Information Security Consultant – Security Assessment & Ongoing Advisory
Budget: $50.0 - $80.0
HOURLY / FULL_TIME
⭐ 5.00 (10)
United States
infromation-security-consultation, configuration-management, assessments-and-testing, small-10-99-employees, security-analysis, vulnerability-assessment, penetration-testing, information-security, information-security-audit
We're a small software company (five engineers) seeking an experienced information security consultant for an initial security assessment engagement, with strong potential for ongoing advisory work.
About Us
We build and operate web applications on the LAMP stack (Linux, Apache, MySQL, PHP), hosted on AWS. We recently adopted GitHub for source control and have begun integrating AI-based coding agents into our development workflow. We're at a stage where we want to make sure our security posture keeps pace with how we're building and shipping software.
Scope of the Initial Engagement
Penetration testing of our infrastructure, applications, and AWS environment
Threat assessment identifying risks relevant to our stack, hosting configuration, and development practices
Process review — interviewing team members to understand how we handle credentials, deployments, access controls, code review, and other security-relevant workflows, and identifying gaps
Server-level access — you'll be granted appropriate access to review and adjust configurations directly on our systems
Findings delivery — a written report documenting vulnerabilities, risks, and prioritized recommendations, supplemented by an oral debrief with the team
What We're Looking For
Demonstrated experience with penetration testing and security assessments for web application environments
Familiarity with AWS security (IAM, security groups, VPC configuration, CloudTrail, etc.)
Experience assessing LAMP stack deployments
Understanding of risks introduced by AI coding agents and GitHub-based workflows — including supply chain and secrets exposure concerns
Strong communication skills; you'll be working directly with engineers and need to explain findings clearly to a non-security audience
Relevant certifications a plus (OSCP, CISSP, CEH, or similar)
Engagement Structure
This starts as a one-time assessment, but we expect to bring the right consultant back on an ongoing retainer or as-needed basis as we grow and our security needs evolve. We're looking for someone interested in building a long-term relationship, not just a one-off deliverable.
References
Please be prepared to provide contact information for at least two clients for whom you have conducted similar security assessments. We may ask references specifically about the quality of written deliverables, communication with non-security staff, and discretion in handling sensitive infrastructure access.
To Apply
Please include examples of similar engagements, any relevant certifications, and a brief description of how you'd approach an initial assessment for a team of our size and stack.