Attack Surface Management for Law Firms: Finding Exposed Portals Before Attackers Do

Ask most law firm IT administrators how many internet-facing systems their firm has, and they will undercount by 30–50%. Client portals added by practice groups, case management systems with web interfaces, remote desktop services left open from the pandemic, legacy document management portals, external email servers — the modern law firm has a much larger external footprint than anyone mapped. Hadrian finds all of it, continuously, and tells you what attackers see when they look at your firm.

Hadrian discovers an average of 35% more internet-exposed assets than organisations believe they have.

What the Legal Sector Attack Surface Looks Like

A typical law firm's external attack surface includes systems many IT teams are unaware of:

  • Client portals: document sharing platforms, client login portals, deal rooms — often added by fee earners or practice groups without IT oversight
  • Case management web interfaces: LEAP, Clio, Proclaim, and other platforms with external access for fee earners working remotely
  • Remote access services: VPN endpoints, Remote Desktop, Citrix — often configured during the pandemic rush and not reviewed since
  • Email infrastructure: web mail interfaces, SMTP servers, autodiscovery services — each a potential attack surface
  • Legacy systems: old client intranets, decommissioned portals that were never properly closed, subdomains that still resolve to something
  • Cloud infrastructure: misconfigured storage buckets, forgotten development environments, orphaned cloud resources

What Attackers Do With This Information

Before targeting a law firm, sophisticated attackers spend hours mapping exactly what Hadrian maps: every subdomain, every open port, every service with a login page, every software version banner. This reconnaissance is silent, leaves no logs on your systems, and is entirely legal. The resulting map tells them where to focus their attack — which services are running outdated software, which login pages have no MFA, which systems are directly internet-accessible without VPN.

Hadrian: Continuous Attack Surface Monitoring for Law Firms

Hadrian continuously maps your external attack surface from the attacker's perspective. It discovers assets you did not know you had, identifies exposed vulnerabilities, maps login pages without MFA protection, and flags services running outdated software versions. Critically, it monitors continuously — not just at a point in time. When a new client portal is added by a fee earner without IT involvement, Hadrian finds it within hours, not months.
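As an added illustration (not Hadrian's or Kyanite Blue's code), the following reconciles a continuous discovery feed against the IT-maintained asset register to surface the gaps described above: hosts the register does not know about, login surfaces without MFA, software the patch policy has retired, and hosts that appeared since the previous run. The hostnames, banners and register entries are constructed samples for a hypothetical firm.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str          # rough service label from the discovery feed
    mfa: Optional[bool]   # None = not a login surface / not assessed
    version: str          # software banner, "" if none was seen

# Constructed sample discovery feed for a hypothetical firm (not real hosts).
DISCOVERED = [
    Exposure("www.example-law.co.uk", 443, "https", None, "nginx 1.24"),
    Exposure("mail.example-law.co.uk", 443, "webmail-login", True, "OWA 15.2"),
    Exposure("mail.example-law.co.uk", 25, "smtp", None, "Exchange 15.2"),
    Exposure("vpn.example-law.co.uk", 443, "vpn-login", True, "GlobalProtect 10.2"),
    Exposure("portal.example-law.co.uk", 443, "portal-login", True, "nginx 1.24"),
    Exposure("remote.example-law.co.uk", 3389, "rdp", False, ""),
    Exposure("dealroom.example-law.co.uk", 443, "portal-login", False, "Apache 2.4.49"),
    Exposure("intranet-old.example-law.co.uk", 80, "http", None, "IIS 7.5"),
]
# Constructed IT asset register: what the firm believes is internet-facing.
REGISTER = {"www.example-law.co.uk", "mail.example-law.co.uk",
            "vpn.example-law.co.uk", "portal.example-law.co.uk"}
# Constructed set of banners the firm's patch policy has retired.
RETIRED = {"Apache 2.4.49", "IIS 7.5"}

def reconcile(discovered, register, retired):
    """Findings a defender wants from continuous discovery: hosts absent from
    the register, login surfaces without MFA, retired software, and how far
    the register undercounts the real footprint (as a percentage of itself)."""
    hosts = {e.host for e in discovered}
    unknown = sorted(hosts - register)
    no_mfa = sorted(f"{e.host}:{e.port}" for e in discovered
                    if e.mfa is False and (e.service == "rdp" or e.service.endswith("-login")))
    outdated = sorted(f"{e.host}:{e.port} ({e.version})" for e in discovered
                      if e.version in retired)
    undercount = round(100 * len(unknown) / len(register)) if register else None
    return {"unknown": unknown, "no_mfa": no_mfa, "outdated": outdated,
            "undercount_pct": undercount}

def diff_since(previous, current):
    """Hosts that appeared since the last run: the portal a practice group
    stood up without involving IT shows up here within one scan cycle."""
    return sorted({e.host for e in current} - {e.host for e in previous})

if __name__ == "__main__":
    for key, value in reconcile(DISCOVERED, REGISTER, RETIRED).items():
        print(f"{key}: {value}")
    print("new since last run:", diff_since(DISCOVERED[:5], DISCOVERED))
```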

How Hadrian Supports SRA and ISO 27001 Compliance

The SRA expects firms to understand and manage their information assets. ISO 27001 Annex A.8.8 requires management of technical vulnerabilities. Both obligations require you to know what you have. Hadrian's continuous asset discovery and vulnerability reporting provide the documented evidence of ongoing security monitoring that regulators expect — and produce audit-ready reports that satisfy ISO 27001 surveillance requirements.

Frequently Asked Questions

How does Hadrian differ from an annual penetration test?

A penetration test is a point-in-time assessment — it tells you what was exposed on the day of the test. Your attack surface changes continuously as systems are added, updated, and changed. Hadrian monitors continuously, so new exposures are identified within hours, not months. For ISO 27001 compliance, continuous monitoring is increasingly regarded as satisfying the vulnerability management requirement better than annual testing alone.

Can Hadrian discover systems added by fee earners without IT involvement?

Yes. Hadrian discovers assets by mapping your external-facing infrastructure — any system that can be reached from the internet and is associated with your organisation's domains and IP ranges. It finds these regardless of whether they were added through IT or directly by practice groups.

Does attack surface monitoring replace penetration testing?

No — it complements it. Hadrian provides continuous external visibility and automated vulnerability identification. A manual penetration test by qualified testers still provides depth that automated scanning cannot — particularly for complex business logic flaws and chained vulnerabilities. The combination delivers both coverage and depth.

See your law firm through an attacker's eyes

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
