Definition
What is a penetration test?
A penetration test (pentest) is a structured, authorised exercise in which security consultants attempt to compromise your systems the same way a real attacker would. Unlike a vulnerability scan, which lists potential weaknesses automatically, a pentest involves human testers who chain vulnerabilities together, bypass controls, and show you what an attacker could actually achieve.
The goal is not to break things, but to find and prove weaknesses before someone with bad intentions does. At the end of the engagement you receive a written report that documents every finding, assigns a severity rating, provides evidence of what was possible, and recommends specific remediation steps.
Indonesian enterprises run pentests for several reasons. Regulators including OJK and BSSN expect them. Customers and partners ask for them as a condition of doing business. And increasingly, boards and risk committees want assurance that the organisation can withstand a real attack.
Note: this page covers IT systems. If you operate industrial control systems, SCADA, or OT networks, see our OT VAPT service instead.
Methodology
Types of penetration test and what we target
We run three broad testing methodologies, and we apply them across four categories of target. The right combination depends on your threat model, your compliance requirements, and how much time we have.
Testing methodologies
Black-box
Testers start with no internal knowledge of the target, the same starting point as an external attacker. This is the most realistic simulation of an opportunistic attack from outside your organisation.
Grey-box
Testers are given limited information, such as a standard user account or network diagrams. This reflects a more targeted attacker who has done reconnaissance, or an insider with basic access.
White-box
Testers have full access to source code, architecture diagrams, and credentials. This gives the most thorough coverage and is often used for pre-release reviews of internal applications.
What we test
Network
Perimeter firewalls, internal network segments, routers, switches, and VPN endpoints. We look for misconfigurations, weak authentication, and paths from one network zone to another.
Web applications
Customer portals, admin consoles, APIs, and any web-based system. We test for the OWASP Top 10 and beyond: injection flaws, broken access controls, insecure authentication, and business logic issues.
Mobile applications
Android and iOS apps, including the API layer they rely on. We examine how the app stores data on the device, how it communicates with the backend, and whether its business logic can be abused.
APIs
REST, GraphQL, and SOAP endpoints, including internal APIs that are not publicly exposed. Many data breaches trace back to an API that lacked proper authentication or rate limiting.
Process
How a penetration testing engagement works
Every engagement follows the same four phases. The timeline varies by scope, but most projects run between five and fifteen working days of active testing.
- 1. Scoping
We start with a conversation to define exactly what is in scope, what is out of scope, and what testing windows are acceptable. You receive a rules of engagement document to review and sign before any testing begins. This protects you legally and ensures we do not test systems you do not own or control.
- 2. Testing
Our consultants work through the agreed scope using a combination of automated tools and manual techniques. Manual testing is what separates a pentest from a scan: we follow leads, think laterally, and chain findings together to demonstrate real impact.
- 3. Reporting
We write a detailed report for every engagement. It covers every finding with a severity rating, technical evidence, business impact, and step-by-step remediation advice. We also write an executive summary your board or risk committee can read without a technical background.
- 4. Retest
After you have addressed the findings, we offer a retest to confirm that critical and high-severity issues are resolved. The retest report can be shared with regulators or auditors as evidence of remediation.
Deliverable
What the penetration test report contains
The report is the product you take away from a pentest. We write every report by hand, not from a template, because a finding without clear evidence and a clear fix is not useful to you.
| Report section | What it covers |
|---|---|
| Executive summary | A one to two page overview of what we tested, the overall risk level, and the most important findings. Written for leadership, not technical staff. |
| Findings by severity | Every finding is rated Critical, High, Medium, Low, or Informational using the CVSS scoring system. Findings are ordered so the most important ones are addressed first. |
| Technical evidence | Screenshots, request and response payloads, and command output that prove each finding is real and exploitable. Nothing is theoretical. |
| Business impact | For each significant finding we explain what an attacker could do if they exploited it: data they could access, systems they could control, or services they could disrupt. |
| Remediation guidance | Specific, actionable steps to fix each finding. Where relevant we include code samples, configuration changes, or references to vendor patches. |
| Retest confirmation | After remediation, the retest report confirms which findings are closed and can serve as evidence for OJK examinations or ISO 27001 audits. |
Regulation
How penetration testing maps to OJK and ISO 27001
OJK POJK 11/2022 on information technology risk management requires financial services institutions to conduct vulnerability assessments and penetration tests as part of their security posture review. The regulation does not mandate a specific frequency, but examiners expect periodic testing, particularly after significant system changes.
ISO 27001:2022 Annex A control 8.8 (management of technical vulnerabilities) and control 5.37 (documented operating procedures) together create an expectation that organisations identify and address exploitable weaknesses through testing. A penetration test, documented with a full report and retest evidence, directly satisfies examiner questions about how you verify the effectiveness of your controls.
Our reports are written to be useful in both contexts. The executive summary is suitable for submission to OJK or for presentation to an ISO 27001 certification auditor. The technical evidence supports internal remediation tracking.
Why us
Why Alpha Code
Alpha Code Technologies is a managed security services provider headquartered in Jakarta and part of Akraya International. Our penetration testing consultants hold recognised certifications and work across Indonesian enterprises in financial services, healthcare, manufacturing, and government.
- Consultants based in Jakarta with Indonesian regulatory context
- Reports written for OJK examiners and ISO 27001 auditors
- Black-box, grey-box, and white-box across network, web, mobile, and API
- Retest included to confirm critical and high findings are closed
- Part of Akraya International, with global threat intelligence
Frequently asked questions
Most engagements run between five and fifteen working days of active testing, depending on scope. A single web application may take five days. A network plus three web applications could take two to three weeks. Scoping happens before testing begins, so you know the timeline before signing.