I’m looking for a seasoned web-application penetration tester to mimic automated attack patterns against our authentication stack and help us harden it. The scope is strictly limited to the hosts and endpoints that I will specify in writing before the engagement begins; no testing outside that list is permitted. What you’ll be examining • Username-and-password login flow • Custom CAPTCHA behaviour and resilience • Rate-limiting logic on both HTTP and HTTPS requests • Optional MFA checkpoints that interface with SilverBullet and OpenBullet configurations I’d like you to craft a working SilverBullet/OpenBullet config that reproduces the login sequence—including any necessary cookies, tokens, or header manipulation—so we can run repeatable regression tests after fixes are applied. Deliverables 1. A concise test plan outlining tools, payloads, and timelines. 2. The fully commented SilverBullet/OpenBullet configuration file. 3. A penetration-test report that ranks findings by risk and provides clear remediation steps. 4. Proof-of-concept requests (cURL or Burp/OWASP ZAP export) demonstrating each confirmed issue. Acceptance criteria • No exploitation outside the authorised endpoints. • Testing must respect legal and ethical guidelines at all times. • All high- and critical-risk findings must include a reproducible scenario. If you can confirm adherence to these rules and have strong experience bypassing custom CAPTCHA and rate-limit controls, I’m ready to move forward quickly.