LDP Batch 11 · Andrew Salim · 15m Presentation · 15m Q&A · Board of Directors · 24 June 2026

LDP Final Presentation.

Red Team 1 — Data on the page. Empathy in the room.
Manager — Team, Projects & Operations. Partnering with Division Manager on commercial & market direction.
Tenure
7 years Metrodata Group (MII → FMI)
Timeline
MII Intern (2019 – 2020)
MII Contract (2020 – 2022)
MII Permanent (2022 – 2024)
FMI Permanent (2025 – present)
Certifications
OSWE · GMOB · CRT · OSCP · CPSA · CEH(P)
Professional Credentials
Dale Carnegie Leadership Training (2026)
CCEP · APIsec CP · ISO 27001 LA (2025)
OffSec Web Expert (OSWE) (2024)
GIAC Mobile (GMOB) · CAP (2023)
CEH Practical (2022)
OffSec OSCP · CREST (CRT / CPSA) (2021)
RT1 Scope
14 engineers
The team

Shakato · Ryan · Marvin · Nico · Farhan · William · Bukhari · Alex · Sisko · Rafel · Bryan Besar · Patar · Bryan Kecil · Luqman

02 / 07

Lessons Learned from LDP

Three focus areas set with HR at the start of LDP — and where each stands today.

Leadership

Lead by audience — direction for juniors, discussion with peers, negotiation with seniors. Prioritise key people, but keep every voice heard; not every problem needs a fix — some need listening.

Decision Making

Frame every problem as Objective · PIC · Deadline. Spend energy on what I control; prepare workarounds for what I can't. A problem many engineers share is a divisional KPI signal, not an individual fault.

Communication

Translate the work into the audience's language. With C-level, lead with business risk and financial exposure — CVEs and payloads belong in the appendix, not the opening.

03 / 07

Our Client Base — by Industry

186 companies across more than a dozen industries — the division's real asset.

Banking
28
Bank Mandiri · Bank Danamon · BPD Kalsel · Bank ANZ · Bank Maspion · Bank Woori Saudara · Bank of China HK · BPD DKI Jakarta · 8 of 28 active in 2025
Financial Services
24
Artajasa · Kredit Plus · Akulaku Finance · Toyota Astra Finance · Buana Finance · E2Pay Global · 6 of 24 active in 2025
Insurance
20
Zurich Topas Life · IFG One · Tugu Re · AXA Mandiri · Mandiri AXA Insurance · AXA Financia · Dana Pensiun Mandiri · 7 of 20 active in 2025
Energy & Oil/Gas
16
Transportasi Gas Indonesia · 1 of 16 active in 2025
Manufacturing
15
Serasi Auto Raya · Pupuk Kalimantan Timur · Avian · Sinar Sentosa Primatama · 4 of 15 active in 2025
Mining
13
Kalimantan Prima Persada · Tuah Turangga · 2 of 13 active in 2025
Information Technology
12
Synnex Metrodata · Global Digital Indokreasi · Berca Hardayaperkasa · Five Jack · 4 of 12 active in 2025
Government / Regulator
4
Peruri · 1 of 4 active in 2025
Telecommunications
3
Telekomunikasi Indonesia · 1 of 3 active in 2025

Ink-blue = financial sector · grey = industrial & tech · sienna = under-penetrated. Plus ~51 clients across Logistics, Transportation, F&B and ~12 smaller segments.

Strength and gap

72 of 186 clients — 39% — sit in financial services. But only 55 of 186 show 2025 activity. The dormant pool — 131 accounts — is the deck's largest opportunity.

04 / 07

Where to Grow — and Why

Budget, IT focus and regulation sort the client map into three tiers.

Deepen — Financial Services

72 of our 186 clients. OJK and Bank Indonesia mandate regular security testing; banks, multifinance and insurers have the budgets and the obligation. Our stronghold — protect it and cross-sell harder.

Regulatory drivers — finance
POJK 11/2022 + SEOJK 29/2022
Banks must conduct cyber security testing periodically, based on risk analysis. For critical systems or substantial application changes, a penetration test is mandatory at least once a year. OJK requires an independent review mechanism.
PBI 2/2024 (KKS)
Payment Service Providers (Penyelenggara Jasa Pembayaran, PJP) and Payment Infrastructure Providers (Penyelenggara Infrastruktur Pembayaran, PIP) must carry out vulnerability assessments and cyber attack simulations before submitting their annual cyber risk profile report to Bank Indonesia.

Grow — Government & Telecom

Just 7 clients today. Peruri and Telkom active; OJK, Bank Indonesia, TAPERA and Indosat are warm or lapsed names — a scoped target list, not whitespace. BSSN mandates and the revised UU ITE make the buying motion real.

Regulatory drivers — public & telco
BSSN Regulation 4/2021 (Article 8)
Security vulnerability management for SPBE must be carried out through vulnerability assessment and penetration testing (covering Web Applications and Mobile Applications), with an exploitation PoC and a clear Risk Rating.
UU No. 1 of 2024 (second revision of UU ITE)
Electronic System Operators (Penyelenggara Sistem Elektronik, PSE), including telecommunications, must operate their Electronic Systems reliably and securely. The second revision of UU ITE strengthens the obligations on system security and data governance in electronic transactions.

Reactivate — the dormant book

131 of our 186 accounts are lapsed — Bank BNI, MSIG, BRI Life, Antam, Timah, OJK and many more. Structured re-contact reactivates relationships we've already won, with no acquisition cost.

Cross-sector driver — UU PDP
UU 27/2022 — Articles 35 · 39 · 57
Article 35: Personal Data Controllers must protect Personal Data from unauthorised access by operating a reliable and secure security system. Article 39: they must conduct periodic oversight of security governance. Article 57: administrative sanctions of up to 2% of annual revenue. The transition period has ended; the law is in full force.
What to do

Two named lists: a Government- & Telecom-first target list (Peruri, OJK, Telkom, Indosat) and a dormant-top-10 reactivation programme (BNI, MSIG, Antam, Timah, BRI Life). Same warm-relationship logic, two motions.

05 / 07

The Warmest Pipeline — Clients We Already Have

The warmest pipelines aren't new logos. Existing Blue Team clients who've never bought offensive security (58) — and lapsed Red Team accounts ready to re-engage (131).

87
Blue Team client accounts — every one an existing relationship
29
Already buy Red Team too — proof the cross-sell works
58
Blue-only — never bought Red Team. The warm target list (~50 after dedup)
Sector: Sample Blue-only accounts we already serve
Banking: Bank Permata · Bank Syariah Indonesia · BTPN · OCBC NISP · Bank Mizuho
Multifinance: Federal International Finance · Adira Dinamika · Mandiri Tunas Finance · BFI Finance
Insurance / Reinsurance: Indonesia Re · Reasuransi Indonesia Utama
Telecom & Public sector: Telkomsel · BPJS Ketenagakerjaan · Pertamina · Angkasa Pura · Pelindo III
What to do

These 58 are pre-qualified — the relationship already exists. Make a pentest scoping conversation a standard step in every Blue Team engagement.

06 / 07

Leading Red Team 1

Grounding management in data: a baseline survey of all 14 engineers to align individual aspirations with divisional goals.

14/14
Team Participation in baseline questionnaire
4
Tech Specialisms (Web, Mobile, API, Infra)
100%
Peer-review gate on all project reports

People

  • Talent Map: Data-driven IDPs built from survey skills-matrix.
  • Rotation: Project-based Tech Lead roles to build leadership.
  • Mentoring: Bi-weekly 1-on-1s to track blockers & progress.
  • Onsite Policy: Fair distribution model based on survey feedback.

Delivery

  • Standardized Scoping: Unified PT, VA, Red Team & Phishing.
  • Quality Gate: 100% peer-review required for all reports.
  • Execution Post-Review: Lessons learned fed back into methodology.
  • Billing Discipline: Monthly BAST & bucket true-ups.

Knowledge

  • Internal Wiki: Playbooks, payloads & engagement notes.
  • Asset Guard: Reducing single-point-of-knowledge risk.
  • Tooling Audit: Quarterly Build-vs-Buy reviews.
  • Retrospectives: Converting project wins into team assets.
07 / 07
Closing
Two lanes.

I lead the operational

  1. People — talent map, leadership rotation, 1-on-1s.
  2. Delivery — standardized scoping, peer-review gate.
  3. Knowledge — wiki, retros, tooling discipline.

The Board leads the business

  1. Sector strategy — where to deepen, where to grow.
  2. Commercial calls — pricing, named target list.
  3. The hiring ramp — pace, profile, when to gate.
With thanks to
Pak Erick
Mentor
Mba Shanti
HRBP
Pak Digit
Direct Manager