SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Summary

We need an independent third-party penetration test of our production SaaS platform to satisfy a SOC 2 control. We're looking for an experienced, certified penetration tester (OSCP / OSWE / GWAPT / CREST or equivalent) who can start immediately and deliver a professional, audit-ready report.

TIMELINE — TIME-SENSITIVE: We need the testing performed and the final report delivered within 1 week of kickoff. Please only bid if you have current availability.

ABOUT THE SYSTEM (full details and credentials shared under NDA with the selected tester):

- Customer-facing web application: Next.js / React / TypeScript

- Backend: Python / Django / Django REST Framework API

- Authentication: Keycloak (OIDC) — username/password, social login, TOTP/MFA

- Two supporting Python/Django microservices

- Hosted on AWS (ECS Fargate, ALB + WAF, RDS PostgreSQL)

- Role-based access with two primary roles (organization admin + end user)

SCOPE:

- External web application penetration test (OWASP Web Security Testing Guide)

- API penetration test (OWASP API Security Top 10)

- Authenticated testing across both user roles, with emphasis on authorization / access-control / IDOR / privilege escalation

- Authentication & session security review (OIDC flows, token handling, MFA)

- We'll align with you on whether to test a production-mirrored staging environment or production directly.

OUT OF SCOPE (unless you flag something as essential): source-code audit, full cloud-configuration audit, social engineering, physical security, and DDoS testing.

REQUIRED DELIVERABLES:

1. Formal penetration test report suitable for a SOC 2 audit — executive summary, scope, methodology, findings with CVSS severity ratings, proof-of-concept / reproduction steps, and prioritized remediation guidance.

2. A retest / verification of remediated findings after we fix them.

3. A signed attestation / summary letter we can share with our auditor (stating an independent test was performed, plus the period and scope).

INDEPENDENCE: You must be independent from our company (no prior development relationship). This is required for the SOC 2 control.

BUDGET: Open — please submit your best fixed-price bid for the full engagement (testing + report + one retest + attestation letter). Fixed-price proposals only.

TO BE CONSIDERED, PLEASE INCLUDE IN YOUR PROPOSAL:

1. A redacted sample penetration test report (so we can assess report quality).

2. Your relevant certifications and a brief note on similar SOC 2 engagements.

3. Your earliest start date and the turnaround time you can commit to.

4. Your fixed price for the scope above.

Apply tot his job