We work with a narrow set of industries by choice. The constraints differ — privilege, regulated data, enterprise scrutiny — but the discipline behind the work is the same: build for an adversary, write down what we did, hand over something an in-house lead can extend.
Law firms
Privilege is a security property, not a legal one.
Law firms are the wedge practice. Every technology decision a firm makes — DMS configuration, AI tooling, retention defaults, who is on the matter team — is a privilege decision before it is a productivity decision. Most enterprise security postures cannot meet that bar because they were written for a different threat model. We work with firms in the language of privilege, with deliverables a managing partner can defend on cross-examination. Tulgra exists because of this practice, not the other way around.
- DMS and document-architecture review against an ethical-wall threat model
- On-premises AI deployment for firms that cannot send privileged material to third-party APIs
- Secure-infrastructure assessment scoped to the matter team, not the IT department
Managing partner or general counsel, with the firm's IT lead in the room.
Professional services with privileged work
Client material that has to survive subpoena.
Accounting firms, expert-witness practices, IP consultancies, and advisory shops where client documents are admissible evidence, not just internal memos. The discipline that applies to law firms applies here for the same reason: the worst case is sensitive material in the wrong hands, in writing, in front of a tribunal. We treat these engagements with the same threat model and the same deliverable standard as our legal practice.
- Written security posture and questionnaire library to compress enterprise client onboarding
- Document handling and retention review for engagements that may be entered into evidence
- Practice-management modernisation that keeps work product on infrastructure the firm controls
Managing principal or COO, usually triggered by an enterprise client's security questionnaire.
Healthcare-adjacent organisations
HIPAA-aligned discipline without a hospital's resources.
Not hospitals. The companies that sit alongside the healthcare system — clinical research operations, life-sciences vendors, claims processors, digital-health platforms — where HIPAA, HITECH, and state-level health privacy law set the floor. These organisations carry regulated data and audit obligations comparable to a hospital, with a fraction of the security staffing. The work is calibrated to that asymmetry: documentation that holds up to an OCR audit, controls that an in-house IT lead can actually maintain.
- HIPAA-aligned security risk analysis with written remediation roadmap
- Vendor and business-associate review, including DPA and sub-processor mapping
- Private AI advisory for organisations that cannot let clinical data leave the boundary
CISO, head of compliance, or VP of engineering — depending on which side of the org runs the risk register.
Mid-market organisations
Too large to outsource everything. Too small to staff a CISO org.
Organisations between roughly two hundred and two thousand employees. Large enough that a serious incident is a board-level event; small enough that there is no security organisation, only one or two competent practitioners who already wear three other hats. What these organisations need is an outside practitioner who delivers a written posture the in-house team can actually run with — not a perpetual managed-service relationship, not a slide deck that ends at the first executive review.
- Two-to-four-week NIST CSF-scoped assessment with a written report ranked by exploitability
- Hands-on hardening and remediation after the assessment — implementation, not advice alone
- Secure-software engagements for product teams that handle customer data and cannot get an SOC 2 finding wrong
VP of engineering, head of IT, or principal — whoever is accountable when an enterprise customer sends their questionnaire.
The work we turn down.
Saying no is part of the deliverable. Four categories where we are the wrong firm — and where we will refer you to one that is right.
Hospitals and health systems
Direct provider security is its own discipline with its own vendors. We work with the organisations around them.
Public-sector and defense primes
Clearance regimes and FAR/DFARS contracting are a separate practice. We refer.
Pre-product startups
Our engagements assume a system worth protecting. Before product-market fit, the security spend is rarely the right next dollar.
Cryptocurrency and on-chain protocols
Smart-contract auditing is a specialist field. We are not the right firm for it.
We respond within two business days. Scoping calls are obligation-free and run thirty minutes.
