You will get SaaS Attack Surface Review - Know What's Exposed in 3 Days


Project details
Most security reviews either go too deep too fast or hand you a scanner report dressed up as analysis. I do a focused external review of your attack surface , what an attacker sees before they ever touch your application. Subdomains, exposed backends, GitHub exposure, cloud storage misconfigurations, certificate transparency. Passive, non-intrusive, and done in 3-7 business days.
I've spent 4 years finding real vulnerabilities across 300+ assessments, published 4 CVEs, and served as HackerOne Pod Lead across 200+ programs. I know what real exposure looks like and I know how to explain it in a way your engineering team can act on immediately.
Fixed price & Guaranteed findings after end of the assessment.
I've spent 4 years finding real vulnerabilities across 300+ assessments, published 4 CVEs, and served as HackerOne Pod Lead across 200+ programs. I know what real exposure looks like and I know how to explain it in a way your engineering team can act on immediately.
Fixed price & Guaranteed findings after end of the assessment.
Cybersecurity Assessment Type
Penetration TestingCybersecurity Expertise
Audit, Risk Assessment, Gap AnalysisTechnology Type
IaaS, Computer Network, SaaS, Web ApplicationCybersecurity Regulation
GDPR, HIPAA, PCI DSS, SOC 2What's included
| Service Tiers |
Starter
$350
|
Standard
$500
|
Advanced
$750
|
|---|---|---|---|
| Delivery Time | 3 days | 5 days | 7 days |
Application Audit | |||
Project Plan | |||
Cost Estimation |
Frequently asked questions
1 review
(0)
(0)
(1)
(0)
(0)
This project doesn't have any reviews.
CT
Cris T.
May 12, 2022
API security specialist
Unfortunately he just left without letting me know on the middle of the project, because he had few hours of availability
About Devansh
SaaS Web App & API Pentest | Real Findings | SOC 2 Ready
Jaipur, India - 9:37 am local time
I do web application and API pentests for Seed to Series B SaaS companies. Real findings with clear attack paths and developer-friendly fixes. Not a scanner report with your logo on it.
Before any engagement, we do a 20-minute scoping call to define exact scope, methodology, and deliverables, so you know precisely what you're getting before a dollar changes hands.
What I test:
1. Web application security: Authentication flaws, privilege escalation, IDOR, business logic vulnerabilities, sensitive data exposure
2. API security: BOLA, broken authentication, injection, improper authorization
3. Cloud infrastructure: AWS/Azure/GCP IAM misconfigurations, storage exposure, privilege escalation paths
4. Network security: Internal segmentation, exposed services, firewall misconfigurations
5. CI/CD pipelines: Secrets exposure, pipeline abuse, GitHub Actions and GitLab CI weaknesses
6. Container & Kubernetes: Misconfigured RBAC, exposed dashboards, container escape paths, privilege escalation within clusters
7. Supply chain: Dependency attacks, build pipeline risks, compromised packages, OIDC misconfigurations
8. AI security: LLM prompt injection, data leakage, model misuse scenarios
What you get:
Every finding comes with a working exploitation path, not theoretical risk. Clear business impact so your engineering team understands why it matters. Developer-friendly remediation guidance they can act on immediately. Optional retesting once fixes are in.
Background:
I've spent 4 years finding real vulnerabilities at depth. Published 4 CVEs, earned Bugcrowd MVP recognition, and served as HackerOne Pod Lead across 200+ programs including Reddit, eBay, Sony, and Bumble. I've triaged and validated 1,000+ vulnerabilities across web, API, cloud, and mobile. I'm not learning on your project.
A note on my work history:
I have an early 2022 contract on here that ended badly, I took on a project without the availability to complete it and communicated poorly. That was on me. Since then I scope every engagement upfront with a call before any work begins. It doesn't happen anymore.
If you want a quick look at your external surface before committing to anything, message me. I'll take a look and tell you what stands out.
Steps for completing your project
After purchasing the project, send requirements so Devansh can start the project.
Delivery time starts when Devansh receives requirements from you.
Devansh works on your project following the steps below.
Revisions may occur after the delivery date.
Kickoff & Scope Confirmation
Review your domain, subdomains, and GitHub org. Confirm the exact assets in scope and send a kickoff summary so you know what's being reviewed before work begins.
External Attack Surface Enumeration
Subdomain discovery, exposed service identification, certificate transparency analysis, and cloud storage exposure check across S3, GCS, and Azure.
