Insights & Guides

Practical guides on penetration testing, security, and compliance — written by our operators.

Jun 8, 2026

BSSN & SPBE Compliance: Security Testing for Indonesian Government Systems

Indonesian government electronic systems (SPBE) are expected to undergo security assessment, with BSSN setting the national bar and UU PDP protecting citizen data. This guide explains what SPBE and BSSN require, where penetration testing fits, and how a compliant assessment is delivered.

Jun 8, 2026

How to Choose a Penetration Testing Vendor: A Buyer's Guide

Most penetration testing vendors offer the same service on paper, so the real differences hide in the details: do they test by hand or just rebrand a scanner, will they show you a sample report, is a retest included, and can they map findings to the standards you answer to? Here are the questions that separate a real pentest from a checkbox.

Jun 6, 2026

CVSS Explained: How We Score Vulnerability Severity

CVSS is the open industry standard for scoring how severe a vulnerability is, on a 0–10 scale derived from a vector string of metrics like Attack Vector, Privileges Required, and impact to confidentiality, integrity, and availability. Here's how to read a score, what 3.1 and 4.0 measure, and why the number is a starting point, not the whole story.

Jun 6, 2026

Active Directory Penetration Testing: From Foothold to Domain Admin

An Active Directory penetration test simulates an attacker who already has a foothold inside your network and maps the path to Domain Admin — through enumeration, credential attacks like Kerberoasting, lateral movement, and privilege escalation. Here's the attack chain we walk, and the misconfigurations that hand over the whole domain.

Jun 5, 2026

Mobile Application Penetration Testing: iOS & Android, Explained

A mobile application penetration test assesses three layers — the app on the device, its local data storage, and the backend API it talks to — against the OWASP MASVS standard. It covers insecure storage, certificate pinning bypass, reverse engineering, and the IPC and deep-link attack surface. Here's how it works.

Jun 5, 2026

Web Application Penetration Testing: What It Actually Tests

A web application penetration test is a manual, attacker-led assessment that maps to the OWASP Testing Guide and hunts the OWASP Top 10 — broken access control, injection, authentication flaws, SSRF, and business-logic abuse — then proves real impact. Here's what happens under the hood.

Jun 4, 2026

How Much Does a Penetration Test Cost? A Pricing Guide for Indonesia

The price of a penetration test depends mostly on how big and complex the application is — not a fixed rate. Here's what drives pentest cost in Indonesia and how to get an accurate quote.

Jun 4, 2026

Source Code Review vs Penetration Testing: Which Do You Need?

A source code review reads your application from the inside; a penetration test attacks it from the outside. Here's how the two differ, what each one finds, and when to use which — or both.

Jun 3, 2026

Penetration Testing & Compliance in Indonesia: OJK, UU PDP, and ISO 27001

In Indonesia, penetration testing is increasingly expected — and sometimes effectively required — by regulations and standards including the Personal Data Protection Law (UU PDP), OJK financial-sector rules, and ISO 27001. Here's what applies to you.

Jun 3, 2026

Types of Penetration Testing: Black-Box vs Grey-Box vs White-Box

The main types of penetration testing are defined two ways: by how much access the tester is given (black-box, grey-box, white-box) and by what is tested (web, mobile, infrastructure, Active Directory). Here's how to choose.

Jun 3, 2026

What Is Penetration Testing? A Practical Guide for 2026

Penetration testing is an authorized, simulated cyberattack on your systems to find and prove exploitable vulnerabilities before real attackers do. Here's how it works, what you get, and when you need one.
