Karakor
Practice area

A practice for organisations that are large enough that a serious incident is a board-level event, and small enough that there is no security organisation — only one or two competent practitioners already wearing three other hats.

Why this practice

The frameworks are not the work. The work is what they structure.

NIST CSF, ISO 27001, SOC 2 — useful structure for the conversation, but none of them are the answer to it. A firm with the right certifications and the wrong operating discipline fails during a real incident in the same way a firm with no certifications and the wrong discipline does. The audit and the rehearsal are different.

The pressure on the mid-market is from two directions at once. Enterprise customers send security questionnaires that read like the ones their own CISOs face. Cyber insurers index premiums tightly against documented controls. Regulators publish guidance on a quickening cadence. The cost of operating without a written posture is no longer theoretical — it shows up as a deal lost in diligence, a premium that absorbs the budget that would have funded the controls in the first place, or a senior practitioner who quietly leaves.

The work of this practice is to close the gap between the posture a firm has and the posture a firm needs, in writing, against a threat model written for the firm — not for a generic enterprise IT department. Without buying tooling the firm does not need. Without inheriting a managed-service relationship that does not end.

What an engagement looks like

Two to four weeks. One written report.

A scoped assessment ends with a report a senior engineer at the client can act on. Implementation engagements that follow an assessment are scoped separately, in writing, after the findings land.

Phase i: Week 0

Scope

A scoping call with the VP of engineering, head of IT, or principal commissioning the work. Out of that call: a written scope — in, out, definition of done — and a fixed fee.

Deliverable: Signed scope document

Phase ii: Weeks 1–3

Assess

Structured review of the environment against NIST CSF, calibrated to the client's threat model. Identity, access, network posture, data handling, vendor exposure, incident readiness. We tell you what is wrong and how an attacker would exploit it.

Deliverable: Findings ranked by exploitability

Phase iii: Week 4

Report

A written report — usually thirty to sixty pages — with a remediation roadmap the in-house team can run with. A working session with the engineering or IT lead to walk through priorities and agree what is next.

Deliverable: Written report and remediation roadmap

Capabilities

Six capability areas, scoped together or independently.

01

Security assessment

Two-to-four-week scoped review of identity, access, network posture, and data handling. Output is a written report with prioritised findings, not a slide deck.

02

System hardening

Hands-on configuration changes, attack-surface reduction, and follow-through after an assessment. Implementation, not advice alone.

03

Secure architecture review

Threat modelling, trust-boundary analysis, and cryptography review on systems before they hit production.

04

Vendor & third-party risk

DPA review, sub-processor mapping, and questionnaires calibrated to the data each vendor actually touches — not the standard 200-question matrix.

05

Incident readiness

Scenario-driven tabletops, detection coverage gap analysis, and communications playbook review. Decided before, not during.

06

Live incident response

Active response to incidents in progress — forensics, containment, communications. Retainer required; we do not chase incidents we have not scoped.

What we will not do

Saying no is part of the deliverable.

Three engagements we have declined, and would decline again.

  • We will not run a checkbox audit.

    If the goal is a slide deck that satisfies a board or a procurement team without actually finding what is wrong, we say no. The report is for the engineer who has to fix things, not for the meeting.

  • We will not become a managed-service provider on retainer.

    Karakor delivers scoped engagements that end. If the work needs a perpetual outside team to run, we say so before the engagement begins and refer you to a firm that does that work.

  • We will not respond to incidents we did not scope.

    Live response is on retainer only. The first day of an incident is the wrong day to learn a client's architecture. Without prior scoping, we cannot deliver work that matters under pressure.

Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.