The OWASP Top Ten lists vulnerabilities which can be generalized for most web application infrastructures. ASM doesn't offer attack signatures for the "OWASP Top Ten" exactly. When you build your policy, you need to specify the system(s) that are appropriate for your environment. For example, you might select Unix/Linux, Apache, PHP, and MySQL. By providing this info, ASM will apply attack signatures that are relevant to your operating system, framework, DB, and other elements of your enterprise. So, if you chose MySQL, you will get all of the attack signatures which match patterns for SQL injection--loosely defined as "Injection Attacks" by OWASP. It is also possible that not all of the OWASP vulnerabilities exist in your app(s). A recommended approach is to understand which vulnerabilities exist, and then tailor ASM to mitigate those vulnerabilities. Make sense?