A Convening Initiative

The legal sector has a cybersecurity crisis. Solving it takes all of us.

Most of the world's law firms have no realistic path to cybersecurity readiness. The tools, frameworks, and training they need do not exist yet. The Sentinel Project exists to bring together the practitioners, researchers, lawyers, and technologists who will build them.

United States: EO 14028 and OMB M-22-09
European Union: NIS2 and GDPR
United Kingdom: NCSC Cyber Essentials
Canada: PIPEDA and Bill C-26
Real consequence. Right now.
$8.5M
Gunster Law Firm, Florida

A cyberattack exposed the personal data of nearly 10,000 people. The firm settled a class-action lawsuit for $8.5 million. The judge cited poor data security practices as a contributing factor.

How many firms are one breach away from the same outcome, with no plan, no policy, and no framework to point to?

See the scale of the problem
Research and Recognition
Canadian Lawyer Magazine: Featured
Canadian Journal of Law and Technology: Pending Publication
The Problem

Most law firms are flying blind on cybersecurity. And no one has built the guidance they actually need.

Enterprise cybersecurity frameworks were designed for organisations with IT departments, compliance teams, and six-figure budgets. They were never intended for the solo practitioner, the boutique firm, or the regional practice that makes up the vast majority of the global legal sector.

Regulation is tightening regardless. The U.S., EU, UK, and Canada have all introduced significant cybersecurity mandates since 2021. Not one has produced implementation guidance tailored to smaller law firms. The firms most at risk are also the least served.

This is not a technology problem. It is a coordination problem. The knowledge exists across the sector. It has never been organised, validated, and made freely available. That is what The Sentinel Project is for.

418,181
Law firms in the United States. The vast majority are solo or small practices with no dedicated IT resource.
IBISWorld, Law Firms in the US, 2024
35,313
Law firms in Canada, the majority of which are small or solo practices facing the same compliance gap.
IBISWorld, Law Firms in Canada, 2025
25%
Of law firms reported a data breach or security incident, widely considered an undercount given low reporting rates.
ABA Legal Technology Survey Report, 2023
$8.5M
Settlement paid by Florida law firm Gunster after a cyberattack exposed the personal data of nearly 10,000 people. The judge cited poor data security practices as a factor.
Reuters, via CasePeer legal technology report, 2024
The Vision

What we are setting out to build together.

The Sentinel Project does not yet have a finished platform. That is the point. We are convening the people whose combined knowledge and experience are needed to build something that will actually hold up in practice.

Right now, a law firm that wants to get serious about cybersecurity has two options. It can hire a consultant, at a cost most firms cannot justify. Or it can work through generic frameworks designed for enterprises with IT departments and compliance teams, which offer little practical guidance for a ten-person practice trying to figure out what to actually do on Monday morning.

Neither option serves the sector. And the sector knows it.

What does not yet exist is an honest, free, vendor-neutral resource that takes a firm from wherever it is now through to genuine, defensible cybersecurity readiness. Something that starts with a clear-eyed assessment of where a firm actually stands, maps its obligations across the relevant regulatory frameworks without assuming enterprise resources, and then tells it plainly what to do, in what order, and how to evidence it. Something that reaches the fee-earners and support staff who are often the real vulnerability, not just the people who run the IT.

That is what The Sentinel Project is working toward. Not a product to sell. A public good to build together, licensed openly, maintained collectively, and trusted precisely because no one profits from it.

But it cannot be built by two people, or even ten. The knowledge required spans jurisdictions, practice areas, firm sizes, regulatory regimes, and technical domains. It requires practitioners who know where guidance breaks down in the real world, lawyers who can make it defensible, researchers who can give it academic credibility, and technologists who can make it usable. That is the founding group we are assembling.

The non-negotiable: This will be Creative Commons licensed, non-commercial, and permanently open. It will recommend controls, not products. The moment it becomes a sales tool, it loses the trust that makes it worth anything. We will not let that happen.
What needs to be built
A firm today: Exposed. Unguided. Alone.
01
Know where you stand
Maturity assessment calibrated to law firm realities, not enterprise benchmarks
02
Understand what you owe
One coherent map of NIST, ISO, GDPR, NIS2 and U.S. federal obligations
03
Know what to do
Plain-language playbooks. Step by step. Written for practitioners, not IT architects
04
Bring your people with you
Training for fee-earners and support staff. Most breaches start with people, not systems
05
Prove it
Documentation and evidence packs for clients, insurers, and regulators across all four jurisdictions
A firm that is ready: Defensible. Documented. Confident.
Why Now

The regulatory window is closing.

Four major legal markets have tightened cybersecurity requirements since 2021. None have provided sector-specific guidance for small and mid-sized law firms. The gap between mandate and practical support is widest right now, and it will not stay open.

🇺🇸
United States - Primary Focus

Executive Order 14028 and OMB M-22-09

Federal mandates establishing zero-trust architecture and cybersecurity baseline requirements. Their effects reach the entire legal ecosystem, well beyond firms with federal contracts.

EO 14028, OMB M-22-09, NIST CSF, ISO 27001
🇪🇺
European Union

NIS2 Directive and GDPR Article 32

NIS2 significantly expands cybersecurity obligations across EU member states. Combined with GDPR Article 32, EU-based firms face the most complex compliance environment in any jurisdiction.

NIS2, GDPR Art. 32, ENISA
🇬🇧
United Kingdom

NCSC Cyber Essentials and SRA Oversight

The Solicitors Regulation Authority has flagged cybersecurity as an active supervisory priority. Cyber Essentials is increasingly expected for any firm handling government-adjacent work.

Cyber Essentials, SRA Standards, UK GDPR
🇨🇦
Canada

PIPEDA and Bill C-26

Bill C-26 will introduce mandatory cybersecurity programs and expanded breach reporting. Canadian firms advising regulated clients already face upstream pressure to demonstrate compliance posture.

PIPEDA, Bill C-26, OPC Guidance
Get Involved

This only works if you are part of it.

The Sentinel Project is a convening initiative, not a finished product. We are bringing together the people whose collective knowledge, credibility, and resources will determine what gets built, how credible it is, and how far it reaches.

No institution, regulator, or vendor has solved this. Not because the knowledge does not exist, but because it has never been brought together in an open, neutral, practitioner-led space. The legal sector's cybersecurity gap is a coordination failure, and the only way to fix a coordination failure is collective action.

Founding members will shape the governance, priorities, and scope of what gets built. They will be named in published research. They will have a seat at the table that later contributors will not. The time to join is now, before the agenda is set.

Expressing interest carries zero obligation.

No financial commitment. No time commitment. No obligation of any kind. We are asking you to raise your hand and say this matters to you. What involvement looks like for you specifically, whether that is a conversation, a contribution of knowledge, funding support, or something else entirely, is a discussion we have together, later, on your terms. The only thing we are asking for right now is your voice.

What happens after you express interest
01
We read every submission

No auto-responders. No newsletter sequences. We review what you have written and respond personally, usually within a few business days.

02
A real conversation

We will reach out directly to understand your background, your jurisdiction, and what kind of involvement makes sense for you. No pressure, no pitch.

03
You shape what comes next

Founding members will be involved in defining the governance structure, the research agenda, and the priorities of what gets built. Your voice has weight from day one.

04
Any commitment is agreed together

Whether you contribute time, knowledge, networks, or resources, what that looks like is a conversation, not an expectation. Nothing is assumed. Everything is discussed.

Express interest now

Who we are looking for

We are building a founding group across six constituencies. Each brings something the others cannot.

Law Firm Leaders and Managing Partners

Ground the work in reality

Your firm's lived experience with cybersecurity compliance is irreplaceable. Without it, anything we build risks being accurate in theory and useless in practice.

CIOs and Technology Leaders

Define what actually works

You know where the frameworks fail. Where implementation stalls. Where the guidance assumes resources that do not exist. That knowledge has to be at the centre of what we build.

Privacy Lawyers and Compliance Counsel

Make it legally defensible

Guidance that cannot survive scrutiny from a privacy lawyer is guidance that will get firms into trouble. Your expertise is what separates well-intentioned from genuinely sound.

Academics and Researchers

Give it credibility and permanence

Peer-reviewed research is the foundation that prevents this from being dismissed as opinion. We need researchers who want to co-author, peer review, and extend the evidence base.

Legal Technologists, ILTA and CLOC Members

Ensure it reaches the right people

The best framework in the world is worthless if it does not reach the firms that need it. Your networks and influence inside the legal technology community are how that changes.

Institutional and Financial Partners

Make it sustainable

Building and maintaining free, open tools requires resources. We are seeking grant bodies, bar associations, and institutional partners who want to invest in sector-wide readiness as a public good.

Ways to contribute

Involvement can take many forms. We are as interested in a conversation as a commitment.

🧠

Knowledge and Experience

Advise on what good looks like in your jurisdiction or practice area. Validate drafts. Tell us what we are getting wrong.

🔬

Research and Writing

Co-author. Peer review. Help us extend the academic foundations into new jurisdictions, practice areas, and firm types.

💰

Funding and Resources

Support tool development, training infrastructure, or the time needed to do this properly. Grants, institutional backing, and philanthropic investment are all welcome.

📣

Networks and Reach

Connect us with the people and institutions who need to be in the room. Endorse the initiative within your professional community.

🛠

Technical Skills

Help design the tools, templates, and training modules that will turn the framework from a document into something firms can actually use.

🌍

Regional Expertise

Help ensure the framework works outside North America and Western Europe. Local knowledge of regulatory environments and legal culture is essential.

What founding members receive

  • A genuine voice in shaping what gets built and how
  • Direct access to the project leads, not a mailing list
  • Named recognition in all published research and outputs
  • Early access to all framework materials as they are developed
  • Membership of the founding group before it closes
  • The opportunity to shape a sector standard from the ground up

Start the conversation

Tell us who you are, where you are based, and what draws you to this. We will respond personally. We are looking for the right people, not the most people.

Express Interest
No commitment required. No sales process. Just a conversation.
Who We Are

Why we are the ones convening this. Because someone needs to. And we need you.

The Sentinel Project needs to be led by people who have worked inside the problem, not consultants who have studied it from the outside. We have the credentials, the networks, and the conviction to get this started. But we cannot finish it without the right people around us. That is the honest truth, and it is why we are asking.

Maz Araghrez
Co-Lead, Toronto, Canada

Maz spent a decade inside the institutions that shape how large organisations govern technology. At Dentons, he led global service excellence across 44 regions, sitting at the intersection of technology, operations, and firm leadership at scale. He has seen exactly where cybersecurity guidance built for enterprise breaks down in legal practice, and that is the gap The Sentinel Project is designed to close.

  • Global Service Excellence Lead, Dentons, world's largest law firm
  • Technology Strategy Consultant, Legal and Professional Services Sector
  • Pending publication, Canadian Journal of Law and Technology
  • ITILv4 and PRINCE2 Certified
Dr. Anna Popowicz-Pazdej
Co-Lead, Wroclaw, Poland

Dr. Anna is a Global Senior Data Privacy Lawyer at Dentons and a university lecturer in Cybersecurity and IT Law. She does not just understand the regulatory landscape; she teaches it. Her depth across GDPR, NIS2, and the EU AI Act means the project has the legal authority to ensure what we build is not just useful but genuinely defensible across the jurisdictions that matter.

  • Global Senior Data Privacy Lawyer, Dentons
  • CIPP/E, Certified Information Privacy Professional Europe
  • Cybersecurity and IT Law Lecturer, university level
  • International Neural Network Society Member
  • Pending publication, Canadian Journal of Law and Technology
  • Expert in GDPR, NIS2 and EU AI Act