SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Remote · USA Full-time New today

Summary

We need an independent third-party penetration test of our production SaaS platform to satisfy a SOC 2 control. We're looking for an experienced, certified penetration tester (OSCP / OSWE / GWAPT / CREST or equivalent) who can start immediately and deliver a professional, audit-ready report. TIMELINE — TIME-SENSITIVE: We need the testing performed and the final report delivered within 1 week of kickoff. Please only bid if you have current availability. ABOUT THE SYSTEM (full details and credentials shared under NDA with the selected tester): - Customer-facing web application: Next.js / React / TypeScript - Backend: Python / Django / Django REST Framework API - Authentication: Keycloak (OIDC) — username/password, social login, TOTP/MFA - Two supporting Python/Django microservices - Hosted on AWS (ECS Fargate, ALB + WAF, RDS PostgreSQL) - Role-based access with two primary roles (organization admin + end user) SCOPE: - External web application penetration test (OWASP Web Security Testing Guide) - API penetration test (OWASP API Security Top 10) - Authenticated testing across both user roles, with emphasis on authorization / access-control / IDOR / privilege escalation - Authentication & session security review (OIDC flows, token handling, MFA) - We'll align with you on whether to test a production-mirrored staging environment or production directly. OUT OF SCOPE (unless you flag something as essential): source-code audit, full cloud-configuration audit, social engineering, physical security, and DDoS testing. REQUIRED DELIVERABLES: 1. Formal penetration test report suitable for a SOC 2 audit — executive summary, scope, methodology, findings with CVSS severity ratings, proof-of-concept / reproduction steps, and prioritized remediation guidance. 2. A retest / verification of remediated findings after we fix them. 3. A signed attestation / summary letter we can share with our auditor (stating an independent test was performed, plus the period and scope). INDEPENDENCE: You must be independent from our company (no prior development relationship). This is required for the SOC 2 control. BUDGET: Open — please submit your best fixed-price bid for the full engagement (testing + report + one retest + attestation letter). Fixed-price proposals only. TO BE CONSIDERED, PLEASE INCLUDE IN YOUR PROPOSAL: 1. A redacted sample penetration test report (so we can assess report quality). 2. Your relevant certifications and a brief note on similar SOC 2 engagements. 3. Your earliest start date and the turnaround time you can commit to. 4. Your fixed price for the scope above. Apply To This Job

Apply

SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Summary

Related roles

Information Security Specialist/Analyst II - Information Solutions (Remote)

Cyber Security Analyst - Clearance Required Remote / Telecommute Jobs

Information Security Analyst - Remote

IT Security Analyst – Remote, United States

Experienced Cyber Security Analyst – 3rd Shift Remote Opportunity for Protecting Businesses from Cyber Threats

[Remote] Cyber Security Analyst II, Data Protection

Sr Security Analyst / Specialist - JDE

Senior Security Analyst, Security Operations (Threat Detection)

Senior Network Security Analyst

Information Security Analyst - Remote

Director, K-12 Education & Technical Assistance

Counterparty Risk Analyst

Sr. Staff Product Manager - Trade, Payward Services

Experienced Data Entry Specialist – Work From Home Opportunity at arenaflex

Staff Actuary (Medicare) | Manhattan, NY, USA | Remote

Experienced Full Stack Chat Support Representative – arenaflex

Entry-Level Medical Transcription Jobs from Home with Paid Training

Experienced Full Stack Data Engineer – Cloud and Big Data Application Development at arenaflex

Sr Lead Data Engineer

Architecture & Engineering Project Assessor (BVTA)