Bots and AI have long been joined at the hip. The earliest CAPTCHA tests, invented to deter bots, were designed as problems that are easy to solve for humans but hard for AI—a distinction that harks back to a 1950 Alan Turing publication on computer intelligence. More recently, security firms, including F5, have deployed AI to detect bots just as bot creators have applied AI to bypass detection and solve CAPTCHA challenges. With generative AI, the linkages between bots and AI continue to evolve, with bots extracting content from the Internet to feed large language models (LLMs) and AI agents—essentially smart bots—interacting with apps in unintended ways. We also see this tight intertwining of bots and AI when we consider the 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps.
Bots are certainly not the only means of exploiting LLM vulnerabilities. LLM security is a complex, rapidly evolving field in cybersecurity, and I do not want to simplify the challenge by posing a single cause or solution. Nonetheless, we know that adversaries nearly always use bots in one form or another to scale cyberattacks, and so mitigating bots removes an important tool from the cybercriminal’s arsenal. To understand why bot mitigation is as relevant to LLM security as it is for web, mobile, and API security, let’s walk through the OWASP Top 10 security risks for LLMs for 2025 and consider how an adversary might apply bots to exploit each vulnerability.
1. Prompt injection
A prompt injection attack seeks to alter the behavior of LLMs in malicious ways that, according to OWASP, may cause the models “to violate guidelines, generate harmful content, enable unauthorized access, or influence critical decisions.” To impact the behavior of models through prompts, it may well be necessary for the adversary to inject many prompts—flooding the model with harmful prompts to either maximize the harm or hit upon a prompt that achieves the desired outcome. To input a sufficiently large number of malicious prompts, adversaries will require bots for automation.
2. Sensitive information disclosure
In the race to build LLMs that provide business value to employees and customers, organizations will train models on vast data stores proprietary to the organization. However, these data stores may contain sensitive information, including personal data and trade secrets. Adversaries will almost certainly probe these models hoping to disclose that sensitive data. And because adversaries may not know exactly what data they are looking for and how to specifically prompt for it, they may take a brute force approach, issuing many prompts in the hope that one discloses valuable sensitive information. To run a large number of prompts against models, adversaries looking to scale their attacks will deploy bots.
3. Supply chain
Like any information system, LLMs have dependencies, including training data, foundation models, and deployment platforms, which means that adversaries can compromise an LLM by compromising its supply chain. To compromise dependencies, adversaries will likely use bots to manipulate data stores with fake information, crack authentication systems with credential stuffing or real-time phishing proxies, and probe for authorization vulnerabilities.
4. Data and model poisoning
In data poisoning, adversaries manipulate pre-training, fine-tuning, or embedding data to introduce vulnerabilities, backdoors, or biases. According to OWASP, “this manipulation can compromise model security, performance, or ethical behavior, leading to harmful outputs or impaired capabilities.” While there are many methods adversaries may employ to manipulate data, bots are a common tool across many attack types, from breaking authentication or authorization to inserting fake data into data stores through applications that lack bot protection.
5. Improper output handling
Improper output handling refers to a failure to check if the output of an LLM model could harm a system that relies on that output. While the vulnerabilities of supply chain and data and model poisoning refer to compromises to systems upstream of the LLM model, improper output handling impacts systems downstream; that is, systems that depend on output from the LLM model. According to OWASP, “successful exploitation of an improper output handling vulnerability can result in cross-site scripting (XSS) and cross-site request forgery (CSRF) in web browsers as well as server-side request forgery (SSRF), privilege escalation, or remote code execution on backend systems.”
To look at this another way, the adversary uses the LLM to attack another application that relies on the LLM output. While an attacker may exploit this vulnerability through carefully handcrafted inputs to an application, the attacker may attempt to brute force the attack through automation, trying many variations to discover an input that produces an output that harms a downstream application. The automation will try to force malicious output from the model and test whether the output had the desired ill effect on the application. To scale this type of probing will require bots.
6. Excessive agency
Excessive agency is a form of privilege escalation carried out through an LLM-based system. The vulnerability derives from an LLM-based system running with elevated privileges, enabling it to call functions or interface with other systems. The adversary, not knowing where the LLM-based system has escalated privileges or how to exploit that escalation, will likely use automation to input multiple prompts, hoping to trigger and exploit a privilege escalation.
7. System prompt leakage
Applications built on LLMs often provide the LLM with system prompt instructions that guide the model’s behavior to meet the application’s requirements. In practice, system prompts may contain secrets: connection strings to databases, proprietary code, intellectual property, or other content that enterprises should keep secure. System prompt leakage, then, is a specific form of prompt injection that triggers an application to inadvertently reveal its system instructions.
Causing an LLM to expose these secrets through prompts is not trivial, and almost certainly adversaries will develop automated scripts to more effectively probe for sensitive data embedded in system prompts.
8. Vector and embedding weaknesses
LLM applications often improve model output by supplying additional context through a technique referred to as retrieval-augmented generation (RAG). The content provided to LLMs via RAG is not raw text, but rather preprocessed vectors with embedded metadata and content. According to OWASP, “weaknesses in how vectors and embeddings are generated, stored, or retrieved can be exploited by malicious actions (intentional or unintentional) to inject harmful content, manipulate model outputs, or access sensitive information.” In other words, adversaries can go after the RAG content and its processing to attack the LLM system.
Enterprises implement their own processes and define the scope for RAG content to meet the specific needs of their organization, meaning the content and its flaws will be unique to the organization. From the adversary's perspective, discovering these flaws will not be easy, so it will certainly require automated exploration, meaning the use of bots.
9. Misinformation
When LLMs produce false or misleading information, systems that rely on that information may malfunction, resulting in security breaches, reputational damage, and legal liability. LLMs may produce misinformation through hallucinations or because of biases and gaps in training data.
Adversaries looking to exploit hallucinations will likely automate their prompting and response analysis. For example, by automating the code generation process—that is, using an LLM to generate many instances of computer code—adversaries can find code references to software libraries that do not actually exist. The adversary can then create a malicious software library in whatever code repository the LLM hallucinated. If the code that the LLM generates is not adequately reviewed, the malicious library will be embedded in the released product.
Adversaries can likewise use bots to manipulate training data, intentionally inputting massive amounts of data intended to bias the model.
10. Unbounded consumption
The tenth OWASP LLM vulnerability, unbounded consumption, is a close match to the OWASP API vulnerability named unrestricted resource consumption as well as to the OWASP automated threat called denial of service. The adversary exceeds the expected number of requests to such an extent that the inference service experiences a denial of service, performance degradation, and excess costs. According to OWASP, “the high computational demands of LLMs, especially in cloud environments, make them vulnerable to resource exploitation and unauthorized usage.” To exceed the expected usage, adversaries will almost certainly use bots to scale the request volume.
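A complementary control for unbounded consumption, as an added example that is not from the original article: a per-client sliding-window budget charged in tokens rather than requests, so that a handful of very expensive prompts is caught even when the request count looks normal. The client names, token counts, and limits are constructed, and counting cost as prompt tokens plus the requested output cap is an assumption.

```python
from collections import defaultdict, deque

class TokenBudget:
    """Sliding-window budget per client, charged in tokens, not requests."""

    def __init__(self, max_tokens, window_seconds):
        self.max_tokens = max_tokens
        self.window = window_seconds
        self.spend = defaultdict(deque)  # client -> deque of (timestamp, cost)
        self.total = defaultdict(int)    # client -> tokens spent inside window

    def _expire(self, client, now):
        """Drop charges that have aged out of the window."""
        queue = self.spend[client]
        while queue and queue[0][0] <= now - self.window:
            _, cost = queue.popleft()
            self.total[client] -= cost

    def allow(self, client, prompt_tokens, max_output_tokens, now):
        """Admit a request only if its worst-case cost fits the budget."""
        self._expire(client, now)
        cost = prompt_tokens + max_output_tokens
        if self.total[client] + cost > self.max_tokens:
            return False  # rejected requests are not charged
        self.spend[client].append((now, cost))
        self.total[client] += cost
        return True

# Constructed request log: (seconds, client, prompt_tokens, max_output_tokens)
SAMPLE = [
    (0, "browser-user", 200, 500),
    (1, "scripted-client", 3000, 4000),
    (2, "scripted-client", 3000, 4000),
    (3, "scripted-client", 3000, 4000),   # third large request in 3 seconds
    (30, "browser-user", 150, 500),
    (62, "scripted-client", 3000, 4000),  # earlier charges have expired
]

def replay(log, max_tokens=15000, window_seconds=60):
    """Run the log through a fresh budget; return (time, client, allowed)."""
    budget = TokenBudget(max_tokens, window_seconds)
    return [(t, c, budget.allow(c, p, o, t)) for t, c, p, o in log]

if __name__ == "__main__":
    for t, client, allowed in replay(SAMPLE):
        print(f"t={t:>3}s {client:<16} {'allowed' if allowed else 'rejected'}")
```

In the sample, a limit of a few requests per minute would admit all three large requests from `scripted-client`, while the token budget rejects the third.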
Implementing bot protections
With many organizations facing pressure to move fast in bringing AI capabilities to market and with the security implications of LLMs not fully understood, they should consider implementing bot protections in front of LLM-based applications as well as the applications that feed data into LLM models. The more attacks adversaries can launch, the greater their chance of success. F5 provides a particularly effective bot protection service, F5 Distributed Cloud Bot Defense, itself built on AI, that helps organizations gain the upper hand against adversaries that use bots and automation to target LLM applications.