Karakor runs three practices side by side — cybersecurity, software engineering, and private AI — because the work that matters in each one assumes the threat model of the others. Software we build assumes adversaries from the first commit. Security assessments are written by engineers who would have to fix the findings themselves. Private AI infrastructure is designed for organisations whose data cannot leave their boundary. None of this works as separate engagements.
Every engagement begins with a written scope: what is in, what is out, what we will deliver, what success looks like. The scope is signed by the partner or principal commissioning the work before any clock starts. We will not begin work on anything that does not appear in that document — and we will tell you, clearly, when you have asked for the wrong engagement.
We turn down work that does not fit the practice. Usually because the scope is undefined; sometimes because the request would require us to operate outside our competence. Saying no is part of the deliverable.
Legal Technology & Security
Most enterprise security postures assume a threat model where the worst outcome is downtime or regulatory fines. Law firms have a different worst case: privileged material in the wrong hands, in writing, on cross-examination. The technology choices a firm makes — DMS configuration, AI tooling, retention defaults, who is on the matter team — are security decisions before they are productivity decisions. We work with firms on those decisions in the same conversation, not as separate engagements.
Secure infrastructure assessment
Identity, network, endpoint, and cloud posture reviewed against a threat model written for firms — not for enterprise IT.
Document architecture & governance
DMS configuration, retention defaults, ethical-wall enforcement, and audit-trail design. The boring decisions that decide privilege exposure.
Private AI for legal practice
On-premises model deployment and retrieval architecture for firms that cannot upload privileged material. Includes Tulgra design-partner onboarding.
Practice management modernisation
Vendor evaluation, migration sequencing, and the discipline to decide what to leave alone — for time, billing, conflicts, and matter management.
Litigation support tooling
Review-platform configuration, chain-of-custody handling, and discovery-workflow security review.
Cybersecurity
A typical engagement is a two-to-four-week scoped assessment that ends in a written report — usually thirty to sixty pages — with findings ranked by exploitability and a remediation roadmap your engineering team can run with. We tell you what is wrong, how an attacker would actually exploit it, what to fix first, and what to leave alone. Frameworks like NIST CSF are how we structure the work. They are not the deliverable.
Security assessment
Two-to-four-week scoped review of identity, access, network posture, and data handling. Output is a written report with prioritised findings, not a slide deck.
System hardening
Hands-on configuration changes, attack-surface reduction, and follow-through after an assessment. Implementation, not advice alone.
Secure architecture review
Threat modelling, trust-boundary analysis, and cryptography review on systems before they hit production.
Vendor & third-party risk
DPA review, sub-processor mapping, and questionnaires calibrated to the data each vendor actually touches — not the standard 200-question matrix.
Incident readiness
Scenario-driven tabletops, detection coverage gap analysis, and communications playbook review. Decided before, not during.
Live incident response
Active response to incidents in progress — forensics, containment, communications. Retainer required; we do not chase incidents we have not scoped.
Software & Private AI
We build greenfield software end-to-end. Three-to-six-month engagements, deliverables shipped to production, code your engineers can read and own once we are gone. The work is opinionated about security because the cybersecurity practice runs alongside it — identity, secrets, audit, and trust boundaries are first-class concerns from the first commit. Tulgra is the proof that we can ship under those constraints.
Greenfield software builds
Three-to-six-month engagements building software end-to-end. We ship to production, document the architecture, and hand off code your team can extend.
Architecture & design review
Threat modelling, design-document review, and reference architectures your engineers can act on without an interpreter.
Private AI infrastructure
On-premises and offline-first LLM deployment. Model selection, hardware sizing, data-flow analysis, and runbooks an in-house operator can run unattended.
Retrieval & AI tooling
Retrieval-augmented systems that keep your data inside your boundary. Document indexing, matter-aware query patterns, and review workflows.
AI policy & governance
Acceptable-use policy, data retention, and review processes for organisations deploying AI in regulated contexts. Drafted in writing, not by reference.
Migration & modernisation
Legacy-system assessment, vendor shortlists, and sequencing plans for organisations modernising operational software.
We respond within two business days. Scoping calls are obligation-free and run thirty minutes.
