+ },
294
+ {
295
+ "framework": "NIST SP 800-82 Rev 3",
296
+ "control_id": "Identify threats, vulnerabilities, and impacts for all OT systems",
297
+ "control_name": "Section 6.2 — Risk assessment",
298
+ "tier": "Foundational",
299
+ "scope": "Both",
300
+ "notes": "Prompt injection documented in OT risk assessment for each LLM integration"
301
+ },
302
+ {
303
+ "framework": "NIST SP 800-82 Rev 3",
304
+ "control_id": "Defense-in-depth network architecture with validated data flows",
305
+ "control_name": "Section 7.2 — Network segmentation",
306
+ "tier": "Foundational",
307
+ "scope": "Both",
308
+ "notes": "Input validation layer at the DMZ/control zone boundary — prompt injection filtered before reaching LLM"
309
+ },
310
+ {
311
+ "framework": "NIST SP 800-82 Rev 3",
312
+ "control_id": "Title",
313
+ "control_name": "Control",
314
+ "tier": "Foundational",
315
+ "scope": "Both",
316
+ "notes": "Application"
317
+ },
318
+ {
319
+ "framework": "NIST SP 800-82 Rev 3",
320
+ "control_id": "Information Input Validation",
321
+ "control_name": "SI-10",
322
+ "tier": "Foundational",
323
+ "scope": "Both",
324
+ "notes": "Validate all inputs to LLMs connected to OT systems — reject inputs containing injection indicators"
325
+ },
326
+ {
327
+ "framework": "NIST SP 800-82 Rev 3",
328
+ "control_id": "Malicious Code Protection",
329
+ "control_name": "SI-3",
330
+ "tier": "Foundational",
331
+ "scope": "Both",
332
+ "notes": "Treat prompt injection as a malicious code analog — detection and response controls required"
333
+ },
334
+ {
335
+ "framework": "NIST SP 800-82 Rev 3",
336
+ "control_id": "Access Enforcement",
337
+ "control_name": "AC-3",
338
+ "tier": "Foundational",
339
+ "scope": "Both",
340
+ "notes": "LLM access to OT systems enforced by policy — injection cannot escalate LLM access beyond defined scope"
341
+ },
342
+ {
343
+ "framework": "NIST CSF 2.0",
344
+ "control_id": "PR.PS-04",
345
+ "control_name": "Platform Security",
346
+ "tier": "Foundational",
347
+ "scope": "Both",
348
+ "notes": "Secure software development practices applied to LLM integrations — input validation as a platform security control"
349
+ },
350
+ {
351
+ "framework": "NIST CSF 2.0",
352
+ "control_id": "DE.CM-01",
353
+ "control_name": "Continuous Monitoring",
354
+ "tier": "Foundational",
355
+ "scope": "Both",
356
+ "notes": "Networks and assets monitored for anomalies — LLM input channels monitored for injection indicators"
357
+ },
358
+ {
359
+ "framework": "NIST CSF 2.0",
360
+ "control_id": "ID.RA-01",
361
+ "control_name": "Risk Assessment",
362
+ "tier": "Foundational",
363
+ "scope": "Both",
364
+ "notes": "Vulnerabilities in assets identified and documented — prompt injection as a documented vulnerability class for all LLM deployments"
365
+ },
366
+ {
367
+ "framework": "NIST CSF 2.0",
368
+ "control_id": "GV.OC-01",
369
+ "control_name": "Organisational Context",
370
+ "tier": "Foundational",
371
+ "scope": "Both",
372
+ "notes": "Mission and stakeholder expectations inform cybersecurity risk decisions — acceptable LLM use scope defines injection risk surface"
373
+ },
374
+ {
375
+ "framework": "SOC 2",
376
+ "control_id": "Prompt injection documented as a threat in LLM application risk assessment — vectors, likelihood, impact assessed",
377
+ "control_name": "CC3.2 — Risk assessment identifies threats and vulnerabilities",
378
+ "tier": "Foundational",
379
+ "scope": "Both"
380
+ },
381
+ {
382
+ "framework": "SOC 2",
383
+ "control_id": "Runtime monitoring for prompt injection indicators on all LLM input channels — alerts integrated into SOC monitoring",
384
+ "control_name": "CC7.2 — Anomaly and threat detection",
385
+ "tier": "Foundational",
386
+ "scope": "Both"
387
+ },
388
+ {
389
+ "framework": "SOC 2",
390
+ "control_id": "Input validation procedures documented for all LLM integrations — implemented, tested, and reviewed",
391
+ "control_name": "CC5.2 — Select and develop control activities",
392
+ "tier": "Foundational",
393
+ "scope": "Both"
394
+ },
395
+ {
396
+ "framework": "SOC 2",
397
+ "control_id": "LLM access controls limit the blast radius of successful injection — least privilege enforced on all tool access",
398
+ "control_name": "CC6.1 — Logical access restrictions",
399
+ "tier": "Foundational",
400
+ "scope": "Both"
401
+ },
402
+ {
403
+ "framework": "PCI DSS v4.0",
404
+ "control_id": "Req 6.2.4",
405
+ "control_name": "Secure software development",
406
+ "tier": "Foundational",
407
+ "scope": "Both",
408
+ "notes": "All injection vulnerabilities addressed in LLM integration code — prompt injection as a known injection class"
409
+ },
410
+ {
411
+ "framework": "PCI DSS v4.0",
412
+ "control_id": "Req 6.4.1",
413
+ "control_name": "Public-facing application protection",
414
+ "tier": "Foundational",
415
+ "scope": "Both",
416
+ "notes": "LLM-powered customer-facing applications protected against prompt injection — WAF or equivalent, security testing"
417
+ },
418
+ {
419
+ "framework": "PCI DSS v4.0",
420
+ "control_id": "Req 10.6.1",
421
+ "control_name": "Audit log review",
422
+ "tier": "Foundational",
423
+ "scope": "Both",
424
+ "notes": "Automated log analysis covering LLM injection indicators — anomalous inputs detected and reviewed"
425
+ },
426
+ {
427
+ "framework": "PCI DSS v4.0",
428
+ "control_id": "Req 11.3.1",
429
+ "control_name": "External and internal penetration testing",
430
+ "tier": "Foundational",
431
+ "scope": "Both",
432
+ "notes": "Penetration testing includes prompt injection scenarios for all LLM applications in PCI scope"
433
+ },
434
+ {
435
+ "framework": "ENISA Multilayer Framework",
436
+ "control_id": "L2",
437
+ "control_name": "AI System Integrity (ASI)",
438
+ "tier": "Foundational",
439
+ "scope": "Both",
440
+ "notes": "LLM applications tested against prompt injection before deployment — adversarial inputs validated as part of AI system integrity verification"
441
+ },
442
+ {
443
+ "framework": "ENISA Multilayer Framework",
444
+ "control_id": "MON",
445
+ "control_name": "Monitoring and Detection",
446
+ "tier": "Foundational",
447
+ "scope": "Both",
448
+ "notes": "Runtime monitoring for injection indicators across all LLM input channels — AI-specific anomaly detection"
449
+ },
450
+ {
451
+ "framework": "ENISA Multilayer Framework",
452
+ "control_id": "L2",
453
+ "control_name": "Governance and Risk (GOV)",
454
+ "tier": "Foundational",
455
+ "scope": "Both",
456
+ "notes": "Prompt injection documented in AI risk register — risk assessment per deployment, treatment controls, review cadence"
457
+ },
458
+ {
459
+ "framework": "ENISA Multilayer Framework",
460
+ "control_id": "L1",
461
+ "control_name": "General ICT — Secure Development",
462
+ "tier": "Foundational",
463
+ "scope": "Both",
464
+ "notes": "Input validation and context separation as secure development requirements for all LLM integrations"
465
+ },
466
+ {
467
+ "framework": "OWASP SAMM v2.0",
468
+ "control_id": "D-TA",
469
+ "control_name": "Threat Assessment",
470
+ "tier": "Foundational",
471
+ "scope": "Both",
472
+ "notes": "LLM data flows threat-modelled — all injection paths (direct, indirect, multi-turn) identified and documented"
473
+ },
474
+ {
475
+ "framework": "OWASP SAMM v2.0",
476
+ "control_id": "I-SB",
477
+ "control_name": "Secure Build",
478
+ "tier": "Foundational",
479
+ "scope": "Both",
480
+ "notes": "Input validation and context separation as secure build requirements — reviewed in CI/CD before merge"
481
+ },
482
+ {
483
+ "framework": "OWASP SAMM v2.0",
484
+ "control_id": "V-ST",
485
+ "control_name": "Security Testing",
486
+ "tier": "Foundational",
487
+ "scope": "Both",
488
+ "notes": "Adversarial testing programme covering prompt injection — direct, indirect, RAG-specific, jailbreak scenarios"
489
+ },
490
+ {
491
+ "framework": "OWASP SAMM v2.0",
492
+ "control_id": "O-IM",
493
+ "control_name": "Incident Management",
494
+ "tier": "Foundational",
495
+ "scope": "Both",
496
+ "notes": "Runtime injection detection as operational monitoring — alerts integrated into incident management"
497
+ },
498
+ {
499
+ "framework": "STRIDE",
500
+ "control_id": "S",
501
+ "control_name": "Instruction Spoofing",
502
+ "tier": "Foundational",
503
+ "scope": "Both"
504
+ },
505
+ {
506
+ "framework": "STRIDE",
507
+ "control_id": "T",
508
+ "control_name": "Behaviour Tampering",
509
+ "tier": "Foundational",
510
+ "scope": "Both"
511
+ },
512
+ {
513
+ "framework": "STRIDE",
514
+ "control_id": "E",
515
+ "control_name": "Privilege Elevation via Injection",
516
+ "tier": "Foundational",
517
+ "scope": "Both"
518
+ },
519
+ {
520
+ "framework": "CWE/CVE",
521
+ "control_id": "CWE-20",
522
+ "control_name": "CWE-20",
523
+ "tier": "Foundational",
524
+ "scope": "Both",
525
+ "url": "https://cwe.mitre.org/data/definitions/20.html"
526
+ },
527
+ {
528
+ "framework": "CWE/CVE",
529
+ "control_id": "CWE-74",
530
+ "control_name": "CWE-74",
531
+ "tier": "Foundational",
532
+ "scope": "Both",
533
+ "url": "https://cwe.mitre.org/data/definitions/74.html"
534
+ },
535
+ {
536
+ "framework": "CWE/CVE",
537
+ "control_id": "CWE-77",
538
+ "control_name": "CWE-77",
539
+ "tier": "Foundational",
540
+ "scope": "Both",
541
+ "url": "https://cwe.mitre.org/data/definitions/77.html"
542
+ },
543
+ {
544
+ "framework": "OWASP AI Testing Guide",
545
+ "control_id": "Injection via all input channels",
546
+ "control_name": "IHT — Input Handling",
547
+ "tier": "Foundational",
548
+ "scope": "Both",
549
+ "notes": "Inject instruction-overriding content through user prompt, RAG-retrieved documents, tool return values, uploaded files, and any other data source the LLM processes"
550
+ },
551
+ {
552
+ "framework": "OWASP AI Testing Guide",
553
+ "control_id": "Goal consistency under adversarial input",
554
+ "control_name": "MBT — Model Behaviour",
555
+ "tier": "Foundational",
556
+ "scope": "Both",
557
+ "notes": "Verify the LLM's task framing at request start matches its actions and outputs at completion — test divergence after injection"
558
+ },
559
+ {
560
+ "framework": "OWASP AI Testing Guide",
561
+ "control_id": "Injection detection audit trail",
562
+ "control_name": "LMT — Logging & Monitoring",
563
+ "tier": "Foundational",
564
+ "scope": "Both",
565
+ "notes": "Verify that injection attempts are flagged in monitoring and appear in audit logs with sufficient detail for incident response"
566
+ },
567
+ {
568
+ "framework": "MAESTRO",
569
+ "control_id": "L1",
570
+ "control_name": "Foundation Models",
571
+ "tier": "Foundational",
572
+ "scope": "Both"
573
+ },
574
+ {
575
+ "framework": "MAESTRO",
576
+ "control_id": "L2",
577
+ "control_name": "Data Operations",
578
+ "tier": "Foundational",
579
+ "scope": "Both"
580
+ },
581
+ {
582
+ "framework": "MAESTRO",
583
+ "control_id": "L3",
584
+ "control_name": "Agent Frameworks",
585
+ "tier": "Foundational",
586
+ "scope": "Both"
587
+ },
588
+ {
589
+ "framework": "AIUC-1",
590
+ "control_id": "B001",
591
+ "control_name": "Third-party adversarial robustness testing",
592
+ "tier": "Foundational",
593
+ "scope": "Both",
594
+ "notes": "Foundational"
595
+ },
596
+ {
597
+ "framework": "AIUC-1",
598
+ "control_id": "B002",
599
+ "control_name": "Detect adversarial input",
600
+ "tier": "Foundational",
601
+ "scope": "Both",
602
+ "notes": "Hardening"
603
+ },
604
+ {
605
+ "framework": "AIUC-1",
606
+ "control_id": "B005",
607
+ "control_name": "Implement real-time input filtering",
608
+ "tier": "Foundational",
609
+ "scope": "Both",
610
+ "notes": "Foundational"
611
+ },
612
+ {
613
+ "framework": "AIUC-1",
614
+ "control_id": "B006",
615
+ "control_name": "Prevent unauthorized AI actions",
616
+ "tier": "Foundational",
617
+ "scope": "Both",
618
+ "notes": "Foundational"
619
+ },
620
+ {
621
+ "framework": "OWASP NHI Top 10",
622
+ "control_id": "Injection blast radius proportional to credential scope",
623
+ "control_name": "NHI-5 Over-Privileged NHI",
624
+ "tier": "Foundational",
625
+ "scope": "Both",
626
+ "notes": "Apply least-privilege to all LLM application credentials"
627
+ },
628
+ {
629
+ "framework": "OWASP NHI Top 10",
630
+ "control_id": "Injected session can use stolen long-lived tokens for extended period",
631
+ "control_name": "NHI-7 Long-Lived Credentials",
632
+ "tier": "Foundational",
633
+ "scope": "Both",
634
+ "notes": "Rotate all LLM application tokens; implement short-lived token pattern"
635
+ },
636
+ {
637
+ "framework": "NIST SP 800-218A",
638
+ "control_id": "PW.2.1-PS",
639
+ "control_name": "Design software to meet security requirements — adversarial input",
640
+ "tier": "Foundational",
641
+ "scope": "Both",
642
+ "notes": "Threat model the AI pipeline for adversarial input vectors including direct and indirect prompt injection; document mitigating design decisions"
643
+ },
644
+ {
645
+ "framework": "NIST SP 800-218A",
646
+ "control_id": "PW.7.2-PS",
647
+ "control_name": "Review the software for security vulnerabilities — model behaviour",
648
+ "tier": "Foundational",
649
+ "scope": "Both",
650
+ "notes": "Review model outputs and system behaviour for unexpected responses to adversarial inputs; include injection bypass scenarios in code and design reviews"
651
+ },
652
+ {
653
+ "framework": "NIST SP 800-218A",
654
+ "control_id": "PW.8.2-PS",
655
+ "control_name": "Test for security vulnerabilities — adversarial / red-team",
656
+ "tier": "Foundational",
657
+ "scope": "Both",
658
+ "notes": "Conduct adversarial testing (red-teaming) against prompt injection vectors before each production release; cover direct, indirect, and multimodal injection paths"
659
+ },
660
+ {
661
+ "framework": "NIST SP 800-218A",
662
+ "control_id": "RV.1.1-PS",
663
+ "control_name": "Identify and confirm vulnerabilities — AI-specific",
664
+ "tier": "Foundational",
665
+ "scope": "Both",
666
+ "notes": "Establish procedures to identify prompt injection incidents in production including monitoring, triage, and confirmation workflows"
667
+ },
668
+ {
669
+ "framework": "FedRAMP",
670
+ "control_id": "SI-3",
671
+ "control_name": "Malicious Code Protection — adversarial AI inputs",
672
+ "tier": "Foundational",
673
+ "scope": "Both",
674
+ "notes": "Extend malicious code protection to detect and block adversarial inputs including direct and indirect prompt injection payloads"
675
+ },
676
+ {
677
+ "framework": "FedRAMP",
678
+ "control_id": "SI-10",
679
+ "control_name": "Information Input Validation — prompt validation",
680
+ "tier": "Foundational",
681
+ "scope": "Both",
682
+ "notes": "Validate all inputs to LLM inference endpoints; enforce structural separation between instruction and data contexts; reject known injection patterns"
683
+ },
684
+ {
685
+ "framework": "FedRAMP",
686
+ "control_id": "RA-5",
687
+ "control_name": "Vulnerability Scanning — AI red-teaming",
688
+ "tier": "Foundational",
689
+ "scope": "Both",
690
+ "notes": "Include prompt injection vectors in vulnerability scanning programme; conduct regular automated and manual injection testing"
691
+ },
692
+ {
693
+ "framework": "FedRAMP",
694
+ "control_id": "CA-8",
695
+ "control_name": "Penetration Testing — AI adversarial testing",
696
+ "tier": "Foundational",
697
+ "scope": "Both",
698
+ "notes": "Include prompt injection scenarios in penetration testing engagements; cover direct, indirect, and multimodal injection paths"
699
+ },
700
+ {
701
+ "framework": "DORA",
702
+ "control_id": "Art. 9",
703
+ "control_name": "Protection and Prevention — adversarial input controls",
704
+ "tier": "Foundational",
705
+ "scope": "Both",
706
+ "notes": "Implement ICT security controls to detect and block adversarial inputs including direct and indirect prompt injection; treat as a mandatory protection measure"
707
+ },
708
+ {
709
+ "framework": "DORA",
710
+ "control_id": "Art. 24–27",
711
+ "control_name": "Digital Operational Resilience Testing — AI red-teaming",
712
+ "tier": "Foundational",
713
+ "scope": "Both",
714
+ "notes": "Include prompt injection scenarios in threat-led penetration testing (TLPT); cover direct, indirect, and multimodal injection vectors targeting financial AI services"
715
+ },
716
+ {
717
+ "framework": "DORA",
718
+ "control_id": "Art. 10",
719
+ "control_name": "Detection — injection monitoring",
720
+ "tier": "Foundational",
721
+ "scope": "Both",
722
+ "notes": "Deploy detection mechanisms for prompt injection attempts; monitor inference requests for adversarial patterns and alert security operations"
723
+ },
724
+ {
725
+ "framework": "DORA",
726
+ "control_id": "Art. 45",
727
+ "control_name": "Information Sharing — injection threat intelligence",
728
+ "tier": "Foundational",
729
+ "scope": "Both",
730
+ "notes": "Share prompt injection threat intelligence with sector peers through DORA information sharing arrangements"
731
+ }
732
+ ],
733
+ "tools": [
734
+ {
735
+ "name": "Garak",
736
+ "type": "open-source",
737
+ "url": "https://github.com/leondz/garak"
738
+ },
739
+ {
740
+ "name": "PromptBench",
741
+ "type": "open-source",
742
+ "url": "https://github.com/microsoft/promptbench"
743
+ },
744
+ {
745
+ "name": "LLM Guard",
746
+ "type": "open-source",
747
+ "url": "https://github.com/protectai/llm-guard"
748
+ },
749
+ {
750
+ "name": "Rebuff",
751
+ "type": "open-source",
752
+ "url": "https://github.com/protectai/rebuff"
753
+ },
754
+ {
755
+ "name": "NIST AI RMF Playbook",
756
+ "type": "open-source",
757
+ "url": "https://airc.nist.gov/Docs/2"
758
+ },
759
+ {
760
+ "name": "OWASP ZAP (for API testing)",
761
+ "type": "open-source",
762
+ "url": "https://www.zaproxy.org"
763
+ },
764
+ {
765
+ "name": "Claroty",
766
+ "type": "commercial",
767
+ "url": "https://claroty.com"
768
+ },
769
+ {
770
+ "name": "Dragos",
771
+ "type": "commercial",
772
+ "url": "https://www.dragos.com"
773
+ },
774
+ {
775
+ "name": "Garak (for adversarial testing)",
776
+ "type": "open-source",
777
+ "url": "https://github.com/leondz/garak"
778
+ },
779
+ {
780
+ "name": "Promptfoo",
781
+ "type": "open-source",
782
+ "url": "https://github.com/promptfoo/promptfoo"
783
+ },
784
+ {
785
+ "name": "PyRIT",
786
+ "type": "open-source",
787
+ "url": "https://github.com/Azure/PyRIT"
788
+ },
789
+ {
790
+ "name": "NIST SP 800-218A",
791
+ "type": "open-source",
792
+ "url": "https://doi.org/10.6028/NIST.SP.800-218A.ipd"
793
+ },
794
+ {
795
+ "name": "NIST SP 800-53A",
796
+ "type": "open-source",
797
+ "url": "https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final"
798
+ },
799
+ {
800
+ "name": "DORA RTS/ITS",
801
+ "type": "open-source",
802
+ "url": "https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-act-dora"
803
+ },
804
+ {
805
+ "name": "LAAF v2.0",
806
+ "url": "https://github.com/qorvexconsulting1/laaf-V2.0",
807
+ "type": "open-source"
808
+ }
809
+ ],
810
+ "incidents": [
811
+ {
812
+ "name": "Bing Chat 'Sydney' jailbreak — persona escape and threatening behaviour",
813
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
814
+ "year": 2023,
815
+ "incident_id": "INC-002"
816
+ },
817
+ {
818
+ "name": "ChatGPT indirect prompt injection via attacker-controlled web content",
819
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
820
+ "year": 2023,
821
+ "incident_id": "INC-003"
822
+ },
823
+ {
824
+ "name": "Chevrolet dealership chatbot agrees to sell car for $1",
825
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
826
+ "year": 2023,
827
+ "incident_id": "INC-005"
828
+ },
829
+ {
830
+ "name": "Indirect prompt injection in LLM email assistant via malicious email body",
831
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
832
+ "year": 2024,
833
+ "incident_id": "INC-007"
834
+ },
835
+ {
836
+ "name": "Microsoft Copilot for M365 — document exfiltration via indirect injection",
837
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
838
+ "year": 2024,
839
+ "incident_id": "INC-010"
840
+ },
841
+ {
842
+ "name": "WormGPT — uncensored LLM sold for cybercrime on dark web forums",
843
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
844
+ "year": 2023,
845
+ "incident_id": "INC-011"
846
+ },
847
+ {
848
+ "name": "LangChain and LlamaIndex RCE — agent code execution via prompt injection",
849
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
850
+ "year": 2023,
851
+ "incident_id": "INC-012"
852
+ },
853
+ {
854
+ "name": "Perez & Ribeiro — 'Ignore Previous Prompt': foundational direct injection study",
855
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
856
+ "year": 2022,
857
+ "incident_id": "INC-013"
858
+ },
859
+ {
860
+ "name": "Multimodal indirect injection — image-embedded instructions in GPT-4V",
861
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
862
+ "year": 2023,
863
+ "incident_id": "INC-015"
864
+ },
865
+ {
866
+ "name": "RAG corpus poisoning — embedding-space manipulation to force retrieval",
867
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
868
+ "year": 2024,
869
+ "incident_id": "INC-016"
870
+ },
871
+ {
872
+ "name": "GPT-4 system prompt extraction via jailbreak in production deployments",
873
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
874
+ "year": 2023,
875
+ "incident_id": "INC-018"
876
+ },
877
+ {
878
+ "name": "Multi-agent prompt injection cascade — demonstrated cross-agent goal propagation",
879
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
880
+ "year": 2024,
881
+ "incident_id": "INC-020"
882
+ },
883
+ {
884
+ "name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
885
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
886
+ "year": 2026,
887
+ "incident_id": "INC-021"
888
+ },
889
+ {
890
+ "name": "Greshake et al. \"Not What You've Signed Up For\" indirect prompt injection paper",
891
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
892
+ "year": 2023,
893
+ "incident_id": "INC-022"
894
+ },
895
+ {
896
+ "name": "Nassi et al. \"ComPromptMized\" Morris II multi-agent worm",
897
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
898
+ "year": 2024,
899
+ "incident_id": "INC-023"
900
+ },
901
+ {
902
+ "name": "Slack AI indirect injection via channel content",
903
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
904
+ "year": 2024,
905
+ "incident_id": "INC-024"
906
+ },
907
+ {
908
+ "name": "GitHub Copilot Workspace prompt injection via repository content",
909
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
910
+ "year": 2024,
911
+ "incident_id": "INC-025"
912
+ },
913
+ {
914
+ "name": "MathPrompt: symbolic mathematics jailbreak attack",
915
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
916
+ "year": 2024,
917
+ "incident_id": "INC-027"
918
+ },
919
+ {
920
+ "name": "Many-shot jailbreaking (Anthropic research)",
921
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
922
+ "year": 2024,
923
+ "incident_id": "INC-028"
924
+ },
925
+ {
926
+ "name": "Crescendo: multi-turn escalation attack (Microsoft)",
927
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
928
+ "year": 2024,
929
+ "incident_id": "INC-029"
930
+ },
931
+ {
932
+ "name": "Skeleton Key: direct system prompt override (Microsoft)",
933
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
934
+ "year": 2024,
935
+ "incident_id": "INC-030"
936
+ },
937
+ {
938
+ "name": "OpenAI o1/o3 reasoning chain jailbreak via chain-of-thought manipulation",
939
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
940
+ "year": 2025,
941
+ "incident_id": "INC-033"
942
+ },
943
+ {
944
+ "name": "Azure OpenAI content filter bypass via structured output mode",
945
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
946
+ "year": 2025,
947
+ "incident_id": "INC-037"
948
+ },
949
+ {
950
+ "name": "Adversarial embedding attacks on production RAG systems",
951
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
952
+ "year": 2024,
953
+ "incident_id": "INC-046"
954
+ }
955
+ ],
956
+ "crossrefs": {
957
+ "agentic_top10": [
958
+ "ASI01",
959
+ "ASI02"
960
+ ],
961
+ "dsgai_2026": [
962
+ "DSGAI01",
963
+ "DSGAI15",
964
+ "DSGAI12"
965
+ ]
966
+ },
967
+ "changelog": [
968
+ {
969
+ "date": "2026-03-27",
970
+ "version": "1.0.0",
971
+ "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
972
+ "author": "emmanuelgjr"
973
+ }
974
+ ]
975
+ }