8grams8grams.
BlogCasesEbook
ENID
Start a Project
ENID
Start a Project
8grams8grams.

AI-powered software studio taking your web apps, mobile apps, and cloud infrastructure from idea to production.

Get in touch

  • [email protected]
  • WhatsAppWhatsApp: +62 811-3143-975
Read 8grams on MediumLike 8grams on FacebookFollow 8grams on InstagramFollow 8grams on LinkedInFollow 8grams on X

Pages

  • Cloud Migration
  • Cost Optimization
  • Cybersecurity
  • Kubernetes Migration
  • Cloud Cost
  • Kubernetes Ops
  • CI/CD Pipeline
  • Cases
  • Blog
  • Contact

Services

  • DevOps & Cloud Infrastructure

    Reliable, scalable infrastructure engineered for growth.

  • Web Application Development

    Custom web apps built for real business outcomes.

  • Mobile App Development

    iOS and Android apps users actually want to use.

  • Web Company Profile

    Fast, search-friendly company sites with measured SEO, GEO, and AEO.

  • Cybersecurity

    Find and fix security issues before they become incidents.

Start a Project

We reply within one business day.

© 2026 8grams Technology. Surabaya, Indonesia.

Built for teams with something to ship.

Chat with us
Cybersecurity

AI-augmented defence, tested by real attackers.

Your whole security lifecycle is covered, with AI doing real work alongside the team. That means LLM-assisted code review, machine-learning anomaly detection in your SIEM, AI-driven alert triage that cuts your noise, plus the human red team and blue team operators who do what AI can't, and a real engineer on the phone within the hour when something fires.

  • AI-assisted SAST and DAST scanning on every pull request
  • ML-based anomaly detection and LLM alert triage in your SIEM
  • Certified pentesters running AI-augmented red team operations
  • AI threat-modelling for LLM, RAG, and agentic systems (OWASP LLM Top 10)
Start a conversationSee how it works

Incident response

< 1hr initial contact

A security toolchain your team can run and keep running

Kali LinuxMetasploitSnykSonarQubeElasticGrafanaVaultWireshark
How your security gets stronger

Four disciplines, one security team.

Security splits into four separate disciplines, and you get all of them from one team. That saves you from stitching together four different vendors and hoping they talk to each other.

DevSecOps

Security from the first commit

Plenty of teams bolt security on at the end and call it a review. Yours gets built in from the start. That means threat modelling while your system is still being designed, AI-assisted scanning that runs inside your CI, and hardening standards your developers will actually follow.

  • OWASP Top 10 and OWASP LLM Top 10 addressed at architecture and code level
  • AI-assisted SAST and DAST scanning on every pull request
  • Secrets management, container hardening, AI-powered dependency triage
  • Security gates before every production deployment
Discover more
Red Team

Penetration testing and red team ops

Your systems get broken into the way a real attacker would. Methodically, no punches pulled. That covers your web apps, APIs, mobile apps, networks, cloud environments, and AI surfaces such as LLM prompt injection, jailbreaks, model extraction, and RAG data leakage. Then you get a documented report that explains exactly what was found and how to fix it.

  • Web application and API penetration testing (OWASP methodology)
  • LLM and AI red teaming: prompt injection, jailbreaks, data exfiltration
  • Mobile app security assessment (iOS and Android)
  • AI-augmented social engineering and phishing simulations
Discover more
Blue Team

AI-powered detection and active defence

The red team finds the gaps. The blue team watches for anyone trying to walk through them. Your SIEM is set up with machine-learning anomaly detection, LLM-driven alert triage that summarises an incident in plain language, and detection rules tuned to flag real threats instead of drowning your team in noise.

  • SIEM with ML-based anomaly detection and behavioural baselining
  • LLM-powered alert triage and incident summarisation
  • Threat intelligence feeds, IOC matching, and AI-assisted hunting
  • Runbooks and an on-call process your internal team can run
Discover more
Incident Response

Contain, recover, and learn

How bad an incident gets is usually decided in the first hour. You can reach a real engineer around the clock. The breach gets contained, forensic evidence preserved, your operations running again, and you get a root cause analysis so the same thing doesn't happen twice.

  • Initial contact in under an hour on retainer engagements
  • Breach containment, isolation, and evidence preservation
  • Forensic analysis and root cause determination
  • Post-incident hardening and a lessons-learned report
Discover more
What shapes your security

Three things that shape how your security holds up.

Security is an engineering discipline, an adversarial game, and a day-to-day operational habit all at once. Yours is treated as all three, run in parallel rather than one after another.

DevSecOps

Build it in, don't bolt it on.

A flaw found after launch costs roughly ten times more to fix, and it's far less likely to ever get fixed at all. So the work moves earlier. AI-assisted threat modelling, automated scanning with LLM-driven false-positive filtering, and hardening standards become part of your development pipeline, which means most vulnerabilities surface during code review rather than in a post-launch audit.

  • AI-assisted threat modelling during architecture design
  • SAST tools (Semgrep, CodeQL) with LLM-powered triage in CI
  • DAST scanning against staging before every release
  • OWASP LLM Top 10 controls for any AI surface you ship
Complete Team

Both sides of the fight.

A penetration test on its own only tells you half the story. You get both sides: operators who think like attackers, and analysts who detect and hunt them. You end up with a clear read on where you actually stand, rather than a list of findings with no context.

  • Certified penetration testers (OSCP, CEH, PNPT)
  • Red team operations with real-world attack simulation
  • Blue team setup: SIEM, EDR, network monitoring, alerting
  • Purple team exercises to validate detection coverage
Incident Response

Help that picks up the phone.

Incidents rarely wait for office hours. With a retainer in place, you have a trained team on the line within the hour, whatever the time or day. The breach gets contained, evidence preserved, your operations back up, and then you're walked through what happened and how to keep it from recurring.

  • Initial response in under an hour on retainer engagements
  • Real 24/7 on-call coverage, not a ticket queue
  • Forensic-grade evidence handling for legal and compliance use
  • Full incident report with timeline and remediation steps
Engagement

From first assessment to hardened and monitored.

Five steps that finish with your systems tested, your defences live, and your team trained. You end up with a running setup, not a PDF report that gets filed and forgotten.

01

Assess

We map your attack surface, inventory your assets, model the threats, and review where you stand today. You get a written risk report inside a week.

02

Plan

We agree the scope, the rules of engagement, the threat model, and a remediation roadmap ranked by priority. All of that is signed off before any testing starts.

03

Attack

Red team and penetration testing runs against the agreed scope. Every finding is documented with a severity rating, evidence, and the steps to reproduce it.

04

Defend

We deploy the blue team tooling: SIEM, alerting, log aggregation, and detection rules tuned to your specific environment.

05

Harden

Findings get fixed, controls get verified, runbooks get written, and your team gets trained. You can add a retainer for ongoing monitoring and incident response if you want one.

FAQ

Common questions before you get started.

What's the difference between a penetration test and a red team engagement?

A penetration test has a fixed scope and timeframe. The goal is to find and document as many vulnerabilities as possible inside that boundary. A red team engagement is broader and goal-driven. We simulate a realistic attack campaign and see whether your defences actually catch it. So a pentest tells you where your weak spots are, while a red team engagement tells you whether your blue team can spot an attack in progress.

Do you assess systems you didn't build?

Yes, and most of our assessments are exactly that. We need access credentials, documentation, and written authorisation from you. We don't need to have built the system to find the holes in it.

How quickly can you respond to a security incident?

With a retainer, we make initial contact in under an hour, any time of day. Without one, we aim to be engaged within four hours. If you have an active incident right now, message us on WhatsApp.

What do we receive after a penetration test?

A full written report, not a raw scan dump. It includes an executive summary written in plain business-risk language, CVSS-scored findings with evidence, steps to reproduce each one, and guidance on how to fix them. We also include a re-test window once you've worked through the fixes.

Do you red team AI and LLM applications?

Yes. We test the entire AI surface against the OWASP LLM Top 10: prompt injection (direct and indirect), jailbreaks, training-data leakage, model denial of service, supply-chain risks on model weights and embeddings, sensitive-information disclosure through RAG, insecure plugin and tool-use design, and agentic systems with too much autonomy. The report covers the model, the prompts, the retrieval layer, the tools the agent can call, and the data it can reach.

How does AI fit into your blue team and SIEM work?

We deploy SIEM with machine-learning anomaly detection so behavioural baselines pick up the slow, quiet attacks that signature rules miss. On top of that we wire in LLM-powered alert triage: each alert is summarised in plain language, ranked by likely severity, and grouped with related events, which typically cuts triage volume by 60 to 80%. The aim is to reduce noise so the analysts spend their time on real incidents, not on dismissing false positives.

How do we define the scope of an engagement?

We define scope together during the planning phase, before any testing begins. You tell us which assets are in play (domains, IP ranges, applications, APIs, mobile apps, cloud accounts), and which are explicitly off-limits. We write the agreed targets, rules of engagement, and testing windows into a signed document, so nothing gets touched outside that boundary and there are no surprises.

What access and credentials do you need from us?

For most assessments we recommend grey-box: you give us test accounts at each privilege level, network access, and relevant documentation or source code, which makes the test faster and more thorough. You get deeper coverage for the same budget, since we are not spending days on reconnaissance that a determined attacker would eventually complete anyway. A black-box test, by contrast, starts with no inside knowledge at all. We recommend the level that fits your risk and budget.

How are severity ratings assigned in the report?

Every finding is scored with CVSS (Common Vulnerability Scoring System) and mapped to a plain-language band: critical, high, medium, low, or informational. The rating reflects both technical impact and how exploitable the issue is in your specific context, not just a raw number. That lets you prioritise remediation by real business risk rather than guessing which findings actually matter.

Do you retest after we fix the findings?

Yes. Every engagement includes a retest window once you have worked through the fixes, usually within 30 to 60 days of the original report. We re-run the same tests against each remediated finding and confirm whether it is genuinely closed or only partially mitigated. You receive an updated report showing the resolved status of each item, which is often what auditors and customers want to see.

Can you support compliance frameworks like ISO 27001, SOC 2, PCI DSS, or OJK?

Yes. We align our testing and reporting to the framework you need, whether that is ISO 27001, SOC 2, PCI DSS, or Indonesian regulations such as OJK and the Personal Data Protection Law (UU PDP). The report is structured so your auditor can map findings directly to the relevant controls. If you are pursuing certification, we can scope the assessment to satisfy the penetration testing and vulnerability management requirements those standards impose.

Will testing disrupt our production systems?

Our default is to test without disrupting your operations. Wherever possible we work against a staging or pre-production environment that mirrors production, and we agree testing windows in advance for anything live. Intrusive checks such as denial-of-service or load testing are only run with your explicit written sign-off, and we keep a direct contact open during testing so anything unexpected can be paused immediately.

Learn

The concepts behind our security.

Security

Cyber Security Architecture

Strong security architecture rests on five time-tested principles: defense in depth, least privilege, separation of duties, security by design, and simplicity. Here's what each one means.

Read
Security

Zero Trust Security

Zero Trust drops the idea of a trusted internal network and verifies every request instead, 'never trust, always verify'. Here's how it works and why it fits the modern cloud era.

Read
Security

DevSecOps

DevSecOps builds security into every stage of the software lifecycle instead of bolting it on at the end. Here's what it is, why it matters, and how security fits across build, ship, and run.

Read
Security

Security Lifecycle Management

Security lifecycle management protects sensitive data continuously through three stages: protect it, inspect for exposure, and enforce least-privileged access. Here's how to get started.

Read
Portfolio

Related portfolio

Clients now running hardened infrastructure and monitoring that catches problems early.

Confidential

Confidential

Cloud Cost Optimization

60%Cost Optimization

"We needed to dramatically cut cloud infrastructure costs without touching system reliability. 8grams migrated us to AWS, rebuilt our workloads on Kubernetes, and reduced our spend by 60%, without losing a single SLA commitment in the process."

amazonwebserviceskubernetesterraform
REP MEQR

REP MEQR

Scalable Cloud Infrastructure

70%Scalability

"REP-MEQR, as a government program overseeing dozens of projects, requires a reliable cloud infrastructure to serve more than 5 million active users, making it one of the most critical factors for the success of the ongoing program."

googlecloudterraformkubernetesgitlab
Scalev

Scalev

Scalev

ZeroDowntime deploys

"Scalev's platform was migrated from manual VM-based deployments to a production-grade Kubernetes cluster, fronted by an end-to-end CI/CD pipeline with automated testing, image scanning, and GitOps-driven releases. On top of that sits a blue team security layer: centralised log aggregation, SIEM-based alerting, network monitoring, and a tested incident response runbook, giving the team continuous visibility and faster, safer releases for every seller on the platform."

kubernetesdockergithubactionsgrafana
Free · no obligation

Not ready to start? Get a free security audit.

Drop your email (and a link to review, if you have one) and we'll send back a short, practical audit: the quick wins and the risks we'd tackle first. No call required, no sales pitch.

No spam. We reply within one business day.

Contact Us

Find your weak spots before an attacker does.

Tell us what you're after, whether that's a one-time assessment, ongoing monitoring, or incident response cover. We reply within 1x24 working hours. If you're dealing with an active incident, message us on WhatsApp now.

Email

[email protected]

Office

Surabaya, Indonesia

Starting price

From USD 4,000

Typical projects: USD 4,000–25,000

Tell us about your project

We'll reply within one business day, and we won't put you through a sales pitch.

Prefer to chat? WhatsApp us