External pentesting for a law firm

Sector

Legal services · mid-sized firm · 30-60 professionals · client portfolio including corporate and sensitive cases.

Initial situation

At the request of a corporate client, the firm had to provide evidence of recent penetration testing against its internet-facing assets. The infrastructure combined a custom-built client portal, a SaaS document manager, and legacy email and video conferencing services inherited from the firm's first wave of digitalisation.

Approach

We conducted a grey-box external pentest scoped to the client portal, the perimeter infrastructure and the subdomains identified during enumeration. The web layer was tested against the OWASP Top 10 categories; in addition we reviewed TLS configuration, the exposure of administrative services and the session management policy (cookie attributes, session lifetime and transport security headers). Each finding was manually validated, scored with CVSS and accompanied by a recommendation specific to the client's technology stack.
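The session-management part of that review can be largely automated from captured responses. The following script is an added illustration, not tooling from the engagement described on this page: it parses a raw HTTP response, flags session cookies missing Secure, HttpOnly or SameSite, checks for a Strict-Transport-Security header with a sane max-age, and notes version disclosure in the Server header. The two sample responses, the cookie names and the severity mapping are all constructed for the example.

```python
"""Audit session-management and transport-security headers of an HTTP response.

Added example; the responses below are constructed, not captured from the
engagement on the page. Severity labels mirror the report's own scale.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the kind of login response a proxy would capture from a
# weakly configured client portal (cookie names are hypothetical).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Location: /portal/home\r\n"
    "Set-Cookie: PORTALSESSID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: remember_me=1; Path=/; Max-Age=2592000\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample of the same response after remediation.
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Location: /portal/home\r\n"
    "Set-Cookie: PORTALSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Substrings that suggest a cookie carries authentication state (assumption).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "remember")
ONE_YEAR = 31536000


@dataclass
class Finding:
    severity: str  # Critical / High / Medium / Low / Info
    title: str
    evidence: str


def parse_headers(raw: str):
    """Split a raw response into its status line and a list of (name, value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attrs(value: str):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(raw: str) -> list:
    status, headers = parse_headers(raw)
    findings = []

    # Transport security: HSTS must be present and cover at least a year.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append(Finding("Medium", "HSTS header missing", status))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(Finding("Low", "HSTS max-age below one year", hsts[0]))

    # Session management: cookie attributes. A session cookie without Secure
    # can be replayed after a single plaintext request, hence High.
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = cookie_attrs(v)
        is_session = any(h in name.lower() for h in SESSION_COOKIE_HINTS)
        if "secure" not in attrs:
            findings.append(Finding("High" if is_session else "Low",
                                    f"Cookie {name} lacks Secure", v))
        if is_session and "httponly" not in attrs:
            findings.append(Finding("Medium", f"Session cookie {name} lacks HttpOnly", v))
        if "samesite" not in attrs:
            findings.append(Finding("Low", f"Cookie {name} lacks SameSite", v))

    # Exposure: a versioned Server banner helps an attacker pick exploits.
    server = [v for n, v in headers if n == "server"]
    if server and re.search(r"/\d", server[0]):
        findings.append(Finding("Info", "Server header discloses software version", server[0]))
    return findings


def severity_counts(findings) -> dict:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        print(f"[{f.severity}] {f.title}: {f.evidence}")
    print("hardened:", audit(HARDENED_RESPONSE))
```

Run it against responses exported from the interception proxy; every hit still needs manual validation before it goes into the report, since a cookie named "token" may be a harmless CSRF value and the Server banner may be deliberately spoofed.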

Result

We identified 12 valid vulnerabilities (2 critical, 4 high, 6 medium or low) and delivered a prioritised remediation plan with an assigned owner and an estimated deadline for each finding. The firm closed both critical findings within 72 hours and the remainder within six weeks.

Lesson

A useful pentest is not the one that finds the most issues, but the one that delivers a remediation plan the organisation can actually execute.

Time and effort

3-4 weeks · 60-80 consulting hours · technical report + remediation plan + closing meeting.

Tags

Pentesting · OWASP · Web security · CVSS · Remediation · Legal sector