SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Worldwide Salaried Open

Summary

We need an independent third-party penetration test of our production SaaS platform to satisfy a SOC 2 control. We're looking for an experienced, certified penetration tester (OSCP / OSWE / GWAPT / CREST or equivalent) who can start immediately and deliver a professional, audit-ready report. TIMELINE — TIME-SENSITIVE: We need the testing performed and the final report delivered within 1 week of kickoff. Please only bid if you have current availability. ABOUT THE SYSTEM (full details and credentials shared under NDA with the selected tester): - Customer-facing web application: Next.js / React / TypeScript - Backend: Python / Django / Django REST Framework API - Authentication: Keycloak (OIDC) — username/password, social login, TOTP/MFA - Two supporting Python/Django microservices - Hosted on AWS (ECS Fargate, ALB + WAF, RDS PostgreSQL) - Role-based access with two primary roles (organization admin + end user) SCOPE: - External web application penetration test (OWASP Web Security Testing Guide) - API penetration test (OWASP API Security Top 10) - Authenticated testing across both user roles, with emphasis on authorization / access-control / IDOR / privilege escalation - Authentication & session security review (OIDC flows, token handling, MFA) - We'll align with you on whether to test a production-mirrored staging environment or production directly. OUT OF SCOPE (unless you flag something as essential): source-code audit, full cloud-configuration audit, social engineering, physical security, and DDoS testing. REQUIRED DELIVERABLES: 1. Formal penetration test report suitable for a SOC 2 audit — executive summary, scope, methodology, findings with CVSS severity ratings, proof-of-concept / reproduction steps, and prioritized remediation guidance. 2. A retest / verification of remediated findings after we fix them. 3. A signed attestation / summary letter we can share with our auditor (stating an independent test was performed, plus the period and scope). INDEPENDENCE: You must be independent from our company (no prior development relationship). This is required for the SOC 2 control. BUDGET: Open — please submit your best fixed-price bid for the full engagement (testing + report + one retest + attestation letter). Fixed-price proposals only. TO BE CONSIDERED, PLEASE INCLUDE IN YOUR PROPOSAL: 1. A redacted sample penetration test report (so we can assess report quality). 2. Your relevant certifications and a brief note on similar SOC 2 engagements. 3. Your earliest start date and the turnaround time you can commit to. 4. Your fixed price for the scope above. Apply To This Job

Apply now

SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Summary

More jobs

Information Security Specialist/Analyst II - Information Solutions (Remote)

Senior Security Analyst, Security Operations (Threat Detection)

Software Tester / QA Analyst / Automation Engineer

Manual QA Engineer, Web Applications (US-Remote)

[Remote] Testing & QA Engineer (Leawood, KS or Arlington, VA)

QA Engineer

[Remote] Product Builder (Product Manager), AI Agents

Staff Product Manager, Travel Management

AVP, Project Manager (REMOTE - EASTERN/CENTRAL TIME PREFERRED)

Director of Project Management (m/f/d)

Kundenberater (all genders) – Fokus Versicherungsberatung auf den kanarischen Inseln

Full Time Nursing Faculty- BSN Online Prelicensure-Health & Wellness

Experienced Remote Data Entry Clerk – Flexible Work Opportunities for Teens

Entry Level - Customer Service Representative | REMOTE ©

Looking for Accounting Manager - REMOTE

VP, Physician Review and Market Insights

Experienced Part-Time Remote Customer Service Representative – American Airlines Customer Service Center

Remote Supply Chain Operations Manager - Global Logistics

Tech Lead, Web Core Product & Chrome Extension - Brisbane, Australia

Manager, Labor Strategy & Engagement (Remote)