
100 Security Assessments in One Year! Looking back at 2025

Patrick Kullberg

Another year has come to an end, and 2025 marked a major milestone for us at Assured. Over the course of the year, our team completed 100 security assessments—ranging from penetration tests and code reviews to audits and advisory engagements.

Reaching this number isn’t just a metric we’re proud of. It reflects a broad and deep exposure to real-world systems, development practices, and operational environments across many industries. Performing assessments at this scale gives us valuable insight into current challenges in the cybersecurity domain.

Testing a wide range of technologies and industries

While it’s impossible to cover everything we worked on during the year, a few recurring areas stood out:

This diversity is one of the most rewarding aspects of our work. We love looking at various types of applications, solutions, devices and machines. Many security issues can be observed across domains, while others are highly specific. Seeing both in practice sharpens our tools as security consultants and penetration testers.

What the findings tell us

Across these engagements, we produced over 2,000 pages of reports, filled with 1,147 clear, actionable findings including comprehensible descriptions of the vulnerabilities, their impact and recommendations for mitigation or issue remediation.

The findings break down as follows:

Critical: 47, High: 176, Medium: 357, Low: 332, and Note: 235
Total: 1,147 findings

Chart visualizing the distribution, by severity, of Assured’s findings in 2025

This distribution tells us that truly critical issues are relatively rare, at least in our book. Setting a Critical risk rating on a finding requires a high likelihood of successful exploitation and a severe potential impact. Of course, we use established methods to determine the risk rating, namely the OWASP Risk Rating Methodology or CVSS, depending on the customer’s preference.

Regardless of risk level, these findings have helped our customers improve the security of their products, services, and internal environments.

“Good” findings highlight what works well

Security assessments shouldn’t only focus on what’s broken.

That’s why, in 2025, we also documented 48 positive findings—examples of exemplary security practices that deserve recognition. A “Good” finding in our book could be a well-designed or well-implemented authentication flow, an encryption scheme that adheres to best current practices, an Entra ID/Active Directory that successfully implements security features, or similar.

Calling out the “Good” where applicable is something we continue to do in our reporting to help our customers understand the complexity of cybersecurity and raise awareness of common security issues in different areas.

As is evident, “Good” findings are as rare as Critical ones, but we as a team tend to celebrate both types just as much.

Regulation is on the agenda

Another clear trend during 2025 was how firmly security regulations and directives have taken their place on the agenda, hopefully also in the minds of management and board executives.

During the year 2025, we:

  • Helped customers achieve type approval according to UNECE R155
  • Verified and validated compliance with NIS2
  • Verified and validated compliance with the Cyber Resilience Act (CRA)
  • Verified and validated compliance with DORA

In many cases, this work bridged the gap between regulatory language and technical reality, where we as technical security experts supported engineering and security activities.

Looking ahead to 2026

Now we’re off to 2026!

In twelve months, we’ll look back again and see what new records we’ve set and how the security landscape has continued to evolve. If you want to follow our progress throughout the year, keep an eye on the stats on our front page.

As always, feel free to reach out if you want to discuss how our experience applies to your own environment.
