Hire the Best Vulnerability Assessment Specialists
Tonbridge, United Kingdom
🔒 You need security that actually works — not a report that says it does. The organisations I work with want to find the vulnerabilities that matter, fix them with confidence, and get on with growing their business without security becoming the thing that stops them. I have delivered over 1,000 commercial penetration tests across 27 years. Not side projects. Not internal assessments. Full mission-critical engagements for high street and investment banks, hedge funds, insurance firms, government departments, police, military, national infrastructure, retailers, law firms, airports and more. I led the security architecture for the Athens 2004 Olympics internet-facing systems. I was lead architect on the UK Cyber Essentials scheme at launch. I have published in commercial security press and guest lectured at universities. There is a difference between someone who does penetration testing and someone who has seen every flavour of environment, every attack pattern, and every way organisations deceive themselves about their security posture. That difference is what you are hiring. 🎯 Where can I help: 🗡️ Network & Infrastructure Penetration Testing — adversarial testing of internal and external infrastructure, finding exploitable exposures before an attacker does. 🌐 Application Penetration Testing — web application and API security testing against real attack patterns: authentication, authorisation, input handling and business logic flaws. ☁️ Microsoft 365 Security Assessment — Entra ID, Conditional Access, PIM, Intune, DLP, sensitivity labelling, Exchange Online and Defender for Office 365. 🔷 Azure Security Assessment — identity and access management, network controls, storage and key management, Defender for Cloud posture, and monitoring coverage. 🟢 Google Workspace, GCP & AWS Security Assessments — configuration and access control assessments across Google and Amazon cloud environments. 🏛️ Security Architecture and Risk Advisory — senior technical input on architecture decisions, control design and risk without a full engagement commitment. 👤 Every engagement is delivered directly by me — David Morgan, founder of Metis Security. No account management layer, no junior handoffs, no templated output. You work with the person conducting the analysis and writing the report. 📋 How I work is as important as what I find Every finding in my reports is one I will defend as genuinely material to your environment. No padding, no low-hanging fruit included to justify the fee, no default risk ratings copied from a scanner. If your context changes the risk, the rating reflects that. What you receive: ✅ A visually structured report with clear separation between executive summary, findings and remediation roadmap — written to be read by people who are not security specialists ✅ Risk ratings adjusted to your specific environment and context, not defaulted from a tool ✅ A prioritised remediation roadmap so your team knows exactly what to fix first and why it matters commercially ✅ Immediate escalation of any high-risk finding or schedule-affecting issue during the engagement — you are never waiting until the end to hear something important ✅ Daily status updates so you always know where the engagement stands ✅ A debrief call at close to walk through findings, answer questions and finalise the report before it is delivered CISSP | ISSAP | Microsoft Security certifications | 27 years If you need to know whether your environment is genuinely secure — not whether it looks configured — I am worth a conversation.
- Vulnerability Assessment
- Penetration Testing
- Web Application Security
- Network Penetration Testing
- Office 365
- Microsoft Azure
- Cloud Security
- Network Security
- Security Assessment & Testing
- Cybersecurity Management
- Zero Trust Architecture
- Security Analysis
- Google Cloud Platform
- Google Workspace
- Amazon Web Services
- NIST Cybersecurity Framework
- Microsoft 365 Copilot
- Internet Security
- Information Security Audit
- Information Security Consultation
Gujranwala, Pakistan
Expert-Vetted on Upwork (Top 1% of security professionals). If you're building on the cloud and want to find the security gaps attackers would exploit — before they do — I can help. I’m a cybersecurity consultant and founder of Exfiltra, helping startups and enterprises secure their applications, cloud infrastructure, and DevOps pipelines. I have worked with organizations generating $6B+ in annual revenue and helped companies strengthen security across cloud environments, applications, and compliance programs. I personally lead security engagements and, when needed, bring in specialists from my team at Exfiltra to support larger or complex projects. Most clients hire me when they want to: ✔ Secure Azure / AWS / GCP environments ✔ Perform professional penetration testing ✔ Implement DevSecOps and secure CI/CD pipelines ✔ Prepare for SOC 2, ISO 27001, HIPAA, FedRAMP, or CMMC ✔ Improve security posture using industry frameworks CORE EXPERTISE AZURE & CLOUD SECURITY • Azure security architecture reviews • Microsoft Defender for Cloud & Sentinel • Identity security (Entra ID / Conditional Access) • Cloud configuration reviews and CIS Benchmark hardening APPLICATION SECURITY & PENETRATION TESTING • Web application penetration testing • API security testing • Mobile application security testing • Network and cloud penetration testing • Assessments aligned with OWASP Top 10 and OWASP ASVS DEVSECOPS & SECURITY AUTOMATION • Secure CI/CD pipelines (Azure DevOps / GitHub Actions) • Infrastructure as Code security (Terraform / Bicep) • SAST and DAST integration in pipelines SECURITY TOOLS • Snyk • Semgrep • OWASP ZAP • Burp Suite • Wazuh • CrowdStrike • Microsoft Sentinel AI & LLM SECURITY • AI application threat modeling • Prompt injection and model abuse testing • Secure architecture for AI-powered applications WHY CLIENTS WORK WITH ME • Upwork Expert-Vetted (Top 1% of freelancers) • Founder of Exfiltra – a cybersecurity services company • Supported by a team of security specialists for larger engagements • Contributor to OWASP ZAP • Experience securing environments for organizations generating $6B+ in revenue • Background in both software engineering and cybersecurity • Security research involving organizations like the U.S. Department of Defense NOT A GOOD FIT IF • You want to hack or recover social media accounts • You want enterprise-grade security but are not willing to invest in it If your goal is to build secure systems instead of reacting to breaches later, feel free to invite me to your job or send a message describing your project.
- Vulnerability Assessment
- Network Security
- Kali Linux
- Security Assessment & Testing
- Penetration Testing
- Information Security Consultation
- Application Security
- Information Security
- Web Application Security
- Ethical Hacking
- Cloud Security
- Web App Penetration Testing
- Security Management
- System Security
- AI Security
- Secure SDLC
- Security Testing
- Website Security
- Database Security
- Cybersecurity Management
Kenitra, Morocco
I find the vulnerabilities in your web apps, APIs, and networks before attackers do, then hand your team a clear, reproducible penetration testing report they can act on. GXPN and GCIH certified. Top Rated on Upwork with 100% Job Success across web application, API, and network security engagements. No scanner dump and no jargon wall. Every finding comes with a severity rating (CVSS), working proof of concept, and a concrete fix your developers can ship. What I test: - Web application penetration testing (OWASP Top 10, PTES, NIST) - API security testing (REST, GraphQL, auth/OAuth, IDOR, broken access control) - SaaS and multi-tenant assessments (Supabase / Firebase data-isolation testing) - Network and external perimeter penetration testing - Source code / secure code review How I work: authorized testing only, on systems you own or have permission to test. Everything is documented over Upwork so you get a written record of every finding, not a verbal hand-wave. I retest after you patch to confirm the holes are actually closed. Credentials: GXPN (GIAC Advanced Penetration Tester & Exploit Researcher), GCIH (GIAC Certified Incident Handler), SANS CTF winner, and an active national/international CTF competitor (web, reverse, crypto, forensics). I also handle WordPress malware removal and incident response. See my Project Catalog for a fixed-price option.
- Vulnerability Assessment
- Penetration Testing
- Web Application Security
- WordPress
- Malware Removal
- Website Security
- Network Penetration Testing
- OWASP
- Information Security
- API
Sabac, Serbia
✅ Professional Penetration Tester ✅ 3500+ Hours ✅ Top Rated Plus Freelancer Security Researcher and Penetration Tester recognized by the U.S. Department of Defense, AT&T, Sony, and Semrush for the responsible disclosure of 40+ vulnerabilities via HackerOne. Since 2022, an active member of the Synack Red Team - an elite tier of offensive security specialists vetted through rigorous technical and background screening. Every engagement concludes with a comprehensive technical report built to satisfy the specific penetration testing controls required for HIPAA, ISO 27001, SOC2, and PCI-DSS. I provide a high-level executive summary for stakeholders alongside deep-dive technical findings, fully reproducible Proofs-of-Concept (PoCs), and prioritized remediation steps to ensure your team can effectively close every gap before your audit. Specializing in black and gray box testing of live web applications, cloud environments, and networks, covering all common attack vectors, business logic flaws, and discovering previously undisclosed vulnerabilities (0days) to prevent high-impact data breaches. Service Description: 1) Web Application Penetration Testing (OWASP Top 10, PTES, ASVS, Business Logic Testing) 2) Mobile Application Penetration Testing (OWASP Top 10, MASVS, MASTG, PTES) 3) Network Penetration Testing (Active Directory, Entra ID, Internal & External Network) 4) API Security Testing - REST, GraphQL, SOAP, gRPC, Webhooks (OWASP API Top 10) 5) Cloud Security Testing - AWS/Azure/GCP/OCI/Alibaba/IBM/DigitalOcean/SaaS/IaaS/PaaS 6) Cloud-Native & Container Security (Kubernetes, Docker, OpenShift, EKS/AKS/GKE) 7) LLM Security Testing (OWASP LLM Top 10, Prompt Injection, Data Poisoning) Tools used in engagements: BurpSuite Professional | Custom Python scripts | BloodHound | Impacket Framework | Responder | Metasploit | Mimikatz | Nuclei | Nmap | FRIDA | Android Studio | Pacu | Prowler | Postman Identify and secure your attack surface before threat actors do ! Message me to discuss your project requirements.
- Vulnerability Assessment
- Penetration Testing
- Network Security
- Security Testing
- Internet Security
- Network Penetration Testing
- Web App Penetration Testing
- Ethical Hacking
- Black Box Testing
- Reverse Engineering
- JavaScript
- Web Application Security
- Cloud Security
- API
- AI Security
- OWASP
- NIST SP 800-53
- HIPAA
- PCI DSS
- Bug Bounty
Tirana, Albania
I am an OSCP+ and CEH certified Professional Penetration Tester specializing in Web Application, API, Mobile Application, and Infrastructure Security Testing. Over the last years, I have completed more than 600 penetration tests and security assessments for clients across finance, SaaS, healthcare, e-commerce, and enterprise environments. My main focus is helping companies identify real security risks before attackers do, with clear evidence, practical remediation guidance, and professional reports suitable for compliance, audit, and internal security teams. Core services I provide: • Web Application Penetration Testing • API Security Testing • Mobile Application Penetration Testing for Android and iOS • SOC 2, ISO 27001, PCI DSS, AMAZON SP and Compliance-Oriented Penetration Test Reports • OWASP Top 10 Security Testing • OWASP WSTG-Based Assessments • Vulnerability Assessment and Security Hardening • Retesting and Remediation Validation I perform Black Box, Gray Box, and White Box penetration testing depending on the client’s needs. My reports are structured, professional, and easy to understand by both technical teams and management. Each finding includes clear evidence, risk rating, business impact, CVSS scoring where applicable, and actionable remediation steps. Clients usually hire me when they need: • A professional penetration test before a product launch • A security report for SOC 2, ISO 27001, PCI DSS, AMAZON SP vendor review, or investor due diligence • Web, API, or mobile app testing by an experienced OSCP-certified tester • A practical security assessment focused on real exploitability, not only scanner output • Fast communication, clear reporting, and reliable retesting after fixes My goal is not only to find vulnerabilities, but to help your team understand, prioritize, and fix them properly. Sample penetration testing reports can be provided upon request.
- Vulnerability Assessment
- Security Assessment & Testing
- Kali Linux
- Application Security
- Penetration Testing
- Network Security
- Security Infrastructure
- Manual Testing
- Ethical Hacking
- OWASP
- Windows Server
- NIST SP 800-53
- Internet Security
- Web Application Security
- Security Engineering
Accra, Ghana
Google Cloud Certified Professional Security Engineer. No technical debt. No unmonitored vulnerabilities. Only resilient, audit-ready infrastructure. I don't patch fragile systems — I design enterprise-grade cloud environments that scale securely from day one. I architect, harden, and scale Google Cloud Platform (GCP) infrastructure for FinTech, Healthcare, and high-growth SaaS companies. If your growth is outpacing your security, I can build your enterprise roadmap. If your current environment is failing compliance audits, I can bridge the gap with zero-trust architecture and automated DevSecOps pipelines. ━━ CLOUD SECURITY & GCP ARCHITECTURE ━━ ✔ Zero-trust architecture & IAM least-privilege enforcement ✔ VPC Service Controls & encrypted data flows ✔ Kubernetes (GKE) & container security ✔ "Fortress Cloud" design built to survive Series A/B due diligence ━━ DEVSECOPS & AUTOMATION ━━ ✔ CI/CD pipeline security integration (Shift-Left methodology) ✔ SAST/DAST scanning automation ✔ Infrastructure as Code (Terraform) ✔ Cloud monitoring and Google Kubernetes Engine (GKE) deployments ━━ COMPLIANCE & FRACTIONAL CTO ━━ ✔ ISO 27001, SOC 2, and GDPR technical mapping ✔ Executive-level technology strategy & engineering team leadership ✔ Secure AI Agent integration & LLM workflows (LangChain, n8n) ✔ Vendor portfolio management and cost optimization Why clients hire me: Most cloud freelancers only know how to spin up basic servers. I bring the discipline of a senior infrastructure lead and a Cybersecurity Instructor. Having spearheaded security at SGS Ghana for four years, I understand how to deploy environments where security is built directly into the codebase. Furthermore, as the Founder of Vision AI Consortium, I don't operate as a siloed freelancer. When complex, multi-disciplinary requirements arise, my clients gain access to a vetted team of specialists in data engineering, AI operations, and FinTech compliance. Recent quantifiable outcomes: Streamlined infrastructure provisioning by 70% through automated DevSecOps pipelines. Reduced production misconfigurations by 40% for enterprise environments. Cut operational support backlogs by 45% by implementing robust cloud monitoring. Have a complex scaling or compliance bottleneck? Send me a message with your current tech stack and infrastructure goals — I will outline exactly what needs to be fixed or built.
- Vulnerability Assessment
- Google Cloud Platform
- Cloud Security
- Information Security
- DevOps
- Security Engineering
- Docker
- Terraform
- Kubernetes
- ISO 27001
- Cloud Architecture
- Security Framework
- Security Assessment & Testing
- AI Security
How it works
Post a job for free Post a job
Tell us what you need. Create your own job post or generate one with AI then filter talent matches.
Hire top talent fast
Consult, interview, and hire quickly, so you can meet the freelancers you're excited about.
Collaborate easily
Use Upwork to chat or video call, share files, and track project progress right from the app.
Payment simplified
Manage payments in one place with flexible billing options. Only pay for approved work, hourly or by milestone.
Don't just take our word for it
“Upwork provides an umbrella-level of security. I can see a talent’s work history and ratings. I can hold payments in escrow. I can communicate through Upwork Messages instead of working through my email address.”
Kim Darling
Emerald Tiger
“Upwork is the best platform to hire skilled professionals when we're not looking for a full-time employee. All the companies in our portfolio use Upwork to find talent across a wide range of fields.”
David Merry
Kinetic Investments
“Our very specific requirements can be a challenge—With Upwork, we’re able to access a bigger community to ensure the success of our projects.”
Katja Krohn
Summa Linguae
How do I hire a Vulnerability Assessment Specialist on Upwork?
You can hire a Vulnerability Assessment Specialist on Upwork in four simple steps:
- Create a job post tailored to your Vulnerability Assessment Specialist project scope. We’ll walk you through the process step by step.
- Browse top Vulnerability Assessment Specialist talent on Upwork and invite them to your project.
- Once the proposals start flowing in, create a shortlist of top Vulnerability Assessment Specialist profiles and interview.
- Hire the right Vulnerability Assessment Specialist for your project from Upwork, the world’s largest work marketplace.
At Upwork, we believe talent staffing should be easy.
How much does it cost to hire a Vulnerability Assessment Specialist?
Rates charged by Vulnerability Assessment Specialists on Upwork can vary with a number of factors including experience, location, and market conditions. See hourly rates for in-demand skills on Upwork.
Why hire a Vulnerability Assessment Specialist on Upwork?
As the world’s work marketplace, we connect highly-skilled freelance Vulnerability Assessment Specialists and businesses and help them build trusted, long-term relationships so they can achieve more together. Let us help you build the dream Vulnerability Assessment Specialist team you need to succeed.
Can I hire a Vulnerability Assessment Specialist within 24 hours on Upwork?
Depending on availability and the quality of your job post, it’s entirely possible to sign up for Upwork and receive Vulnerability Assessment Specialist proposals within 24 hours of posting a job description.
Find more freelancers
Similar Vulnerability Assessment Specialist Skills
- Penetration Testers
- Cyber Risk Consultants
- Anti-Money Laundering (AML) Analysts
- Risk Assessment Professionals
- Security Consultants
- Information Security Audit Professionals
- Information Security Analysts
- Risk Management Specialists
- Bug Bounty Experts
- IT Compliance Specialists
- Insurance Coverage Analysis Specialists
- Network Security Engineers
- NIST Cybersecurity Framework Specialists
- Commercial Lending Specialists
- CMMC Experts
- Internet Security Specialists
Top Countries for Vulnerability Assessment Specialists
- Vulnerability Assessment Specialists in Australia
- Vulnerability Assessment Specialists in India
- Vulnerability Assessment Specialists in Pakistan
- Vulnerability Assessment Specialists in Bangladesh
- Vulnerability Assessment Specialists in Canada
- Vulnerability Assessment Specialists in Nigeria
- Vulnerability Assessment Specialists in the United Arab Emirates
- Penetration Testers in Turkey
- Penetration Testers in Serbia
- Penetration Testers in Australia
- Penetration Testers in Ukraine
- Penetration Testers in Egypt
- Penetration Testers in Romania
- Penetration Testers in Kenya
- Penetration Testers in Tunisia
- Penetration Testers in Ethiopia