We're building a multi-tenant healthcare SaaS platform (B2B) for appointment scheduling with an AI-powered voice agent. We're looking for a penetration tester to validate our security posture before onboarding our first pilot clinic.
Tech stack: Cloudflare, Supabase, Clerk, Railway, Twilio
The engagement is split into 3 phases:
Phase 1 (pre-launch, priority): External attack surface review. Validate that all publicly exposed endpoints are properly secured before going live.
Phase 2: Internal platform security. Tenant isolation, RBAC enforcement, role escalation, API authorization.
Phase 3: AI/voice agent security. Prompt injection, call flow manipulation, abuse scenarios.
Deliverables per phase:
Written report with findings ranked by severity
Proof of concept for each finding
Remediation recommendations
Retest of critical/high findings after our fixes
Budget: $1,500 - $2,200 for the full 3-phase engagement. We know this is a startup budget. We're looking for someone early in their career or willing to work with an early-stage product, with the understanding that this becomes an ongoing paid relationship as we scale (periodic reassessments, new feature reviews).
Methodology: We expect testing aligned with OWASP Top 10 / OWASP ASVS. If you follow a different framework, let us know in your proposal.
Timeline: We're ready to start Phase 1 within 2-3 weeks of signing an NDA.
In your proposal, please mention:
Which of the technologies in our stack you've pentested before, and which would be new
A brief example of a similar engagement (SaaS, multi-tenant, or healthcare)
Your estimated timeline per phase
Your availability
Full architecture details, staging access, and role credentials will be shared after NDA signing.
Languages: English or Romanian.
Apply tot his job
Apply To this Job