Microsoft XP SP2 — Get Prepared for a Wave of Help Desk Calls; Citadel Delivers New Remedies to Protect Corporations from Their Own Security Conscious Users

Business Wire, August 16, 2004

DALLAS -- Citadel Security Software Inc. (Nasdaq:CDSS), a leader in full life cycle vulnerability management and policy enforcement solutions through automated vulnerability remediation (AVR) technology, today announced its AVR solution, Hercules, assists with managing the rollout of Microsoft's XP SP2 by applying a set of new remedies.

"SP2 makes significant modifications to the XP operating system and system administrators must understand and consider these changes before installing it throughout their network," said Carl Banzhof, Citadel's Chief Technology Officer. "Microsoft has been urging users to allow their machines to automatically install patches via Automatic Update and Windows Update. As a result, administrators may find XP SP2 creeping onto their networks via user application before they have been able to properly test it. This could cause an increase in support issues as users alert administrators that their critical applications no longer function."

In order to address the situation, Citadel is providing a set of remedies to assist the administrators in controlling the installation of XP SP2 on their networks.

1.  A Hercules remedy that can be applied to XP systems throughout
        the network to prevent XP SP2 from being installed until full
        testing and appropriate firewall configurations have been
        approved.

    2.  A Hercules remedy to install XP SP2 with the Windows Firewall
        enabled using organization defined firewall settings.

    3.  A Hercules remedy to install XP SP2 with the Windows Firewall
        disabled.

    4.  A Hercules remedy to enable the Windows Firewall with
        organization defined firewall settings after SP2 installation.

    5.  A Hercules remedy to disable the Windows Firewall after SP2
        installation.

This set of remedies will allow the administrator to control how and when XP SP2 is applied to their networks. It is important that administrators decide a course of action soon. Microsoft has posted the following dates on their web site as to the timeline for releasing XP SP2:

--August 16 -- Release to Automatic Update (for machines not running pre-releases versions of Windows XP SP2)

--August 16 -- Release to SUS

--Later in August -- Release to Windows Update for interactive user installations

Citadel recommends corporations promptly disable end users' ability to install XP SP2 without proper IT approval and thoroughly test all XP configurations before deploying enterprise-wide.

About Citadel

Citadel Security Software Inc., a leader in full life cycle vulnerability management solutions powered by AVR technology, helps enterprises effectively neutralize security vulnerabilities. Citadel's patent-pending, Common Criteria EAL 3 certified Hercules(R) technology provides users with full control over the automated remediation process, enabling efficient aggregation, prioritization and resolution of vulnerabilities detected by industry-standard vulnerability assessment tools. SecurePC(TM) and NetOFF(TM) products enable companies to enforce security policies from a single point of control. Citadel's solutions enable organizations to ensure the confidentiality of information, reduce the time and costs associated with the inefficient manual remediation process, and facilitate compliance with organizational security policies and government mandates such as FISMA, HIPAA and Gramm-Leach-Bliley legislation. For more information on Citadel, visit www.citadel.com, or contact the company at (214) 520-9292.

Safe Harbor/Forward-looking Statements:

This press release may contain forward-looking statements that are intended to be subject to the safe harbor protection provided by Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements relate to future events or future financial performance and involve known and unknown risks and uncertainties that may cause actual results or performance to be materially different from those indicated by any forward-looking statements. In some cases, you can identify forward-looking statements by terminology such as "forecast," "may," "will," "could," "should," "anticipate," "expect," "plan," "believe," "potential" or other similar words indicating future events or contingencies. Some of the things that could cause actual results to differ from expectations are: the current economic and geopolitical environment; current information technology spending trends; the uncertainty of funding of government information technology security projects; a lack of Citadel operating history; uncertainty of product acceptance; uncertainty of ability to compete effectively in a new market; the uncertainty of profitability and cash flow of Citadel; intellectual property rights and dependence on key personnel; economic conditions; the continued impact of terrorist attacks, global instability and potential U.S. military involvement; the competitive environment and other trends in the company's industry; changes in laws and regulations; changes in the company's business plans; interest rates and the availability of financing; liability and other claims asserted against the company; labor disputes; the company's ability to attract and retain qualified personnel; and inflation. For a discussion of these and other risk factors, see the company's Annual Report on Form 10-KSB for the year ended December 31, 2003 and its Quarterly Report on Form 10-QSB for the quarter ended March 31, 2004. All of the forward-looking statements are qualified in their entirety by reference to the risk factors discussed therein. These risk factors may not be exhaustive. The company operates in a continually changing business environment, and new risk factors emerge from time to time. Management cannot predict such new risk factors, nor can it assess the impact, if any, of such new risk factors on the company's business or events described in any forward-looking statements. The company disclaims any obligation to publicly update or revise any forward-looking statements after the date of this report to conform them to actual results.