Karakor
Industries

We work with a narrow set of industries by choice. The constraints differ — privilege, regulated data, enterprise scrutiny, IP exposure — but the discipline behind the work is the same: build for an adversary, write down what we did, hand over something an in-house lead can extend.

How we pick

Why these five.

Karakor is not a generalist firm. We work where four conditions are true at once.

The five industries below sit inside our competence because each one satisfies all four. When a prospective engagement falls outside even one, we usually refer it to a firm whose practice fits the work better than ours would. The list below is the actual filter we apply, not a positioning statement.

01

The worst case is reputational, not operational.

We work in industries where a security failure means a client conversation, a regulatory letter, or a cross-examination — not just downtime. The threat model is calibrated to what survives a tribunal, an auditor, or a procurement review.

02

Work product is written, retained, and discoverable.

Industries we serve produce documents that have to outlast the engagement. Privileged work product, clinical records, audit trails, IP. That changes what retention defaults, audit logs, and access controls are actually for.

03

An in-house lead has to operate it after we leave.

Every industry we work in has one or two competent practitioners already running it. Our deliverable is calibrated to what they can extend and maintain — not to what a perpetual outside team would manage on their behalf.

04

Enterprise scrutiny is already asking.

We work where enterprise procurement, insurers, regulators, or partners are already asking the security question. The work pays off because the answer is now load-bearing — not because we have to convince the client it should be.

The threat model

The discipline is the threat model. The industries are the places it pays off.

A pre-IPO biotech, a litigation firm, a clinical research operation, and a six-hundred-person professional-services firm do not look alike on the surface. What they share is the shape of the worst case: a small breach in a tightly held system, evident in writing, in front of someone whose decision is irrevocable. The work that matters in each industry assumes that worst case — and that is the work we do.

The five

Five places the discipline pays off.

01

Law firms

Privilege is a security property, not a legal one.

Law firms are the wedge practice. Every technology decision a firm makes — DMS configuration, AI tooling, retention defaults, who is on the matter team — is a privilege decision before it is a productivity decision. Most enterprise security postures cannot meet that bar because they were written for a different threat model. We work with firms in the language of privilege, with deliverables a managing partner can defend on cross-examination. Tulgra exists because of this practice, not the other way around.

6 – 12 wksTypical engagement length
DMS reviewMost common scope
Partner-defensibleDeliverable standard
What the work looks like
  • DMS and document-architecture review against an ethical-wall threat model
  • On-premises AI deployment for firms that cannot send privileged material to third-party APIs
  • Secure-infrastructure assessment scoped to the matter team, not the IT department
Who signs the engagement

Managing partner or general counsel, with the firm's IT lead in the room.

See a representative engagement: A DMS configuration a managing partner can defend
02

Professional services with privileged work

Client material that has to survive subpoena.

Accounting firms, expert-witness practices, IP consultancies, and advisory shops where client documents are admissible evidence, not just internal memos. The discipline that applies to law firms applies here for the same reason: the worst case is sensitive material in the wrong hands, in writing, in front of a tribunal. We treat these engagements with the same threat model and the same deliverable standard as our legal practice.

4 – 8 wksTypical engagement length
Posture docMost common deliverable
187 → 4 hrsCompressed questionnaire turnaround, mid-market sample
What the work looks like
  • Written security posture and questionnaire library to compress enterprise client onboarding
  • Document handling and retention review for engagements that may be entered into evidence
  • Practice-management modernisation that keeps work product on infrastructure the firm controls
Who signs the engagement

Managing principal or COO, usually triggered by an enterprise client's security questionnaire.

See a representative engagement: A written security posture before procurement asked
03

Healthcare-adjacent organisations

HIPAA-aligned discipline without a hospital's resources.

Not hospitals. The companies that sit alongside the healthcare system — clinical research operations, life-sciences vendors, claims processors, digital-health platforms — where HIPAA, HITECH, and state-level health privacy law set the floor. These organisations carry regulated data and audit obligations comparable to a hospital, with a fraction of the security staffing. The work is calibrated to that asymmetry: documentation that holds up to an OCR audit, controls that an in-house IT lead can actually maintain.

3 – 5 monthsTypical engagement length
0 bytesPatient data that left the client boundary, sample build
HIPAA-alignedDocumentation posture
What the work looks like
  • HIPAA-aligned security risk analysis with written remediation roadmap
  • Vendor and business-associate review, including DPA and sub-processor mapping
  • Private AI advisory for organisations that cannot let clinical data leave the boundary
Who signs the engagement

CISO, head of compliance, or VP of engineering — depending on which side of the org runs the risk register.

See a representative engagement: A private-AI deployment a partner can defend
04

Mid-market organisations

Too large to outsource everything. Too small to staff a CISO org.

Organisations between roughly two hundred and two thousand employees. Large enough that a serious incident is a board-level event; small enough that there is no security organisation, only one or two competent practitioners who already wear three other hats. The work that lands here is an outside practitioner who delivers a written posture the in-house team can actually run with — not a perpetual managed-service relationship, not a slide deck that ends at the first executive review.

2 – 6 wksTypical engagement length
30 – 60 ppLength of a written assessment report
60 → 16 ppIncident-response plan reduced to a usable document, sample readiness engagement
What the work looks like
  • Two-to-four-week NIST CSF-scoped assessment with a written report ranked by exploitability
  • Hands-on hardening and remediation after the assessment — implementation, not advice alone
  • Secure-software engagements for product teams that handle customer data and cannot get an SOC 2 finding wrong
Who signs the engagement

VP of engineering, head of IT, or principal — whoever is accountable when an enterprise customer sends their questionnaire.

See a representative engagement: An incident response plan tested before it was needed
05

Founder-led companies with sensitive IP

A small team holding work product that has to outlast them.

Pre-IPO technology companies, biotech research operations past Series B, and hardware startups with real engineering depth — organisations where the work product is patentable, the code base is the company's core asset, and the team is small enough that one wrong access decision can leak years of investment. Founders and CTOs at these companies face the same threat model as a mid-market firm but with a tighter time horizon, a less mature security organisation, and an investor base that started asking security questions during the last round.

3 – 6 monthsTypical build engagement length
Greenfield + IPMost common scope shape
Production handoffAlways ends with code the in-house team owns
What the work looks like
  • Greenfield software builds where IP protection is a first-class architectural concern, not a follow-on requirement
  • Trade-secret discipline review — repositories, key escrow, departure procedures, NDA enforcement points
  • Private AI deployment for product teams that cannot send training data or model context to a third-party API
Who signs the engagement

CTO, founder, or VP of engineering — usually triggered by an enterprise pilot, a due-diligence conversation, or an IP-bearing team member's exit.

See a representative engagement: A greenfield internal platform that shipped on time
Three signals

Three questions to answer before the first call.

Industry alone does not decide whether we are the right firm. The three questions below do. If the answers are clear, the first call gets straight to scope.

01

Has a client, regulator, or insurer asked you a security question this quarter?

If yes, your security posture has moved from optional documentation to operational infrastructure. The work pays off because the answer is now load-bearing.

02

Could you defend your current configuration in writing?

Not 'is it documented somewhere' — could a senior person at your firm hand a client a defensible written account of how the system is configured and why. If the answer is no, that is the work.

03

Do you want a deliverable that ends, or a managed-service relationship?

Karakor delivers scoped engagements that conclude. If you want a perpetual outside team in the seat, we will tell you that on the first call and refer to a firm that does that work.

One more thing

Industry is a heuristic, not a wall.

The five industries above are how we describe the work, not how we gate it.

Organisations that do not fit cleanly into one of the five but satisfy the four criteria from earlier in this page — the worst case is reputational, the work product is written and retained, an in-house lead can operate the deliverable, enterprise scrutiny is already asking — are the kind of engagement we sign for. The label is less important than the threat model underneath it.

If the constraint you operate under is in this rhythm but the industry name above does not quite fit, write to us through the contact page. The first call is a scoping conversation, not a sales call.

Where we do not work

The work we turn down.

Saying no is part of the deliverable. Four categories where we are the wrong firm — and where we will refer you to one that is right.

Hospitals and health systems

Direct provider security is its own discipline with its own vendors. We work with the organisations around them.

Public-sector and defense primes

Clearance regimes and FAR/DFARS contracting are a separate practice. We refer.

Pre-product startups

Our engagements assume a system worth protecting. Before product-market fit, the security spend is rarely the right next dollar.

Cryptocurrency and on-chain protocols

Smart-contract auditing is a specialist field. We are not the right firm for it.

Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.