Karakor
Practice area

A practice for law firms whose worst case is not downtime — it is privileged material in the wrong hands. Karakor advises partners and firm administrators on the technology decisions that decide that outcome, in the same conversation.

Why this practice

Law firms hold material that is privileged by definition. The conventional enterprise security stack was not built for that threat model.

The frameworks most large vendors index against — perimeter defence, generic identity, compliance-driven controls — assume that the worst case is regulatory exposure or downtime. For a firm, the worst case is a partner explaining to a client why privileged work product was accessible to a third-party model vendor, or to a paralegal on the wrong matter, or to a former employee with credentials that were never rotated.

The pressure is also coming from the other direction. Enterprise clients increasingly send their outside counsel security questionnaires that read like the ones their own CISOs face. ABA Model Rule 1.6 has been interpreted, in practice, to require competence with the technology a firm uses to handle client material. State bars are publishing opinions. Cyber insurers are tightening underwriting questions. None of this is going to reverse.

The work of this practice is to close the gap between the security posture a firm has — usually inherited from a managed service provider whose framing was generic — and the posture the firm needs. Without buying tooling the firm does not need. Without inheriting a vendor relationship the firm did not ask for. And in writing, so the next partner who asks the question has an answer.

What an engagement looks like

A typical assessment runs four to five weeks.

Three phases, written deliverables at each handoff, no surprises on the timeline. Larger or compliance-driven engagements run longer; we scope them that way in writing before we start.

Phase i: Week 0

Scope

A thirty-minute scoping call with the partner or administrator commissioning the work. Out of that call: a written scope — in, out, definition of done — signed before any clock starts.

Deliverable: Signed scope document

Phase ii: Weeks 1 – 4

Assess

Quiet, structured review of the firm's current posture against the threat model written for firms — identity, document handling, retention, third-party exposure, AI and external services, incident readiness.

Deliverable: Written findings with severity rankings

Phase iii: Week 5

Hand off

A working session with the firm's partners and operators to walk through findings, agree priorities, and decide what the firm wants to remediate in-house versus what Karakor implements in a follow-on engagement.

Deliverable: Prioritised remediation roadmap

Capabilities

Five capability areas, scoped together or independently.

What we will not do

Saying no is part of the deliverable.

Three engagements we have declined, and would decline again.

  • We will not deliver compliance theatre.

    If the scope asks for a report that satisfies an auditor without actually improving posture, we say no. The deliverable is work that holds up six months after we hand it over, not a check-box satisfied on a Friday afternoon.

  • We will not recommend a vendor we cannot defend.

    Every tool we suggest comes with a written security review against the firm's threat model. If we cannot defend the choice on its security posture — not on its marketing — it does not appear in the recommendation.

  • We will not implement technology a partner cannot operate.

    Every deployment ends with a runbook a senior person at the firm can run unattended. If the work would require Karakor to remain on retainer to keep the firm operating, we say so before the engagement begins.

Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.