External Penetration Test · Customer Story

Independent External Penetration Test
Australian Legal Practice

Engagement type: External Penetration Test
Methodology: ASD ISM + OWASP WSTG
Test duration: 90 minutes
Overall risk rating: Low

§1 · Background

A specialist Australian legal services firm engaged CyberCTRL to perform an external penetration test against their internet-facing infrastructure. The driver was twofold: the firm holds sensitive client matter data subject to legal professional privilege, and their professional indemnity insurer had begun requesting evidence of independent technical security testing as part of the renewal cycle.

The firm had previously commissioned manual penetration tests every two to three years. The cost (typically $18,000 to $25,000) and turnaround (six to eight weeks from contract signing to delivered report) had made more frequent testing impractical, leaving long gaps between assurance cycles.

§2 · Scope

The engagement covered the firm's primary public-facing infrastructure: the corporate website, the public-facing components of their case-management portal, and three static IP addresses housing email, file-transfer, and remote-access services.

The firm had no involvement in the testing process beyond providing the initial scope. The assessment ran autonomously over a 90-minute window. No interruption to live services was observed during testing; no client-facing systems experienced degradation.

§3 · Findings

The report identified two findings of medium severity, four of low severity, and three informational observations. No critical or high-severity findings were identified. No exploitable vulnerabilities were observed during testing.

Severity       Count  Category
Medium         2      Outdated TLS cipher support · Missing security headers on administrative endpoints
Low            4      Information disclosure · Banner exposure
Informational  3      Missing security.txt · DNS configuration items

The two medium findings concerned legacy TLS cipher support on the case-management portal (retained for compatibility with two specific corporate clients but no longer required) and missing security headers on a small number of administrative endpoints. Both findings included specific remediation guidance, vendor configuration references, and CVSS scores aligned to the firm's risk register.

Lower-severity findings related to information disclosure in HTTP headers (server software version exposed) and a small set of port banners providing service version data. The informational observations covered the absence of a published security.txt file (RFC 9116) and minor DNS configuration items.

§4 · Positive observations

The report dedicated explicit attention to the firm's existing security posture. Several controls were specifically noted as being well-implemented and were recorded as positive observations rather than findings:

  • HTTP Strict Transport Security correctly configured with appropriate max-age and includeSubDomains directives, with the primary domain on the preload list
  • All public-facing services configured for TLS 1.2 minimum, with TLS 1.3 supported
  • Email authentication (SPF, DKIM and DMARC) correctly configured across all sending domains, with DMARC set to a quarantine policy
  • DNS configuration robust against zone transfer attempts, with no information disclosure observed
  • Web application firewall observed and behaving consistently across tested endpoints
  • No exposed administrative interfaces, debug endpoints, or development artefacts identified
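Several of the items above (the missing security headers and version-bearing banners in §3, and the HSTS and DMARC observations in §4) can be verified offline from a captured HTTP response and a DNS TXT record. The script below is an added example written for this page, not CyberCTRL's scanner or report code; the sample header sets, the DMARC record and the list of headers it expects on administrative endpoints are constructed assumptions, since the report names "missing security headers" without listing them.

```python
"""Offline checks for the header and DNS items in this story (added example,
not CyberCTRL's scanner; the sample headers and DMARC record are constructed)."""
import re

# Assumed set of headers administrative endpoints should carry; the report
# says "missing security headers" without naming them.
EXPECTED_SECURITY_HEADERS = ("content-security-policy", "x-content-type-options",
                             "x-frame-options", "referrer-policy")
HSTS_MIN_MAX_AGE = 31536000           # one year, the usual preload floor
VERSION_RE = re.compile(r"\d+\.\d+")  # dotted version such as 2.4.41

def _lower_keys(headers):
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}

def check_hsts(headers, min_max_age=HSTS_MIN_MAX_AGE):
    """Return HSTS findings: missing header, short max-age, no includeSubDomains."""
    value = _lower_keys(headers).get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not an integer"]
    findings = []
    if max_age < min_max_age:
        findings.append(f"HSTS max-age {max_age} below {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

def check_security_headers(headers, expected=EXPECTED_SECURITY_HEADERS):
    """Report each expected security header the response lacks."""
    present = _lower_keys(headers)
    return [f"missing header: {name}" for name in expected if name not in present]

def check_banner(headers):
    """Low-severity disclosure: Server or X-Powered-By carrying a version."""
    present = _lower_keys(headers)
    return [f"{name} header exposes version: {present[name]}"
            for name in ("server", "x-powered-by")
            if name in present and VERSION_RE.search(present[name])]

def dmarc_policy(txt_record):
    """Parse a DMARC TXT record; return its p= policy, or None if malformed."""
    tags = {}
    for part in txt_record.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def check_dmarc(txt_record):
    """quarantine/reject pass clean; p=none is monitor-only and is reported."""
    policy = dmarc_policy(txt_record)
    if policy is None:
        return ["DMARC record missing or malformed"]
    if policy == "none":
        return ["DMARC policy is p=none (monitor only)"]
    return []

def assess(headers, dmarc_record):
    """Run every check and bucket results by finding category."""
    return {"hsts": check_hsts(headers),
            "security_headers": check_security_headers(headers),
            "banner": check_banner(headers),
            "dmarc": check_dmarc(dmarc_record)}

# Constructed samples: a well-configured portal response, an admin endpoint
# missing headers and leaking a version, and the sending domain's DMARC record.
PORTAL_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Server": "nginx",
}
ADMIN_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Server": "Apache/2.4.41 (Ubuntu)",
}
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, hdrs in (("portal", PORTAL_HEADERS), ("admin", ADMIN_HEADERS)):
        print(label, assess(hdrs, DMARC_RECORD))
```

Run against the constructed samples, the portal response comes back clean while the admin endpoint reports three missing headers and a version-bearing Server banner, which mirrors the medium and low categories in the §3 table. The one-year HSTS floor and the specific header list are policy choices; adjust them to the firm's own baseline before treating a result as a finding. The script checks header values only: TLS cipher-suite support, preload-list membership and zone-transfer behaviour still need a live connection to the host.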

The firm's overall cyber posture was assessed as Low risk - a conclusion the partners were able to provide directly to their professional indemnity insurer as evidence of due diligence.

§5 · Outcome

Both medium-severity findings were remediated within the engagement's two-week re-test window. Each remediation was independently verified by re-running the scan and confirming the findings no longer appeared. The lower-severity findings were added to the firm's standard quarterly maintenance schedule.

The firm now runs an external penetration test against their infrastructure every quarter rather than every two to three years. The combined annual cost of four CyberCTRL engagements is materially lower than a single traditional manual penetration test, and the increased frequency has changed how the firm thinks about cyber posture: from a periodic event to a continuous discipline.

§6 · Auditor and compliance value

The CyberCTRL report is structured to be presentable to external auditors, professional indemnity insurers, and clients requesting evidence of security testing as part of supplier due diligence. The methodology section maps testing activities directly to the Australian Signals Directorate Information Security Manual (ASD ISM) and the OWASP Web Security Testing Guide, with findings aligned to Essential Eight Maturity Model controls. Each finding includes CVSS scores, OWASP and CWE references, and a remediation reference URL - formatting that satisfies the typical evidentiary requirements of an Essential Eight uplift assessment, a SOC 2 or ISO 27001 audit, or an insurer attestation review.

For a regulated professional services practice, that documentation chain has proven as valuable as the technical findings themselves.

Engagement summary

Before CyberCTRL
  • Manual penetration test every 2–3 years
  • $18,000–$25,000 per engagement
  • 6–8 weeks from contract to report
  • Limited evidentiary cadence for insurer review
With CyberCTRL
  • Quarterly external penetration test
  • Materially lower combined annual cost
  • 90 minutes from initiation to report
  • Auditor- and insurer-ready documentation chain

Replace your annual pen test cycle with quarterly assurance.

From $1,550 ex GST per engagement.