20 May 2026 / 6 minutes of reading
In 2025 we identified 3,293 vulnerabilities in total, 17% more than in 2024. This report offers a view of the cybersecurity landscape as we see it: a team of certified ethical hackers whose mission is to uncover vulnerabilities before real attackers can exploit them.

“At first glance, 3,293 may sound alarming. For us, however, it represents 3,293 moments when we stood on the right side – identifying real risks before they could be exploited. Every finding is a reminder that security isn’t about perfection; it’s about staying one step ahead and protecting what matters: operations, continuity, and trust.”
— Gabriel Lachmann, CEO, Citadelo

As a general rule, the lower the severity of a risk, the more often it appears. “Low” severity vulnerabilities were the largest group at 33% of all identified issues, and findings rated “Note” were the second-largest at 32%. Remediation of “Note” findings is recommended, but they pose no immediate threat to the operation of the tested system.
Year over year, critical vulnerabilities rose by 42%; they represent 6% of all findings and require immediate remediation. “High” severity vulnerabilities increased by 14%, and “Medium” risks were up 44% compared to 2024.
A concerning signal is a false sense of security around internal infrastructure and cloud environments: these two categories showed the highest average number of vulnerabilities per project of all tested types.
A significant trend is the sharp rise in security testing of AI-powered solutions and large language models (LLMs). The number of such engagements doubled year over year. While AI is fundamentally changing how businesses operate, it also introduces new classes of vulnerabilities – such as prompt injection, sensitive data leakage, and inadequate access controls.
Web projects were by far the most common type we tested, accounting for 55% of all projects. Infrastructure projects ranked second at 17%, followed by API projects at 8%, and cloud and mobile applications at 6% each.

Web applications are the most frequently tested type of solution, and they also recorded the highest total number of identified vulnerabilities of any category. This segment also showed the second-highest share of medium- and high-severity vulnerabilities among all project types.
As mobile app usage continues to grow, so has the number of confirmed vulnerabilities. The higher occurrence of “Medium” severity findings is largely due to our analysis of the client-side layer, that is, the packaged Android (APK/AAB) and iOS (IPA) application binaries themselves. For desktop applications, we saw a 25% increase in critical vulnerabilities and a 66% increase in “High” severity findings.
Red Teaming is the most comprehensive and realistic simulation of a real-world cyberattack – it tests a company’s security holistically, covering not just systems, but also people, processes, and physical security. In 2025, Red Teaming engagements saw a 33% increase in vulnerabilities overall, with critical vulnerabilities up by 50%.
Infrastructure projects accounted for 17% of all engagements. This category had the highest number of critical and “High” severity vulnerabilities, more even than web projects. A troubling pattern here is a false sense of security: organizations assume their internal infrastructure is safe simply because it is not directly internet-facing, and as a result they test it less frequently. The reality tells a different story: 71% of infrastructure projects contained at least one critical vulnerability, as did 42% of cloud projects. Both categories also showed the highest average number of vulnerabilities per project.
Much like internal infrastructure, cloud environments tend to suffer from a false sense of security. Clients often assume that the audits built into cloud services are sufficient. Provider certifications, however, cover the provider’s side of the shared-responsibility model, and built-in posture checks only flag the misconfigurations they are designed to detect; neither replaces a test of the customer’s own configuration, identities and workloads. In practice this belief has led to critical vulnerabilities being overlooked, ones we only uncovered during our own testing.
In 2025 we ran four times as many social engineering engagements as the year before, and 57% of them contained a critical vulnerability. Our data shows that in first-time assessments the simulated attack succeeds in up to 40% of cases. Regular testing combined with targeted employee training can significantly reduce that rate.
“The most serious risks often arise where organizations least expect them – in internal systems, unsecured vendors, cloud environments, or complex scenarios uncovered through Red Teaming. As AI and LLM solutions become more widespread, a new category of risk is emerging that demands specialized testing and an attacker’s mindset.”
— Tomáš Horváth, Sales Director, Citadelo
We test across all industries. In 2025, 54% of our projects came from the financial sector. Software development was the second-largest segment, accounting for more than 11% of all assessed projects.
The 3,293 vulnerabilities we identified reflect the current state of cybersecurity and underscore why systematic penetration testing is more important in 2026 than ever before. While lower-severity findings made up the majority of our discoveries, each of the 187 critical vulnerabilities represented the potential for a serious security incident had it not been addressed in time.
Our data also points to a key common denominator: where security is underestimated, we consistently find more vulnerabilities. This is especially true for internal infrastructure and cloud environments. The conclusion is clear: security cannot be taken lightly.