Security Penetration Tester for Healthcare SaaS Platform

We're building a multi-tenant healthcare SaaS platform (B2B) for appointment scheduling with an AI-powered voice agent. We're looking for a penetration tester to validate our security posture before onboarding our first pilot clinic.

Tech stack: Cloudflare, Supabase, Clerk, Railway, Twilio

The engagement is split into 3 phases:

Phase 1 (pre-launch, priority): External attack surface review. Validate that all publicly exposed endpoints are properly secured before going live.

Phase 2: Internal platform security. Tenant isolation, RBAC enforcement, role escalation, API authorization.

Phase 3: AI/voice agent security. Prompt injection, call flow manipulation, abuse scenarios.

Deliverables per phase:

Written report with findings ranked by severity

Proof of concept for each finding

Remediation recommendations

Retest of critical/high findings after our fixes

Budget: $1,500 - $2,200 for the full 3-phase engagement. We know this is a startup budget. We're looking for someone early in their career or willing to work with an early-stage product, with the understanding that this becomes an ongoing paid relationship as we scale (periodic reassessments, new feature reviews).

Methodology: We expect testing aligned with OWASP Top 10 / OWASP ASVS. If you follow a different framework, let us know in your proposal.

Timeline: We're ready to start Phase 1 within 2-3 weeks of signing an NDA.

In your proposal, please mention:

Which of the technologies in our stack you've pentested before, and which would be new

A brief example of a similar engagement (SaaS, multi-tenant, or healthcare)

Your estimated timeline per phase

Your availability

Full architecture details, staging access, and role credentials will be shared after NDA signing.

Languages: English or Romanian.

Apply tot his job