It all started in 2013, when Tomáš Zaťko and I sat in our first “office”, a rented meeting room of 3 x 5m2, on Lazaretska street, and got down to business. We weren’t technically a company yet, but were eagerly awaiting the announcement of the registration of Citadel s.r.o. We didn’t have a coffee machine, but we had Sencha and “Matéčko”, which gave us the energy to write a report for a client in OpenOffice, without a template.
To help with projects, “Alino” (Marek Alakša) came along and despite the laws of physics, we managed to squeeze a third desk into the office. Soon after, we figured that now being a “large corporation”, Tomáš deserved a separate office, partly because he was the CEO and partly because he was always on the phone handling business. This freed up space for another junior reinforcement, Martin “Momo” Orem. Learning from the past, given the space, he got a children’s table from the kitchen, a no-phone policy, and a motivational poster. Now, as a multi-member team, we were ready to hack a bank. When we got there, they seated us in the developers’ open space at a small table with broken chairs, and instead of the promised testing iPhone, they gave us a Windows phone. These minor technical difficulties didn’t stop us from hacking, neither then nor in the next round when, for a change, they seated us by the coffee machine on a fit-ball. And so, we hacked the first bank!
We were expanding and HR Lucia kept wanting us to compile technical questions for applicants, but we, as technicians, had other plans. We agreed that we didn’t want theory but practice, and especially to have the computer do the work for us, so in 2014 our first CTF (Catch the Flag) was born. Nethemba was our big competition, so we went out for beers with them. We envied them for not having to do state projects, as we initially had to. For the imitation of company culture, we officially used Jabber OTR for communication but internally we used SILCi. We also thought it would be good to share what music played in our office, so the developers at the customer’s could better endure testing their applications. And so we created our last.fm.
Project management at our size of “multinational corporation” was no longer simple, so we had to mark our projects on a “board.” But to have at least some project management and not have to phone and email between hacking, in 2015 we brought in Marek Paták. He claimed to be Princ2, first he transferred our board to Excel, then instead of metal he played Depeche Mode for us, and eventually started hitting us on the head with a stick due to deadlines.
Martin Leskovjan then brought us 2 black suitcases from Prague like from action movies, which contained InteliGen NT controllers (control units for secure monitoring of critical infrastructure) from ComAp, with the words “It’s for free, but they’d like to see what all you could do with it.” And then he and Alino locked us in a small black meeting room for a month. But we did literally everything with it. Writing the report took us a week and reading it to the client even longer. But we’ve been friends ever since.
As it was fitting for “corporations” of our scale, we went to some conferences. First to Zero Nights in Moscow, where Alexander “Solar Designer” Peslyak waved at us for a photo. And then due to great success, we also went to OWASP Amsterdam at the end of the year, where we met Nicolas Grégoire while playing little game of football.
In 2016, Leskič came up with the best demonstration we ever had - with a hacked dam. Little plastic soldiers, who countless times sacrificed their lives to raise security awareness at professional conferences, and thus helped us open doors to white hacking in the energy industry.
When customers vacationed in the summer and there wasn’t much work, we went to get educated in Krakow at Confidence. Mainly to grill on the beach and socialize, for example with people from Akamai, who demonstrated incredible abilities of finding the right way (home) regardless of their state (intoxication) and still talked about novelties in the design for TLS. These events inspired us to create our own event, so we created Citadelo Security Evening(CSE). At the first evening, people applauded our lectures standing up, probably because there weren’t enough chairs in the meeting room… then they helped us finish rum and whiskey until morning out of solidarity.
A characteristic of a “large corporation” is that there is no time to get things done, so Tomáš came up with the idea to introduce 4DX. It seemed strange to do more when there wasn’t time, but it worked. Processes were recorded, estimates improved and there was still time for FROG. At the end of the year, it was “almost perfect”.
And when Leskič didn’t want to travel to Bratislava in 2017 and we wanted to travel to Paralelní Polis for coffee in exchange for LTC, we created Citadelo CZ. We brought in Roman Rossa to help, so Martin wouldn’t sit in Prague alone. Our expansion thus took on a strategic character. And like in every decent corporation, we reopened the idea of company t-shirts. Green polo shirts didn’t catch on, so we ended up with hoodies again. And to have someone to show off our new hoodies to, and also to learn new tricks with Burpsuit, we invited Nicolas Grégoire for training. It was a super two days full of hacking mixed drinks.
Some time has passed since then and our team has multiplied. We have pentest rooms full of expert hackers, classic departments like sales, marketing, and HR have emerged. We even have Country Managers, given the multiple locations in Prague, Bratislava, and Zug. We also acquired talented Swiss investors, and from small meeting “offices” we’ve grown into legitimate offices. The most important thing, however, is that we managed to gain the trust of clients not only at home but also around the world. We grew into an experienced and stable partner for our customers just as we imagined in the 3 x 5m2 meeting room on Lazaretska. And finally, we have a coffee machine.