Expected duration: less than 1 week We are seeking a practical, detail-oriented security tester to conduct a structured penetration testing and security assessment of our early-stage platform.
This is an MVP and early-access engagement, not a formal certification audit. The goal is to identify and remediate material security risks using recognised methodologies and free/open-source tools, ahead of broader public and enterprise pilots.
This role is ideal for an experienced independent tester who understands startup constraints and can deliver real security value without unnecessary overhead.
Scope of Work
The engagement includes security testing of:
• Public web application • Backend APIs • Authentication and authorisation flows • API key usage and access controls • Admin or privileged interfaces • Application-related infrastructure exposure
Out of scope: • Third-party services • Denial-of-service testing • Social engineering • Formal certification (ISO, SOC, etc.)
Required Standards and Approach
Testing must align with: • OWASP Top 10 (Web Application) • OWASP API Security Top 10
Manual testing and validation are required. Automated scanning alone is not sufficient.
Tools (Free / Open Source)
You are expected to use some or all of the following:
• OWASP ZAP • Burp Suite Community Edition • Postman • Snyk (free tier) or Trivy • Nmap • SSL Labs Server Test
You may propose additional free tools where appropriate.
Deliverables
You must provide a written security assessment report that includes:
• Executive summary • Scope and methodology • Findings with severity ratings (Critical, High, Medium, Low) • Evidence and reproduction steps • Practical remediation guidance • Tool-generated reports (where applicable) • Clear statement that this is a non-certified assessment
