Security Penetration Test + Code Review — AWS Serverless SaaS (Node/TypeScript, React)

We're a UK-based logistics software company (strong Upwork history) looking to establish a long-term relationship with a security specialist for our growing SaaS platform. We're shortlisting now, with the first engagement planned within the next few months - ahead of onboarding larger customers. The first project will be a full security audit of the platform: Penetration test of our development environment (web app + API) - authentication, authorization, and especially multi-tenant data isolation Application security code review (read-only access, OWASP ASVS-aligned) AWS configuration review (IAM, network exposure, S3, Cognito, RDS) A written report with severity-rated findings, remediation guidance, and a retest after we apply fixes The platform: multi-tenant B2B SaaS - React + TypeScript frontend, AWS serverless backend (~80 Lambda functions, Node.js/TypeScript), API Gateway + Cognito, PostgreSQL, S3, third-party and AI integrations. Clean, conventional, well-documented codebase (~300 source files). Beyond the first audit, we expect recurring work as the platform grows: periodic retests, security review of new features, and advisory input on our AWS setup — so we're looking for someone interested in being our security person, not a one-time scan. Logistics: NDA and authorization-to-test letter signed before any access; testing against our dev environment only (no production access, no customer data); all access read-only and time-boxed. In your proposal, please tell us: your experience with AWS serverless and multi-tenant SaaS, relevant certifications if any (OSCP/OSWE/AWS Security Specialty), a redacted sample report from a similar engagement, and an indicative fixed price for the first audit (including the retest). No immediate start required - we're selecting the right person first.