Cyber Sentinel is a three-tier detection and response platform built for organisations running MikroTik infrastructure across distributed sites. Deterministic enforcement and IOA detection are live today; AI-assisted correlation is on the roadmap.
Tier 0, edge enforcement: MikroTik firewall + auto-expiring address-lists. Where attacks are actually stopped. No state lives outside the router: if the upper tiers go down, existing entries keep enforcing and still expire on their own. Fail-safe, zero latency penalty.
Tier 1, edge ML: planned. Lightweight anomaly and IOA scoring at critical sites, gated on sufficient training data. It will push confirmed blocks down to Tier 0 and escalate high-confidence events upward. The deterministic IOA detection engine that anchors this tier is already live.
Tier 2, central AI: planned. A local, data-sovereign multi-agent analyst: normalise → correlate → Swarm-of-Experts agents, with LLM escalation reserved for the highest-confidence 1% of events. In design; runs on-prem, never in the cloud.
The tiers never mix. Tier 0 never runs AI. Tier 2 never touches the wire directly. This separation is structural — not a policy.
Indicators of Attack are detected before indicators of compromise appear. The Security Graph traverses lateral movement paths across the CMDB, linking entities by owner and criticality — not just IP address.
NetFlow v9/IPFIX and MikroTik syslog are ingested directly by UDP listeners. Events are normalised to a single Common Security Schema and published to Redis Streams, giving sub-second latency through the pipeline.
FastAPI web dashboard over the ClickHouse event store. Drill-down tables, per-router ingest health, reverse DNS resolution, persistent IP aliases, and inline CMDB asset management.
Microsoft Graph collector pulls Intune, Entra ID, and Defender TVM data into the CMDB. Every finding carries an owner and criticality rating — enabling zero-trust policy enforcement per asset class.
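As an added example, not Cyber Sentinel's own code: a minimal Security Graph walk of the kind the two cards above describe. It takes a constructed CMDB slice (the owner field and a 1..5 criticality scale are assumed shapes, not the project's schema) and constructed NetFlow-derived edges, walks outward from one compromised host over ports typically used for lateral movement, ranks everything it reaches by criticality, and lists the owners to notify rather than just the IPs. Asset names, addresses, the LATERAL_PORTS set and the criticality scale are all assumptions.

```python
"""Added example (not Cyber Sentinel's own code): a small Security Graph walk
from a compromised host to the high-criticality assets it can reach."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    owner: str
    criticality: int  # assumed CMDB scale: 1 (low) .. 5 (critical)


# Constructed CMDB slice; names, owners and ratings are made up for the example.
CMDB = {a.ip: a for a in [
    Asset("10.10.1.50", "guest-laptop-17", "Hospitality", 1),
    Asset("10.10.2.10", "jump01", "IT Ops", 3),
    Asset("10.10.3.5", "fs-finance", "Finance", 4),
    Asset("10.10.3.9", "dc01", "IT Ops", 5),
    Asset("10.10.4.20", "cctv-nvr", "Security", 4),
    Asset("10.10.5.1", "backup01", "IT Ops", 5),
]}

# Ports an attacker moves over; assumed set, tune to the estate.
LATERAL_PORTS = {22, 445, 3389, 5985, 8291}

# Constructed NetFlow-derived edges: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.10.1.50", "10.10.2.10", 22),
    ("10.10.1.50", "10.10.4.20", 80),    # web UI browse only, not a lateral port
    ("10.10.2.10", "10.10.3.5", 445),
    ("10.10.2.10", "10.10.3.9", 445),
    ("10.10.3.5", "10.10.5.1", 22),
    ("10.10.9.9", "10.10.3.9", 445),     # source unknown to the CMDB, dropped
]


def build_graph(flows, cmdb):
    """Directed adjacency over CMDB-known assets, keeping only lateral-movement ports."""
    g = defaultdict(set)
    for src, dst, port in flows:
        if src in cmdb and dst in cmdb and port in LATERAL_PORTS:
            g[src].add(dst)
    return g


def lateral_paths(g, start, cmdb, min_criticality=4):
    """BFS from `start`; return (asset, shortest path) for each reachable asset
    rated at or above min_criticality, most critical and closest first."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in g.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    results = []
    for node in parent:
        if node == start or cmdb[node].criticality < min_criticality:
            continue
        path, cur = [], node
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        results.append((cmdb[node], path[::-1]))
    results.sort(key=lambda r: (-r[0].criticality, len(r[1])))
    return results


def owners_to_notify(results):
    """Owners of every reachable asset: who the analyst calls, not just which IPs."""
    return sorted({asset.owner for asset, _ in results})


if __name__ == "__main__":
    reach = lateral_paths(build_graph(FLOWS, CMDB), "10.10.1.50", CMDB)
    for asset, path in reach:
        print(f"{asset.name:12} crit={asset.criticality} owner={asset.owner}: {' -> '.join(path)}")
    print("notify:", owners_to_notify(reach))
```

The point of filtering on CMDB membership is that a flow to or from an address the inventory does not know cannot be ranked or attributed; in practice that gap is itself a finding worth surfacing to the analyst rather than silently dropping.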
An IOA-first library of 40+ detection rules spanning the kill chain, mapped to MITRE ATT&CK. The highest-confidence rules drive deterministic Tier-0 enforcement; the rest surface for analyst review. Live today.
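As an added example, not code from the project: one Tier-0 path end to end, covering the auto-expiring address-lists, the syslog-to-common-schema normalisation and the IOA rule feeding deterministic enforcement described above. A MikroTik syslog payload becomes a common-schema event, a brute-force IOA rule (ATT&CK T1110) fires on a burst of failures, and the output is a RouterOS address-list entry with a timeout so it expires without any controller involvement. The sample lines are constructed in the "topics message" shape RouterOS remote logging sends; the list name sentinel-block, the 1h timeout, the 5-in-60s threshold and the 10.0.0.0/8 management allow-list are assumptions. The `timeout=` parameter of `/ip firewall address-list add` is real RouterOS syntax.

```python
"""Added example (not Cyber Sentinel's own code): MikroTik syslog ->
common-schema event -> brute-force IOA rule -> auto-expiring RouterOS block."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed input, not captured traffic. The UDP listener is assumed to stamp
# each datagram with receipt time and source router; the payload keeps the
# "topics message" shape RouterOS remote logging sends.
SAMPLE_SYSLOG = [
    (0.0, "gw-lodge", "system,error,critical login failure for user admin from 203.0.113.7 via ssh"),
    (1.5, "gw-lodge", "system,error,critical login failure for user root from 203.0.113.7 via ssh"),
    (2.0, "gw-lodge", "system,info,account user admin logged in from 10.0.5.2 via winbox"),
    (3.1, "gw-lodge", "system,error,critical login failure for user admin from 198.51.100.9 via api"),
    (4.0, "gw-lodge", "system,error,critical login failure for user pi from 203.0.113.7 via ssh"),
    (5.2, "gw-lodge", "system,error,critical login failure for user admin from 203.0.113.7 via ssh"),
    (6.0, "gw-lodge", "system,error,critical login failure for user test from 203.0.113.7 via ssh"),
    # Same burst from the management range: detected, but never auto-blocked.
    *[(7.0 + i, "gw-lodge", "system,error,critical login failure for user admin from 10.0.5.2 via ssh")
      for i in range(5)],
]

LOGIN_FAIL = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>[0-9.]+) via (?P<svc>\w+)"
)
# Assumption: management range that must never be auto-blocked.
ALLOWLIST = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Event:
    """Minimal common schema: every source is mapped here before any rule runs."""
    ts: float
    router: str
    action: str      # e.g. "auth_failure"
    src_ip: str
    user: str
    service: str
    technique: str   # MITRE ATT&CK technique ID


def normalise(ts: float, router: str, line: str) -> Optional[Event]:
    """Map one raw syslog payload to an Event, or None if no rule cares about it."""
    m = LOGIN_FAIL.search(line)
    if m is None:
        return None
    ip_address(m["src"])  # raises on anything that is not a literal IP address
    return Event(ts, router, "auth_failure", m["src"], m["user"], m["svc"], "T1110")


@dataclass(frozen=True)
class Verdict:
    src_ip: str
    technique: str
    service: str
    count: int


class BruteForceRule:
    """IOA: at least `threshold` auth failures from one source inside a sliding window."""

    def __init__(self, threshold: int = 5, window_s: float = 60.0) -> None:
        self.threshold = threshold
        self.window_s = window_s
        self._hits = defaultdict(deque)  # src_ip -> timestamps inside the window

    def feed(self, ev: Event) -> Optional[Verdict]:
        if ev.action != "auth_failure":
            return None
        q = self._hits[ev.src_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()  # one verdict per burst, not one per extra failure
        return Verdict(ev.src_ip, ev.technique, ev.service, self.threshold)


def routeros_block(v: Verdict, list_name: str = "sentinel-block",
                   timeout: str = "1h") -> Optional[str]:
    """RouterOS command for a Tier-0 block. timeout= makes the router delete the
    entry itself, so a dead controller can never leave a permanent block behind."""
    ip = ip_address(v.src_ip)
    if any(ip in net for net in ALLOWLIST):
        return None
    return (f"/ip firewall address-list add list={list_name} address={ip} "
            f'timeout={timeout} comment="{v.technique} {v.count}x auth failure via {v.service}"')


def run_pipeline(records, rule: Optional[BruteForceRule] = None) -> list:
    """Feed (ts, router, payload) records through normalise -> rule -> enforcement."""
    rule = rule or BruteForceRule()
    commands = []
    for ts, router, line in records:
        ev = normalise(ts, router, line)
        if ev is None:
            continue
        verdict = rule.feed(ev)
        if verdict is not None:
            cmd = routeros_block(verdict)
            if cmd is not None:
                commands.append(cmd)
    return commands


if __name__ == "__main__":
    for cmd in run_pipeline(SAMPLE_SYSLOG):
        print(cmd)
```

The list only bites if the router already has a drop rule keyed on it, for example `/ip firewall filter add chain=input src-address-list=sentinel-block action=drop` placed above the rules that accept management traffic. The allow-list check sits on the enforcement side on purpose: the rule still records the management-range burst for analyst review, but a mis-tuned threshold can never lock operators out of their own routers.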
I'm a software developer and systems architect based in South Africa, focused on practical, production-grade tooling for network security, operational monitoring, and infrastructure automation.
Cyber Sentinel grew out of a live incident response — detecting active brute-force campaigns across MikroTik routers at a large game reserve and building a platform that could respond faster than human operators could react. The core platform — edge enforcement and the deterministic detection engine — is deployed, running, and handling real traffic; the AI tiers are on the roadmap.
I build across the full stack: Python backends, React frontends, RouterOS scripting, Linux system services, and AI-integrated pipelines. The common thread is operational reliability over theoretical elegance.
A cross-section of production and active development work.
On-site, data-sovereign SecOps platform for Welgevonden Game Reserve. Tier-0 edge enforcement and a deterministic IOA detection engine are live across 10+ MikroTik breakouts and ~500 endpoints; the edge-ML and central AI tiers are on the roadmap. Security Graph for lateral movement, ClickHouse event store, and FastAPI dashboard. Systemd-managed.
Comprehensive firewall and brute-force defence framework for MikroTik routers. Born from a live incident: three active attack campaigns detected and blocked in real time. Deployed across 10+ RouterOS 7 devices.
AI-driven multi-server cyber defence platform using local LLM inference (Ollama). Read-only SSH forensics, prompt-injection-guarded analysis, operator-approved remediation plans. Built and hardened during a live mail-server incident.
Network Topology Studio — an IPv4 topology planner focused on NAT avoidance. Electron desktop app with Leaflet map, React Flow canvas, live MikroTik SSH pull, device credential vault, and XLSX export.
Live vehicle movement monitoring integrating the Cartrack Fleet API with ArcGIS spatial layers. Geofence triggers, heatmaps, alerting, and automated reports — built for in-house VM deployment at a game reserve.
Passive Aircraft Awareness Network for Welgevonden Game Reserve JOC. ADS-B / Mode S receiver-agnostic ingest (HackRF → FlightAware Pro Stick), SQLite event store, live web dashboard, and Raspberry Pi production target.
Self-hosted control plane for managing Python apps and Docker/Podman containers on AlmaLinux. REST API, web UI, heartbeat probes, port-conflict detection, GPU monitoring, and ntfy push notifications.
Whether you're running MikroTik infrastructure, dealing with an active incident, or scoping out a SecOps platform — reach out.