cyllective's blog

Yearly Recap - 2025

30. Dec 2025, #aboutus

With the days at their shortest and festive spirits at their highest, we take this time to reflect upon a busy year and show you what was going on behind the scenes at cyllective. We’re also happy to use this opportunity to announce valuable additions to the company and give you some insights on continuous updates to our processes, which ensure that we can keep delivering high quality and work efficiently throughout our projects.

Successfully Busy

First and foremost, at the start of 2025, our team grew. We’re happy to announce our latest full-time addition to the team: Welcome Sam Kabbani!

Sam speaking at the GOHack25 (Picture: Stefanie Maurer)

Sam spent the previous year honing his skills as our latest intern and is now engaged as a penetration tester, focusing on web & mobile application security and Windows/Active Directory environments.

We’re taking this chance to express how much pride we take in training our talent in-house. In fact, all of our engineers - except management - have developed their skillset while working with cyllective from the very start. A quick word from Sam on his experience:

My internship with cyllective allowed me to comfortably graduate from a curious hacker to a well-rounded penetration tester and close the gap between recreational and professional work. I’ve specifically enjoyed the freedom to decide for myself in which areas I want to build expertise.

We appreciate having found a sharp-minded and witty addition to the team in Sam!

Further, the year 2025 marked yet another significant milestone in our journey. As of November, we have opened our new branch office in Bern, settling down in an excellent community and bringing us closer to many valued customers. We welcome everyone to stop by to have a chat and a refreshment of choice 🙌.

Our new office in Bern

Since we were already so busy this year, we figured, why not add another thing to our schedule! And so we’ve moved to a shiny new headquarters location within Lucerne 😆.

Of course, we’ve been investing our time in some ongoing research projects this year. We’re happy to announce that in early 2026 we can present yet another piece of research related to plugin ecosystems. Maybe you can guess the next one!

In-House Everything

When it comes to internal work, we kept improving upon our infrastructure and processes. We strive for privacy and security in our customer relations. Thus, our newest project is our internal secret & password sharing platform, with which we can facilitate the receipt of credentials by our customers. If you are curious, you can take a peek at the application on our GitHub.

Most of this year’s internal work was done on our reporting process. Over the past years, we’ve continuously developed our own Markdown-based reporting pipeline in close collaboration with all our engineers and testers, ensuring that we are able to efficiently write high-quality reports while focusing more of our time on the penetration test at hand. Another notable change in this area is our own internal “testing guides”, which are inspired by, and closely aligned with, OWASP (e.g. the Web Security Testing Guide). This new process ensures that we can deliver holistic penetration testing reports with the personalized quality you’ve all come to appreciate, while still providing a baseline of performed tests and a status reference - no matter what type of assessment is performed.

Further, we are naturally interested in following the latest trends and contemplating ways to integrate them into our workflows. This was of course also the case with the emerging use of generative AI, chatbots and coding assistants alike. Thus, we’ve taken the step this year to set up our own barebones AI machine running local large language models (LLMs). We’ve come to appreciate this flexibility across our entire team, as this improvement enables us to perform AI-assisted analysis and engineering tasks without compromising the privacy we’ve worked so hard to maintain.

Exciting Look Ahead

Lastly, it wouldn’t be a complete recap without looking towards the future.

In fall 2025, OWASP released their 8th installment of the OWASP Top 10 categories, ranking the most common and impactful web application vulnerabilities. While this is still a release candidate, we’re closely following this development to adjust and update our hands-on OWASP Top 10 + Burp Suite Workshop, which is targeted at engineering teams wanting to establish a baseline of secure engineering practices.

A project that’s still in the works at the cyllective factory is a solution to offer continuous testing for customers. We’ve started to undertake this endeavour as the demand for periodic scanning started to rise and are excited to launch this offering within the first half of 2026.

To start the new year, in one week to be exact, we are announcing our newest service offering through customizable ongoing support & consulting packages: keep an eye out for cyAssist!

Signing-Off

And to end the year just right, we are enjoying a company retreat to attend The Chaos Communication Congress. So there’s only so much left to write - other than some warm regards from Hamburg and all the best for a Happy New Year!

cyllective attending 39C3