SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Remote role Full-time Open position

Summary

We need an independent third-party penetration test of our production SaaS platform to satisfy a SOC 2 control. We're looking for an experienced, certified penetration tester (OSCP / OSWE / GWAPT / CREST or equivalent) who can start immediately and deliver a professional, audit-ready report. TIMELINE — TIME-SENSITIVE: We need the testing performed and the final report delivered within 1 week of kickoff. Please only bid if you have current availability. ABOUT THE SYSTEM (full details and credentials shared under NDA with the selected tester): - Customer-facing web application: Next.js / React / TypeScript - Backend: Python / Django / Django REST Framework API - Authentication: Keycloak (OIDC) — username/password, social login, TOTP/MFA - Two supporting Python/Django microservices - Hosted on AWS (ECS Fargate, ALB + WAF, RDS PostgreSQL) - Role-based access with two primary roles (organization admin + end user) SCOPE: - External web application penetration test (OWASP Web Security Testing Guide) - API penetration test (OWASP API Security Top 10) - Authenticated testing across both user roles, with emphasis on authorization / access-control / IDOR / privilege escalation - Authentication & session security review (OIDC flows, token handling, MFA) - We'll align with you on whether to test a production-mirrored staging environment or production directly. OUT OF SCOPE (unless you flag something as essential): source-code audit, full cloud-configuration audit, social engineering, physical security, and DDoS testing. REQUIRED DELIVERABLES: 1. Formal penetration test report suitable for a SOC 2 audit — executive summary, scope, methodology, findings with CVSS severity ratings, proof-of-concept / reproduction steps, and prioritized remediation guidance. 2. A retest / verification of remediated findings after we fix them. 3. A signed attestation / summary letter we can share with our auditor (stating an independent test was performed, plus the period and scope). INDEPENDENCE: You must be independent from our company (no prior development relationship). This is required for the SOC 2 control. BUDGET: Open — please submit your best fixed-price bid for the full engagement (testing + report + one retest + attestation letter). Fixed-price proposals only. TO BE CONSIDERED, PLEASE INCLUDE IN YOUR PROPOSAL: 1. A redacted sample penetration test report (so we can assess report quality). 2. Your relevant certifications and a brief note on similar SOC 2 engagements. 3. Your earliest start date and the turnaround time you can commit to. 4. Your fixed price for the scope above. Apply tot his job Apply To this Job

Apply

SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Summary

Further positions

Information Security Specialist/Analyst II - Information Solutions (Remote)

Security Analyst 4

QA Engineer - DM platform (Remote) - Blue Bell, PA

Tier-1 Security Analysts

Sr. Cyber Security Analyst

Principal EPIC Security Analyst

ERP Security Analyst – CAPPS IAM, Security Specialist

QA Tester - Batch/Data Migration (Remote)

Security Analyst - AI Trainer

Senior Qa Engineer (Backend / Cloud) - Remote

Senior Account Manager

Remote Part-Time Data Entry Specialist – Healthcare Operations Support (Work From Home)

Business Development Representative

Director, Premium Audit

[Remote] Staff Engineering Manager, Legal Technology (Remote- US) 1

Experienced Data Entry Specialist – Community Development Initiatives at arenaflex

Experienced Chat Support Sales Agent – E-commerce Customer Service Representative (Part-time, Beginner Level, Fully Remote)

Experienced Sr Customer Success Manager – Data Security, Compliance, and AI Data Management

Experienced Data Entry Clerk Level 3 – Wichita, KS

Licensed Mental Health Counselor/Marriage & Family Therapist (LMHC & LMFT) - Remote