Law Firm IT Security Testing (2026): The Complete Playbook for Managing Partners, GCs, and IT Directors
A field-tested 2026 guide to law firm IT security testing — external and internal network tests, Microsoft 365 and Entra ID hardening checks, iManage and NetDocuments exposure reviews, phishing and MFA-fatigue simulation, tabletop exercises, red-team engagements, and continuous attack-surface monitoring. Mapped to ABA Model Rule 1.6(c), the FTC Safeguards Rule, SEC Regulation S-P, HIPAA, NY DFS 23 NYCRR 500, and the outside-counsel guidelines AmLaw clients now enforce.

Law firm IT security testing is no longer a once-a-year PDF that lives in a partner's inbox. In 2026, it is a continuous program that your cyber-insurance underwriter, your AmLaw and Fortune-500 clients, and — if the worst happens — a plaintiffs' lawyer in post-breach discovery will each measure you against. This guide is the same playbook we hand to managing partners, general counsel, and IT directors before we scope an engagement: what to test, how often, who should run it, what evidence to keep, and what the results actually need to prove.
If you only have five minutes: an effective 2026 program layers external attack-surface monitoring (continuous) + vulnerability assessment (quarterly) + penetration testing (annual, plus after material change) + phishing and social-engineering simulation (quarterly) + tabletop exercises (semiannual) + a red-team or purple-team engagement (every 18–24 months for AmLaw 200 firms and any firm handling regulated data). Miss two of those layers and you are the soft target in your peer group.
Why IT security testing is now table stakes for law firms
The ABA 2024 Legal Technology Survey found that 29% of law firms reported a security breach and 36% did not know whether they had been breached. The 2024 Verizon DBIR shows the median dwell time for an attacker inside a professional-services network is still measured in weeks, not hours. And every insurer we work with — Beazley, Chubb, Coalition, At-Bay, CFC — now asks for specific, dated testing evidence on 2026 renewal questionnaires.
Four overlapping obligations shape what "reasonable" testing looks like:
- ABA Model Rules 1.1, 1.6(c), and 5.3. Formal Opinion 477R and Formal Opinion 498 make clear that "reasonable efforts" is a facts-and-circumstances test — and testing evidence is one of the strongest facts you can produce.
- [FTC Safeguards Rule](https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know) § 314.4(d)(2). Requires annual penetration testing and biannual vulnerability assessments, or continuous monitoring in lieu of the fixed schedule. Applies to any firm handling consumer financial information — including plaintiffs' firms with client trust accounts.
- [SEC Regulation S-P](https://www.sec.gov/rules/2024/05/regulation-s-p-privacy-consumer-financial-information-and-safeguarding-customer) (amended 2024). Large filers had to comply by December 3, 2025; smaller entities by June 3, 2026. Firms serving broker-dealers and RIAs are being asked to produce testing artifacts in vendor questionnaires.
- Client outside-counsel guidelines (OCG). AmLaw 200 firms routinely field OCG questionnaires requiring an annual third-party penetration test and quarterly phishing simulation reports on file.
Add NY DFS 23 NYCRR 500, HIPAA Security Rule, and state laws like CCPA/CPRA and Illinois BIPA for firms serving regulated industries, and IT security testing becomes the connective tissue of the entire compliance program.
The six layers of a defensible 2026 testing program
Think of testing as a stack. Each layer answers a different question, produces different evidence, and satisfies a different auditor. Skip a layer and your record has a hole an underwriter or plaintiff's expert will find.
Layer 1 — Continuous external attack-surface monitoring
The question it answers: *what does an attacker see, right now, from the public internet?*
An external attack-surface management (ASM) tool inventories every domain, subdomain, IP range, exposed service, cloud tenant, and SaaS integration your firm has — including the ones nobody remembers (an acquired boutique from 2019, a marketing landing page a departed CMO spun up, an Azure tenant a summer associate created in 2022). It cross-references those assets against the CISA Known Exploited Vulnerabilities Catalog, leaked credentials from Have I Been Pwned and infostealer logs, and email-security posture (SPF, DKIM, DMARC).
- Frequency: continuous. Insurers now specifically ask "do you have continuous external monitoring in lieu of biannual vuln scans?"
- Evidence to keep: dated snapshot report each month, plus an alert log showing time-to-remediation for any Critical finding.
Layer 2 — Vulnerability assessment (authenticated scans)
The question it answers: *what known vulnerabilities exist on assets we own, including behind the firewall?*
Authenticated vulnerability scanning uses credentialed access to workstations, servers, and network devices to enumerate missing patches, misconfigurations, and end-of-life software. It is broader and shallower than a pentest — it finds *what* is vulnerable, not necessarily what is *exploitable*.
- Frequency: quarterly minimum, monthly for AmLaw 200 and regulated-industry firms.
- Evidence to keep: scan report with CVSS scores, remediation tickets in your ITSM (Jira, ServiceNow, Autotask, ConnectWise), and closeout evidence.
- Common gaps we find: unpatched Adobe Acrobat and Reader (still the #1 endpoint CVE for firms), end-of-life Windows Server 2012 R2 domain controllers, and forgotten Fortigate/Ivanti/Palo Alto VPN appliances on old firmware.
Layer 3 — Penetration testing (annual, plus after material change)
The question it answers: *if a real adversary tried, could they reach our privileged data?*
A penetration test is a human-led, goal-oriented simulation. A qualified tester (look for CREST, OSCP, OSCE³, GPEN, GXPN, GWAPT, or PNPT on the individual, not just company logos) chains findings into an actual attack path — the way ransomware affiliates and BEC operators do.
For law firms, the modern pentest almost always includes an assumed-breach scenario (tester is given a low-privilege laptop as if a paralegal clicked a phishing link) because that is what insurers now specifically request. It also includes an Active Directory / Entra ID attack path map via BloodHound, a document management system (DMS) exposure review for iManage / NetDocuments / Worldox / Epona / OpenText, and a client-portal authorization test for IDOR ("client A cannot read client B's documents by tampering with a URL parameter").
- Frequency: annual, plus after any material change — merger, cloud migration, new DMS, new client portal, new remote-access vendor.
- Evidence to keep: executive summary, technical findings, remediation guidance, and a free retest of Critical/High findings within 60–90 days. The retest letter is what an insurer wants to see, not just the original report.
- Deeper dive: see our 47-point pen test checklist for law firms and pen test cost benchmarks for 2026.
Layer 4 — Phishing and social-engineering simulation
The question it answers: *how do our people actually behave under pressure?*
The FBI IC3 2024 report put business email compromise losses at over $2.9 billion. Law firms are prime targets because of wire-instruction volume in real-estate, M&A, and IOLTA workflows. Modern simulations must go beyond generic invoice scams and include:
- Court-filing impersonation (fake PACER/CM/ECF notifications).
- Opposing-counsel pretexts with realistic matter numbers.
- Wire-instruction change targeting finance and closing coordinators.
- MFA-fatigue push-bombing against attorneys with mobile authenticator apps.
- AI-cloned partner voice for high-dollar wire authorization (this is now real; we have seen it in three engagements in the past year).
- Frequency: quarterly, with escalating difficulty. Report click-rate, report-rate, and — most importantly — credential-submission rate, not just click-rate.
- Evidence to keep: dated campaign reports and completed remedial training records per user.
Layer 5 — Tabletop exercises
The question it answers: *do our humans know what to do in the first 72 hours?*
A tabletop is a two-to-three-hour facilitated scenario walked through by the incident-response team: managing partner, GC, CIO/CISO, COO, PR, outside breach coach, insurer contact, forensic IR firm. It is the single highest-ROI testing activity a firm can run.
- Frequency: semiannual. One scenario should always be ransomware; the second should rotate through BEC / wire fraud, insider data theft, third-party (DMS / e-billing vendor) breach, and — increasingly — an AI-tool data-leak scenario (Copilot, ChatGPT Enterprise, Otter.ai transcripts).
- Evidence to keep: exercise plan, participant roster, after-action report, and revisions to the incident response plan. This is what regulators and insurers ask for by name.
Layer 6 — Red-team or purple-team engagement
The question it answers: *if a motivated adversary spent 4–6 weeks trying, could they exfiltrate a specific matter without our SOC noticing?*
Red-team engagements simulate a specific threat actor (ransomware affiliate, nation-state, insider) against a specific objective ("exfiltrate the Project Falcon deal room without detection"). Purple-team engagements pair the red team with your defenders in real time so every attempted TTP becomes a detection-engineering opportunity.
- Frequency: every 18–24 months for AmLaw 200 firms, firms handling regulated data (health, finance, defense), and firms with a mature SOC or MDR. Overkill for a 15-attorney boutique — do the other five layers first.
- Evidence to keep: attack narrative mapped to MITRE ATT&CK, detection gaps, and a remediation roadmap.
What "done" looks like for each layer
Cyber insurers and OCG questionnaires do not accept "yes, we test." They ask for artifacts. Here is what your evidence binder should contain by December 31 of each year:
- Continuous ASM: 12 monthly snapshot reports and a ticket log for any Critical remediated within SLA.
- Vulnerability assessments: 4 quarterly (or 12 monthly) scan reports with remediation tickets and closeout evidence.
- Penetration test: annual report, executive summary, remediation plan, and dated retest letter for Critical/High findings.
- Phishing simulation: 4 quarterly campaign reports with click / report / credential-submission metrics and remedial training completion records.
- Tabletop: 2 semiannual after-action reports and dated revisions to the IR plan.
- Red/purple team (if in scope): attack narrative, ATT&CK mapping, detection engineering backlog.
Retain everything under privilege where possible — engage testing vendors through outside counsel using the breach-coach model. See In re Capital One Consumer Data Sec. Breach Litig., 2020 WL 3470261 (E.D. Va. 2020) for why the retention structure matters.
Scoping IT security testing by firm size
Testing programs scale. What is proportionate for a 12-attorney boutique is inadequate for an AmLaw 100 firm, and vice versa. Use this as a starting point and adjust for regulated-industry clients.
Solo and small firms (1–25 attorneys)
- Continuous external ASM — required.
- Authenticated vulnerability scans — quarterly, via your MSP or MSSP.
- Penetration test — annual, external + Microsoft 365 focused. Budget $8K–$18K.
- Phishing simulation — quarterly, via your MSP's KnowBe4 / Hoxhunt / Proofpoint license.
- Tabletop — annual, facilitated by your breach coach or MSP.
- Red team — not required.
Mid-size firms (26–200 attorneys)
- Continuous external ASM — required, with SIEM/SOAR alerting.
- Vulnerability scans — monthly authenticated.
- Penetration test — annual, external + internal (assumed breach) + DMS + top 3 client portals. Budget $22K–$55K.
- Phishing simulation — quarterly with escalating difficulty and vishing pilot.
- Tabletop — semiannual.
- Purple team — biennial recommended.
AmLaw 200 firms (200+ attorneys)
- Continuous external ASM + internal ASM — required.
- Vulnerability scans — continuous / monthly.
- Penetration test — annual segmented (external, internal, cloud, DMS, portals, mobile) plus targeted tests after each material change. Budget $75K–$250K+.
- Phishing + vishing + smishing — quarterly, with executive-targeted whaling campaigns.
- Tabletop — quarterly, board-briefed semiannually.
- Red team — every 18 months, with a purple-team debrief.
- Third-party (vendor) security assessments — annual for every DMS, e-billing, court-services, and AI vendor touching privileged data.
The seven mistakes that get firms breached (and denied at renewal)
We see the same failures across intake calls. If any of these describe your firm, fix them this quarter.
- Testing only the perimeter. External-only pentests miss the 80% of modern attack paths that start with a phishing click. Always include an assumed-breach scenario.
- Treating the pentest report as the deliverable. The deliverable is a *closed remediation ticket with retest evidence.* An open finding at renewal costs you 10–25% on premium.
- Skipping the DMS. iManage / NetDocuments / Worldox / Epona permissions maps are the single largest privileged-data disclosure risk in a firm. Test them every year.
- Forgetting Entra ID. Legacy auth, disabled-but-not-deleted admin accounts, guest user sprawl, and OAuth app over-permissioning are the top-three findings in every Microsoft 365 review we run. Use CISA SCuBA baselines as your target state.
- Measuring phishing by click-rate alone. Report-rate and credential-submission rate are the metrics that predict a real BEC incident. Click-rate is vanity.
- No tabletop. The first time your managing partner learns the state breach notification deadline cannot be during a real incident. Rehearse.
- Ignoring the AI surface. Copilot, ChatGPT Enterprise, Otter.ai, Grammarly Business, Fireflies, and every "AI paralegal" tool now needs to be in scope. Insurers ask about it explicitly on 2026 renewal questionnaires.
How to pick a testing vendor
Not every "cybersecurity firm" understands the legal industry's confidentiality obligations, DMS ecosystem, or the way privilege interacts with evidence handling. Ask every prospective vendor:
- Do your testers have OSCP, OSCE³, GPEN, GXPN, GWAPT, PNPT, or CREST certifications on the individual, not just the company?
- What percentage of your engagements are with law firms in the past 24 months? Fewer than 20% means they will learn on your matter.
- Do you carry ≥ $2M cyber-liability and E&O coverage? Request a COI.
- Are you willing to be engaged through our outside breach coach to preserve privilege?
- Is a Critical/High retest included in the SOW at no additional cost within 60–90 days?
- Can you provide a redacted sample report we can review before signing? No sample = no engagement.
- How is evidence stored, encrypted, retained, and destroyed? Insurers ask this by name.
Frequently asked questions
How often should a law firm do IT security testing?
Continuous external attack-surface monitoring, quarterly vulnerability scans, quarterly phishing simulations, semiannual tabletop exercises, an annual third-party penetration test, and a red-team or purple-team engagement every 18–24 months for larger and regulated-industry firms. The FTC Safeguards Rule specifically requires annual pentests and biannual vulnerability assessments, or continuous monitoring in lieu of that fixed schedule.
Is IT security testing required by the ABA?
The ABA does not prescribe specific technical tests, but Model Rule 1.6(c) and Formal Opinions 477R and 498 require "reasonable efforts" to protect client information. In 2026, "reasonable" is being interpreted by bar counsel, courts, and insurers as a documented, layered testing program. Absence of testing evidence is increasingly treated as prima facie unreasonableness.
How much does law firm IT security testing cost?
Continuous external monitoring runs $2K–$15K per year depending on tenant size. Quarterly phishing simulation is typically bundled with your security-awareness license ($3–$8 per user per year). Annual penetration tests range from $8K for a small-firm external test to $250K+ for a segmented AmLaw 200 program. Tabletop exercises are $4K–$15K per session. Red-team engagements start around $60K and scale with objective complexity.
Who should own the testing program at a law firm?
The CISO or Director of Information Security for firms large enough to have one. In smaller firms, it is usually a shared role between the Chief Operating Officer and an outsourced virtual CISO (vCISO). In every firm, the Managing Partner and General Counsel must be sponsors — they are the ones who will be asked, under oath, whether the firm made reasonable efforts.
Can we use our MSP to do all our security testing?
Your managed service provider can run continuous monitoring, vulnerability scans, and phishing simulation. They should not perform your annual penetration test — that must be an independent third party, or the finding is worth nothing to insurers, OCG auditors, or plaintiffs' experts. Independence is the point.
Where Attorney Armor fits
Attorney Armor is the continuous external attack-surface monitoring layer of the six-layer program above. We watch every domain, subdomain, exposed service, and email-security posture change your firm has — 24/7 — and alert you when something crosses into the same threat landscape your insurer is watching. We are not a replacement for an annual penetration test; we are the layer that keeps you defensible in the 51 weeks between them.
Run a free external attack-surface scan on your firm's domain in under two minutes — no agent, no sales call, no obligation. You will see exactly what an attacker sees before your next insurance renewal, OCG questionnaire, or matter intake.
Free Assessment
See what an attacker sees.
Run a no-obligation external attack-surface scan on your firm's domain in under two minutes.
Start the assessment


