8grams8grams.
BlogCasesEbook
ENID
Start a Project
ENID
Start a Project
8grams8grams.

AI-powered software studio taking your web apps, mobile apps, and cloud infrastructure from idea to production.

Get in touch

  • [email protected]
  • WhatsAppWhatsApp: +62 811-3143-975
Read 8grams on MediumLike 8grams on FacebookFollow 8grams on InstagramFollow 8grams on LinkedInFollow 8grams on X

Pages

  • Cloud Migration
  • Cost Optimization
  • Cybersecurity
  • Kubernetes Migration
  • Cloud Cost
  • Kubernetes Ops
  • CI/CD Pipeline
  • Cases
  • Blog
  • Contact

Services

  • DevOps & Cloud Infrastructure

    Reliable, scalable infrastructure engineered for growth.

  • Web Application Development

    Custom web apps built for real business outcomes.

  • Mobile App Development

    iOS and Android apps users actually want to use.

  • Web Company Profile

    Fast, search-friendly company sites with measured SEO, GEO, and AEO.

  • Cybersecurity

    Find and fix security issues before they become incidents.

Start a Project

We reply within one business day.

© 2026 8grams Technology. Surabaya, Indonesia.

Built for teams with something to ship.

Chat with us
Cybersecurity/AI-Powered Blue Team
AI-Powered Blue Team

AI-powered detection, before threats turn into incidents.

A red team finds the holes. A blue team watches for anyone trying to use them. Your environment gets a SIEM with machine-learning anomaly detection, LLM-powered alert triage that summarises incidents in plain language, and detection rules tuned to how you actually run. Then your team is trained to act on the alerts that matter instead of drowning in false positives.

  • SIEM with ML-based anomaly detection and behavioural baselining
  • LLM-powered alert triage that cuts noise by 60 to 80%
  • Threat intelligence feeds with AI-assisted IOC matching and hunting
  • Runbooks and detection playbooks written for your internal team
Get a quoteWhy this matters

Open-source and commercial tooling your team can keep running on its own.

ElasticWazuhGrafanaPrometheusSuricataOpenTelemetry
Why

Most breaches take months to spot. Yours shouldn't.

On average, more than 200 days pass between a breach and the moment someone notices it. By then the attacker has moved across your network, taken data, and set up ways to get back in. A blue team exists to shrink that gap from months down to hours.

Logs exist, but nobody is reading them

When an incident hits, the team realises they can't piece together what happened. Forensics after the fact go nowhere if the logs were never collected in one place.

Security alerts nobody trusts

There are 300 alerts a day and 290 of them are false positives. So the team stopped reading them. The 10 alerts that mattered never got investigated.

An incident plan nobody has read

There is a security policy somewhere. When a real incident happens, nobody follows it, because it doesn't match the situation in front of them and they never practiced it.

Logs scattered across three places with nothing tying them together

Application logs sit in CloudWatch, network logs sit in the firewall, host logs sit on the servers. Tracing a single lateral movement event means clicking through three different interfaces by hand. Attackers count on exactly that.

The Process

How we run this engagement.

Each step produces something concrete, comes with a written hand-off, and has to pass a checkpoint before we move on to the next one.

01

Logging architecture

We design how your logs get collected: what to capture, where it comes from, how long to keep it, and what that costs. The build uses Fluentd or Fluent Bit collectors, structured logging standards, and a pipeline that holds up when traffic spikes instead of quietly dropping events.

02

SIEM deployment

We deploy and configure Elastic SIEM, Wazuh, or a cloud-native equivalent. It comes with dashboards, saved searches, and correlation rules tuned to your environment rather than a generic template someone copied from a vendor.

03

Detection rules

We write rules for the attack surface you actually have. That covers failed authentication patterns, signs of lateral movement, data exfiltration, and privilege escalation attempts. Each rule is tuned so it doesn't drown your team in false positives.

04

Threat intelligence integration

We connect open-source or commercial threat intelligence feeds for IOC matching, so known bad IPs, domains, and file hashes get flagged automatically as they show up in your logs.

05

Runbooks and team training

We write detection playbooks for your top 10 alert types, covering what to check, what to escalate, and what to do next. Before we hand off, we run tabletop exercises so you know the playbooks hold up.

The Result

What you walk away with.

These are outcomes you can measure, not a slide deck. Here's the change you should expect to see.

Onelog pipeline

Everything visible in one place

Application, network, and host logs are correlated inside a single SIEM. When something happens, the whole picture is right there instead of spread across three tools.

<10false positive alerts/day

Alerts your team can actually work through

Detection rules tuned to your environment keep alert volume low and confidence high, so your team can read every alert that comes in.

Testedplaybooks

Runbooks that hold up under pressure

Your team runs tabletop exercises before the engagement ends, so the response is already practiced well before the real incident arrives.

Visibility your forensics work can rely on

Log retention and correlation rules are set up so that after an incident you can reconstruct exactly what happened and back it up with evidence.

FAQ

Common questions.

Do you run a managed SOC, or just set up the tooling?

We do both. In a standard engagement we deploy the tooling, tune the detection rules, and train your team to run it. If you don't have an internal team to operate the SOC, we offer a managed detection and response retainer with agreed escalation SLAs.

How do you keep the SIEM from drowning us in false positives?

We tune against a baseline. Before writing any detection rules, we spend time learning what normal looks like in your environment. Rules run in observation mode first, with exclusion logic suppressing the noise, and only start alerting once the signal-to-noise ratio is good enough.

Which threat intelligence sources do you use?

We use open-source feeds such as AlienVault OTX, Emerging Threats, and abuse.ch as a baseline, and add commercial feeds for clients with a more mature program. The choice depends on your threat model, since a fintech company faces a very different set of adversaries than an e-commerce startup.

Which SIEM do you deploy?

We typically deploy Elastic SIEM or Wazuh, or work with a cloud-native option like Microsoft Sentinel if that fits your stack better. The choice depends on your existing logging, your budget, and whether your team needs to keep running it independently afterwards. We deploy something your team can actually operate, not a tool that becomes shelfware.

How do you write detection rules that catch real attacks?

We map rules to the attack surface you actually have and to MITRE ATT&CK techniques, covering failed authentication patterns, lateral movement, data exfiltration, and privilege escalation. Each rule is built against a baseline of your normal activity so it fires on genuine anomalies. We document what each rule detects and what to do when it triggers.

How do you tune alerts so the team isn't flooded?

We learn what normal looks like in your environment first, then run new rules in observation mode with exclusion logic suppressing the known-good noise. Rules only start alerting once the signal-to-noise ratio is good enough, and LLM-assisted triage summarises and prioritises what remains. The target is fewer than ten false positives a day so every alert is worth reading.

Do you provide on-call or 24/7 monitoring?

In a standard engagement we set up the tooling and train your team to run the monitoring themselves. If you do not have the staff to cover it, we offer a managed detection and response retainer with agreed escalation SLAs and after-hours coverage. We will help you decide which model fits your team size and risk profile.

What do we need to have in place before you start?

Ideally centralised logging from your applications, network, and hosts, or at least access to those log sources so we can build the pipeline. We also need to understand your environment: assets, user roles, and what normal traffic looks like. If logging is fragmented or missing, building that foundation is the first part of the engagement.

Do you run tabletop exercises with our team?

Yes. Before we hand off, we run tabletop exercises that walk your team through realistic scenarios using the detection playbooks we wrote. It tests whether the runbooks hold up and whether people know what to check, escalate, and do next. The response is practised well before a real incident arrives.

How does the blue team work hand off to incident response?

The SIEM, detection rules, and log retention we set up are exactly what an incident responder needs to reconstruct an attack, so the blue team work feeds directly into faster forensics. The detection playbooks define when an alert becomes an incident and who to escalate to. If you also hold an incident response retainer with us, the team responding already knows your environment.

Contact Us

Have a project in mind? Let's build it.

Dealing with an active incident? Message us on WhatsApp now. For anything else, whether that's a security assessment, DevSecOps work, or a blue team setup, the form below is the place to start. We reply within one working day with a straight read on scope and cost.

Email

[email protected]

Office

Surabaya, Indonesia

Starting price

From USD 4,000

Typical projects: USD 4,000–25,000

Tell us about your project

We'll reply within one business day, and we won't put you through a sales pitch.

Prefer to chat? WhatsApp us