
Why Managed Security Services Matter for Indonesian Enterprises

Alpha Code Team
Editorial Team
Published April 11, 2026
Updated April 16, 2026

The incident that changed the conversation

On June 1, 2024, Indonesia's national data center went down. The Pusat Data Nasional (PDNS) ransomware attack locked the government out of systems supporting 282 agencies, disrupted immigration services at airports across the country, and took weeks to fully recover. Ransom demand: $8 million USD.

Nobody could claim this was unforeseeable. The attackers used LockBit 3.0, a ransomware variant with well-documented indicators of compromise that had been active for over two years. A functioning security operations center would have had a reasonable chance to catch pre-ransomware staging activity in the days before encryption ran.

PDNS wasn't an isolated incident. Bank Syariah Indonesia (BSI) lost access to ATM and mobile banking services for several days in May 2023 after a LockBit attack. A state-owned telecommunications provider had millions of subscriber records exposed on dark web forums. An insurance company saw customer data leaked publicly before anyone internally knew there had been a breach.

These aren't edge cases anymore. They're the operational reality.

What the numbers actually show

BSSN reported over 361 million anomalous traffic incidents targeting Indonesian systems in 2023. That figure climbs each year as more businesses move operations online. Ransomware, credential theft, and business email compromise account for the majority of financially damaging incidents in the region.

The harder number is what detection actually costs. Building an in-house security operations center capable of handling this volume runs upward of Rp 15-20 billion per year for a mid-sized enterprise. That covers SIEM platform licensing, endpoint detection tooling, threat intelligence feeds, and staffing enough analysts to cover three shifts. It doesn't count incident response retainers, forensics tooling, or the senior engineering time spent recruiting people who accept an offer in Singapore six months after joining.

The talent shortage is real and well-documented. A 2023 report from the ASEAN cybersecurity community estimated Indonesia has fewer than 15,000 certified security professionals for a market that needs several times that number. Entry-level analysts with SIEM experience now command salaries that companies outside Jakarta's financial sector find difficult to sustain on a security-specific headcount.

The math doesn't improve at scale for most organizations. You end up paying full-time salaries for skills you need around the clock, maintaining infrastructure that depreciates, and depending on two or three people whose institutional knowledge walks out the door when they resign.

What a managed security service actually does

There is a persistent misunderstanding that managed security means outsourced antivirus. That is not what this is.

A proper MSSP operates a Security Operations Center with trained analysts monitoring your environment continuously. They ingest logs from your firewalls, endpoints, cloud workloads, and applications. They correlate events across those sources using a SIEM platform to spot patterns that no single alert would surface alone. They apply current threat intelligence to catch known attack behavior before it escalates. When something looks wrong, they call you. If your contract includes response authority, they isolate the affected system and call you afterward.

The detection stack matters significantly. SIEM correlation identifies multi-stage attacks that span systems and time. User and entity behavior analytics (UEBA) baseline how your people and services normally operate, then flag deviations that catch insider threats and compromised accounts that signature-based tools miss entirely. Network traffic analysis spots lateral movement and data exfiltration that endpoint tools never see.

For Indonesian enterprises, compliance adds a second layer of value. OJK Circular Letter No. 29/SEOJK.03/2022 on IT risk management for banks requires continuous monitoring, structured incident reporting, and documented response procedures. BSSN guidelines under Government Regulation No. 71/2019 set comparable expectations for government-adjacent organizations. An MSSP that knows these requirements reduces the compliance burden considerably and means you aren't translating generic frameworks into local regulatory language yourself.

A concrete example of what this looks like

Consider a mid-sized Indonesian manufacturing company with around 800 employees and an ERP system that handles procurement and supplier payments. They have one IT manager and two helpdesk staff. Security is handled reactively: antivirus on endpoints, a firewall at the perimeter, and no centralized log visibility.

In early 2024, a phishing email targeting the finance team delivered a credential stealer. The attacker used harvested VPN credentials to access the company network after business hours, spent two weeks doing reconnaissance, and identified the ERP system's service accounts. By the time the IT manager noticed unusual login behavior, the attacker had already exfiltrated supplier contract data and was staging for a ransomware deployment.

With a managed SOC in place, the scenario looks different. VPN logins from unusual geographic locations after hours trigger behavioral alerts in the first week. The SIEM correlates those logins with subsequent internal scanning activity and escalates the case. The SOC analyst calls the IT manager at 11pm. The compromise gets contained before the attacker reaches the ERP system.
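The correlation in this scenario can be sketched as detection logic. This is an added example, not the rule set of any provider or SIEM product; the log fields, thresholds, business-hours window, user names, addresses and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs); timestamps are local time.
VPN_LOGINS = [
    {"ts": "2024-02-05 09:12", "user": "finance01", "country": "ID", "vpn_ip": "10.8.0.21"},
    {"ts": "2024-02-06 22:15", "user": "itmgr", "country": "ID", "vpn_ip": "10.8.0.12"},
    {"ts": "2024-02-06 21:00", "user": "sales02", "country": "SG", "vpn_ip": "10.8.0.30"},
    {"ts": "2024-02-06 23:40", "user": "finance01", "country": "RO", "vpn_ip": "10.8.0.37"},
]
# Firewall flows as (ts, src_ip, dst_ip, dst_port): one sweep plus normal traffic.
FLOWS = [("2024-02-06 23:%02d" % (45 + i // 4), "10.8.0.37", "10.1.0.%d" % (10 + i), 445)
         for i in range(40)]
FLOWS += [("2024-02-06 22:20", "10.8.0.12", "10.1.0.5", 443),
          ("2024-02-06 21:05", "10.8.0.30", "10.1.0.50", 8443)]

# Assumed tuning values; a real deployment learns baselines from history.
BASELINE = {"finance01": {"ID"}, "itmgr": {"ID"}, "sales02": {"ID"}}
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59
SCAN_HOSTS = 20                    # distinct internal hosts that count as a sweep
WINDOW = timedelta(hours=2)        # how long after login to look for scanning

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def anomalous_logins(logins):
    """After-hours VPN logins from a country outside the user's baseline."""
    return [l for l in logins
            if parse(l["ts"]).hour not in BUSINESS_HOURS
            and l["country"] not in BASELINE.get(l["user"], set())]

def hosts_touched(flows, src, start, end):
    """Distinct destinations contacted by src inside the time window."""
    return {dst for ts, s, dst, _ in flows if s == src and start <= parse(ts) <= end}

def correlate(logins, flows):
    """Escalate only when an anomalous login is followed by a host sweep."""
    cases = []
    for l in anomalous_logins(logins):
        start = parse(l["ts"])
        hosts = hosts_touched(flows, l["vpn_ip"], start, start + WINDOW)
        if len(hosts) >= SCAN_HOSTS:
            cases.append({"user": l["user"], "country": l["country"],
                          "vpn_ip": l["vpn_ip"], "hosts": len(hosts)})
    return cases

if __name__ == "__main__":
    for case in correlate(VPN_LOGINS, FLOWS):
        print("ESCALATE", case)
```

Two logins in the sample trip the behavioral rule, but only the one followed by a sweep of internal hosts becomes a case, which is the difference between a single alert and a correlated escalation.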

This isn't a hypothetical threat model. These staging patterns show up regularly in Indonesian enterprise networks, and the gap between "something looks wrong" and "the business is down" is measured in days, not weeks, when detection happens early.

The build versus buy question

There is no universal answer, and any provider that tells you MSSP is right for every organization is oversimplifying.

If you're a large bank, telco, or state-owned enterprise with hundreds of millions of dollars in digital assets, building your own SOC gives you control and the ability to tune detection to your specific environment. The investment is justifiable at that scale.

For most Indonesian enterprises, it isn't. The IBM Cost of a Data Breach Report 2024 found that organizations with fully staffed security teams detected breaches 108 days faster than those without, and the cost difference per incident averaged $1.76 million USD. An MSSP delivers a comparable detection capability at a fraction of the infrastructure and headcount cost because the platform, tooling, and expertise are shared across clients.

If you already have a security team and want to extend their capability rather than replace it, a co-managed model is worth looking at. Your analysts stay focused on your environment and business context. The MSSP handles overnight shifts, platform management, and the threat intelligence feeds that are expensive to maintain independently.

For organizations starting fresh, beginning with a managed service and building internal capability over time is almost always more practical than standing up a full SOC on day one. The institutional knowledge that a good MSSP brings to a new client engagement takes years to develop internally.

What to actually check when evaluating providers

Not all managed security providers are the same, and the marketing language tends to converge around the same claims regardless of actual capability.

Local presence matters more than remote-first providers acknowledge. An MSSP with analysts in Jakarta understands regional threat patterns, responds to BSSN advisories with the right context, and can show up in person when an incident requires it. Covering Indonesian business hours from a different time zone introduces communication latency at exactly the moment you cannot afford it.

Ask for real MTTD and MTTR numbers from engagements similar to yours in size and industry. Any provider should be able to commit to SLA terms in writing and explain how they're measured.

Understand what happens past detection. Some MSSPs stop at alerting and leave response to you. Others provide contained incident response, forensic investigation, and recovery support. Knowing which you're buying before you sign matters a great deal when you're in the middle of an incident.

Regulatory alignment: if you're in banking, insurance, or healthcare, your MSSP should understand OJK, BSSN, and sector-specific requirements. Generic compliance framework knowledge doesn't map cleanly to Indonesia's regulatory environment, and you don't want to discover that during an OJK examination.

Where this leaves Indonesian enterprises today

The PDNS attack and the BSI breach were public enough that board-level conversations about security investment shifted after each one. But awareness hasn't translated uniformly into capability. A significant portion of Indonesian enterprises still rely on reactive controls and understaffed IT teams carrying security responsibilities as a secondary function.

The organizations that paid ransoms in 2023 and 2024 weren't careless. Many were understaffed, running tools that weren't integrated well enough to surface the early signals. That's a fixable problem, and the model for fixing it doesn't require building a Rp 15 billion annual program from scratch.

Our SOC-as-a-Service is built around a Jakarta-based operations center staffed by analysts who understand the Indonesian regulatory environment and regional threat landscape. Detection is AI-augmented to reduce alert fatigue, and reporting comes in both Bahasa Indonesia and English because your board, your IT team, and your regulators don't always speak the same language.

If you're evaluating whether managed security makes sense for your organization, the starting point is an honest conversation about what your current coverage actually looks like outside business hours. For most mid-sized Indonesian enterprises, the answer to that question is what drives the decision.