ABA-aligned cybersecurity that respects the bar and the bottom line.
Managed cybersecurity built for the way a small or mid-size law firm actually runs — NetDocuments or iManage holding privileged matter files, Clio or MyCase running the practice, Microsoft 365 or Google Workspace for the office, real estate closings or settlements moving real money through the firm. Huntress Managed EDR, ITDR, and Security Awareness Training operated end-to-end by Obsidian Ridge, with the written information security plan your bar, your carrier, and ABA Formal Opinion 483 expect you to have.
ABA Model Rule 1.6 | Formal Opinion 477R | Formal Opinion 483 | NIST CSF 2.0 | SOC 2
CISSP-led practice | Huntress Managed EDR partner
TL;DR
What law firms get, and what it costs
We operate Huntress Managed EDR, ITDR, and Security Awareness Training for your firm end-to-end. The 24/7 Huntress SOC watches every endpoint and your Microsoft 365 or Google Workspace tenant for the attack patterns documented across the legal vertical — ransomware against the document management server, business email compromise targeting paralegals, and closing-wire-fraud aimed at real-estate settlement funds.
Obsidian Ridge adds the practitioner side: an ABA-aligned written information security plan, MR 5.3-aware vendor management, the FO 483-aligned incident response runbook, cyber-insurance readiness, and the quarterly managing-partner briefing.
Pricing starts at $15 per agent per month for Foundation (endpoint only). Most firms land at Protected, $32 per user per month, which adds identity threat detection and the awareness program — the controls that actually move cyber insurance premiums and stop the BEC pattern that costs firms millions in closing fraud. Complete (from $55 per user per month) adds Managed SIEM and the full compliance evidence program.
What's included
Everything we operate for a law firm
Huntress Managed EDR on every endpoint and server
Attorney laptops, paralegal workstations, the document management server, the firm's M365 / Workspace box. 24/7 Huntress SOC watching for ransomware canaries, credential theft, and the lateral-movement patterns documented in legal-vertical attacks.
Huntress Managed ITDR on Microsoft 365 / Google Workspace
Catches the adversary-in-the-middle phishing kits (EvilProxy, Tycoon) that bypass MFA, the inbox rules used to hide closing-wire-fraud activity, and the OAuth-consent attacks against firm tenants.
Managed Security Awareness Training
Phishing simulations and 5-minute micro-lessons tuned for legal staff: closing-wire-redirect themes for paralegals, court-notice phishing for legal assistants, sealed-records hygiene for partners.
Written information security plan + ABA evidence package
The written security plan many state bars and all cyber insurance carriers now require, plus the audit-control logs, MFA coverage report, encryption attestation, training records, and the firm-tailored incident response plan.
DMS and PMS hardening
Account hygiene for NetDocuments, iManage, Clio, MyCase, ProLaw, and PracticePanther. MFA on every admin, audit-log review cadence, integration-token inventory, BYOD App Protection Policies, encrypted client portals for sensitive matters.
Incident response coordination (FO 483 aligned)
If something happens, you are not alone with a vendor portal. We coordinate forensics, walk through ABA Formal Opinion 483 notification obligations to current clients, file the cyber-insurance claim, and produce the documented response evidence the bar and the carrier expect.
The threat model
What actually goes wrong in law firms in 2026
Law firms have moved up the target list in the last 36 months. Three patterns account for the majority of the losses we see.
1. Document management system ransomware
The attacker phishes a paralegal, lands a loader, moves laterally to the document management server (or to the SSO that fronts a cloud DMS), exfiltrates sensitive matter files, and encrypts everything over a long weekend. Monday morning the firm cannot work open matters, meet deadlines, or service clients. Recovery time without preparation: 7 to 21 days, and the court-deadline impact extends well beyond that.
2. Closing-wire-fraud via business email compromise
The attacker phishes the paralegal's Microsoft 365 credentials through an adversary-in-the-middle kit, captures the session token (MFA is already satisfied), sets an inbox rule that hides wire and escrow emails, and reroutes a closing payment to a foreign bank account. Average loss for a real estate closing: $500,000 to $2,000,000. IOLTA trust account exposure compounds the bar disciplinary risk.
3. Confidentiality failure via unhardened defaults
Shared paralegal accounts at reception, no MFA on the DMS admin, BYOD partner laptops with matter files in personal Gmail, vendor access never reviewed. The kind of pattern that breaks attorney-client privilege when a court looks at the firm's actual confidentiality practices.
Law firm field notes
The six pieces every managing partner should read
Practitioner-written long reads. No marketing copy, no acronym soup. Each one written for a managing partner or firm administrator, not a CISO.
Pre-merger cyber diligence, the lateral-hire onboarding problem, the 4-quarter program, and the identity-consolidation question every growing firm hits.
Who it is for
Solo and small firms (1–10 attorneys) building a defensible program for the first time
Mid-size firms (10–75 attorneys) renewing cyber insurance against the 2026 questionnaire
Firms preparing for or going through merger / lateral-hire activity
Firms with real estate, closings, settlements, or IOLTA exposure
Firms with sealed records, IP, M&A, or other high-sensitivity matter types
Managing partners who want senior security expertise on call without staffing it internally
And who it is not for
Firms with no email, no document management, and no cloud anything (rare in 2026)
Firms that already operate an in-house 24/7 SOC with senior identity-security expertise
Firms looking for a one-time security audit document with no ongoing service
How we start
From first call to operating program
01. Discovery call (30 minutes)
Tell us how the firm runs. Practice areas, DMS, office count, attorney + staff headcount, current IT firm, cyber-insurance renewal date, any recent incidents, and what is driving the conversation. We tell you which tier fits and where the real risks are.
02. Scoped proposal (within 3 business days)
Endpoint and user counts, tier recommendation, the implementation schedule, and the ABA-aligned deliverables (written security plan, IR plan, vendor management review). Fixed monthly pricing. Month-to-month or annual. No vendor markup games.
03. Deployment (5–10 business days)
Huntress Managed EDR agent on every endpoint and server. Huntress Managed ITDR connected to your Microsoft 365 or Google Workspace tenant. Awareness program launched with a phishing simulation calibrated to the firm's practice areas. Written engagement agreement covering MR 5.3 supervisory expectations signed before any access.
04. 24/7 operation + 90-day check-in
The Huntress SOC is watching from day one. Obsidian Ridge handles escalations, quarterly managing-partner briefings, the written security plan, the FO 483 incident response runbook, the cyber-insurance renewal support, and the tabletop exercise every firm should be running annually.
Questions managing partners ask
Frequently asked questions
Are you ABA-compliant or ethics-compliant?
We deliver the technical safeguards that ABA Model Rule 1.6 requires — audit controls, encryption, identity threat detection, integrity monitoring — and we sign a written engagement agreement that addresses MR 5.3 supervisory expectations before any work begins. Vendors are not 'ABA certified' in any formal sense; the meaningful question is whether they can produce the technical evidence and meet the firm's supervisory standards. We can do both. We are not the firm's ethics counsel and we do not claim to be.
Do you replace our IT company?
No, and we are explicit about that. We are a managed cybersecurity firm, not a legal-IT MSP. Your IT company continues to handle help-desk, Wi-Fi, hardware, e-filing system support, and DMS administration. We handle 24/7 monitoring, identity threat detection, security awareness training, incident response coordination, and the FO 483 breach response support. The two functions belong with different specialists; most general legal-IT MSPs are not staffed or licensed to operate a 24/7 SOC.
What does this cost for a 6-attorney firm?
Foundation starts at $15 per agent per month — that covers every workstation, every server, and partner laptops with 24/7 monitoring. Protected at $32 per user per month adds Huntress Managed ITDR on the M365 or Google Workspace tenant and the awareness training program. That is the tier most law firms land on once they understand how identity-layer attacks bypass MFA. Complete at $55 per user per month adds Managed SIEM and the formal compliance evidence program for firms with an upcoming insurance renewal or matter-specific compliance obligation.
We use NetDocuments / iManage. Can you protect it?
Yes. Huntress Managed EDR covers every endpoint and server, including on-prem DMS servers (iManage Work on-prem, ProLaw, older NetDocuments hybrid deployments). Huntress Managed ITDR covers the identity-layer attacks that target the DMS through SSO compromise. For the DMS itself, we audit the configuration — MFA on every admin account, audit-log review cadence, integration-token inventory, BYOD App Protection Policies — and document the hardening evidence in the firm's written security plan.
We use Clio / MyCase / PracticePanther — cloud-only platforms. Do we still need this?
Yes, arguably more. Cloud DMS shifts the server burden to the vendor and the threat model toward account compromise. That is exactly where Huntress Managed ITDR matters most: monitoring sign-in anomalies, mailbox rules, OAuth consent, and token-replay attacks on your M365 or Workspace tenant — the front door to the cloud DMS. The endpoint side is still important — laptops accessing the cloud DMS still get phished — so the Protected tier is usually the right starting point for cloud-only firms.
How long does deployment take?
Endpoint agent rollout typically completes within 5 business days of contract signing. Identity threat detection on Microsoft 365 or Google Workspace activates within 24–48 hours of tenant connection. The awareness training program launches within the first two weeks. The written security plan and incident response plan are drafted in the first 30 days and reviewed with the managing partner before finalization.
Do you help with the cyber insurance application?
Yes. Our Cyber Insurance Readiness sprint maps the carrier questionnaire to the actual controls you have or need, packages the evidence the underwriter wants to see, and tells you honestly which gaps are worth closing before renewal. Most firms we work with move from 'declined or surcharged' to 'standard rating' inside one renewal cycle. We are not an insurance broker — we don't sell the policy, we help you qualify for it.
What happens if we have a breach during your service?
You get an incident-response practitioner on the phone, not a ticket-queue auto-responder. We coordinate forensics, walk through ABA Formal Opinion 483 notification obligations to current clients whose material confidential information was affected, help file the cyber-insurance claim, and produce the documented response evidence. The managing partner remains the decision-maker for client communication and ethical disclosures — we operate every technical and process step required by the breach response.
Two ways to start
Free triage call, or the full law-firm briefing.
The 20-minute triage is the fastest way to find out whether this program fits your firm. The 30-minute law-firm briefing goes deeper — DMS, office count, practice areas, insurance renewal, the threat model, and what your first 90 days would look like. Both are free, both are no-obligation, and we tell you when you don't need us.