Job Description
1. Introduction
Finstory is a US-based (Delaware Inc.) Fintech startup. We operate a platform that stores and processes sensitive financial data for our customers. We are currently working towards a SOC2 Type 1 attestation and are using TrustCloud as our GRC/ISMS platform.
We are looking for a qualified Ethical Hacker or Security Firm to conduct a Grey Box Penetration Test to validate our security posture and provide documented evidence for our upcoming audit.
2. Project Objective
The goal is to identify vulnerabilities within our application and infrastructure that could lead to unauthorized access to customer financial data. We require a comprehensive report that satisfies SOC2 "Vulnerability Management" and "Penetration Testing" control requirements.
3. Scope of Work
Target: [Insert URL/Environment, e.g., Web Application & API Endpoints].
Methodology: Grey Box. We will provide architectural overviews and standard user credentials (low-level access) to simulate an "authenticated attacker" scenario.
Key Focus Areas:
Broken Access Control (BOLA/BOPLA): Ensure that an authenticated user cannot read or modify other customers' financial data by manipulating object identifiers or object properties in requests.
Injection Attacks: SQLi, XSS, and Command Injection.
Authentication & Session Management: MFA bypass attempts and session hijacking.
API Security: Assessment of REST/GraphQL endpoints.
Cloud Infrastructure: Basic review of the underlying environment (e.g., AWS/Azure/GCP) for misconfigurations.
4. Deliverables
Executive Summary: High-level overview for management and auditors.
Detailed Technical Report: Including steps to reproduce, risk ratings (CVSS), and clear remediation advice.
Attestation Letter: A formal summary letter that we can share with our SOC2 auditors and enterprise prospects.
Re-test (Optional but Preferred): A brief validation test once we have patched the "Critical" or "High" findings, confirming that each finding is remediated.
5. Requirements for the Consultant
Experience with Fintech/Financial Services data security.
Familiarity with SOC2 compliance requirements.
Relevant certifications (e.g., OSCP, OSWE, CREST, or CISSP).
Ability to work under a strict Non-Disclosure Agreement (NDA).