LLM Security Engineer | AI Security | AppSec | DevSecOps | Cloud Security
I help startups, SaaS companies, and enterprises secure modern AI systems, web applications, cloud infrastructure, and digital assets — from development to production.
My work covers:
AI & LLM Security
• LLM application security assessments
• Prompt injection and jailbreak testing
• RAG pipeline security reviews
• Agentic workflow security
• Model abuse and data leakage testing
• AI threat modeling (STRIDE, MITRE ATLAS, OWASP LLM Top 10)
• Secure API integrations (OpenAI, Anthropic, vector databases)
Application & API Security
• Web application penetration testing
• API security assessments
• Authentication & authorization testing
• Business logic testing
• Secure architecture reviews
• Vulnerability discovery and remediation guidance
Incident Response & Malware Removal
• WordPress malware cleanup and security hardening
• Backdoor detection and persistence analysis
• Reinfection root cause analysis
• Webshell investigation
• Redirect/spam injection cleanup
• Post-compromise hardening and monitoring
DevSecOps & Cloud Security
• Secure CI/CD pipelines
• Infrastructure as Code (IaC) security
• Container and supply chain security
• Secrets management
• AWS & GCP security reviews
• Runtime detection engineering
• Security automation and secure SDLC improvements
Compliance & Security Governance
• Security assessments aligned with OWASP, NIST, ISO 27001, PCI DSS, GDPR, and SOC 2
• Threat modeling and risk analysis
• Security control validation
• Security architecture reviews
My background combines 7+ years of hands-on cybersecurity experience across application security, penetration testing, cloud security, DevSecOps, threat modeling, detection engineering, and adversarial machine learning research.
I work with clients across:
AI/ML platforms, SaaS, FinTech, E-commerce, Healthcare, Telecom, CMS/WordPress, and cloud-native environments.
Whether you need to secure your AI product, audit your application, clean a compromised website, or strengthen your cloud security posture, I can help you identify risks and implement practical fixes.
Available for short-term audits, incident response, and long-term security consulting.
Information Security
Cybersecurity Management
Python
NIST Cybersecurity Framework
Splunk
PCI DSS
Cloud Security
Vulnerability Assessment
Security Analysis
Kubernetes
Amazon Web Services
Security Assessment & Testing
CI/CD
Governance, Risk & Compliance Software
Information Security Audit
David M.
Tonbridge, United Kingdom
$50/hr
5.0
4 jobs
🔒 You need security that actually works — not a report that says it does. The organisations I work with want to find the vulnerabilities that matter, fix them with confidence, and get on with growing their business without security becoming the thing that stops them.
I have delivered over 1,000 commercial penetration tests across 27 years. Not side projects. Not internal assessments. Full mission-critical engagements for high street and investment banks, hedge funds, insurance firms, government departments, police, military, national infrastructure, retailers, law firms, airports and more. I led the security architecture for the Athens 2004 Olympics internet-facing systems. I was lead architect on the UK Cyber Essentials scheme at launch. I have published in commercial security press and guest lectured at universities.
There is a difference between someone who does penetration testing and someone who has seen every flavour of environment, every attack pattern, and every way organisations deceive themselves about their security posture. That difference is what you are hiring.
🎯 Where can I help:
🗡️ Network & Infrastructure Penetration Testing — adversarial testing of internal and external infrastructure, finding exploitable exposures before an attacker does.
🌐 Application Penetration Testing — web application and API security testing against real attack patterns: authentication, authorisation, input handling and business logic flaws.
☁️ Microsoft 365 Security Assessment — Entra ID, Conditional Access, PIM, Intune, DLP, sensitivity labelling, Exchange Online and Defender for Office 365.
🔷 Azure Security Assessment — identity and access management, network controls, storage and key management, Defender for Cloud posture, and monitoring coverage.
🟢 Google Workspace, GCP & AWS Security Assessments — configuration and access control assessments across Google and Amazon cloud environments.
🏛️ Security Architecture and Risk Advisory — senior technical input on architecture decisions, control design and risk without a full engagement commitment.
👤 Every engagement is delivered directly by me — David Morgan, founder of Metis Security. No account management layer, no junior handoffs, no templated output. You work with the person conducting the analysis and writing the report.
📋 How I work is as important as what I find
Every finding in my reports is one I will defend as genuinely material to your environment. No padding, no low-hanging fruit included to justify the fee, no default risk ratings copied from a scanner. If your context changes the risk, the rating reflects that.
What you receive:
✅ A visually structured report with clear separation between executive summary, findings and remediation roadmap — written to be read by people who are not security specialists
✅ Risk ratings adjusted to your specific environment and context, not defaulted from a tool
✅ A prioritised remediation roadmap so your team knows exactly what to fix first and why it matters commercially
✅ Immediate escalation of any high-risk finding or schedule-affecting issue during the engagement — you are never waiting until the end to hear something important
✅ Daily status updates so you always know where the engagement stands
✅ A debrief call at close to walk through findings, answer questions and finalise the report before it is delivered
CISSP | ISSAP | Microsoft Security certifications | 27 years
If you need to know whether your environment is genuinely secure — not whether it looks configured — I am worth a conversation.
Penetration Testing
Web Application Security
Network Penetration Testing
Office 365
Microsoft Azure
Cloud Security
Network Security
Vulnerability Assessment
Security Assessment & Testing
Cybersecurity Management
Zero Trust Architecture
Security Analysis
Google Cloud Platform
Google Workspace
Amazon Web Services
NIST Cybersecurity Framework
Microsoft 365 Copilot
Internet Security
Information Security Audit
Information Security Consultation
Najam U.
Gujranwala, Pakistan
$75/hr
5.0
88 jobs
Expert-Vetted on Upwork (Top 1% of security professionals). If you're building on the cloud and want to find the security gaps attackers would exploit — before they do — I can help.
I’m a cybersecurity consultant and founder of Exfiltra, helping startups and enterprises secure their applications, cloud infrastructure, and DevOps pipelines.
I have worked with organizations generating $6B+ in annual revenue and helped companies strengthen security across cloud environments, applications, and compliance programs.
I personally lead security engagements and, when needed, bring in specialists from my team at Exfiltra to support larger or complex projects.
Most clients hire me when they want to:
✔ Secure Azure / AWS / GCP environments
✔ Perform professional penetration testing
✔ Implement DevSecOps and secure CI/CD pipelines
✔ Prepare for SOC 2, ISO 27001, HIPAA, FedRAMP, or CMMC
✔ Improve security posture using industry frameworks
CORE EXPERTISE
AZURE & CLOUD SECURITY
• Azure security architecture reviews
• Microsoft Defender for Cloud & Sentinel
• Identity security (Entra ID / Conditional Access)
• Cloud configuration reviews and CIS Benchmark hardening
APPLICATION SECURITY & PENETRATION TESTING
• Web application penetration testing
• API security testing
• Mobile application security testing
• Network and cloud penetration testing
• Assessments aligned with OWASP Top 10 and OWASP ASVS
DEVSECOPS & SECURITY AUTOMATION
• Secure CI/CD pipelines (Azure DevOps / GitHub Actions)
• Infrastructure as Code security (Terraform / Bicep)
• SAST and DAST integration in pipelines
SECURITY TOOLS
• Snyk
• Semgrep
• OWASP ZAP
• Burp Suite
• Wazuh
• CrowdStrike
• Microsoft Sentinel
AI & LLM SECURITY
• AI application threat modeling
• Prompt injection and model abuse testing
• Secure architecture for AI-powered applications
WHY CLIENTS WORK WITH ME
• Upwork Expert-Vetted (Top 1% of freelancers)
• Founder of Exfiltra – a cybersecurity services company
• Supported by a team of security specialists for larger engagements
• Contributor to OWASP ZAP
• Experience securing environments for organizations generating $6B+ in revenue
• Background in both software engineering and cybersecurity
• Security research involving organizations like the U.S. Department of Defense
NOT A GOOD FIT IF
• You want to hack or recover social media accounts
• You want enterprise-grade security but are not willing to invest in it
If your goal is to build secure systems instead of reacting to breaches later, feel free to invite me to your job or send a message describing your project.
System Security
Network Security
Kali Linux
Security Assessment & Testing
Penetration Testing
Information Security Consultation
Application Security
Vulnerability Assessment
Information Security
Web Application Security
Ethical Hacking
Cloud Security
Web App Penetration Testing
Security Management
AI Security
Secure SDLC
Security Testing
Website Security
Database Security
Cybersecurity Management
Mihai V.
San Diego, California
$75/hr
5.0
5 jobs
I design and build production-grade security systems for companies that need to secure cloud infrastructure, pass audits, and operate in regulated environments.
Most teams don’t have a security tool problem.
They have an architecture, integration, and execution problem.
That’s where I come in.
What I Do
I help startups and enterprise teams move from:
❌ fragmented tools and partial controls
❌ audit delays and failing security reviews
❌ reactive fixes and security debt
→ to
✅ engineered, scalable security architecture
✅ audit-ready, continuously compliant environments
✅ automated, integrated security operations
Core Expertise
Cloud Security & Cryptography
• Multi-cloud security architecture (AWS, Azure, GCP)
• TLS PKI systems with automated certificate lifecycle (IaC + CI/CD)
• Encryption architecture (CMEK, KMS, data masking, data protection)
• Cryptographic hardening aligned with FIPS and modern standards
• DNS security, network isolation, and zero-trust patterns
Identity & Access Management
• SSO (SAML, OIDC), enterprise identity federation
• RBAC and least-privilege system design at scale
• SCIM provisioning and identity lifecycle automation
• Integration with enterprise IdPs (PingFederate, Azure AD, Okta)
• Cross-account and multi-environment access control
Compliance & Audit Readiness
• SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP-aligned environments
• End-to-end delivery: gap assessment → implementation → audit support
• Control design, remediation, and evidence automation (Vanta, Drata, custom pipelines)
• Continuous compliance monitoring vs point-in-time audits
• Closing audit findings fast (not just identifying them)
Security Engineering & Incident Response
• CI/CD security (SAST, DAST, IaC scanning, secret management)
• Vulnerability management with automated remediation workflows
• Cloud misconfiguration detection (CIS benchmarks, runtime analysis)
• Secure system design across infrastructure and application layers
• Incident response, forensics support, and system hardening
AI-Driven Security
I don’t just integrate tools — I design security platforms.
I have built and architected multi-agent AI-driven cybersecurity systems combining:
• Cloud security analysis (AWS integrations, IAM analysis, misconfiguration detection)
• Offensive security (recon, exploitation, privilege escalation simulation)
• Vulnerability management (SAST, DAST, fuzzing, CI/CD integration)
• SOC automation (SIEM/SOAR integrations, alert enrichment, playbooks)
• Forensics and incident investigation workflows
• Compliance reporting mapped to frameworks (SOC 2, ISO 27001, PCI, HIPAA)
Key capabilities:
• Multi-agent orchestration and communication
• Automated remediation workflows
• MITRE ATT&CK mapping and executive reporting
• API-driven integrations across security tooling ecosystem
• Role-based access for security, DevOps, and compliance teams
This enables:
→ Continuous security instead of periodic assessments
→ 80% reduction in manual security effort
→ Faster audit readiness and real-time visibility
How I Work
• Engineering-first — I build and implement, not just advise
• Work directly in production systems (cloud, identity, pipelines)
• Design for real audit constraints, not theoretical compliance
• Fast execution, clear communication, and ownership
Typical Clients
• SaaS companies preparing for SOC 2 / ISO 27001 / HIPAA
• Cloud-native platforms handling sensitive or regulated data
• Startups entering enterprise sales with security blockers
• Organizations with fragmented security tools that don’t work together
Important
I’m not a fit for checklist-based security or surface-level audits.
If you need:
• real security architecture
• working implementations
• systems that pass audits and hold up in production
- we’ll work well together.
Artificial Intelligence
Cybersecurity Tool
NIST Cybersecurity Framework
FedRAMP
PCI DSS
Cryptography
Information Security Threat Mitigation
Software
Linux
macOS
Security Engineering
Cloud Security
Metasploit
Software Architecture
Software Architecture & Design
Muhammad A.
Multan, Pakistan
$35/hr
5.0
60 jobs
Certified SOC Analyst | Certified Incident Handler | Certified Network Security Expert
I'm Muhammad Ahtsham, a Senior SOC Analyst and Cybersecurity Specialist with 5+ years of
hands-on experience defending enterprise environments across worldwide.
I don't just respond to alerts — I hunt threats, engineer detections, and build the security
infrastructure that stops breaches before they happen.
────────────────────────────────────────
🛡️ WHAT I DELIVER FOR YOU
────────────────────────────────────────
✦ SOC Operations & Management
Build, optimize, or manage your SOC from the ground up. I handle alert triage,
incident investigation, escalation workflows, and daily/weekly reporting.
✦ Threat Detection & Hunting
Using MITRE ATT&CK, LOLBAS, and hypothesis-based methodologies, I proactively hunt
threats hiding in your environment before they trigger alarms.
✦ Detection Engineering & Use Case Development
I've built 100+ custom detection rules across SIEM, EDR, XDR, and CASB platforms.
I reduce alert fatigue by eliminating false positives and tuning detection logic for
precision.
✦ Incident Response & Digital Forensics
End-to-end IR: containment, investigation, root cause analysis, and post-incident
reporting. I handle credential theft, malware analysis, network forensics, and
executive-ready reports.
✦ Threat Intelligence (CTI)
Hands-on experience with OpenCTI, MISP, and Group-IB. I build threat intelligence
pipelines, integrate STIX/TAXII feeds, and translate raw IOCs into actionable
detections.
✦ SIEM/SOAR Deployment & Administration
Expert-level experience with LogRhythm, Splunk, Microsoft Sentinel, and Trellix SIEM.
I onboard log sources, build correlation rules, automate response playbooks via SOAR,
and tune your environment for maximum detection fidelity.
✦ Security Policy & Compliance Documentation
ISO 27001-aligned policy writing, security procedure documentation, and security
awareness program development for teams of any size.
✦ Vulnerability Assessment & Penetration Testing
From Nessus-based VA scanning to web application testing with Burp Suite and network
assessments with Nmap — I find your exposures before attackers do.
✦ Consulting & Mentoring
Need guidance on OpenCTI deployment, SIEM architecture, or building a SOC from
scratch? I offer consultations for teams, MSSPs, and security leaders.
────────────────────────────────────────
🔧 TOOLS & PLATFORMS I WORK WITH DAILY
────────────────────────────────────────
SIEM: LogRhythm | Splunk | Microsoft Sentinel | Trellix | Wazuh | QRadar
EDR/XDR: CrowdStrike | Microsoft Defender (MDO/MDE) | Trellix EDR | IVX
CTI: OpenCTI | MISP | Group-IB | STIX/TAXII | arcX
Email Sec: Abnormal Security | Microsoft Defender for Office 365
CASB: Skyhigh CASB
VA/PT: Nessus | Burp Suite | Nmap | Kali Linux | Metasploit
Network: Wireshark | Fortinet | Palo Alto | Cisco ASA
SOAR: XSIAM | XSOAR | Cortex | Custom PowerShell Playbooks
Cloud: Microsoft Azure | Azure Sentinel | Microsoft 365 Security
────────────────────────────────────────
📜 CREDENTIALS
────────────────────────────────────────
✦ Certified SOC Analyst (CSA) — EC-Council
✦ Certified Ethical Hacker (CEH) — EC-Council
✦ Certified Incident Handler (CIH) — EC-Council
✦ Fortinet Certified Professional (FCP) NSE5 — Fortinet
✦ Cyber Threat Intelligence 101 — arcX
✦ Splunk Power User
✦ Practical Ethical Hacking — TCM Security
────────────────────────────────────────
Let's talk about securing your environment — send me a message.
Cybersecurity Monitoring
Cybersecurity Tool
Cyber Threat Intelligence
Cybersecurity Management
Information Security
Information Security Threat Mitigation
Information Security Consultation
Security Operation Center
Technical Writing
Security Analysis
NIST Cybersecurity Framework
Information & Communications Technology
Firewall
Wafa A.
Islamabad, Pakistan
$15/hr
5.0
26 jobs
💪 Top Rated
I help startups, SaaS companies, and enterprises identify security vulnerabilities before attackers do. With 5+ years of cybersecurity experience, I specialize in manual penetration testing, application security, API security, cloud security, compliance assessments, and privacy audits.
I have worked with organizations across the United States, United Kingdom, Germany, and Canada, delivering security assessments aligned with international standards and industry best practices. My assessments have uncovered critical vulnerabilities including Account Takeover, Remote Code Execution (RCE), IDOR, Authentication & Authorization flaws, Business Logic vulnerabilities, SSRF, XSS, CSRF, SQL Injection, Sensitive Data Exposure, Security Misconfigurations, and Insecure API Implementations.
My Services
Penetration Testing
• Web Application Penetration Testing (OWASP Top 10)
• Mobile Application Security Testing (Android & iOS)
• REST & GraphQL API Security Testing
• External & Internal Network Penetration Testing
• Authentication & Authorization Testing
• Business Logic Testing
• Secure Code Review (SAST)
• Cloud Security Assessments (AWS, Azure & GCP)
Privacy & Tracking Audits
I perform non-destructive privacy and tracking audits to evaluate how websites collect, process, and share user data without making any changes to production environments.
My privacy audits include:
• Tracking & Analytics Review (Google Analytics, Meta Pixel, LinkedIn Insight Tag, etc.)
• Cookie & Consent Compliance Assessment
• Third-Party Script & Tag Analysis
• Privacy & Data Collection Review
• Browser Storage Review (Cookies, Local Storage & Session Storage)
• Sensitive Data Leakage Detection
• Tracking Request Analysis
• GDPR Privacy Assessment
• Actionable Privacy & Security Recommendations
Important: I do not modify, delete, or update website code, tracking configurations, analytics settings, or production systems. My work is strictly read-only and results in a detailed report highlighting privacy concerns, security risks, and practical recommendations for improvement.
Compliance & Security Frameworks
• CASA Tier 2 Security Testing
• CMMC Level 2
• NIST SP 800-171
• NIST SP 800-53
• ISO 27001
• SOC 2
• GDPR
Security Automation
I develop custom security automation solutions that help organizations reduce manual effort and improve their security posture.
Automation services include:
• Vulnerability Management Automation
• Security Testing Automation
• Compliance Reporting Automation
• Security Workflow Automation
• Custom Security Scripts & Tools
Technical Toolkit
Security Tools
• Burp Suite Professional
• OWASP ZAP
• Nmap
• Nessus
• Metasploit
• SonarQube
• Veracode
• Appknox
• Bandit
Infrastructure & Cloud Security
• Cloudflare
• Imperva WAF
• Firewall Configuration
• Identity & Access Management (IAM)
• Access Control Management
• Database Security
Programming & Automation
• Python
• Bash
• Node.js
• Java
Why Clients Hire Me
✅ 5+ Years of Professional Cybersecurity Experience
✅ Manual Security Testing Not Just Automated Scanner Reports
✅ Clear, Actionable Reports with Risk Ratings and Remediation Guidance
✅ Independent Security Consultant (No Agency, No Subcontracting)
✅ Strong Communication Throughout the Engagement
✅ Flexible Across Multiple Time Zones (Including EST Overlap)
Deliverables
Every assessment includes:
• Executive Summary
• Technical Findings with Evidence
• Risk Severity (CVSS/OWASP where applicable)
• Step-by-Step Reproduction
• Screenshots & Proof of Concept
• Practical Remediation Recommendations
• Optional Re-Testing After Fixes
Due to client confidentiality, I do not publicly share full penetration testing reports. However, I can demonstrate redacted professional reports during a screen-sharing meeting or after an NDA is signed.
Whether you need a comprehensive penetration test, a privacy and tracking audit, an application security assessment, or compliance guidance, I'm here to help you strengthen your security posture and reduce risk.
Let's discuss your project.
Computer Network
Information Security
Network Penetration Testing
Penetration Testing
Testing
Software Testing
Malware Removal
Digital Forensics
Web App Penetration Testing
Security Testing
Cloud Testing
Cloud Security
Compliance
SOC 2
IT Compliance Audit
AI Compliance
GDPR Compliance Review
SOC 2 Report
Compliance Consultation
How it works
Post a job for freePost a job
Tell us what you need. Create your own job post or generate one with AI then filter talent matches.
Hire top talent fast
Consult, interview, and hire quickly, so you can meet the freelancers you're excited about.
Collaborate easily
Use Upwork to chat or video call, share files, and track project progress right from the app.
Payment simplified
Manage payments in one place with flexible billing options. Only pay for approved work, hourly or by milestone.
Don't just take our word for it
“Upwork provides an umbrella-level of security. I can see a talent’s work history and ratings. I can hold payments in escrow. I can communicate through Upwork Messages instead of working through my email address.”
KD
Kim Darling
Emerald Tiger
“Upwork is the best platform to hire skilled professionals when we're not looking for a full-time employee. All the companies in our portfolio use Upwork to find talent across a wide range of fields.”
DM
David Merry
Kinetic Investments
“Our very specific requirements can be a challenge—With Upwork, we’re able to access a bigger community to ensure the success of our projects.”
KK
Katja Krohn
Summa Linguae
How do I hire a Certified Systems Security Practitioner on Upwork?
You can hire a Certified Systems Security Practitioner on Upwork in four simple steps:
Create a job post tailored to your Certified Systems Security Practitioner project scope. We’ll walk you through the process step by step.
Browse top Certified Systems Security Practitioner talent on Upwork and invite them to your project.
Once the proposals start flowing in, create a shortlist of top Certified Systems Security Practitioner profiles and interview.
Hire the right Certified Systems Security Practitioner for your project from Upwork, the world’s largest work marketplace.
At Upwork, we believe talent staffing should be easy.
How much does it cost to hire a Certified Systems Security Practitioner?
Rates charged by Certified Systems Security Practitioners on Upwork can vary with a number of factors including experience, location, and market conditions. See hourly rates for in-demand skills on Upwork.
Why hire a Certified Systems Security Practitioner on Upwork?
As the world’s work marketplace, we connect highly-skilled freelance Certified Systems Security Practitioners and businesses and help them build trusted, long-term relationships so they can achieve more together. Let us help you build the dream Certified Systems Security Practitioner team you need to succeed.
Can I hire a Certified Systems Security Practitioner within 24 hours on Upwork?
Depending on availability and the quality of your job post, it’s entirely possible to sign up for Upwork and receive Certified Systems Security Practitioner proposals within 24 hours of posting a job description.
Find more freelancers
Similar Certified Systems Security Practitioner Skills