You will get Web App & API Pentest for SaaS | Real Findings | SOC 2 Ready


Project details
Every week without a proper security review is another week of compounding exposure closer to a failed audit, a blocked enterprise deal, or a breach that could have been prevented.
The deliverable is a professional pentest report accepted as evidence for SOC 2 Type 2, ISO 27001, HIPAA, PCI DSS, and enterprise security questionnaires. If you're approaching an audit, closing an enterprise deal that requires a security review, or responding to a vendor security questionnaire this report checks that box. I can tailor the report format and scope to your specific compliance requirement so it maps directly to the controls your auditor is looking for.
I've spent 4 years finding real vulnerabilities across 300+ assessments published 4 CVEs, earned Bugcrowd MVP recognition, and served as HackerOne Pod Lead across 200+ programs including Reddit, eBay, Sony, and Bumble. I know what real exposure looks like and I know how to explain it clearly.
Before any work begins we do a 20-minute scoping call to define exact scope, methodology, and deliverables. You know precisely what you're getting before a dollar changes hands.
The deliverable is a professional pentest report accepted as evidence for SOC 2 Type 2, ISO 27001, HIPAA, PCI DSS, and enterprise security questionnaires. If you're approaching an audit, closing an enterprise deal that requires a security review, or responding to a vendor security questionnaire this report checks that box. I can tailor the report format and scope to your specific compliance requirement so it maps directly to the controls your auditor is looking for.
I've spent 4 years finding real vulnerabilities across 300+ assessments published 4 CVEs, earned Bugcrowd MVP recognition, and served as HackerOne Pod Lead across 200+ programs including Reddit, eBay, Sony, and Bumble. I know what real exposure looks like and I know how to explain it clearly.
Before any work begins we do a 20-minute scoping call to define exact scope, methodology, and deliverables. You know precisely what you're getting before a dollar changes hands.
What's included
| Service Tiers |
Starter
$1,500
|
Standard
$3,000
|
Advanced
$5,000
|
|---|---|---|---|
| Delivery Time | 7 days | 10 days | 14 days |
Number of Revisions | 0 | 0 | 0 |
Frequently asked questions
1 review
(0)
(0)
(1)
(0)
(0)
This project doesn't have any reviews.
CT
Cris T.
May 12, 2022
API security specialist
Unfortunately he just left without letting me know on the middle of the project, because he had few hours of availability
About Devansh
SaaS Web App & API Pentest | Real Findings | SOC 2 Ready
Jaipur, India - 7:35 am local time
I do web application and API pentests for Seed to Series B SaaS companies. Real findings with clear attack paths and developer-friendly fixes. Not a scanner report with your logo on it.
Before any engagement, we do a 20-minute scoping call to define exact scope, methodology, and deliverables, so you know precisely what you're getting before a dollar changes hands.
What I test:
1. Web application security: Authentication flaws, privilege escalation, IDOR, business logic vulnerabilities, sensitive data exposure
2. API security: BOLA, broken authentication, injection, improper authorization
3. Cloud infrastructure: AWS/Azure/GCP IAM misconfigurations, storage exposure, privilege escalation paths
4. Network security: Internal segmentation, exposed services, firewall misconfigurations
5. CI/CD pipelines: Secrets exposure, pipeline abuse, GitHub Actions and GitLab CI weaknesses
6. Container & Kubernetes: Misconfigured RBAC, exposed dashboards, container escape paths, privilege escalation within clusters
7. Supply chain: Dependency attacks, build pipeline risks, compromised packages, OIDC misconfigurations
8. AI security: LLM prompt injection, data leakage, model misuse scenarios
What you get:
Every finding comes with a working exploitation path, not theoretical risk. Clear business impact so your engineering team understands why it matters. Developer-friendly remediation guidance they can act on immediately. Optional retesting once fixes are in.
Background:
I've spent 4 years finding real vulnerabilities at depth. Published 4 CVEs, earned Bugcrowd MVP recognition, and served as HackerOne Pod Lead across 200+ programs including Reddit, eBay, Sony, and Bumble. I've triaged and validated 1,000+ vulnerabilities across web, API, cloud, and mobile. I'm not learning on your project.
A note on my work history:
I have an early 2022 contract on here that ended badly, I took on a project without the availability to complete it and communicated poorly. That was on me. Since then I scope every engagement upfront with a call before any work begins. It doesn't happen anymore.
If you want a quick look at your external surface before committing to anything, message me. I'll take a look and tell you what stands out.
Steps for completing your project
After purchasing the project, send requirements so Devansh can start the project.
Delivery time starts when Devansh receives requirements from you.
Devansh works on your project following the steps below.
Revisions may occur after the delivery date.
Scoping Call
20-minute call to define exact attack surface, testing methodology, access requirements, and deliverables. No work begins until scope is agreed and confirmed in writing.
Kickoff & Environment Setup
Confirm testing environment, establish communication channel, agree on testing window and any off-peak hour preferences to minimize impact on your users.
