Karakor
Services

A catalog of scoped engagements — not retainers, not packages, not subscriptions. Each one has a written brief, a defined deliverable, and a date it ends. Tulgra is the proof that we ship under those constraints.

How we sell

Engagements that end.

Every service below is a scoped engagement with a written brief, a fixed fee against that brief, and a date it concludes.

We do not run perpetual managed-service relationships. We do not bill by the hour against an open clock. If the work requires Karakor to remain on retainer to keep the client operating, we say so before the engagement begins and refer to a firm that does that work. The catalog below is what we will sign for.

Services are organised by what a buyer comes here to do, not by which of our three practices the work technically sits inside. The practice underneath every engagement is the same — the practices page is for the firm structure; this page is for the work.

How we scope

Signed before the clock starts.

Every engagement begins with a written scope: what is in, what is out, what we will deliver, what success looks like.

The scope is signed by the partner or principal commissioning the work before any clock starts. We will not begin work on anything that does not appear in that document — and we will tell you, clearly, when you have asked for the wrong engagement.

We turn down work that does not fit the practice. Usually because the scope is undefined; sometimes because the request would require us to operate outside our competence. Saying no is part of the deliverable.

The catalog

Engagements, grouped by what you came here to do.

Six clusters. Some clients walk in knowing which service they want; most walk in knowing the outcome they need and ask us to scope the engagement that gets there.

01Assessment

Assessment.

Find out what is actually wrong before deciding what to fix. Each ends in a written report a senior person at the client can act on without an interpreter.

Discuss an engagement
  • Security assessment

    Two-to-four-week scoped review of identity, access, network posture, and data handling. The report ranks findings by exploitability, not by checkbox.

  • NIST CSF gap analysis

    Structured posture review against the framework, calibrated to the client's environment and threat model. The framework is the structure; the report is the deliverable.

  • Secure architecture review

    Threat modelling, trust-boundary analysis, and cryptography review on systems before they hit production. Design-doc phase, not retrofit phase.

  • Document architecture review

    DMS configuration, retention defaults, ethical-wall enforcement, audit-trail design. The boring decisions that decide privilege exposure for law firms.

  • Vendor & third-party risk

    DPA review, sub-processor mapping, and questionnaires calibrated to the data each vendor actually touches — not the standard 200-question matrix.

02Implementation

Implementation.

Hands-on changes that follow an assessment, or stand-alone hardening engagements with a written scope. Implementation, not advice alone.

Discuss an engagement
  • System hardening

    Configuration changes, attack-surface reduction, and follow-through after an assessment. The fix list from the report, executed.

  • Identity & access redesign

    SSO, conditional access, role-based permission models, and break-glass procedures. Designed against a written threat model, not a vendor template.

  • Secure cloud baseline

    Reference architecture and hardening for AWS, Azure, or GCP — landing zones, guardrails, audit, and the runbook to keep them that way.

  • DMS configuration & rollout

    Document-management system selection or reconfiguration calibrated to the firm's matter team structure, retention obligations, and ethical-wall requirements.

03Build

Build.

Greenfield software shipped end-to-end. Three-to-six-month engagements, code your engineers can read and own after we are gone. Security is a first-class concern from the first commit.

Discuss an engagement
  • Greenfield software builds

    End-to-end product builds shipped to production. We hand off code your team can extend, with the architecture documented in writing.

  • Internal tools development

    Admin consoles, operations dashboards, and workflow tools for in-house teams. Scoped to ship, not to scale into a platform.

  • Legacy migration & modernisation

    Migration sequencing, replatforming, and the discipline to decide what to leave alone. We tell you when the right answer is to keep the legacy system running.

  • Architecture & design review

    Threat modelling and reference architectures your engineers can act on without an interpreter. For teams about to start a build, or stuck mid-build.

04AI & data

AI & data.

AI deployments that keep client material inside the client's boundary. On-premises models, retrieval over private data, and the governance to operate it.

Discuss an engagement
  • On-premises LLM deployment

    Frontier open-weight models running on the client's own hardware. Model selection, sizing, hardening, and runbooks an in-house operator can run unattended.

  • Retrieval over private data

    Document indexing, matter-aware query patterns, and review workflows that keep your data inside your boundary. No third-party API in the data path.

  • AI policy & governance

    Acceptable-use policy, retention defaults, and review processes for organisations deploying AI in regulated contexts. Drafted in writing, not by reference.

  • Model selection & sizing

    Independent advisory on which open-weight model fits the task, what hardware to run it on, and what to measure to know it is working.

05Operate

Operate.

Engagements for organisations that need to be ready for incidents — and a narrow set for organisations responding to one already.

Discuss an engagement
  • Incident readiness

    Scenario-driven tabletops, detection coverage gap analysis, and communications playbook review. Decided before the incident, not during.

  • Live incident response

    Active response to incidents in progress — forensics, containment, communications. Retainer required; we do not chase incidents we have not scoped.

  • Compliance preparedness

    SOC 2, HIPAA-aligned, and ABA Model Rule 1.6 preparation. The work that gets the documentation defensible before the auditor or questionnaire shows up.

  • Litigation support tooling

    Review-platform configuration, chain-of-custody handling, and discovery-workflow security review for firms running their own e-discovery in-house.

06Advisory

Advisory.

Short, defined engagements where the deliverable is a decision, not a system. Used by partners, founders, and engineering leads to get an opinion on the record.

Discuss an engagement
  • Practice management modernisation

    Vendor evaluation, migration sequencing, and the discipline to decide what to leave alone — for time, billing, conflicts, and matter management.

  • Fractional security leadership

    Time-boxed vCISO arrangements — sixty to ninety days — for organisations that need a security leader to write the strategy, not perpetually sit in the seat.

  • Questionnaire & board advisory

    Written responses to enterprise security questionnaires, board-level security briefings, and the materials a non-technical exec needs to hold an informed line.

  • Independent technology review

    Second-opinion engagement on a vendor selection, an in-flight build, or a security architecture. We tell you what we would do, in writing, and refer when we cannot.

The discipline

What every engagement has in common.

The services in the catalog above are different kinds of work — an assessment is not a build, an advisory engagement is not an incident response. The discipline underneath them is the same.

01

Scoped, written, fixed-fee.

Every engagement begins with a written scope — in, out, definition of done — signed before any clock starts. The fee is fixed against that scope. If the scope changes, we re-scope in writing. We do not run the meter.

02

The handoff is the test.

A deliverable that requires Karakor to remain on retainer to operate is a deliverable we did not finish. Every engagement ends with documentation, runbooks, or code an in-house person can take over without us.

03

We refer when it is not our work.

If the request would require us to operate outside our competence, we name the firms who do that work well and pass the engagement. The list is short and it is written down.

What we will not sell

Saying no is part of the deliverable.

Four categories of work we explicitly decline — written down so a prospect can decide before the first call whether the engagement they want is the engagement we sign for.

01 — Decline

Perpetual managed-service retainers.

We do not stand up a managed-security relationship that has no end date. Every engagement has a defined deliverable and a date it concludes. If the work needs a perpetual outside team to run, we say so before we start and refer to a firm that does that work.

02 — Decline

Compliance theatre.

If the goal is a report that satisfies an auditor or a procurement team without actually improving posture, we say no. The deliverable is work that holds up six months after handoff, not a checkbox satisfied on a Friday afternoon.

03 — Decline

Incidents we did not scope.

Live response is on retainer only. The first day of an incident is the wrong day to learn a client's architecture. Without prior scoping, we cannot deliver work that matters under pressure — and we will not pretend otherwise.

04 — Decline

Vendors we cannot defend.

Every tool we recommend comes with a written security review against the client's threat model. If we cannot defend the choice on its security posture — not on its marketing — it does not appear in the recommendation.

Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.