Citadelo

1K posts

@citadelo

Citadelo helps fortune 500 companies identify vulnerabilities through simulated attacks.

CZ, SK, CH (Zug) · Joined June 2013
582 Following · 480 Followers
Citadelo @citadelo
👏 Our colleague Oliver V. has earned the prestigious Certified Red Team Operator (CRTO) certification from Zero Point Security. CRTO isn’t just another LinkedIn badge. It’s a 24-hour hands-on exam in a simulated environment, no multiple choice, just a real attack against an Active Directory infrastructure using tools such as Cobalt Strike. It validates an attacker’s ability to:
✔️ gain initial access to the environment
✔️ move laterally across the infrastructure
✔️ escalate privileges
✔️ evade detection (OPSEC)
✔️ achieve objectives and report findings
According to Zero Point Security: “Holders of the CRTO have the knowledge and skills necessary to perform adversary simulation and emulation exercises with Cobalt Strike. They can carry out every stage of an engagement from initial access to acting on the objective and reporting.”
This is exactly the level of expertise that determines whether security testing uncovers real risks, or just checklist-level issues. This is Citadelo’s second CRTO certification. 👏 Congratulations, Oliver!
Learn more about the certification: certs.zeropointsecurity.co.uk/3063be98-9bc2-…
#cybersecurity #redteam #ethicalhacking #pentesting #certification #Citadelo

Citadelo @citadelo
One of the most widely used JavaScript libraries in the world has been compromised and most people don’t even know about it. The drama factor of this incident is 10/10.
❗ What happened? An attacker gained access to a maintainer account of the Axios library and published malicious versions of the package. These versions included a hidden dependency that could execute malware during installation and give the attacker remote access to systems.
What is Axios? Axios is a library developers use to enable communication between applications and servers (APIs). It is embedded in a massive number of websites and applications, from e-commerce platforms to internal enterprise systems.
Why does this matter for everyday users? This is not an attack on developers. This is a software supply chain attack. If an affected application or company infrastructure was compromised, the consequences may include:
▪️ exposure of personal data
▪️ account compromise
▪️ increased phishing and fraud attempts
▪️ disruption of services people rely on daily
❗ The most dangerous part:
▪️ You don’t have to do anything wrong.
▪️ You don’t have to click anything.
▪️ Simply using a service that was affected may be enough.
Comment from our ethical hacker, Martin Hanic, on the incident: “The drama factor of this incident is 10/10. The urgency stems from the fact that Axios, as a dependency, is used by virtually all web frontend libraries—essentially almost everyone building for the web. The Axios incident, along with other supply chain attacks in recent weeks, clearly demonstrates the severity of this issue and its impact. These impacts resemble chain reactions, driven by transitive dependencies between libraries that ultimately led to the problem.
Security teams, DevOps engineers, and developers are frantically checking their pipelines, verifying package integrity and version pinning, implementing stronger isolation (sandboxing) and key management, and repeatedly reviewing their incident response scenarios.”
Key takeaway:
▪️ Security is no longer just about protecting your own systems.
▪️ It’s about understanding and managing the entire ecosystem you depend on.
#cybersecurity #supplychain #axios #datasecurity

Citadelo @citadelo
Your supplier will betray you before a hacker does! Our colleague Jakub Novák will present at the Outsourcing Cybersecurity Conference (April 16–17, High Tatras, Slovakia), covering the topic: “Blackbox Penetration Testing of Third Parties, or Why Your Supplier Will Betray You Before a Hacker.”
No marketing, just reality:
– why vendor assessment is not enough without technical testing
– what blackbox testing actually reveals (and what it never will)
– the difference between compliance and real attack simulation
– who is responsible when a supplier fails
Hard truth:
▪️ “We audited the supplier” ≠ we control the risk
▪️ “We have an SLA” ≠ we can handle an incident
▪️ “We are compliant” ≠ we will survive an attack
If you're dealing with outsourced security, this is exactly where illusion meets reality.
Program (in Slovak): efocus.eu/security26/

Citadelo @citadelo
Apple urges iPhone users to update software as hackers target phones with older iOS
Last week, an exploit kit called DarkSword appeared on GitHub, a tool that can compromise iPhones. The worst part? No technical skills are required. Just an HTML file, JavaScript, and a few minutes.
What does this mean in practice? DarkSword exploits vulnerabilities in WebKit and the iOS sandbox, allowing attackers to fully take control of a device - stealing contacts, messages, call history, and even the iOS keychain with Wi-Fi passwords and other sensitive data. Affected devices include those running iOS 18.4 to 18.7, as well as older versions like 15.8.7 and 16.7.15. According to Apple, around a quarter of all active iPhones and iPads are still running these vulnerable versions, representing hundreds of millions of potential targets.
And here’s the most important part: This isn’t just an iPhone issue. It’s a reminder that updates are your first line of defense, whether it’s a smartphone, laptop, server, or IoT device.
Why update?
✔️ Most exploits target known vulnerabilities
✔️ Vendors regularly release patches to fix them
At Citadelo, we regularly see during penetration tests that attackers often don’t rely on advanced techniques, but rather on outdated software with publicly known vulnerabilities. Do you have questions about the security of your infrastructure or IoT? Contact us at info@citadelo.com.
#cybersecurity #softwaresecurity #updates #pentest #citadelo #ethicalhacking

Citadelo @citadelo
Web hacking in 2025 was no longer about “classic” vulnerabilities. PortSwigger has published a selection of the most interesting techniques from the past year and one thing is clear: attackers are moving from “known bugs” to sophisticated combinations and edge-case exploits.
What dominated in 2025?
• protocol-level attacks (e.g. HTTP/2, parsing discrepancies)
• side-channel and leak-based techniques (e.g. ETag, XS-Leaks)
• exploitation of modern frameworks (Next.js, cache poisoning)
In other words:
▪️ it’s not enough to simply “check off” the OWASP Top 10
✔️ you need to simulate real-world attacks in the context of the application
This is exactly where advanced penetration testing and red teaming come into play. At Citadelo, we see this trend in practice: more and more critical vulnerabilities are emerging outside of “standard categories” and require a creative, manual approach and the combination of multiple techniques. If you want to understand how your application would stand up to these types of attacks, a scanner report won’t give you the answer, only a real simulated attack will.
PortSwigger’s Top 10 is a strong annual indicator of how the real attack surface is evolving. We highly recommend the full list as a must-read: portswigger.net/research/top-1…
#cybersecurity #appsec #ethicalhacking #pentesting #websecurity #citadelo

Citadelo @citadelo
❗Czech Insurer Slavia pojišťovna Under Attack: 150 GB of Sensitive Data in Hackers’ Hands
While insurance companies protect us from risk, who protects them from cyberattacks? Slavia pojišťovna has confirmed a cyberattack. The hacking group ByteToBreach claims it obtained 150 GB of sensitive data, including medical records, insurance contracts, client databases, and even ultrasound images.
How did it happen? By exploiting vulnerabilities in Adminer, a web-based database management tool. The attackers deployed a web shell and gained persistent access to internal systems.
What does this mean for 250,000 clients? With such detailed information, hackers can craft extremely convincing phishing messages. When a fraudulent email contains your name, policy number, and even specific health details, it becomes almost indistinguishable from legitimate communication.
Three questions every company handling sensitive data should ask:
1️⃣ When was the last time you tested your defenses against real-world attacks?
2️⃣ Do you have visibility into vulnerabilities in third-party tools?
3️⃣ How long would it take you to detect an ongoing attack?
Incidents like this are a reminder that modern cybersecurity is no longer just about protecting your own infrastructure. That’s why organizations increasingly rely on penetration testing and red teaming to uncover vulnerabilities before attackers do.
Want to test your defenses before the wrong people do? citadelo.com
#CyberSecurity #PenTesting #EthicalHacking #Citadelo

Citadelo @citadelo
2.3 years vs. 1.6 days
How quickly do attackers exploit a vulnerability today? Back in 2018, the average time to exploit a vulnerability was 2.3 years. Today? Around 1.6 days. This dramatic shift is highlighted by the Zero Day Clock project, which tracks the time between a vulnerability being discovered and its first real-world exploitation. If you haven’t seen this visualization yet, it’s worth a look: zerodayclock.com
❗It’s one of the simplest ways to explain to executives and boards why cyber risk is accelerating faster than ever before.
For security teams, this changes the game:
✖️ It’s no longer enough to react after vulnerabilities are discovered
✔️ Organizations must proactively identify weaknesses before attackers do
That’s why many companies are moving away from one-off security audits toward continuous security testing, including penetration testing and red teaming. The question is no longer if a vulnerability will be exploited. The question is how quickly.
We’ll help you assess the security of your systems. Contact us for a free consultation: citadelo.com
#CyberSecurity #ZeroDay #PenTesting #EthicalHacking #Citadelo

Citadelo @citadelo
Why does phishing still work? Because attackers target human psychology, not technology. And human psychology hasn’t changed in the past ten years, unlike firewalls and antivirus solutions. Companies invest millions in security technologies. Yet the most vulnerable point often remains the human.
A small experiment: Wouldn’t you hold the door for someone carrying a stack of documents and feel good about doing a kind thing? Or hold the elevator for a colleague rushing to the office? Of course you would. It’s natural. It’s polite. It’s human. And that’s exactly what attackers rely on. The person you just helped might have entered the building without an access card. Those documents might contain sensitive contracts. Without realizing it, you’ve just become part of a social engineering attack.
Modern phishing relies on psychological triggers:
✔️ Authority – “Your manager needs this report within 10 minutes.”
✔️ Urgency – “Your account will be blocked by 5:00 PM.”
✔️ Fear – “Your payment card has been compromised.”
✔️ Reward – “You’ve received a €500 bonus.”
✔️ Habit – A notification from an app you use every day.
Modern phishing is no longer about the “Nigerian prince.”
▪️ It’s an email from IT with your company logo.
▪️ A text from a courier when you’re actually expecting a package.
▪️ Or a call from the bank just days after you contacted them.
Attackers are no longer just stealing passwords. They’re stealing context.
So what’s the solution? No technology can fully solve for human empathy and trust. What organizations need is security awareness that teaches people to recognize psychological manipulation combined with regular simulations of real-world attacks. Human psychology hasn’t changed in the last decade, but our ability to defend against it has.
If you’d like to run a simulated phishing attack, get in touch with us. Read the full article on this topic on our website: fe-new.int.citadelo.net/en/blog/why-do…
#Citadelo #Phishing #SecurityAwareness #CyberSecurity

Citadelo @citadelo
FraudGPT is still marketed on the dark web as “AI for hacking.”
◾️ Some tools may be scams, but the real threat is the trend
◾️ AI lowers the barrier to cybercrime, enabling convincing phishing in minutes
Are your employees prepared?
#CyberSecurity #FraudGPT #Phishing #DarkWeb

Citadelo @citadelo
❗️Slovak National Gallery was hacked
Internal systems were publicly accessible - network maps & infrastructure architecture.
Attackers don't choose by industry, they choose by vulnerability. Find your weak points before someone else does: citadelo.com
#CyberSecurity

Citadelo @citadelo
90% of cyberattacks start with phishing. 7 signs your people are the weakest link:
High click rates in phishing simulations
Oversharing on LinkedIn
Reused passwords
Ignored security alerts
Impulsive decisions under pressure
AI phishing looks perfect now
Never actually tested

Citadelo @citadelo
❗AI-powered malware isn’t science fiction — it’s evolving. Google’s GTIG warns of malware that uses AI mid-attack to rewrite its code, evade detection, and adapt in real time. AI is no longer just supporting attacks, it’s embedded inside them.

Citadelo @citadelo
🚀💼 Start-Ups, Speed, and Cybersecurity: Striking the Right Balance! Start-ups race to innovate, but how often do they check their security mirrors?🤔Michal Havrda breaks down the need for speed AND safety in his latest blog. #StartUpJourney #SecureTech citadelo.com/en/blog/start-…

Citadelo @citadelo
📢 Explore NIS2 Directive! 🔍 EU framework for network & info security. • Affects: Energy⚡, Transport🚆, Banking🏦, Health🌡️, Digital☁️. • New: Expands sectors & rules. 🤔 Need help? Check our 🎡 & blog for Sept 2024 updates! 👇🏼 #NIS2 #Cybersecurity #EURegulations