By EJN Labs · 13 Jul 2026 · 8 min read
Penetration testing for law firms is a controlled, authorised attack on your systems that proves whether client data, case files and the practice management platform can be reached by an attacker. UK firms use it to meet SRA confidentiality duties, satisfy Lexcel and client security questionnaires, and demonstrate the assurance that insurers and corporate clients increasingly demand.
Penetration testing for law firms sits at the meeting point of two pressures that no other professional sector faces in quite the same way: a regulatory duty of confidentiality that is close to absolute, and a threat profile that treats legal practices as a soft route to high-value money and secrets. This guide explains what to test, which obligations drive the work, how scope translates into budget, and what a defensible programme looks like. For the wider view of the regulated industries we support, see the sectors we serve.
Why law firms are a priority target
Law firms concentrate exactly what attackers want. A single matter file can hold corporate deal terms, litigation strategy, personal data of clients and counterparties, and the banking details that move completion funds. Conveyancing and probate practices route large client-account balances, which is why completion fraud and mandate interception remain the most lucrative attacks against the sector. The SRA and the National Cyber Security Centre both flag legal services as a high-risk industry, with firms suffering business email compromise, ransomware and client-account theft.
The reputational stakes magnify the technical ones. A breach that exposes privileged material can compromise live cases, breach confidentiality owed to every client, and trigger reporting obligations to the SRA and the Information Commissioner’s Office. Penetration testing finds the exploitable weaknesses before an attacker does, so the firm is dealing with a report and a remediation plan rather than a notifiable incident and a regulatory investigation.
The regulatory and contractual drivers
No single rule says “a law firm must commission a penetration test”, but several obligations converge on the same outcome: you must evidence that you protect client information competently. The drivers below come up most often in our scoping calls.
- SRA Standards and Regulations: the duty of confidentiality and the requirement to run your business with proper systems and controls mean you must take reasonable steps to keep client data secure. Untested controls are difficult to defend as reasonable.
- UK GDPR and the Data Protection Act 2018: Article 32 requires security appropriate to the risk, including regularly testing the effectiveness of technical measures. A penetration test is the recognised way to produce that evidence.
- Lexcel and ISO 27001: the Law Society’s Lexcel standard and ISO 27001 both expect security risk to be assessed and controls validated, and a current test report is the cleanest evidence for an assessor.
- Client and insurer questionnaires: corporate clients and professional indemnity insurers increasingly ask whether you carry out independent penetration testing. A clear yes, backed by a CREST report, is now a competitive necessity on panels.
Read together, these drivers turn testing into part of how a well-run firm demonstrates competence. The question for most practices is not whether to test, but how to scope it so the report answers every obligation at once.
What to test inside a typical law firm
A law firm’s attack surface is broader than the website. The systems that hold or move client data are the ones that matter, and a good scope follows the data rather than the org chart. The components below are where we focus most engagements.
Practice and case management systems
Your case management, document management and time-recording systems are the crown jewels: they hold matter files, privileged correspondence and client identities. Whether self-hosted or cloud-based, these warrant application and access-control testing to confirm that one compromised user cannot read another team’s matters and that role-based permissions hold.
Email and Microsoft 365
Business email compromise is the dominant attack against legal services, so the Microsoft 365 or Google Workspace tenancy is a priority. Testing examines conditional access, multi-factor enforcement, mailbox forwarding rules, OAuth app consents and the weaknesses that let an attacker sit silently in a partner’s inbox to hijack a payment.
External infrastructure and remote access
Your internet-facing footprint, VPNs, remote desktop gateways and the firewall perimeter define how an external attacker gets a foothold. External infrastructure testing maps exposed services, weak authentication and unpatched edge devices, a common ransomware entry point for firms with hybrid working.
Internal network and client account systems
Once inside, can an attacker move from a junior fee-earner’s laptop to the file server, the domain controller and the client-account interface? Internal network testing models that lateral movement, where the risk of client-account fraud and data exfiltration is proven or disproven.
How a law firm engagement runs
A professional test for a legal practice is structured to avoid disrupting live matters and to respect privilege throughout. The work is authorised in writing, scoped against the systems that hold client data, and run by senior testers who understand that a conveyancing system going offline during completions is not acceptable. Reconnaissance maps the real attack surface, exploitation confirms which weaknesses are genuinely usable, and post-exploitation analysis shows how far an attacker could reach toward client data or funds. Engagements run under non-disclosure terms with findings delivered over encrypted channels, and the report carries a technical remediation section for your IT provider alongside a plain summary a managing partner, COLP or insurer can act on without a security background.
What it costs and how scope drives the price
Price for a law firm test is driven by scope complexity measured in tester days, not by the size of the firm’s name. A focused engagement covering Microsoft 365 and external infrastructure runs to a handful of tester days, while a larger firm adding case management application testing and an internal network assessment needs more. All testing is delivered by senior and principal testers at a typical UK day rate of around £1,200 to £1,300, so a four to six day engagement sits in the region of £4,800 to £7,200.
The way to keep cost proportionate is a tight scope that follows your client data rather than testing everything by reflex. We set out how day counts translate into budget in our guide to UK penetration testing cost, so the partnership can plan the spend before committing. Fixed pricing against a defined scope means no day-rate creep.
How EJN Labs approaches testing for law firms
EJN Labs is a CREST-accredited penetration testing firm, and we hold Cyber Essentials, Cyber Essentials Plus, ISO 27001 and ISO 9001 ourselves. That matters to a legal practice, because the report you hand to your insurer or a corporate client’s security team carries the weight of an independently assessed provider. Our testing is delivered by senior and principal testers, never junior staff, which is the level of competence the SRA’s expectation of reasonable steps implies.
Every engagement maps findings to the obligations that matter to you, including UK GDPR Article 32, SRA confidentiality duties and, where relevant, Lexcel or ISO 27001 controls, so the report drops straight into your evidence pack. We scope on a defined day count with fixed pricing, write the report for both your IT team and the partnership, and include a free retest to confirm that fixes have closed the findings. To see the regulated industries we support, browse our sectors, or read more about our services.
Frequently Asked Questions
Do UK law firms have to do penetration testing?
No single rule names penetration testing as mandatory, but several obligations make it the practical standard. SRA confidentiality duties, UK GDPR Article 32, which requires regular testing of technical measures, and Lexcel or ISO 27001 all expect you to evidence that client data is protected by validated controls. For firms holding client funds or acting for corporate clients, a penetration test is the reliable way to meet those expectations and answer insurer and client security questionnaires.
How often should a law firm carry out a penetration test?
The accepted baseline is at least annually, and additionally after any significant change such as a new case management system, a cloud migration or a major infrastructure upgrade. Conveyancing and probate practices handling large client-account balances often benefit from more frequent testing given their exposure to completion fraud. Tying testing to change as well as the calendar is the risk-based approach regulators and insurers prefer to see.
What does penetration testing for a law firm cost?
Cost is driven by scope complexity in tester days rather than firm size. A focused test of Microsoft 365 and external infrastructure for a smaller practice typically runs to four to six tester days at a UK day rate of around £1,200 to £1,300, which is roughly £4,800 to £7,200. Adding case management and internal network testing increases the day count, so a tightly defined scope that follows your client data keeps the price proportionate.
Will a penetration test put privileged client data at risk?
No, when run properly it reduces that risk. Engagements operate under written authorisation and non-disclosure terms, findings are delivered over encrypted channels, and any incidental access to privileged material is documented and contained rather than retained. Senior testers schedule work to avoid disrupting live matters and completions, so the test strengthens confidentiality rather than threatening it.
What systems should a law firm include in scope?
Scope should follow client data. The priorities are usually the case and document management platforms, the Microsoft 365 or Google Workspace tenancy where business email compromise begins, external infrastructure and remote access, and the internal network path toward file servers and the client-account interface. A scope built around these systems answers both your regulatory obligations and the real attack paths an adversary uses.
Protect client confidentiality with a test built for legal practices
If your firm holds client data and moves client funds, penetration testing is the most reliable way to prove that your confidentiality duties are backed by controls that work, mapping cleanly to SRA expectations, UK GDPR Article 32 and Lexcel or ISO 27001. To get a fixed scope and price delivered by senior, CREST-certified testers, request a penetration testing quote, or explore the regulated sectors we support first.




Leave a Reply