How we work

How an Alpha Code engagement works, start to finish

It helps to know how a security engagement actually runs before you commit to one. This page covers how we scope the work, what the first few weeks look like, what lands on your desk at the end, and what happens after that.

In short

Every engagement starts with a scoping call, follows a set onboarding sequence, and ends with a report your executives and your engineers can both use. Retesting and advisory support carry on after we deliver.

Step 1

How we scope an engagement

Scoping sets up everything else: how long the work takes, how much effort it needs, and what it costs. We begin with a short discovery call to understand what you are protecting, which regulations apply to you, and what prompted the call in the first place. Sometimes that is an OJK audit on the horizon, sometimes a board mandate, sometimes an incident you are still dealing with.

After the call we send a scoping questionnaire. For a penetration test it asks about the number of applications, your IP ranges, the user roles involved, and when we can test. For a compliance or DPO engagement it asks about your data flows, the systems in scope, and the documentation you already have. The answers let us size the job for what it actually is instead of quoting some off-the-shelf package.

You then get a written proposal with a fixed scope, a timeline, and a price. Nothing begins until you sign off on it and we both sign a mutual non-disclosure agreement.

Step 2

What the first weeks look like

Most engagements move through the same onboarding sequence. How long each part takes depends on the scope, but the order rarely changes.

  1. Kickoff and access

     We confirm the scope, agree on who we talk to, and line up the access we need, whether that is test accounts, network ranges, documentation, or interview slots. We also agree on what happens if we find something critical partway through, so nobody is caught off guard.

  2. Information gathering

     We collect and read through whatever is in scope: architecture diagrams, existing policies, asset inventories, findings from a previous audit. On a compliance engagement this is where we map your systems against the framework you answer to.

  3. Active work

     The testing, assessment, or analysis runs against the scope we agreed on. For technical work that means hands-on testing. For advisory work it means gap analysis and interviews. If we find anything critical, you hear about it right away. We do not sit on it until the report.

  4. Review and validation

     We check every finding, strip out the false positives, and make sure what we report can be reproduced. If we raise an issue, we can show it to you.

  5. Reporting and handover

     We hand over the report, walk you through it, and answer questions from both your leadership and your technical teams.

Step 3

What you receive

Every engagement ends with a written report in two layers. The executive summary states your overall risk position in plain language, with no jargon, so a board member or a regulator can read it straight through. The technical section lists each finding with its severity, the evidence, the business impact, and a specific step to fix it.

We score findings with recognised scales like CVSS for technical vulnerabilities, so your team can prioritise the same way every time. When a finding ties back to a regulation, we name it, for example a control under POJK 11/2022 or an obligation under UU PDP, so your compliance owners can act without flipping between documents to work out what we mean.

Reports go out over a secure channel. The report is yours, and we treat what is in it as confidential under the non-disclosure agreement.

Step 4

Support after delivery

A report only matters if the issues get fixed. After we deliver, we stay on hand to clarify findings and look over your remediation plan. For penetration tests and assessments we include a retest window, so once you have made the fixes we can confirm they actually closed the issue and update the report to show a clean result.

A lot of clients move on to an advisory retainer after the first engagement. That gives them a named contact for security questions, support when an audit comes up, and priority access to our incident response team. Others just come back for the next scheduled assessment. Either way, the relationship does not stop the moment the report arrives.

Standards

The frameworks we work to

Our methodology follows established international standards and maps to the Indonesian regulations our clients have to answer to. These are the frameworks behind the work.

Common questions about working with us

It depends on the scope. A focused penetration test usually runs two to four weeks from kickoff to report. A full compliance or ISO 27001 engagement takes longer because there is documentation and process review to work through. Whatever the case, you get a firm timeline in the proposal before any work begins.

Ready to scope your engagement?

Tell us what you need to protect and we will walk you through how the engagement would run, with a clear scope and timeline.

Talk to Alpha Code