Why we have NCC Group (Fox-IT) pentest Andri.ai

February 26, 2026

The legal profession handles some of the most sensitive information in existence. Medical records in personal injury claims, audio recordings from criminal investigations, privileged correspondence between solicitor and client. If you are building a platform that processes this kind of data, security is not a feature. It is a responsibility.

At Andri, we work with a growing number of law firms across the Netherlands and England. Our AI assistant helps solicitors with legal research, document drafting and building a dedicated knowledge base per case. That growth brings with it a serious obligation: the data entrusted to us deserves the highest standard of protection.

What happens when security is an afterthought

The examples are uncomfortably close to home. In 2025, Marks & Spencer suffered a major ransomware attack after criminals gained access through a third-party supplier using social engineering. Millions of customer records were exposed. That same year, the ICO issued its largest-ever fine of £14 million against Capita for cybersecurity failures that compromised the data of millions of people. According to SRA enforcement data, cyberattacks against UK law firms nearly doubled from 538 to 954 reported incidents, with £4 million of client money stolen from just 23 firms reporting breaches.

Now imagine something similar happening at a platform that manages legal case files. Medical reports, criminal case documents, privileged correspondence. The consequences would go well beyond financial loss. They strike at the heart of legal privilege and the duty of confidentiality that underpins the entire profession.

The Solicitors Regulation Authority sets clear expectations for the digital security of law firms. Solicitors have a duty of confidentiality and must take appropriate measures to safeguard client information, including when relying on third-party technology. The Dutch Bar Association (NOvA) imposes similarly strict requirements on advocates. Yet according to research by Arctic Wolf, 39% of law firms reported a security breach in the past year, and among those, 56% lost confidential client data.

In practice, many legal tech providers still treat security as an afterthought. An SSL certificate and a password, and that is that. But genuine security goes much further. You need to examine the entire chain: the agreements you hold with your suppliers, where data flows, how access is governed, and what framework you have in place to manage this on an ongoing basis. That is not something you solve by ticking a box on your website. It takes years of experience to understand what is truly involved. Particularly in the legal profession, where AI may have access to privileged case files, this is not a luxury but a necessity.

Working with NCC Group (Fox-IT)

The choice of NCC Group and its Dutch subsidiary Fox-IT was not arbitrary. From our own careers in financial services, healthcare and government, we have encountered Fox-IT time and again as the firm organisations turn to when data genuinely matters. That experience is why we hold Andri.ai to the same standard.

NCC Group is listed on the London Stock Exchange and is one of the largest cybersecurity consultancies in the United Kingdom, with over 2,000 security experts worldwide. Fox-IT, its Dutch subsidiary, has been one of the most respected names in cybersecurity in the Netherlands for over 25 years, with more than 280 specialists. It is a firm that operates at the very top of the field in both the UK and the Netherlands.

To give a sense of the calibre involved: Fox-IT was engaged by the Dutch Ministry of Foreign Affairs as the IT security partner for the 2025 NATO Summit in The Hague, staffing a Security Operations Center and Computer Emergency Response Team on location. Fox-IT also has a longstanding partnership with the Dutch Ministry of Defence on cryptography and cyber resilience, and has recently entered a strategic partnership with the Association of Dutch Insurers to improve the insurability of cyber risk in the Netherlands.

Fox-IT is no stranger to the legal profession, either. The NOvA previously engaged Fox-IT to advise on their factsheet on secure IT for law firms, a document that helps practices secure their digital communications and prevent data breaches. The fact that the same firm advising the Dutch Bar Association now tests our platform speaks to the standard we set for ourselves. For UK firms, the relevance is equally clear: NCC Group works with some of the most heavily regulated organisations in the City and across the public sector.

In practice, NCC Group (Fox-IT) carries out an extensive penetration test on our web application and infrastructure. Experienced security researchers actively try to find vulnerabilities in our platform, exactly as a malicious attacker would, but under controlled conditions and with the sole aim of strengthening our defences.

What this means for our clients

For the law firms that work with Andri.ai, this has three concrete implications.

Independent validation. Our security is not assessed solely by our own team. External experts who do this day in, day out bring fresh, critical eyes to our platform.

Continuous improvement. This is not a one-off exercise. We treat security as an ongoing process that evolves with our platform. As we add new capabilities, we continue to invest in regular security audits.

Transparency. We are open about the fact that we invest in security. Not because we have to be, but because we believe our clients deserve to know how seriously we take the protection of their data.

Why quality comes at a price

We are sometimes seen as a more expensive option in the legal tech market. That is fair, and we stand behind it. The reason is quite simple: we consistently invest in things that are not immediately visible but matter enormously when it counts. Penetration tests by leading firms such as NCC Group, robust architecture, ongoing security audits. These are not overheads. They are investments in the trust our clients place in us.

The alternative is something we have all seen by now. Cutting corners on security can seem attractive until something goes wrong. In the legal profession, "something went wrong" is simply not an option. Not with the data you entrust to us. Those who want to see how we won the first court case prepared with AI will recognise the same principle: quality over speed.

Privacy and security by design

At Andri.ai, security is not something bolted on after the fact. Our platform has been built from day one with privacy and security by design as its foundation. Security and privacy protection are woven into every architectural decision, every development process and every new feature we deliver. You can read in detail how we protect your documents.

The legal profession is in the midst of a digital transformation. AI tools are increasingly being used to support solicitors in their daily work. That is a welcome development, but only if the technology behind it meets the highest standards of security and confidentiality.

The lesson from recent breaches is clear: it is not a question of whether you become a target, but when. The difference lies in how well prepared you are. Our partnership with NCC Group (Fox-IT) is a concrete example of that preparation. The trust that law firms place in us is something we aim to earn every single day.

Interested in how Andri.ai works? Have a look at our security page or get in touch.