We will not retainer a managed-service relationship.
Karakor delivers scoped engagements that end. If the work needs a perpetual outside team to run, we say so before the engagement begins and refer you to a firm that does that work.
The three practices below are how we organise the firm internally and how we describe ourselves to clients. They run side by side because the work in each one assumes the discipline of the others. Tulgra is the proof that we ship under those constraints.
A firm that only assesses security writes different reports than a firm that also builds the systems being assessed.
Most boutique consultancies pick one practice and stay inside it. Karakor runs three side by side because the work that matters in each one assumes the threat model of the others. Software we build assumes adversaries from the first commit because the security practice runs alongside it. Security assessments are written by engineers who would have to fix the findings themselves. Private AI infrastructure is designed by people who understand both the security implications and the build constraints.
None of this works as separate engagements. Below are three concrete examples of how one practice changes the deliverable of another.
Security assessments here are written by engineers who would have to fix the findings themselves. That changes what gets ranked as high severity — and what gets cut from a report because it would not actually be exploited.
On-premises AI deployments here start with a written threat model: what data is in the index, who can query it, what the model can leak through prompts. The same discipline that runs a cyber engagement runs an AI deployment.
Software we build for law firms assumes adversaries from the first commit — a partner explaining a leak to a client on cross-examination is the worst case, not regulatory fines. Tulgra is built end-to-end against that threat model.
Each practice has its own page with the engagement shape, the specific services, and the work we decline.
The wedge practice. Law firms hold material that is privileged by definition; every technology decision a firm makes — DMS configuration, AI tooling, retention defaults, who is on the matter team — is a privilege decision before it is a productivity decision. We work with firms in that language, with deliverables a managing partner can defend on cross-examination. Tulgra exists because of this practice.
NIST CSF-aligned assessment, hardening, secure architecture review, vendor risk, incident readiness, and live response. The work is calibrated to the client's environment and threat model, written by engineers who would have to fix the findings themselves. The framework is the structure; the written report is the deliverable.
Greenfield software builds and on-premises AI deployment. For organisations building systems that hold sensitive data, or that cannot send work product to third-party models. Identity, secrets, audit, and trust boundaries are first-class concerns from the first commit — because the cybersecurity practice runs alongside the build, not after it.
The shape of the work is the same across all three. Specific durations and deliverables vary; the rhythm does not.
A scoping call with the partner, principal, or engineering lead commissioning the work. Out of that call: a written scope — in, out, definition of done — signed before any clock starts. Fixed fee against the scope. Usually one week.
Quiet, structured work against the scope. Weekly written updates. The senior person at the client sees the work in flight, not at the end. Two to four weeks for an assessment; three to six months for a build.
Written deliverables — a report, a roadmap, a runbook, a codebase — and a working session with the in-house team to walk through them. Every engagement ends with documentation a senior person at the client can act on without us.
Individual practice pages list practice-specific declines. These three apply to all of them.
Karakor delivers scoped engagements that end. If the work needs a perpetual outside team to run, we say so before the engagement begins and refer you to a firm that does that work.
If the scope asks for a report that satisfies an auditor without actually improving posture, we say no. The deliverable is work that holds up six months after we hand it over.
Live response is on retainer only. The first day of an incident is the wrong day to learn a client's architecture. Without prior scoping, we cannot deliver work that matters under pressure.
We respond within two business days. Scoping calls are obligation-free and run thirty minutes.