Karakor
About

Karakor Consulting is an operator-led cybersecurity and software firm. We work with law firms, privileged professional services, healthcare-adjacent organisations, and mid-market companies on assessment, secure engineering, and private AI — and we built Tulgra, the legal operating system that never sends a firm's data to the cloud.

Principal

Shahed Daoud

Founder & principal

The practitioner you meet on the first call is the practitioner who delivers the work. There is no handoff to a junior team because there is no junior team.

Karakor was founded because the prevailing options for serious cybersecurity and software work are unsatisfying — either large consultancies that bill by the slide deck and rotate the team between calls, or solo practitioners without the operational footing to deliver work that stands up to enterprise scrutiny. We sit between those models on purpose.

The firm exists to deliver three things consistently: a written report a senior engineer can act on, code that survives the handoff, and a posture document that closes a deal cycle instead of opening one. Everything else — the methodology, the tooling, the cadence — is in service of those three artefacts.

Engagements are scoped in writing before any clock starts. We say no often, in writing, with a referral when we can give one. Saying no is part of the deliverable.

The work

Three disciplines. One bar.

The practices are separate engagements with separate scopes, but they share a methodology. Each one starts from an adversary, ends in writing, and produces an artefact a senior person at the client can extend after we are gone.

01 — Cybersecurity

NIST CSF, scoped to the stack.

Two-to-four-week assessments calibrated to the client's environment and threat model. The framework structures the conversation; the deliverable is a thirty- to sixty-page written report with findings ranked by exploitability and a remediation roadmap the in-house team can run with.

02 — Software

Secure by default, first commit.

Greenfield software builds with identity, secrets, audit, and trust boundaries treated as first-class concerns from line one. Three-to-six-month engagements that ship to production and hand off code your engineers can read, extend, and own.

03 — Private AI

Privacy as architecture, not policy.

On-premises model deployment, matter-aware retrieval, and the governance documentation that lets a firm describe its AI posture on cross-examination. For organisations that cannot send privileged material to a third-party API.

Proof

We built Tulgra.

The legal operating system that never sends a firm's data to the cloud. In beta, in 2026, with a founding cohort of design partners.

Most consultancies that advise on private AI have never shipped a private AI product. We built one because the constraints we tell law firms to take seriously — privilege, retrieval discipline, retention, audit, operator viability — are the same constraints we forced ourselves to engineer against.

Tulgra is what the work produces when the firm is its own worst critic. Cases, documents, drafting, billing, discovery, e-filing, and a local AI surface — in one native desktop application for macOS and Windows. No data leaves the firm. No five-vendor stack. No compromise on the threat model.

The product also keeps the consultancy honest. When we advise a firm on the architecture of a privately-hosted model, we are advising from a system we have already built and broken — not from a slide deck.

How we work

Remote-first. On-site when the work demands it.

Karakor is headquartered in Westchester, Illinois, in the Chicago metro. We work with clients across the United States, remote by default, on-site where the engagement calls for it — a tabletop exercise that has to happen in one room, a hands-on hardening sprint with the in-house team, a live response.

Scope

In writing, before the clock starts.

The statement of work names the deliverable, the timeline, and the people. No retainer that drifts. No scope creep absorbed into next month's invoice.

Cadence

Weekly written updates.

Friday note: what changed this week, what is open, what the client needs to decide. The note is the record. Meetings happen when the note is not enough.

Handoff

Documentation an operator can run.

The artefact lives with the client. Runbooks, threat models, architecture notes, and remediation roadmaps designed to be extended by the in-house team six months after we are gone.

What we decline

The work we turn down.

The shape of a practice is decided as much by what it refuses as by what it accepts. Four kinds of engagement we will not take.

01

Undefined scope

Engagements that begin with "we need help with security" and end with a recurring invoice. We scope, in writing, before any clock starts — or we refer.

02

Theatre

Reports designed to satisfy a board slide rather than to find what is wrong. If the goal is the document, not the work, we are the wrong firm.

03

Work outside our competence

Smart-contract audits, defense-prime contracting, healthcare provider security, pre-product startup posture. Specialist fields with specialist firms; we refer.

04

Incident response we did not scope

Live response is on retainer only. We do not chase incidents in environments we have never read. The first day of an incident is the wrong day to learn a new architecture.

Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.