You will get SaaS Attack Surface Review - Know What's Exposed in 3 Days

2.9

Let a pro handle the details

Buy Assessments & Penetration Testing services from Devansh, priced and ready to go.
2.9

Let a pro handle the details

Buy Assessments & Penetration Testing services from Devansh, priced and ready to go.

Project details

Most security reviews either go too deep too fast or hand you a scanner report dressed up as analysis. I do a focused external review of your attack surface , what an attacker sees before they ever touch your application. Subdomains, exposed backends, GitHub exposure, cloud storage misconfigurations, certificate transparency. Passive, non-intrusive, and done in 3-7 business days.

I've spent 4 years finding real vulnerabilities across 300+ assessments, published 4 CVEs, and served as HackerOne Pod Lead across 200+ programs. I know what real exposure looks like and I know how to explain it in a way your engineering team can act on immediately.

Fixed price & Guaranteed findings after end of the assessment.
Cybersecurity Assessment Type
Penetration Testing
Cybersecurity Expertise
Audit, Risk Assessment, Gap Analysis
Technology Type
IaaS, Computer Network, SaaS, Web Application
Cybersecurity Regulation
GDPR, HIPAA, PCI DSS, SOC 2
What's included
Service Tiers Starter
$350
Standard
$500
Advanced
$750
Delivery Time 3 days 5 days 7 days
Application Audit
Project Plan
Cost Estimation

Frequently asked questions

2.9
1 review
1% Complete
(0)
1% Complete
(0)
100% Complete
1% Complete
(0)
1% Complete
(0)

CT

Cris T.
2.90
May 12, 2022
API security specialist Unfortunately he just left without letting me know on the middle of the project, because he had few hours of availability
Devansh B.Status: Offline

About Devansh

Devansh B.Status: Offline
SaaS Web App & API Pentest | Real Findings | SOC 2 Ready
2.9  (1 review)
Jaipur, India - 9:37 am local time
If you're building a B2B SaaS product and haven't had a proper security review, you're carrying risk you can't see. Enterprise clients, investors, and SOC 2 auditors will ask about it and "we haven't done one yet" is the answer that stalls deals and kills closings.

I do web application and API pentests for Seed to Series B SaaS companies. Real findings with clear attack paths and developer-friendly fixes. Not a scanner report with your logo on it.

Before any engagement, we do a 20-minute scoping call to define exact scope, methodology, and deliverables, so you know precisely what you're getting before a dollar changes hands.

What I test:

1. Web application security: Authentication flaws, privilege escalation, IDOR, business logic vulnerabilities, sensitive data exposure
2. API security: BOLA, broken authentication, injection, improper authorization
3. Cloud infrastructure: AWS/Azure/GCP IAM misconfigurations, storage exposure, privilege escalation paths
4. Network security: Internal segmentation, exposed services, firewall misconfigurations
5. CI/CD pipelines: Secrets exposure, pipeline abuse, GitHub Actions and GitLab CI weaknesses
6. Container & Kubernetes: Misconfigured RBAC, exposed dashboards, container escape paths, privilege escalation within clusters
7. Supply chain: Dependency attacks, build pipeline risks, compromised packages, OIDC misconfigurations
8. AI security: LLM prompt injection, data leakage, model misuse scenarios

What you get:

Every finding comes with a working exploitation path, not theoretical risk. Clear business impact so your engineering team understands why it matters. Developer-friendly remediation guidance they can act on immediately. Optional retesting once fixes are in.

Background:

I've spent 4 years finding real vulnerabilities at depth. Published 4 CVEs, earned Bugcrowd MVP recognition, and served as HackerOne Pod Lead across 200+ programs including Reddit, eBay, Sony, and Bumble. I've triaged and validated 1,000+ vulnerabilities across web, API, cloud, and mobile. I'm not learning on your project.

A note on my work history:

I have an early 2022 contract on here that ended badly, I took on a project without the availability to complete it and communicated poorly. That was on me. Since then I scope every engagement upfront with a call before any work begins. It doesn't happen anymore.

If you want a quick look at your external surface before committing to anything, message me. I'll take a look and tell you what stands out.

Steps for completing your project

After purchasing the project, send requirements so Devansh can start the project.

Delivery time starts when Devansh receives requirements from you.

Devansh works on your project following the steps below.

Revisions may occur after the delivery date.

Kickoff & Scope Confirmation

Review your domain, subdomains, and GitHub org. Confirm the exact assets in scope and send a kickoff summary so you know what's being reviewed before work begins.

External Attack Surface Enumeration

Subdomain discovery, exposed service identification, certificate transparency analysis, and cloud storage exposure check across S3, GCS, and Azure.

Review the work, release payment, and leave feedback to Devansh.