Fractional Application Security Advisor — Retainer (Modern Web Stacks) + Initial Paid Pentest
Worldwide
We're a productized dev shop building and hosting custom web apps for SMB clients. Our work centers on modern full-stack setups — Next.js/React, Postgres (including Supabase with RLS), Node, cloud hosting (Railway and similar), Tailscale-secured infrastructure — with a standardized template approach: secure the pattern once, apply it across many deployments. Some client work involves other stacks and third-party integrations (payments, messaging/WhatsApp, accounting systems, POS). Looking for one senior application security engineer for an ongoing advisory retainer. Judgment role, not a volume role: 5–10 hrs/month, async-first, minimal meetings. Scope: Security review of our core stack templates: auth flows, multi-tenant isolation, RLS policies, secrets handling, storage policies Code review sign-off on new integration patterns before they ship (payments, messaging, webhooks, third-party APIs) Periodic pentesting of our apps (staging environments, synthetic data) Internal testing practices: help us build security checks into our CI/dev workflow Best-practices guidance as we grow; incident response on-call (day rate applies) Quarterly security summary report (template provided, you review and sign off) Engagement structure: Step 1 is a paid, fixed-price security assessment of one of our production apps (contains no customer data) — full findings report with severity ratings, reproduction steps, and remediation guidance. Strong work converts to the monthly retainer. You: 5+ years hands-on AppSec / web application pentesting (not network/infra-only, not compliance-only) Strong with multi-tenant SaaS security and Postgres/RLS-style authorization models OSCP, OSWE, or equivalent hands-on background preferred Can explain findings to a non-security founder in plain English Comfortable being the named security reviewer on client-facing summaries Upwork profile requirements (hard filters — please don't apply otherwise): 95%+ Job Success Score $25k+ earned on Upwork with 500+ hours worked Security-specific work history visible in your profile (web app pentests, AppSec reviews — not general dev work with "security" listed as a skill) Identity verified At least one sample report or sanitized writeup you can share To apply: skip the boilerplate. In 3–5 sentences, tell us the first two things you'd examine in a multi-tenant SaaS app and why. Applications without this will not be read. Budget: fixed price for the initial assessment (propose your number), then monthly retainer negotiated on results.
- More than 30 hrs/weekHourly
- 6+ monthsDuration
- ExpertExperience Level
- Remote Job
- Ongoing projectProject Type
Skills and Expertise
Activity on this job
- Proposals:5 to 10
- Last viewed by client:yesterday
- Interviewing:1
- Invites sent:0
- Unanswered invites:0
About the client
- United StatesLakewood5:24 AM
- $19K total spent55 hires, 10 active
- 679 hours
- Individual client
Explore similar jobs on Upwork
How it works
Create your free profileHighlight your skills and experience, show your portfolio, and set your ideal pay rate.
Work the way you wantApply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
Get paid securelyFrom contract to payment, we help you work safely and get paid securely.
About Upwork
- 4.9/5(Average rating of clients by professionals)
- G2 2021#1 freelance platform
- 49,000+Signed contract every week
- $2.3BFreelancers earned on Upwork in 2020
Find the best freelance jobs
Growing your career is as easy as creating a free profile and finding work like this that fits your skills.
Trusted by