Karakor
Practices

The three practices below are how we organise the firm internally and how we describe ourselves to clients. They run side by side because the work in each one assumes the discipline of the others. Tulgra is the proof that we ship under those constraints.

Why three, not one

Each practice sharpens the others.

A firm that only assesses security writes different reports than a firm that also builds the systems being assessed.

Most boutique consultancies pick one practice and stay inside it. Karakor runs three side by side because the work that matters in each one assumes the threat model of the others. Software we build assumes adversaries from the first commit because the security practice runs alongside it. Security assessments are written by engineers who would have to fix the findings themselves. Private AI infrastructure is designed by people who understand both the security implications and the build constraints.

None of this works as separate engagements. Below are three concrete examples of how one practice changes the deliverable of another.

SoftwareSecurity

Security assessments here are written by engineers who would have to fix the findings themselves. That changes what gets ranked as high severity — and what gets cut from a report because it would not actually be exploited.

SecurityAI

On-premises AI deployments here start with a written threat model: what data is in the index, who can query it, what the model can leak through prompts. The same discipline that runs a cyber engagement runs an AI deployment.

LegalSoftware

Software we build for law firms assumes adversaries from the first commit — a partner explaining a leak to a client on cross-examination is the worst case, not regulatory fines. Tulgra is built end-to-end against that threat model.

The practices

Three areas of operating depth.

Each practice has its own page with the engagement shape, the specific services, and the work we decline.

How a practice runs

The inside of an engagement, regardless of which practice.

The shape of the work is the same across all three. Specific durations and deliverables vary; the rhythm does not.

  1. iScope

    A scoping call with the partner, principal, or engineering lead commissioning the work. Out of that call: a written scope — in, out, definition of done — signed before any clock starts. Fixed fee against the scope. Usually one week.

  2. iiWork

    Quiet, structured work against the scope. Weekly written updates. The senior person at the client sees the work in flight, not at the end. Two to four weeks for an assessment; three to six months for a build.

  3. iiiHand off

    Written deliverables — a report, a roadmap, a runbook, a codebase — and a working session with the in-house team to walk through them. Every engagement ends with documentation a senior person at the client can act on without us.

Across all three

Three engagements no practice will run.

Individual practice pages list practice-specific declines. These three apply to all of them.

01 — Decline

We will not retainer a managed-service relationship.

Karakor delivers scoped engagements that end. If the work needs a perpetual outside team to run, we say so before the engagement begins and refer you to a firm that does that work.

02 — Decline

We will not deliver compliance theatre.

If the scope asks for a report that satisfies an auditor without actually improving posture, we say no. The deliverable is work that holds up six months after we hand it over.

03 — Decline

We will not respond to incidents we did not scope.

Live response is on retainer only. The first day of an incident is the wrong day to learn a client's architecture. Without prior scoping, we cannot deliver work that matters under pressure.

Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.