SOC 2 Penetration Test: Web App + API (Independent Third Party, Audit-Ready Report)

Summary We need an independent third-party penetration test of our production SaaS platform to satisfy a SOC 2 control. We're looking for an experienced, certified penetration tester (OSCP / OSWE / GWAPT / CREST or equivalent) who can start immediately and deliver a professional, audit-ready report. TIMELINE — TIME-SENSITIVE: We need the testing performed and the final report delivered within 1 week of kickoff. Please only bid if you have current availability. ABOUT THE SYSTEM (full details and credentials shared under NDA with the selected tester): - Customer-facing web application: Next.js / React / TypeScript - Backend: Python / Django / Django REST Framework API - Authentication: Keycloak (OIDC) — username/password, social login, TOTP/MFA - Two supporting Python/Django microservices - Hosted on AWS (ECS Fargate, ALB + WAF, RDS PostgreSQL) - Role-based access with two primary roles (organization admin + end user) SCOPE: - External web application penetration test (OWASP Web Security Testing Guide) - API penetration test (OWASP API Security Top 10) - Authenticated testing across both user roles, with emphasis on authorization / access-control / IDOR / privilege escalation - Authentication & session security review (OIDC flows, token handling, MFA) - We'll align with you on whether to test a production-mirrored staging environment or production directly. OUT OF SCOPE (unless you flag something as essential): source-code audit, full cloud-configuration audit, social engineering, physical security, and DDoS testing. REQUIRED DELIVERABLES: 1. Formal penetration test report suitable for a SOC 2 audit — executive summary, scope, methodology, findings with CVSS severity ratings, proof-of-concept / reproduction steps, and prioritized remediation guidance. 2. A retest / verification of remediated findings after we fix them. 3. A signed attestation / summary letter we can share with our auditor (stating an independent test was performed, plus the period and scope). INDEPENDENCE: You must be independent from our company (no prior development relationship). This is required for the SOC 2 control. BUDGET: Open — please submit your best fixed-price bid for the full engagement (testing + report + one retest + attestation letter). Fixed-price proposals only. TO BE CONSIDERED, PLEASE INCLUDE IN YOUR PROPOSAL: 1. A redacted sample penetration test report (so we can assess report quality). 2. Your relevant certifications and a brief note on similar SOC 2 engagements. 3. Your earliest start date and the turnaround time you can commit to. 4. Your fixed price for the scope above.