
24 April 2025

Ethical Hacking Report 2024: Six Vulnerabilities in Almost Every Tested System


In 2024, we conducted nearly 500 penetration tests that revealed 2,820 vulnerabilities across web applications, infrastructure, cloud environments, and mobile platforms. This report offers a clear view of the cybersecurity landscape as we see it—through the eyes of certified ethical hackers whose mission is to expose vulnerabilities before malicious actors can exploit them. At Citadelo, we’re driven by a vision of a safer digital world, one where black hats have no place.

From banks to tech startups, our testing revealed the same uncomfortable truth: critical vulnerabilities are more common than most expect. Based on more than 468 penetration tests performed in 2024, we identified a total of 2,820 vulnerabilities of varying severity across our client base. We discovered critical flaws in approximately 30% of all tested projects, and nearly every system included at least one medium risk vulnerability. On average, each system contained six weaknesses. These findings confirm that organizations across all sectors continue to face significant cybersecurity threats.

The following chart gives a full overview of the tests performed by Citadelo in 2024:

[Chart: overview of tests performed in 2024]

Click HERE to download our full report.

“At first glance, the number of vulnerabilities we found last year might seem alarming. But I see it differently—we managed to uncover thousands of weaknesses before real hackers could exploit them,” says Tomáš Zaťko, CEO of Citadelo. “Moreover, the number of critical vulnerabilities dropped by 20%. That’s a clear sign that only regular testing provides organizations with real protection from cyberattacks.”

Vulnerability risks in 2024

This chart shows a breakdown of the prevalence of the different types of vulnerabilities identified throughout our testing. Download the full report HERE.

Our findings show that web applications, infrastructure, and cloud environments remain the most common—and most critical—sources of vulnerabilities. Many companies continue to underestimate basic security practices, such as proper system configuration, regular updates, and access management.

From an industry perspective, the banking and finance sector dominated, accounting for over 56% of all projects. It was followed by companies in system integration, telecommunications, software development, and energy.


In the following sections of this article, we take a detailed look at the numbers, types of vulnerabilities, and recurring mistakes that should not be ignored.

Web Applications: Source of Critical Vulnerabilities

According to our data, web applications were the most commonly tested type of project in 2024 and also accounted for the highest number of vulnerabilities—including the greatest share of critical flaws across all categories.

SQL injection attacks, according to Statista, are the most frequent global threat and account for 23% of critical vulnerabilities in web applications worldwide. Other common issues include XSS (cross-site scripting), broken authentication, and misconfigured servers. If attackers manage to exploit a critical vulnerability, they can gain access to internal systems, user data, or administrative interfaces—resulting not only in financial losses but also in damaged customer trust and potential legal consequences.
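To make the injection point the paragraph describes concrete, here is an added example (not code from the report or from Citadelo) showing the difference between a query built by string formatting and a parameterized one. The database, table and the three user rows are constructed for the demonstration; the payload is the classic tautology used to illustrate why user input must never be spliced into SQL text.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not data from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b"), ("carol", "s3cr3t-c")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: the value is pasted into the SQL text, so any quote
    # or operator in the input is parsed as SQL syntax by the engine.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, username):
    # Hardened pattern: a bound parameter. The driver passes the value
    # separately from the statement, so it can only ever be compared as data.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return sorted(row[0] for row in rows)


# Illustrative tautology payload: turns the WHERE clause into "always true".
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups with a normal name, the payload and a legitimate
    name containing an apostrophe; return the observed results."""
    conn = make_db()
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
        # A real name with a quote breaks the concatenated query outright,
        # which is the same bug seen from the availability side.
        "safe_apostrophe": lookup_safe(conn, "o'brien"),
    }
    try:
        results["vulnerable_apostrophe"] = lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        results["vulnerable_apostrophe"] = "error: " + type(exc).__name__
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The payload makes the concatenated query return every user, while the parameterized query returns nothing because no username literally equals the payload string. The apostrophe case is worth keeping in a test suite: the concatenated version raises a syntax error on ordinary input, which is often the first symptom of this class of bug in production logs.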

Mobile Applications: Why Server-Side Testing Is Not Enough

Mobile apps represent a growing cybersecurity challenge, particularly due to their widespread use and access to sensitive data. In 2024, we saw a notable increase in the number of vulnerabilities discovered in mobile projects.

Our analysis often uncovers numerous low- and note-level (informational) vulnerabilities, particularly in client-side components (e.g., APK/AAB or IPA packages). While not immediately exploitable, these weaknesses can serve as entry points for further attacks.

Common issues include weak data encryption, poor user authentication, and a lack of protections against reverse engineering. These flaws can enable attackers to access internal APIs, extract sensitive data from the device, or tamper with the application’s logic.

While mobile applications were less likely to contain critical vulnerabilities compared to web applications, that doesn’t mean they are less risky. Quite the opposite—since these apps reside in users’ hands and often access personal or financial information, they must be tested regularly and secured thoroughly.

Cloud Environments: A Growing Cyberattack Target

Cloud projects are now a staple of corporate IT infrastructure, but their security is still frequently underestimated.

Moreover, in 2025, cloud security is becoming one of the most important trends in cybersecurity. Organizations worldwide face an increasing number of attacks targeting cloud infrastructures, leading to significantly higher investments in cloud protection. According to a Fortinet report, 63% of organizations plan to increase their cloud security budgets in the coming year, with cloud now accounting for roughly 35% of overall IT security spending.

Many businesses mistakenly rely on basic audits provided by cloud vendors, believing them to be sufficient. But they are not. This false sense of security results in the oversight of serious vulnerabilities that may go undetected for long periods. In our 2024 tests, we recorded 345 vulnerabilities in cloud-based projects—a significant portion of the total 2,820 findings.

Internal Infrastructure: Overlooked Security Area

IT infrastructure security is another crucial yet frequently overlooked area of corporate cybersecurity. Although infrastructure projects made up just 7.7% of all tests in 2024, they accounted for the second-highest number of critical vulnerabilities.

Companies often assume that isolated systems not connected to the public internet are immune to attacks. As a result, these environments often lack adequate protection.

But even offline internal infrastructure is not safe. Attackers can infiltrate such systems through compromised employee devices—for example, via phishing or malicious email attachments. A single infected laptop connected to the network can become a gateway for a wider attack.

This false sense of security leads to insecure services running on internal networks, exposed access endpoints, or outdated software. Once one segment of the infrastructure is compromised, attackers can quickly spread throughout the environment.

Our tests reveal not only technical vulnerabilities but also process-related weaknesses—such as poor access control segmentation and missing system monitoring.

Social Engineering: Employees Remain the Weakest Link

Social engineering remains one of the most widespread cyber threats. Hackers target human behavior because even the most secure infrastructure becomes vulnerable when one employee clicks a malicious link or downloads an infected file.

In 2025, these attacks are becoming even more sophisticated. With the widespread availability of large language models, cybercriminals can now generate personalized, grammatically flawless phishing emails. Vishing (voice phishing) and smishing (SMS phishing) are also on the rise—where attackers impersonate colleagues, banks, or executives using well-crafted social scenarios.

Despite the growing threat, we observed a decline in the demand for social engineering testing in 2024. That’s unfortunate, as our data shows that first-time test participants suffered successful compromises in up to 40% of cases. However, organizations that undergo repeated testing and targeted training see dramatically lower success rates for phishing attacks—often in the low single digits.

Cybersecurity Trends in 2025: Key Risks and How to Stay Ahead

And what can we expect from 2025? In addition to increased interest in cloud environments among attackers, we see significant momentum building around Threat-Led Penetration Testing and the security testing of large language models (LLMs).

Testing Language Models: How to Secure Your Data when Using Generative AI

Large language models, such as ChatGPT, became an integral part of corporate tools and workflows in 2024. But this rapid adoption brings with it a new set of security risks.

LLM vulnerabilities differ from traditional IT flaws. For example, prompt injection allows attackers to manipulate input data in a way that causes the model to change its behavior or reveal unintended information. Another risk is data poisoning, where attackers influence the model’s output by manipulating its training data—leading to misinformation or harmful recommendations.

Our testing approach for LLMs focuses not only on the model’s technical security, but also on how it is deployed, protected against unauthorized access, and how its input/output interfaces are secured. Initial tests have shown that without robust safeguards, even widely used LLM applications can be exploited to extract sensitive data or bypass company policies.

Threat-Led Penetration Testing: A Regulated Simulation of Real-World Attacks

Threat-Led Penetration Testing (TLPT) represents the next level of penetration testing, particularly in highly regulated sectors like banking and insurance. In 2025, TLPT is expected to become a key method for verifying how resilient organizations are to real-world attacks.

Unlike traditional testing, TLPT is based on real-time threat intelligence and simulates attacks as they would be carried out by motivated adversaries. This approach follows frameworks like TIBER-EU, which outlines specific methodologies and coordination requirements between the tested entity, the security team, and regulators. The goal is not just to uncover vulnerabilities but to assess how quickly and effectively an organization can respond to sophisticated threats.

Citadelo is ready to support large institutions in implementing TLPT. With our experience in large-scale security projects and a focus on realistic attack scenarios, we help organizations strengthen their defenses where it matters most.

The findings of the Ethical Hacking Report 2024 make one thing clear: no organization is immune to cyber risk. With an average of six vulnerabilities per system—and critical flaws present in the vast majority of tested environments—cybersecurity can no longer be treated as a reactive function.

Regular, structured testing is the key to tackling the evolving cybersecurity challenges of 2025. Companies that consistently test and adapt their defenses see a measurable reduction in critical vulnerabilities and significantly improve their resilience against real-world threats.

Want to know how many vulnerabilities are in your system? Contact us today and turn your weaknesses into strengths!

© 2024 citadelo AG. All rights reserved.