What Is a Security Operations Center (SOC) and Does Your Business Need One?


Mohit Bhansali
Head of Technology
Published April 16, 2026
10 min read
Tags: SOC, Cybersecurity, Indonesia, Managed Security, Threat Detection

The Night Indonesia's National Data Center Went Dark

On June 20, 2024, a ransomware group encrypted Indonesia's national data center in Surabaya (PDNS-2). Within hours, 282 government services went offline. Immigration checks failed. Airport queues backed up. The attackers demanded USD 8 million. The government refused to pay, and decryption keys were eventually released thirteen days later.

The attack did not succeed because the systems were fundamentally weak. It succeeded because nobody was watching in real time.

That is the exact problem a Security Operations Center exists to solve.

What Is a Security Operations Center?

A Security Operations Center, or SOC, is a dedicated function within an organization responsible for monitoring its digital environment around the clock, detecting threats early, and coordinating a response when something goes wrong.

The best analogy is a hospital emergency room, but for cybersecurity. It runs 24 hours a day, seven days a week. Every incoming alert gets triaged by severity. Serious threats get escalated. The team works from established playbooks so the response is fast and consistent, not improvised under pressure.

A mature SOC is typically organized into three tiers.

Tier 1: Alert Analysts work the front lines. They monitor dashboards, review automated alerts, and escalate anything that needs a closer look. Volume is high and decisions need to be fast.

Tier 2: Incident Responders handle the escalated cases. They investigate the full picture of what happened, contain the threat, and document findings. This is where analysis depth matters most.

Tier 3: Threat Hunters go looking for problems before any alert fires. They work from threat intelligence, behavioral patterns, and experience to find intrusions that automated tools might miss entirely.

All three tiers rely on a shared technology stack: a SIEM platform for log correlation, endpoint detection tools, threat intelligence feeds, and SOAR automation to handle repetitive response tasks.

What a SOC Does Every Day

The SOC's job is not just to collect alerts. It is to make those alerts mean something actionable.

Continuous Monitoring. Every log, network packet, endpoint event, and cloud API call flows into correlation rules. The SOC watches for patterns that suggest an attack is underway, not just individual data points in isolation.

Threat Detection. Using behavioral analytics (UEBA) and threat intelligence, the SOC flags unusual activity. A corporate account accessing sensitive files at 2 AM from an unfamiliar location gets flagged, even when no malware is involved.
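The two paragraphs above describe correlation rules and behavioural (UEBA-style) detection in the abstract. The following is an added example, not code from the article or from Alpha Code Technologies: a single correlation rule that flags an account reading a sensitive file outside its usual working hours or from a source country not in that account's learned baseline, with no malware indicator required. The account baselines, the sensitive-path list, the WIB (UTC+7) working window and the JSON audit log lines are all constructed for the example.

```python
"""Added example: a behavioural correlation rule run over constructed
file-server audit events. Not the article's or Alpha Code's code."""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed per-account baselines, as a UEBA component would learn them
# over a training window: usual source countries and local working hours.
BASELINES = {
    "alice": {"countries": {"ID"}, "work_hours": (8, 19)},
    "bob": {"countries": {"ID", "SG"}, "work_hours": (8, 19)},
}

# Constructed list of path prefixes the organisation classifies as sensitive.
SENSITIVE_PREFIXES = ("/finance/", "/hr/payroll/")

# Constructed JSON audit log lines (timestamps in UTC).
LOG_LINES = [
    '{"ts":"2024-06-19T03:10:00Z","user":"alice","src_country":"ID","path":"/finance/q2-forecast.xlsx","action":"read"}',
    '{"ts":"2024-06-19T19:05:00Z","user":"alice","src_country":"RU","path":"/finance/q2-forecast.xlsx","action":"read"}',
    '{"ts":"2024-06-19T19:06:00Z","user":"bob","src_country":"SG","path":"/public/handbook.pdf","action":"read"}',
    '{"ts":"2024-06-19T19:07:00Z","user":"bob","src_country":"SG","path":"/hr/payroll/june.csv","action":"read"}',
    '{"ts":"2024-06-19T19:30:00Z","user":"mallory","src_country":"BR","path":"/hr/payroll/june.csv","action":"read"}',
]


@dataclass
class Alert:
    user: str
    ts: str
    path: str
    severity: str
    reasons: list


def local_hour(ts_utc: str, utc_offset_hours: int = 7) -> int:
    """Hour of day in local time; WIB (UTC+7) is an assumption of this example."""
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return (dt.hour + utc_offset_hours) % 24


def evaluate(event: dict, baselines=BASELINES) -> Optional[Alert]:
    """Apply the rule to one parsed event. Returns an Alert, or None if benign."""
    if not event["path"].startswith(SENSITIVE_PREFIXES):
        return None  # the rule only concerns sensitive data
    base = baselines.get(event["user"])
    if base is None:
        # An account with no learned behaviour touching sensitive data is
        # itself worth a look: it may be new, dormant, or attacker-created.
        return Alert(event["user"], event["ts"], event["path"], "high",
                     ["no behavioural baseline for account"])
    reasons = []
    start, end = base["work_hours"]
    hour = local_hour(event["ts"])
    if not (start <= hour < end):
        reasons.append(f"access at {hour:02d}:xx local, outside {start:02d}-{end:02d}")
    if event["src_country"] not in base["countries"]:
        reasons.append(f"source country {event['src_country']} not in baseline")
    if not reasons:
        return None
    # Two independent anomalies on the same sensitive access escalate the severity.
    severity = "high" if len(reasons) == 2 else "medium"
    return Alert(event["user"], event["ts"], event["path"], severity, reasons)


def run(lines=LOG_LINES) -> List[Alert]:
    """Parse each JSON log line and collect the alerts the rule raises."""
    return [a for a in (evaluate(json.loads(line)) for line in lines) if a]


if __name__ == "__main__":
    for a in run():
        print(f"[{a.severity.upper():6}] {a.user} {a.path} at {a.ts}: "
              + "; ".join(a.reasons))
```

Run stand-alone, the block raises three alerts from five events: alice's 2 AM read from an unfamiliar country (high), bob's off-hours payroll read from a known location (medium, a Tier 1 analyst would check for a legitimate reason), and an account with no baseline at all (high). The first alice event and bob's read of a public document produce nothing, which is the point of correlating several weak signals on sensitive data rather than alerting on each one in isolation.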

Incident Response. Once an incident is confirmed, the team follows pre-built playbooks: isolate the affected system, preserve evidence, notify the right stakeholders, and begin remediation. The target is response measured in minutes, not hours.

Vulnerability Management. The SOC tracks known vulnerabilities across the environment and helps prioritize which ones to fix first, based on real exploitability and business impact rather than just a CVSS score.
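As an added example of the prioritisation the paragraph above describes (not code from the article or from Alpha Code Technologies), the block below ranks a constructed set of findings by evidence of active exploitation, internet exposure and asset criticality rather than by CVSS alone. The finding identifiers, asset names, criticality tiers and the scoring weights are all assumptions made for the example; a real SOC would source the "known exploited" flag from its threat intelligence feeds and the asset tier from its asset inventory.

```python
"""Added example: risk-based ranking of vulnerability findings.
Not the article's or Alpha Code's code; weights are illustrative."""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    finding_id: str        # constructed labels, not real vulnerability identifiers
    cvss: float            # base score as published
    asset: str
    asset_criticality: int  # 1 (low) to 3 (business-critical), from asset inventory
    internet_exposed: bool
    known_exploited: bool   # from threat intelligence: exploitation observed in the wild


def priority(f: Finding) -> float:
    """CVSS is only the starting point; exploitation evidence, exposure and
    business impact scale it up or down. Weights are assumptions."""
    score = f.cvss
    if f.known_exploited:
        score *= 2.0          # actively exploited beats theoretical severity
    if f.internet_exposed:
        score *= 1.5          # reachable by anyone, not just an insider
    score *= f.asset_criticality / 2  # tier 1 halves, tier 2 unchanged, tier 3 x1.5
    return round(score, 2)


def rank(findings: List[Finding]) -> List[Finding]:
    """Order findings for remediation, highest risk first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed findings: the highest CVSS sits on an isolated build box,
# while a lower-scored but actively exploited flaw sits on the payment gateway.
FINDINGS = [
    Finding("finding-A", 9.8, "dev-build-box", 1, False, False),
    Finding("finding-B", 7.5, "payment-gateway", 3, True, True),
    Finding("finding-C", 8.8, "hr-erp", 3, False, False),
    Finding("finding-D", 6.5, "public-web", 2, True, True),
]

if __name__ == "__main__":
    print("By CVSS alone:", [f.asset for f in sorted(FINDINGS, key=lambda f: f.cvss, reverse=True)])
    print("Risk-based:   ", [(f.asset, priority(f)) for f in rank(FINDINGS)])
```

Sorted by CVSS the build box comes first; sorted by risk the payment gateway and the public web server move to the top and the build box drops to last. That reordering is the difference between a patch queue driven by a scanner report and one driven by what an attacker could actually use against the business.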

Compliance Reporting. Regulated organizations need a clear paper trail: who accessed what, when, and what the security team did about it. The SOC produces that documentation as a natural output of its daily operations.

The Indonesian Threat Landscape in Numbers

The figures below are drawn from BSSN's official reporting, IBM's Cost of a Data Breach Report 2024, and the other sources noted in each row.

| Metric | Figure | Source |
| --- | --- | --- |
| Cyber anomalies recorded in Indonesia (2023) | 361 million | BSSN 2023 Annual Report |
| Ransomware attacks in Indonesia (2024) | 57,554 (highest in Southeast Asia) | BSSN 2024 |
| Average data breach cost, ASEAN (2024) | USD 3.33 million | IBM Cost of a Data Breach 2024 |
| Average time to detect a breach globally | 194 days | IBM Cost of a Data Breach 2024 |
| Indonesian organisations at "Mature" security readiness | 5% | Cisco Cybersecurity Readiness Index 2025 |
| Cybersecurity workforce gap in Indonesia | ~100,000 specialists needed | Industry estimates |

The two defining incidents of 2024 tell the same story. PDNS-2 went down because the ransomware was not caught early enough. The BKN civil servant database, containing 4.7 million records, was exfiltrated without any real-time detection in place. In both cases, the damage did not come from the initial intrusion. It came from the time between when the attacker entered and when anyone found out.

A SOC does not guarantee you will never be attacked. It means you find out in hours, not months.

Does Your Business Need a SOC?

The answer depends on where your organization sits. Four questions help frame the decision.

Do you have regulatory obligations? Banking, insurance, capital markets, and healthcare are the most scrutinized industries. OJK's POJK No. 11/POJK.03/2022 and SEOJK No. 29/SEOJK.03/2022 require financial institutions to demonstrate active, continuous security monitoring. Indonesia's UU PDP, fully in force since October 2024, mandates breach notification within 72 hours. Meeting that deadline is only possible if you detected the breach in the first place.

But regulatory exposure extends far beyond banking. E-commerce platforms, logistics companies, manufacturers, telecoms, hospitals, and universities all handle personal data, customer records, or operational systems that represent genuine risk and increasingly attract regulatory attention.

How sensitive is your data? Personal data at scale, financial records, intellectual property, or operational data that keeps the business running: the sensitivity of what you hold determines the consequences of losing it.

How complex is your digital environment? A 15-person company running a single SaaS product has a narrow attack surface. A 200-person company with cloud infrastructure, an ERP, a payment gateway, API integrations, and remote access does not. At a certain level of complexity, one IT administrator cannot realistically watch everything at once.

Can you answer basic visibility questions right now? What devices are on your network today? Which accounts accessed your core systems in the last 30 days? Are there any unusual outbound connections right now? If any answer is "I am not sure," your monitoring has fallen behind your environment.

Build, Buy, or Managed?

Building an in-house SOC requires a minimum of 8 to 12 analysts for round-the-clock coverage, a SIEM platform, threat intelligence subscriptions, and the ongoing infrastructure to run it. For most Indonesian businesses, the upfront cost is out of reach. The staffing challenge is often even harder, given a national shortage of roughly 100,000 cybersecurity specialists.

A Managed SOC delivers the same outcome through a partner who provides the team, the platform, and the processes at a fraction of the build cost.

| | In-House SOC | Managed SOC |
| --- | --- | --- |
| Upfront cost | High | Low |
| Time to operational | 6 to 18 months | 4 to 8 weeks |
| 24/7 coverage | Requires large team | Included |
| Local compliance expertise | Must be built in-house | Provided by partner |
| Customisation | Full control | High (varies by provider) |
| Scalability | Slower | Faster |

For most Indonesian businesses below 5,000 employees, and particularly those that need audit-ready compliance reporting, a Managed SOC delivers the right security outcome without requiring a full infrastructure investment.

What NIST and ISO 27001 Require

Two of the most widely adopted international frameworks align directly with what a SOC delivers.

NIST SP 800-137 covers information security continuous monitoring. Its stated purpose is providing ongoing visibility into assets, threats, and the effectiveness of deployed security controls so organizations can respond to risk in a timely way. That description matches a SOC's core output precisely.

NIST CSF 2.0 names "Detect" as one of six core functions, requiring continuous monitoring tools across all devices and networks.

ISO 27001:2022 Annex A Control 8.16 requires organizations to continuously monitor network, system, and application behavior to detect and respond to anomalous security events promptly.

If your organization is working toward ISO 27001 certification or preparing for an OJK audit, your SOC capability, whether internal or through a partner, is a control that needs to be documented and evidenced. BSSN's national cybersecurity framework aligns with these standards and sets the baseline expectations for Indonesian organizations.

What to Look for in a SOC Provider

If a Managed SOC is the right path, evaluate potential partners on these points.

Local regulatory knowledge. Do they understand OJK, UU PDP, and BSSN incident reporting requirements? Compliance expertise specific to Indonesia is not optional. It needs to be embedded in their service design.

Detection benchmarks. Ask for their average Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). The global industry average for breach detection is 194 days (IBM 2024). A strong provider should target under 24 hours for high-severity incidents.

Transparent reporting. Is there a real-time dashboard you can access? Do monthly reports map directly to your compliance obligations?

Integration scope. Can the SOC pull logs from your existing environment, on-premises, cloud, and endpoints, without a full technology replacement?

Escalation clarity. Who contacts you at 2 AM when a confirmed breach is in progress? Is that person named in the contract, and what is the response SLA?

How Alpha Code Can Help

Alpha Code Technologies runs a Security Operations Center in Jakarta with 24/7 coverage, AI-assisted detection, and compliance reporting built around Indonesian regulatory requirements including OJK, UU PDP, and BSSN incident notification standards.

Our SOC-as-a-Service is differentiated by several capabilities that most MSSPs cannot offer in Indonesia:

Global expertise, local presence. Our analysts are bilingual, fluent in both English and Bahasa Indonesia. Incident reports, compliance documentation, and escalation calls are delivered in the language your team actually works in. You get the depth of an international security team without the communication friction.

Discovery before deployment. Before we switch on monitoring, we run a structured Discovery phase: mapping your attack surface, identifying critical assets, and working with your IT team to design the right detection rules and alerting thresholds for your specific environment. You are not buying a generic template. You are getting a program built for how your business operates.

Annual offensive security assessment included. Every SOC engagement includes a yearly penetration test. We actively try to find what our own detection would miss, then close those gaps. Offense informs defense, and you get documentation of both for regulators and auditors.

Indonesian threat intelligence. Our detection rules are tuned to threats that are active in Indonesia right now: the ransomware groups targeting Indonesian infrastructure, the phishing campaigns impersonating local banks and government agencies, and the tactics being used against ASEAN businesses specifically.

Data sovereignty by design. All log data, alerts, and incident records are stored within Indonesia. Nothing leaves Indonesian jurisdiction. For organizations with UU PDP obligations or sensitive government data, this is a hard requirement, not a preference.

The Bottom Line

A SOC is not something reserved for large multinationals. It is the operational capability that separates organizations that find out about a breach in hours from those that discover it months later, when the damage is already done.

Indonesia's threat environment, the enforcement of UU PDP, and tightening OJK requirements are collectively making continuous monitoring a business necessity across all sectors, not just banking and finance.

Whether you build it, buy it, or partner with someone who already runs one, the question is no longer whether you need a SOC. It is how soon you will start.


Written By
Mohit Bhansali
Head of Technology

Mohit Bhansali leads technology and security practice at Alpha Code Technologies. With over a decade of experience in enterprise cybersecurity, he specialises in SOC operations, threat detection, and building security programs for Indonesian enterprises.
