Citadelo vulnerability stats 2021

Citadelo vulnerability stats 2021

Over the years, Citadelo has performed thousands of security assessments and penetration tests globally. This first-hand testing experience and the extensive sample size have allowed us to gain unique insights into the current state of cyber security and the prevalence of various vulnerabilities across different types of IT projects.

In 2021, the statistics we gathered from our own first-hand testing of over 275 projects revealed a total of 2,677 vulnerabilities of varying criticality. On average 50% of projects suffered from at least one critical vulnerability, and medium- to high-level vulnerabilities were found in nearly every project tested.

These results confirm the absolute necessity for comprehensive penetration testing for any IT project, regardless of vertical. The frequency and sophistication of cyber-attacks are constantly on the rise and penetration testing and full-stack security assessments are more crucial than ever in 2022.

Vulnerabilities found

In Citadelo’s penetration testing and full-stack security analysis, we identify a full range of project risks, from suggested best practices to critical vulnerabilities. We use the following risk types to categorize the vulnerabilities we identify, from lowest to highest risk:

  • Note
  • Low
  • Medium
  • High
  • Critical

On average, Note risks made up the highest proportion of vulnerabilities identified at 48%. These types of risks are still highly advisable to resolve but do not present an immediate threat to projects. Critical risks, on the other hand, made up just 5% of the vulnerabilities identified. However, these types of risks represent immediate threats to projects and must be remedied as quickly as possible.

Risks by project type

  • Web-based projects (websites or APIs) were the most common type of project tested, comprising over 50% of all projects. As the most common project type, they also suffer the most total vulnerabilities.

  • Combined projects were the next most common at 15%. Consisting of several different types of sub-projects, this project type contained the highest average number of vulnerabilities.

  • Infrastructure projects made up 12% of projects tested and contained a higher number of critical vulnerabilities, likely due to the fact that internal infrastructure projects are not connected to the Internet, leading to a false sense of security.

  • Mobile projects made up 9% of projects tested and suffered primarily from “note” vulnerabilities, due to their associated client-side layers being included in our analyses.

  • Cloud projects continued to rise in 2021, which also made up a significant portion of the “combined” project types in our study. Similarly to internal infrastructure projects, clients undertaking cloud projects suffer from a false sense of security that led to a higher number of critical vulnerabilities.

  • The remaining portion of projects tested was largely made up of desktop apps, ATMs, and social engineering projects.

Overall results

The following chart gives a full overview of the tests performed by Citadelo in 2021:

Overall results
Web API Mobile Infra Cloud Combined Other Total
Note 631 67 196 115 55 174 44 1282
Low 232 24 43 62 118 120 36 635
Medium 125 13 22 32 50 84 20 346
High 89 10 15 19 55 58 20 266
Critical 54 4 3 21 14 42 10 148
Total 1131 118 279 249 292 478 130 2677
Number of projects 118 22 24 32 18 41 20 275


Citadelo provided penetration testing and security audits for a wide range of industries in 2021. While the vast majority of projects (35%) fell under the broadly defined Technology sector, clients from the field of Finance were not far behind, making up 33% of all projects tested. The remaining sectors were fairly evenly distributed, each making up between 3 and 7% of all projects tested.


The over 2,677 vulnerabilities we found present a snapshot of the current state of cybersecurity and the importance of penetration testing in 2022. While less serious errors made up the vast majority of vulnerabilities, the 148 critical vulnerabilities discovered could have resulted in catastrophic consequences had they not been immediately remedied.

Above all, an important common theme was highlighted by our data: whenever the importance of security or penetration testing is overlooked or underestimated, more vulnerabilities inevitably emerge. Whether it be internal infrastructure applications assuming they are safe because they are not connected to the Internet, or cloud service applications that assume the internal audits of their

providers are sufficient, the overarching lesson from this data is that you can never be too careful. Comprehensive penetration testing from experienced agencies like Citadelo is an essential component of any security solution, and its importance will only increase in the years to come.

Download the full report with all of our statistics and analysis here.

To take your project’s security to the next level, get in touch, and we’ll get our hackers on the case ASAP: [email protected].

O autorovi

Citadelo je dom plný etických hackerov na vašej strane. Pomáhame otestovať ich informačnú bezpečnosť. Podrobte svoje IT prostredie výzve a odhaľte, do akej miery sú vaše citlivé dáta chránené.
Zobraziť viac od autora

Podobné blogy