For law firms and sole practitioners

Website, domain, and email security for law firms and conveyancers.

Recurring external security monitoring on the public surface of your firm. Plain-English findings, dated evidence for professional-indemnity insurers and Law Society questions, written for the IT provider or web developer who actually fixes things. No exploitation, no matter-management access, no replacement for a manual penetration test.

Why law firms in particular

The shape of the risk for a firm like yours.

Four pressure points where external monitoring earns its keep.

Trust account fraud and BEC

Conveyancing and property settlements are a magnet for business email compromise. Attackers spoof your domain, intercept the email about a settlement payment, and reroute funds to a mule account. By the time the client calls, the money is gone. Email authentication and recurring external monitoring catch the conditions that make this attack possible.

Client confidentiality and privilege

Your firm holds privileged communications, trust account details, and sensitive matters on every client. A public exposure of a portal, a leaky subdomain, or a misconfigured share kills client confidence and may trigger reporting obligations under the Privacy Act and the Notifiable Data Breaches scheme.

Law Society and PI insurance scrutiny

Law Society practising-certificate renewals and professional-indemnity insurers ask increasingly detailed questions about cybersecurity controls: vulnerability scanning frequency, email authentication, incident response. Without recurring evidence you either guess or pay a consultant for a one-off report that goes stale.

Billing and matter-management exposure

Practice-management platforms (LEAP, Smokeball, Actionstep, Affinity), client portals, document-share links, and self-hosted billing systems are common entry points. An exposed admin path, an expired TLS certificate, or a forgotten staging copy of your matter portal is the kind of finding that ends up in a breach roll-up.

What we check

The checks that matter for a law firm.

We focus on the public surface of your firm: the website, the domain, email authentication, TLS, and any client portals or services you expose to clients and counterparts.

For each check: what we check, why it matters, and who fixes it.

Email authentication (SPF, DKIM, DMARC)
Why it matters: Stops attackers from sending settlement and invoice emails that look like they come from your firm. The single highest-impact control against BEC and conveyancing scams.
Who fixes it: Your IT provider or whoever manages the domain. Usually a single afternoon to set up properly.

TLS certificate health and expiry
Why it matters: Expired or weak TLS on a client portal or document-share page breaks trust and triggers browser warnings. PI insurance assessments flag weak cipher suites.
Who fixes it: Hosting provider or web developer.

Web application exposures (admin panels, exposed config files)
Why it matters: Client portals, document upload pages, and older WordPress installations are common entry points. We flag exposed admin paths, known vulnerable software versions, and orphaned plugins.
Who fixes it: Web developer or MSP.

Subdomain hygiene and shadow IT
Why it matters: A staging copy of the firm website, an old matter portal, or a campaign microsite that still resolves in DNS is a real risk. We discover and report subdomains so nothing is forgotten.
Who fixes it: Web developer or MSP.

HTTP security headers
Why it matters: A small set of headers (HSTS, CSP, X-Frame-Options) stops large categories of browser-side attack against the firm website and client portal logins.
Who fixes it: Web developer or hosting provider.

Public exposure of firm-owned IP addresses
Why it matters: If the office or a remote-access setup exposes services on a public IP (a mail server, an old file share, an RDP gateway), we report what is reachable and what looks risky.
Who fixes it: IT provider or MSP.

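As an added illustration of the HTTP security headers row above (example code written for this page, not AttackEdge's scanner), the script below takes a set of response headers and produces the kind of plain-English findings a web developer can act on. The two header sets are constructed for a hypothetical portal login page; a real check would take the headers from a live HTTPS response and pass them to the same function.

```python
"""Check a set of HTTP response headers for the browser-hardening headers
named above (HSTS, CSP, X-Frame-Options, plus X-Content-Type-Options).

Added example, not AttackEdge code. Both header sets are constructed and
do not come from any real site.
"""
from typing import Dict, List

# Constructed sample: a portal login page with no hardening headers.
WEAK_PORTAL_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
}

# Constructed sample: the same page after the web developer fixed it.
HARDENED_PORTAL_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

# Six months in seconds: a commonly recommended minimum HSTS max-age.
HSTS_MIN_MAX_AGE = 15552000


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent or invalid."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return plain-English findings; an empty list means nothing was flagged."""
    h = _lower_keys(headers)
    findings: List[str] = []

    # HSTS: keeps browsers on HTTPS after the first visit.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers can be downgraded to plain HTTP")
    elif hsts_max_age(hsts) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age below six months")

    # CSP: limits where scripts may load from; frame-ancestors also controls framing.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no restriction on injected scripts")
    framing_controlled = bool(csp) and "frame-ancestors" in csp.lower()

    # Clickjacking: either X-Frame-Options or CSP frame-ancestors must be set.
    xfo = h.get("x-frame-options", "").strip().upper()
    if not framing_controlled and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: neither X-Frame-Options nor CSP frame-ancestors set")

    # nosniff: stops browsers guessing a content type and running uploads as script.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_PORTAL_HEADERS), ("hardened", HARDENED_PORTAL_HEADERS)):
        print(label, check_security_headers(hdrs) or ["no findings"])
```

Each finding is one line the developer can read without context, which is the shape the report described in "What you get" aims for. The thresholds (six-month HSTS minimum, reject-or-sameorigin framing) are the example's own choices and can be tightened per site.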
What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation

AttackEdge observes what is externally visible. We do not exploit findings, brute-force credentials, or send payloads. Nothing we do affects your matters, your trust account, or your client communications.

No practice-management integration

AttackEdge never connects to LEAP, Smokeball, Actionstep, Affinity, PCLaw, or any matter-management or billing system. We only check what is on the public internet under your domain. Privileged data stays inside your systems.

Not a manual penetration test

Automated external scanning is not the same thing as a human-led penetration test. If a corporate client procurement team or a regulator requires a pen test, you still need one. AttackEdge runs alongside, not instead.

No legal advice or compliance certification

We are not lawyers and we do not certify compliance with Law Society rules, professional-indemnity policies, or the Privacy Act. AttackEdge gives you dated evidence of one specific control: recurring external monitoring on your public surface.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps for the IT provider, MSP, or web developer who actually fixes things.

Plan that fits

Most firms pick SMB.

A few-partner firm with a client portal and a couple of subdomains usually scans fifteen sites monthly, which is the SMB shape at A$99 per month for 50 scan units. Annual billing gives you twelve months for the price of ten. Sole practitioners and very small firms can start on Solo at A$39 per month for 15 scan units. If you only need a single PDF before a PI renewal, a privacy review, or a one-off corporate-client request, the Snapshot at A$149 is a one-off baseline with no ongoing commitment.

Common questions

From other law firms.

  • Will my matter-management system (LEAP, Smokeball, Actionstep, Affinity) be affected?

    No. AttackEdge does not connect to your matter-management or billing system. We only scan what your domain exposes on the public internet (the firm website, DNS, email authentication, TLS, and any portals or services reachable from outside). Privileged matter data stays inside your systems.

  • How does this help with BEC and conveyancing scams?

    Most business email compromise against law firms relies on the attacker spoofing your domain. The simplest and most effective control is email authentication (SPF, DKIM, DMARC) configured correctly, with DMARC at enforce. We report exactly where your records are weak, why it matters, and what your IT provider or domain registrar needs to change. It is not a complete defence (you still need staff training, payment-verification processes, and MFA on email accounts), but it shuts down the easiest version of the attack.

  • Does this satisfy our professional-indemnity insurer?

    AttackEdge provides dated evidence of recurring external vulnerability monitoring, which is one of the items most cyber and PI questionnaires ask about. It is evidence, not a certification. Insurers also ask about MFA, backups, training, and incident response, which sit inside your environment and are out of scope for an external scanner. We are not an accreditation body and we do not certify compliance.

  • We are a two-partner firm. Is AttackEdge overkill?

    No. Sole practitioners and very small firms with a single website and email domain fit the Solo plan at A$39 per month with 15 scan units. Firms with a few partners, a client portal, and a couple of subdomains usually move to SMB at A$99 per month with 50 scan units. If you only need a single PDF before a PI renewal or a one-off client question, the Snapshot at A$149 is a one-off baseline covering up to 15 of your sites in one bundled report.

  • We are a conveyancing-only practice. Same advice?

    Yes, and the email-authentication checks matter even more. Conveyancing settlements are the single highest-frequency target for invoice-redirection scams in Australia. A correctly enforced DMARC record on your sending domain plus dated evidence of recurring monitoring is one of the most defensible answers when an insurer or a client asks what you are doing.

  • Is the data hosted in Australia?

    Primary customer records, scan results, and report metadata are stored in Fly.io Postgres in Sydney. The full data and security commitments are on the security page.
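The BEC answer above says the firm's SPF and DMARC records are checked for weakness and that DMARC should be at enforce. As an added example (written for this page, not AttackEdge's own code), the script below classifies SPF and DMARC TXT records the way that answer describes. The records and the domain `example-firm.test` are constructed; a live check would fetch the TXT records for the domain and for `_dmarc.` plus the domain and pass them to the same functions.

```python
"""Classify SPF and DMARC TXT records: does SPF actually fail unauthorised
senders, and would DMARC block a spoofed settlement email?

Added example, not AttackEdge code. All records below are constructed for
the hypothetical domain example-firm.test.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed records (not real DNS data).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.test"
ENFORCED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-firm.test"

# SPF mechanisms and modifiers that each cost one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class EmailAuthFinding:
    control: str   # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "info"
    message: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a dictionary of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def _mechanism(term: str) -> str:
    """'include:spf.example' -> 'include'; '-all' -> 'all'; 'redirect=x' -> 'redirect'."""
    body = term.lower().lstrip("+-~?")
    for sep in (":", "=", "/"):
        body = body.split(sep, 1)[0]
    return body


def assess_spf(record: str) -> List[EmailAuthFinding]:
    if not record:
        return [EmailAuthFinding("SPF", "high", "No SPF record: any server may send as this domain")]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return [EmailAuthFinding("SPF", "high", "Record does not start with v=spf1; receivers ignore it")]
    findings: List[EmailAuthFinding] = []
    all_terms = [t.lower() for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        findings.append(EmailAuthFinding("SPF", "medium", "No all mechanism: unmatched senders are not failed"))
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(EmailAuthFinding("SPF", "high", "+all authorises every sender; the record is useless"))
        elif qualifier == "?":
            findings.append(EmailAuthFinding("SPF", "high", "?all is neutral; unauthorised senders are not flagged"))
        elif qualifier == "~":
            findings.append(EmailAuthFinding("SPF", "medium", "~all softfails; DMARC must turn this into a reject"))
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(EmailAuthFinding("SPF", "high", f"{lookups} DNS lookups exceeds the limit of 10; SPF permerrors"))
    return findings


def assess_dmarc(record: str) -> List[EmailAuthFinding]:
    if not record:
        return [EmailAuthFinding("DMARC", "high", "No DMARC record: spoofed mail is neither rejected nor reported")]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [EmailAuthFinding("DMARC", "high", "Record does not start with v=DMARC1")]
    findings: List[EmailAuthFinding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(EmailAuthFinding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(EmailAuthFinding("DMARC", "medium", "p=quarantine sends spoofs to junk; p=reject is the target"))
    elif policy != "reject":
        findings.append(EmailAuthFinding("DMARC", "high", "Missing or invalid p= tag; the record is not valid"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(EmailAuthFinding("DMARC", "medium", f"pct={pct}: policy applies to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(EmailAuthFinding("DMARC", "info", "No rua= address: no aggregate reports on who sends as you"))
    return findings


def dmarc_at_enforce(record: str) -> bool:
    """True when DMARC would actually act on spoofed mail: reject or quarantine at 100%."""
    tags = parse_dmarc(record)
    pct = tags.get("pct", "100")
    return tags.get("p", "").lower() in ("reject", "quarantine") and pct.isdigit() and int(pct) == 100


if __name__ == "__main__":
    for rec in (WEAK_SPF, STRONG_SPF):
        print(rec, "->", [f.message for f in assess_spf(rec)])
    for rec in (MONITOR_ONLY_DMARC, ENFORCED_DMARC):
        print(rec, "-> enforce:", dmarc_at_enforce(rec), [f.message for f in assess_dmarc(rec)])
```

The `~all` plus `p=none` combination is the common weak state: SPF softfails and DMARC only reports, so a spoofed settlement email still lands in the inbox. The severity labels and the treatment of `p=quarantine` as a step short of `p=reject` are this example's choices, made to match the "DMARC at enforce" wording in the answer above.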

See what attackers see

Ready to see what your firm looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show an insurer or a Law Society audit.

Hosted in Sydney · Passive scanning only · From A$39 per month