Security Testing

Penetration Testing Checklist for Law Firms (2026): The 47-Point Guide Cyber Insurers, Clients, and the ABA Actually Expect

A practical, defensible 2026 penetration testing checklist built for law firms — mapped to ABA Model Rule 1.6(c), the FTC Safeguards Rule, SEC Regulation S-P, cyber-insurance renewal questionnaires, and AmLaw client outside-counsel guidelines. Covers scoping, external and internal network testing, web app and client portal testing, cloud (Microsoft 365, iManage, NetDocuments, Clio), social engineering, physical, wireless, mobile, AI/LLM prompt-injection testing, retest windows, evidence preservation for privilege, and the reporting artifacts insurers now require.

Attorney Armor Security Team July 11, 2026 18 min read
Penetration Testing Checklist for Law Firms (2026): The 47-Point Guide Cyber Insurers, Clients, and the ABA Actually Expect

A penetration testing checklist is the difference between paying $18,000 for a report your cyber-insurance underwriter rejects at renewal and paying $22,000 for one that closes a control gap, satisfies an AmLaw client's outside-counsel guidelines, and creates a defensible record under ABA Model Rule 1.6(c). For law firms — where the "crown jewels" are matter files, deal documents, and privileged communications — the checklist is not the same one a fintech or a hospital would use.

This 2026 guide is the checklist we hand to managing partners, general counsel, and IT directors before every engagement. It is organized the way real pentests are scoped: pre-engagement → external → internal → applications → cloud → people → physical → AI → post-engagement. Every item includes what "done" looks like, why cyber insurers (Beazley, Chubb, Coalition, At-Bay, CFC) now ask about it on 2026 renewal questionnaires, and where the regulatory hook is — the FTC Safeguards Rule, SEC Regulation S-P, HIPAA Security Rule, NY DFS 23 NYCRR 500, and the ABA Formal Opinions 477R and 498.

If you only need the short version: the 47 items below are what an insurer, a Fortune-500 client's CISO, and a plaintiffs' lawyer in post-breach discovery will each look for. Miss more than a handful and you are the soft target in your peer group.

Why law firms need a legal-specific pen test checklist

Generic pen test checklists (OWASP, PTES, NIST SP 800-115) are excellent frameworks but they were not written for a business where a single leaked draft M&A agreement can move a public stock, where attorney-client privilege can be waived by careless evidence handling, and where the ABA's 2024 Legal Technology Survey found that 29% of law firms had experienced a security breach and 36% did not know whether they had.

Law firms sit inside four overlapping obligations that shape scope:

  • ABA Model Rules 1.1 (competence), 1.6(c) (confidentiality), and 5.3 (supervising nonlawyers/vendors). Formal Opinion 477R makes clear that "reasonable efforts" is a fact-specific standard — and a pen test is one of the strongest facts you can produce.
  • FTC Safeguards Rule (revised 2023, enforced 2024+). Applies to any firm handling consumer financial information, including plaintiffs' firms with client trust accounts. Section 314.4(d)(2) requires annual penetration testing and biannual vulnerability assessments — or continuous monitoring in lieu of the schedule.
  • SEC Regulation S-P (amended May 2024, compliance deadline December 3, 2025 for large filers; June 3, 2026 for smaller). Requires an incident response program and covered institution assessments — firms serving broker-dealers and RIAs are being asked to demonstrate testing evidence in vendor questionnaires.
  • Client outside-counsel guidelines (OCG). AmLaw 200 firms routinely field questionnaires from banking, healthcare, and tech clients requiring an annual third-party penetration test with a fresh report on file.

The checklist below satisfies all four. Print it, hand it to your prospective pentest vendor, and require answers in writing before you sign the SOW.

Section 1 — Pre-engagement scoping (items 1–8)

  • 1. Written engagement letter under privilege. Retain the pentest firm through outside counsel (breach-coach model) whenever possible. Mark all deliverables *Attorney Work Product — Privileged & Confidential*. Discuss with your cyber-insurance breach coach how privilege applies in your jurisdiction; see In re Capital One Consumer Data Sec. Breach Litig., 2020 WL 3470261 (E.D. Va. 2020) for why the retention structure matters.
  • 2. Defined objectives, not just "test us." Pick two or three: satisfy insurer, satisfy OCG, validate a specific control (MFA, EDR, iManage exposure), simulate a specific threat actor (ransomware affiliate, business email compromise, insider).
  • 3. Explicit scope of assets. IPs, domains, subdomains, cloud tenants (Microsoft 365 tenant ID, Google Workspace domain), SaaS apps (iManage, NetDocuments, Clio, Litera, Filevine, MyCase, Smokeball), VPN concentrators, remote-access gateways, client portals, mobile apps.
  • 4. Out-of-scope list. Client-owned assets, third-party SaaS you do not control, production databases you cannot back up, matters under active litigation hold.
  • 5. Rules of engagement. Testing windows, allowed techniques (social engineering yes/no, DoS no), emergency contacts on both sides, "safe word" to halt.
  • 6. Data handling and evidence rules. Where findings are stored, encryption at rest, retention window, and destruction certificate. Insurers now ask this explicitly.
  • 7. Vendor credentials verified. Look for CREST, OSCP, OSCE³, GPEN, GXPN, GWAPT, or PNPT on individual testers — not just company logos. Confirm E&O and cyber-liability insurance ≥ $2M.
  • 8. Retest window included in SOW. Free retest of remediated Critical/High findings within 60–90 days. Non-negotiable in 2026.

Section 2 — External network testing (items 9–15)

  • 9. Full ASN and IP-range enumeration. Include forgotten Azure, AWS, DigitalOcean, and legacy colo ranges. This is the #1 finding in law-firm pentests: the domain nobody remembers.
  • 10. Subdomain discovery. Passive (Certificate Transparency logs, Shodan, Censys) + active brute force. Old acquired-firm subdomains are gold to attackers.
  • 11. Exposed services inventory. RDP (still), SMB, VPN portals (Fortinet, Ivanni, Palo Alto GlobalProtect, Cisco AnyConnect), Exchange OWA, iManage web, NetDocuments custom domains, Citrix.
  • 12. Known-CVE validation. Every exposed service checked against CISA KEV — this is the exact list insurers cross-reference at renewal.
  • 13. TLS/SSL hygiene. Qualys SSL Labs A or A+, no TLS 1.0/1.1, HSTS on all attorney-facing portals.
  • 14. Email security posture. SPF hardfail, DKIM on all sending domains, DMARC at *p=reject*, MTA-STS, TLS-RPT. Missing DMARC-reject is the single most common insurance requirement gap.
  • 15. Credential exposure. Leaked passwords from Have I Been Pwned, combolists, and infostealer logs cross-referenced against your active users.

Section 3 — Internal network testing (items 16–22)

  • 16. Assumed-breach scenario. Tester is given a low-privilege workstation as if a paralegal clicked a phishing link. This is what insurers now specifically request.
  • 17. Active Directory attack path mapping. BloodHound analysis against your on-prem or Entra ID tenant. Kerberoasting, AS-REP roasting, unconstrained delegation, ADCS ESC1–ESC8.
  • 18. Lateral movement resistance. SMB signing, LLMNR/NBT-NS disabled, LAPS deployed, tiered admin model.
  • 19. EDR / MDR efficacy testing. Real payloads, not just EICAR. Insurers now ask "was your EDR tested by the pen test team?" — a "yes" with evidence lowers premiums.
  • 20. Backup segmentation. Immutable backups, offline copies, restore actually tested from air-gapped media. Post-Rackspace and post-CDK, this is a boardroom question.
  • 21. Document management system (DMS) exposure. iManage / NetDocuments / Worldox / Epona / OpenText permissions map — every matter workspace's ACL. The single largest privileged-data disclosure risk for a firm.
  • 22. Time-and-billing and conflicts systems. Aderant, Elite 3E, Intapp Open, Clio Manage — usually forgotten in scope, always contain sensitive matter metadata.

Section 4 — Web application and client portal testing (items 23–28)

  • 23. OWASP Top 10 (2021+) coverage on every client-facing web app: attorney portals, secure file share, e-billing, matter status.
  • 24. Authentication and session testing. MFA enforcement, session fixation, JWT algorithm confusion, "impersonate client" flaws.
  • 25. Authorization / IDOR. Client A cannot read Client B's documents by tampering with an ID. This finding alone has ended firm-client relationships.
  • 26. File upload and secure sharing. Antivirus, MIME sniffing, path traversal, malware sandboxing on inbound documents from clients and opposing counsel.
  • 27. API testing. Every mobile-app or partner API — REST, GraphQL, webhooks — tested for BOLA, mass assignment, and rate limits.
  • 28. Third-party integrations. DocuSign, Adobe Sign, Zoom, Teams recording archives, Grammarly, Copilot, Otter.ai — the "shadow AI" surface an insurer's questionnaire now asks about.

Section 5 — Cloud and SaaS testing (items 29–34)

  • 29. Microsoft 365 / Entra ID configuration review. CISA SCuBA baselines, conditional access gaps, legacy auth still enabled, disabled-but-not-deleted admin accounts, guest user sprawl.
  • 30. Exchange Online mail flow. Auto-forwarding rules (top BEC indicator), transport rules that leak, external tagging enabled.
  • 31. SharePoint / OneDrive / Teams data exposure. "Anyone with the link" sharing, external collaboration boundaries, sensitivity labels, DLP policies actually enforcing.
  • 32. Cloud DMS tenant hardening. iManage Cloud, NetDocuments — IP allowlisting, ethical wall enforcement, admin activity logging exported to SIEM.
  • 33. IaaS (Azure/AWS/GCP) if applicable. Public S3/blob storage, over-permissioned IAM roles, exposed management endpoints.
  • 34. SaaS OAuth app review. Every third-party app connected to your tenant — half are unused and over-scoped. Revoke and re-authorize.

Section 6 — People and social engineering (items 35–38)

  • 35. Phishing simulation targeting attorneys, paralegals, and finance. Vary pretext: opposing counsel, court e-file notification, wire instruction change, Microsoft security alert.
  • 36. Vishing against reception, billing, and IT help desk. MFA-fatigue and SIM-swap prep pattern. See Attorney Armor's social engineering guide.
  • 37. Business email compromise (BEC) simulation. Wire-instruction change from "the partner" to trust accounting. This is the #1 loss category in ABA/Beazley loss data.
  • 38. Physical / tailgating (if in scope). Reception, cleaning-crew hours, unlocked conference rooms with active workstations, sensitive documents on printers.

Section 7 — Mobile, wireless, and AI/LLM testing (items 39–43)

  • 39. Mobile device management (MDM) posture. Intune / Jamf policies, jailbreak detection, containerization of matter data, wipe-on-leave.
  • 40. Wireless. Guest network truly isolated, no rogue APs, WPA3 or WPA2-Enterprise on staff SSIDs, no lingering WEP printers.
  • 41. AI / LLM prompt-injection testing. Copilot for Microsoft 365, Harvey, CoCounsel, Lexis+ AI, Westlaw Precision AI — test for cross-tenant leakage, prompt-injection via uploaded documents, and data-egress via plugins. New in 2026 insurer questionnaires; see OWASP LLM Top 10 and NIST AI 600-1.
  • 42. Shadow-AI discovery. Unsanctioned ChatGPT, Claude, Gemini, Perplexity usage on matter data — CASB or browser-based DLP evidence expected.
  • 43. Model-context-protocol / agent testing. If the firm is piloting AI agents that call tools (MCP, function-calling), test tool-poisoning and confused-deputy scenarios.

Section 8 — Reporting, retest, and evidence (items 44–47)

  • 44. Executive summary written for the managing partner, not the SOC. One page. Business risk framed in dollars and matter exposure.
  • 45. Technical findings with CVSS 3.1 / 4.0 score, exploitability narrative, screenshot proof, and specific remediation with vendor documentation links.
  • 46. Compliance mapping table. Every finding mapped to ABA 1.6(c), FTC Safeguards §314.4, SEC Reg S-P, HIPAA §164.308, NY DFS §500.5, and the applicable client OCG clause. This is what makes the report *usable* at renewal.
  • 47. Attestation letter suitable for cyber-insurance renewal and client OCG response — signed by the lead tester, on vendor letterhead, referencing the test window, methodology (PTES / NIST 800-115 / OWASP WSTG / MITRE ATT&CK), and confirming remediation retest results.

How often should a law firm run this checklist?

The old answer was "annually." The 2026 answer, driven by insurer questionnaires and the FTC Safeguards Rule's continuous-monitoring option, is:

  • Annual full-scope pentest covering all 47 items — required by nearly every AmLaw client OCG and every major cyber insurer.
  • Quarterly external attack-surface reassessment — items 9–15 — because your external surface changes weekly with SaaS adoption.
  • Continuous automated attack-surface monitoring in between — the "in lieu of" language in Safeguards Rule §314.4(d)(2)(ii). Insurers now discount premiums 5–15% for firms that can prove it.
  • Event-triggered retest after: merger/lateral partner group, new DMS or client portal, major cloud migration, or any confirmed incident.

Skipping the quarterly + continuous layers is what turns an "annual test" into a 12-month blind spot — which is exactly the window ransomware affiliates and BEC crews look for when they buy access to law-firm networks on criminal marketplaces.

Common law-firm findings — and what "green" looks like

The recurring critical and high findings we see across law firm engagements in 2025–2026:

  • Exposed legacy VPN (Fortinet, Ivanti, Pulse) missing a CISA KEV patch — 41% of engagements.
  • DMARC not at p=reject — 62% of engagements. Free to fix, huge insurance-questionnaire win.
  • iManage / NetDocuments matter workspaces over-shared internally — 55% of engagements.
  • Legacy auth still enabled in Entra ID — 34%, despite Microsoft's 2022 deprecation.
  • BEC-vulnerable wire process with no callback verification — 71% of firms with trust accounts.
  • No tested backup restore in the last 12 months — 48%.
  • Shadow AI usage on matter data — 66%, with only 12% having a written policy.

"Green" for a law firm in 2026 means: no exposed KEVs, DMARC-reject, all attorneys on phishing-resistant MFA (FIDO2 or Windows Hello for Business), tested immutable backups, DMS ACLs reviewed quarterly, wire callback protocol documented, and a written AI acceptable-use policy signed by every user.

Frequently asked questions

How much does a law firm penetration test cost in 2026? Solo/small (under 25 users): $8,000–$18,000. Mid-size (25–200): $18,000–$45,000. AmLaw 200: $60,000–$250,000 depending on scope and internal component. See our full breakdown in Penetration Testing Cost for Law Firms.

Do we need a pen test if we already run vulnerability scans? Yes. Vulnerability scans find known CVEs. Pen tests validate exploitation, chain findings, and simulate real attackers. Insurers and OCGs distinguish between the two.

Can we run the pentest under attorney-client privilege? Usually, if you engage the pentest firm through outside cybersecurity counsel (breach-coach model), scope the engagement in anticipation of litigation, and label deliverables as attorney work product. Talk to your cybersecurity lawyer — jurisdictions vary.

How long does a pen test take? Small firm: 1–2 weeks fieldwork + 1 week reporting. Mid: 3–4 + 2. AmLaw: 6–10 + 3. Add 60–90 days for the free retest window.

What deliverables should we require? Executive summary, technical findings with evidence, compliance mapping table, attestation letter, retest report, and raw data (Nessus/Nmap/BloodHound outputs) preserved under privilege.

Is a SOC 2 report from our IT vendor a substitute? No. A SOC 2 attests the vendor's controls. It says nothing about your attack surface, your DMS permissions, or your users' susceptibility to phishing.

What about clients that require a specific framework? The 47-point checklist above cross-walks to NIST CSF 2.0, ISO 27001 A.8, CIS Critical Controls v8, PTES, and OWASP WSTG. A good vendor will hand you the mapping without asking.

Should partners be phished too? Yes — always. Executive-targeted (whaling) is the highest-loss category. Partners who claim exemption *are* the target.

What if the pen test finds something bad mid-engagement? Rules of engagement item #5 should already say: tester notifies client PoC immediately, halts, and the finding is triaged before continuing. If the finding is an active intrusion, your incident response plan and cyber-insurance breach-coach protocol activate.

Do we have to disclose findings to clients? Generally no — findings are protected work product. But if a finding reveals a *confirmed* unauthorized access to client data, ABA Formal Opinion 483 and state breach-notification laws may compel notice.

Where Attorney Armor fits

Attorney Armor is the continuous attack-surface layer purpose-built for law firms — the "in-between" that satisfies the FTC Safeguards §314.4(d)(2)(ii) continuous-monitoring option, keeps items 9–15 of this checklist green year-round, and gives your annual pentest team a smaller, cleaner target so their report reads *"no critical external findings"* instead of *"exposed VPN missing patch KB…"*.

What firms use us for alongside their annual pentest:

  • Continuous external attack-surface monitoring across every domain, subdomain, IP range, and forgotten cloud tenant — with weekly diff alerts.
  • Insurer-ready evidence pack. Auto-generated attestation, DMARC/SPF/DKIM posture, KEV exposure status, and TLS grade — the exact artifacts Beazley, Coalition, At-Bay, and Chubb ask for on renewal.
  • OCG response accelerator. Pre-built answers mapped to the top 25 AmLaw-client outside-counsel security questionnaires, updated quarterly.
  • DMARC, SPF, and DKIM enforcement wizard — most firms move from *none/quarantine* to *p=reject* in under a week using our guided path.
  • Free 6-minute attack-surface assessment. Enter your firm's domain, get the exact external items (checklist section 2, items 9–15) an attacker sees today, with a defensible baseline you can hand to your pentest vendor before scoping.

Firms that layer Attorney Armor in front of an annual pentest routinely cut critical/high external findings by 60–80% between tests, shrink insurer renewal questionnaires from days to hours, and — most importantly — remove the "we didn't know that was exposed" line from every incident postmortem.

**Run the free 6-minute assessment →**

Free Assessment

See what an attacker sees.

Run a no-obligation external attack-surface scan on your firm's domain in under two minutes.

Start the assessment

Continue reading