I recently had the opportunity to work on a Vulnerability Assessment and Penetration Testing (VAPT) engagement for several branches of a regional bank in Indonesia.
Instead of spending most of the time behind a desk, this project involved visiting multiple branches in different cities and working directly in their environments. Each location had its own setup, its own team, and its own way of operating, which made the experience both challenging and interesting.
Starting With Observation
Before running any tools, we started with something simple: understanding the environment. This meant walking around the branch, looking at how devices were connected, how workstations were used, and identifying things that could potentially introduce security risks. Sometimes small details like an exposed service, unnecessary access, or a misconfiguration can become entry points if left unnoticed.
Security assessments often begin by paying attention to these small things.
Moving Into Technical Testing

After the initial observations, we moved into the technical side of the assessment.
We performed vulnerability scanning and network analysis using several tools, followed by manual validation to confirm the findings. Automated scans can highlight potential issues, but each result still needs to be reviewed carefully to understand whether it is actually exploitable and what impact it might have.
Reporting and Presenting the Findings
Once the assessment was completed, the next step was documenting everything in a report and presenting the findings to the stakeholders.
During these sessions, we explained where the vulnerabilities came from, the potential risks they could introduce, and what steps could be taken to address them. Clear communication becomes very important here, because technical findings need to be understood by both technical teams and management.

Security Awareness

Another part of this engagement was conducting security awareness sessions. Technology alone is not enough to keep systems secure. People play a huge role as well. Through these sessions, we shared practical insights about common security risks and simple practices that can help reduce them.
The goal was to make security something everyone understands, not just the technical team.
What I Took Away From This Experience

Working across multiple branches meant constantly adapting. Every location was different — different setups, different people, and different ways of working. It also meant collaborating with teams we had just met and making sure the assessment process ran smoothly.
Beyond the technical experience, this project reminded me that cybersecurity is not just about tools or exploits. It is also about communication, collaboration, and understanding how systems and people work together in real environments.
A big thank you to the client and the teams involved for the collaboration and for giving me the opportunity to grow through this experience.