8grams8grams.
BlogCasesEbook
ENID
Start a Project
ENID
Start a Project
8grams8grams.

AI-powered software studio taking your web apps, mobile apps, and cloud infrastructure from idea to production.

Get in touch

  • [email protected]
  • WhatsAppWhatsApp: +62 811-3143-975
Read 8grams on MediumLike 8grams on FacebookFollow 8grams on InstagramFollow 8grams on LinkedInFollow 8grams on X

Pages

  • Cloud Migration
  • Cost Optimization
  • Cybersecurity
  • Kubernetes Migration
  • Cloud Cost
  • Kubernetes Ops
  • CI/CD Pipeline
  • Cases
  • Blog
  • Contact

Services

  • DevOps & Cloud Infrastructure

    Reliable, scalable infrastructure engineered for growth.

  • Web Application Development

    Custom web apps built for real business outcomes.

  • Mobile App Development

    iOS and Android apps users actually want to use.

  • Web Company Profile

    Fast, search-friendly company sites with measured SEO, GEO, and AEO.

  • Cybersecurity

    Find and fix security issues before they become incidents.

Start a Project

We reply within one business day.

© 2026 8grams Technology. Surabaya, Indonesia.

Built for teams with something to ship.

Chat with us
Cybersecurity/Penetration Testing & AI Red Teaming
Penetration Testing & AI Red Teaming

Find your weak spots before an attacker does.

Your applications, APIs, networks, mobile apps, and AI surfaces get tested the way a real attacker would, including prompt injection, jailbreaks, model extraction, and RAG data leakage against your LLM features. The testing is hands-on, with no punches pulled. You get back a report with CVSS scores, exact reproduction steps, and remediation guidance your developers can start working from the same day.

  • Web application and API penetration testing, following OWASP methodology
  • AI and LLM red teaming against the OWASP LLM Top 10
  • Mobile application security assessment for iOS and Android
  • AI-augmented social engineering and phishing simulations
Get a quoteWhy this matters

The tools security professionals reach for on real engagements.

Kali LinuxMetasploitBurp SuiteOWASPWireshark
Why

Attackers will find the gaps your developers walked past.

Developers are paid to build features, and that's a different mindset from breaking them. Code review catches logic errors. It rarely catches the creative chains of valid-looking requests that an attacker uses to take over a real system. A penetration test is how you see your application through hostile eyes.

The last pentest was two years ago

Since then you've shipped new features and extended your APIs, and the kinds of attacks people run have moved on. That old report describes a system that no longer exists. It says nothing useful about where you stand today.

Scanner output, but no real testing

A tool ran, spat out 200 findings, and nobody can tell which ones are real. Automated scanners simply don't see business logic vulnerabilities. Catching those takes a person.

An enterprise client is asking for a pentest report

Their vendor onboarding needs a report dated within the last 12 months. You don't have one, so the deal is sitting on hold while you scramble.

An API that has never been looked at

It handles authentication, user data, and payments, and it has never been checked for injection, broken object-level authorisation, or rate limiting. That should have happened a long time ago.

The Process

How we run this engagement.

Each step produces something concrete, comes with a written hand-off, and has to pass a checkpoint before we move on to the next one.

01

Scoping

We agree the scope in writing first. That covers which systems are in play, which user roles we use, the test types, the rules of engagement, the testing windows, and who to call in an emergency. We don't touch anything outside that scope.

02

Reconnaissance

We map your attack surface the way an attacker would prepare for the job. That includes endpoints, authentication, third-party integrations, and any metadata you've left exposed.

03

Exploitation

Hands-on testing that follows the OWASP Testing Guide. We don't just point at a finding, we exploit it. That way the severity rating reflects real impact rather than a theoretical worst case.

04

Documentation

Every finding gets a CVSS score, a description, screenshots, reproduction steps, and remediation guidance. The report has an executive summary for leadership and the technical detail your developers need.

05

Re-test

Once your team has worked through the fixes, we test again and confirm each finding is closed. The final report shows the fixed state, which is the evidence your auditors and enterprise buyers are looking for.

The Result

What you walk away with.

These are outcomes you can measure, not a slide deck. Here's the change you should expect to see.

CVSS-scoredevery finding

A report your developers can act on right away

Every finding comes with reproduction steps, evidence, and specific remediation guidance. Nobody has to go research the fix. It's already in the report.

Hands-ontesting

Business logic flaws that scanners walk past

An experienced tester finds the broken authorisation, the insecure workflows, and the logic flaws that are specific to your application. No automated tool picks these up.

Re-testincluded

Confirmed fixes, not just a list of problems

Each finding is checked to confirm it's genuinely closed. Your audit evidence then shows both the original finding and the confirmed fix.

A report that enterprise procurement teams accept

The testers hold OSCP and CEH certifications, and the report is structured the way ISO 27001 auditors and enterprise security teams expect to see it.

FAQ

Common questions.

How often should we run penetration tests?

Once a year as a baseline, plus a test after any significant change such as a new feature, an architecture change, or a migration. If you handle payments or health data, every six months is closer to the right cadence. We'll give you a straight answer on what your risk profile actually calls for.

What's the difference between a vulnerability scan and a penetration test?

A scan is automated. It checks your systems against a database of known vulnerabilities. A pentest is hands-on. A skilled tester exploits those vulnerabilities using real attacker techniques and finds others that a scanner won't see at all. Scan output is a useful starting point for a pentest, but it isn't a replacement for one.

What do you need to provide to get started?

A signed statement of work, written authorisation to test the agreed scope, credentials for the user roles we'll need, and an emergency contact. We take care of everything else.

How do you decide the scope of a pentest?

We work it out with you up front: which applications, APIs, networks, and AI surfaces are in play, which user roles we test as, and whether the engagement is black box, grey box, or white box. We document what is explicitly out of scope so there is no ambiguity. Anything outside that boundary is left untouched.

What methodology do you follow?

Web and API testing follows the OWASP Testing Guide and the OWASP Top 10, AI and LLM testing follows the OWASP LLM Top 10, and we map findings to CVSS for severity. The work is manual and exploit-driven rather than scanner-only, which is what surfaces business logic flaws. The methodology is written into the report so you can see exactly what was covered.

What does the report look like, and who is it for?

Every finding gets a CVSS score, a clear description, evidence such as screenshots, exact reproduction steps, and specific remediation guidance. There is an executive summary for leadership and full technical detail for your developers. It is structured the way ISO 27001 auditors and enterprise procurement teams expect to receive it.

Is a re-test included after we fix the findings?

Yes. Once your team has worked through the fixes, we test each finding again and confirm it is genuinely closed. The final report shows both the original finding and the verified fixed state, which is the audit evidence enterprise buyers look for. Re-testing is part of the engagement, not a paid add-on.

Do you test against production or staging?

We prefer a staging or pre-production environment that mirrors production, so testing carries no risk to live users or data. When production testing is genuinely required, we agree careful rules of engagement: testing windows, rate limits, and an emergency contact who can stop the test instantly. We never run destructive tests against production without explicit written sign-off.

What access and credentials do you need from us?

For authenticated testing we need accounts for each user role in scope, ideally including a low-privilege and a high-privilege account so we can test authorisation boundaries. For grey or white box work we may also ask for architecture diagrams, API documentation, or source code. We tell you exactly what is needed for the depth of testing you have chosen.

What certifications do your testers hold?

Our testers hold industry certifications including OSCP and CEH, and they test hands-on against real attacker techniques rather than just running tools. Certifications are a baseline; the engagement results and the quality of the report are what actually matter. We are happy to share tester credentials during scoping.

Contact Us

Have a project in mind? Let's build it.

Dealing with an active incident? Message us on WhatsApp now. For anything else, whether that's a security assessment, DevSecOps work, or a blue team setup, the form below is the place to start. We reply within one working day with a straight read on scope and cost.

Email

[email protected]

Office

Surabaya, Indonesia

Starting price

From USD 4,000

Typical projects: USD 4,000–25,000

Tell us about your project

We'll reply within one business day, and we won't put you through a sales pitch.

Prefer to chat? WhatsApp us