You will get Web App & API Pentest for SaaS | Real Findings | SOC 2 Ready

2.9

Let a pro handle the details

Buy Other Consulting & HR services from Devansh, priced and ready to go.
2.9

Let a pro handle the details

Buy Other Consulting & HR services from Devansh, priced and ready to go.

Project details

Every week without a proper security review is another week of compounding exposure closer to a failed audit, a blocked enterprise deal, or a breach that could have been prevented.

The deliverable is a professional pentest report accepted as evidence for SOC 2 Type 2, ISO 27001, HIPAA, PCI DSS, and enterprise security questionnaires. If you're approaching an audit, closing an enterprise deal that requires a security review, or responding to a vendor security questionnaire this report checks that box. I can tailor the report format and scope to your specific compliance requirement so it maps directly to the controls your auditor is looking for.

I've spent 4 years finding real vulnerabilities across 300+ assessments published 4 CVEs, earned Bugcrowd MVP recognition, and served as HackerOne Pod Lead across 200+ programs including Reddit, eBay, Sony, and Bumble. I know what real exposure looks like and I know how to explain it clearly.


Before any work begins we do a 20-minute scoping call to define exact scope, methodology, and deliverables. You know precisely what you're getting before a dollar changes hands.
What's included
Service Tiers Starter
$1,500
Standard
$3,000
Advanced
$5,000
Delivery Time 7 days 10 days 14 days
Number of Revisions
000

Frequently asked questions

2.9
1 review
1% Complete
(0)
1% Complete
(0)
100% Complete
1% Complete
(0)
1% Complete
(0)

CT

Cris T.
2.90
May 12, 2022
API security specialist Unfortunately he just left without letting me know on the middle of the project, because he had few hours of availability
Devansh B.Status: Offline

About Devansh

Devansh B.Status: Offline
SaaS Web App & API Pentest | Real Findings | SOC 2 Ready
2.9  (1 review)
Jaipur, India - 7:35 am local time
If you're building a B2B SaaS product and haven't had a proper security review, you're carrying risk you can't see. Enterprise clients, investors, and SOC 2 auditors will ask about it and "we haven't done one yet" is the answer that stalls deals and kills closings.

I do web application and API pentests for Seed to Series B SaaS companies. Real findings with clear attack paths and developer-friendly fixes. Not a scanner report with your logo on it.

Before any engagement, we do a 20-minute scoping call to define exact scope, methodology, and deliverables, so you know precisely what you're getting before a dollar changes hands.

What I test:

1. Web application security: Authentication flaws, privilege escalation, IDOR, business logic vulnerabilities, sensitive data exposure
2. API security: BOLA, broken authentication, injection, improper authorization
3. Cloud infrastructure: AWS/Azure/GCP IAM misconfigurations, storage exposure, privilege escalation paths
4. Network security: Internal segmentation, exposed services, firewall misconfigurations
5. CI/CD pipelines: Secrets exposure, pipeline abuse, GitHub Actions and GitLab CI weaknesses
6. Container & Kubernetes: Misconfigured RBAC, exposed dashboards, container escape paths, privilege escalation within clusters
7. Supply chain: Dependency attacks, build pipeline risks, compromised packages, OIDC misconfigurations
8. AI security: LLM prompt injection, data leakage, model misuse scenarios

What you get:

Every finding comes with a working exploitation path, not theoretical risk. Clear business impact so your engineering team understands why it matters. Developer-friendly remediation guidance they can act on immediately. Optional retesting once fixes are in.

Background:

I've spent 4 years finding real vulnerabilities at depth. Published 4 CVEs, earned Bugcrowd MVP recognition, and served as HackerOne Pod Lead across 200+ programs including Reddit, eBay, Sony, and Bumble. I've triaged and validated 1,000+ vulnerabilities across web, API, cloud, and mobile. I'm not learning on your project.

A note on my work history:

I have an early 2022 contract on here that ended badly, I took on a project without the availability to complete it and communicated poorly. That was on me. Since then I scope every engagement upfront with a call before any work begins. It doesn't happen anymore.

If you want a quick look at your external surface before committing to anything, message me. I'll take a look and tell you what stands out.

Steps for completing your project

After purchasing the project, send requirements so Devansh can start the project.

Delivery time starts when Devansh receives requirements from you.

Devansh works on your project following the steps below.

Revisions may occur after the delivery date.

Scoping Call

20-minute call to define exact attack surface, testing methodology, access requirements, and deliverables. No work begins until scope is agreed and confirmed in writing.

Kickoff & Environment Setup

Confirm testing environment, establish communication channel, agree on testing window and any off-peak hour preferences to minimize impact on your users.

Review the work, release payment, and leave feedback to Devansh.