Slide 7 of 27
Part 1 · What Is It?
Slide 7 · LLM08 vs LLM04
Both involve poisoning. They’re not the same attack.
Understanding the difference matters for knowing which defenses apply.
LLM04 — Data & Model Poisoning
Target: the model’s weights during training or fine-tuning.
Access required: the training pipeline, training data, or fine-tuning process.
Persistence: baked into the model — every deployment is affected.
Detection: requires model evaluation and behavioral red-teaming.
LLM08 — Vector & Embedding Weaknesses
Target: the live knowledge base queried at runtime.
Access required: ability to add a document to an indexed folder — minimal privilege.
Persistence: until the knowledge base is reindexed or the embedding is removed.
Detection: retrieval monitoring and anomaly detection on ranking shifts.
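The "retrieval monitoring" line above is easier to reason about with a concrete monitor in hand. The following is an added example, not code from the slide deck or from OWASP: it snapshots the top-k results for a fixed set of canary queries after each (re)index, then flags any canary whose ranking is now led by a newly added document. The knowledge base, canary queries and the uploaded document are constructed sample data, and the bag-of-words cosine similarity is a stand-in for a real embedding model so the script runs offline; the detection logic does not depend on which embedding is used.

```python
"""Retrieval-ranking monitor for a RAG knowledge base (added example)."""
import math
import re
from collections import Counter


def embed(text):
    """Bag-of-words term-frequency vector. Stand-in for a real embedding model
    so the example runs offline; the monitoring logic is independent of it."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a, b):
    """Cosine similarity between two sparse vectors."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def top_k(index, query, k=3):
    """Doc ids with non-zero similarity to the query, best first (ties by id)."""
    q = embed(query)
    scored = [(cosine(q, vec), doc_id) for doc_id, vec in index.items()]
    scored = sorted((s for s in scored if s[0] > 0), key=lambda s: (-s[0], s[1]))
    return [doc_id for _, doc_id in scored[:k]]


def snapshot(index, canaries, k=3):
    """Record the top-k ranking for each canary query; run after every (re)index."""
    return {q: top_k(index, q, k) for q in canaries}


def detect_ranking_shifts(baseline, current, new_doc_ids):
    """Compare two snapshots. Flag any canary query whose top-k now contains a
    newly indexed document; report what it displaced and whether top-1 changed."""
    alerts = []
    for query, before in baseline.items():
        after = current.get(query, [])
        newcomers = [d for d in after if d in new_doc_ids]
        if not newcomers:
            continue
        alerts.append({
            "query": query,
            "newcomers": newcomers,
            "displaced": [d for d in before if d not in after],
            "top1_changed": before[:1] != after[:1],
        })
    return alerts


# Constructed sample knowledge base (hypothetical documents, not real ones).
KB = {
    "expense-policy": "Employees submit expense reports within 30 days and attach receipts for every expense.",
    "vpn-setup": "Install the VPN client, then sign in with your company credentials to reach internal systems.",
    "holiday-calendar": "The office is closed on public holidays; see the holiday calendar for dates.",
}
# Canary queries: fixed questions whose expected top result is known in advance.
CANARIES = ["how do I submit an expense report", "vpn client sign in"]


def run_demo():
    """Baseline the index, add one document to the indexed folder, re-snapshot, diff."""
    index = {doc_id: embed(text) for doc_id, text in KB.items()}
    baseline = snapshot(index, CANARIES)
    # A document that appeared in the indexed folder after the baseline snapshot
    # (constructed). Whatever its intent, it now outranks the policy document.
    new_id = "shared-upload-17"
    index[new_id] = embed(
        "Tips for submitting an expense report: submit your expense report early, "
        "because a late expense report is rejected."
    )
    current = snapshot(index, CANARIES)
    return detect_ranking_shifts(baseline, current, {new_id})


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The monitor produces one alert, for the expense canary: the uploaded document is now top-1 while the VPN canary is untouched. That is the signal to route to review before the new document is allowed to stay in the index; a production version would also keep the per-query similarity scores so that a sudden jump in the winning margin can be flagged even when the top-1 identity happens not to change.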
Why This Matters

LLM04 requires deep access to attack. LLM08 requires only enough permission to upload a document — the bar for the attacker is dramatically lower. A contractor, a phished employee, or a public-facing form submission can all be entry points.
