On-Site SecOps Platform

Machine-speed defence for enterprise networks

Cyber Sentinel is a three-tier detection and response platform built for organisations running MikroTik infrastructure across distributed sites. Deterministic enforcement and IOA detection are live today; AI-assisted correlation is on the roadmap.

Live deployment: 10+ MikroTik breakouts, ~500 endpoints, data-sovereign on-prem, IOA-first detection.
Tier 0 — Inline: Deterministic Enforcement (Live · µs – ms · No AI)

MikroTik firewall + auto-expiring address-lists. Where attacks are actually stopped. Stateless, fail-safe, zero latency penalty.

Tier 1 — Edge Swarm: Lightweight ML Scoring (Roadmap · ms – ~1 s · Small ML)

Planned — lightweight anomaly and IOA scoring at critical sites, gated on sufficient training data; it will push confirmed blocks down to Tier 0 and escalate high-confidence events upward. The deterministic IOA detection engine that anchors this tier is already live.

Tier 2 — Central Reasoning: AI Correlation Engine (Roadmap · Seconds · Swarm-of-Experts)

Planned — a local, data-sovereign multi-agent analyst: normalise → correlate → Swarm-of-Experts agents, with LLM escalation reserved for the high-confidence 1%. In design; runs on-prem, never the cloud.

10+ MikroTik breakouts monitored · ~500 endpoints protected · 3 detection & response tiers · 24h auto-expiring block duration
The Platform

Built around the three-tier invariant

The tiers never mix. Tier 0 never runs AI. Tier 2 never touches the wire directly. This separation is structural — not a policy.

IOA-First Detection

Indicators of Attack are detected before indicators of compromise appear. The Security Graph traverses lateral movement paths across the CMDB, linking entities by owner and criticality — not just IP address.

IOA Engine Security Graph CMDB
Real-Time Ingest

NetFlow v9/IPFIX + MikroTik syslog ingested directly via UDP listeners. Events normalised to a single Common Security Schema and published to Redis Streams for sub-second pipeline throughput.

IPFIX Syslog CEF Redis Streams ClickHouse
Operational Dashboard

FastAPI web dashboard over the ClickHouse event store. Drill-down tables, per-router ingest health, reverse DNS resolution, persistent IP aliases, and inline CMDB asset management.

FastAPI ClickHouse Live Ingest Health
Identity & Asset Integration

Microsoft Graph collector pulls Intune, Entra ID, and Defender TVM data into the CMDB. Every finding carries an owner and criticality rating — enabling zero-trust policy enforcement per asset class.

MS Graph Intune Entra ID Zero-Trust

Detection Coverage

The IOA detection library

An IOA-first library of 40+ detection rules spanning the kill chain, mapped to MITRE ATT&CK. The highest-confidence rules drive deterministic Tier-0 enforcement; the rest surface for analyst review. Live today.

Network & flow
IOA-001 Zero-trust peer-policy breach
IOA-002 First-ever connection (lateral movement)
IOA-003 Brute-force / password-spray burst
IOA-004 Watched-user credential replay
IOA-005 Insecure management access
IOA-006 SOCKS proxy activity
IOA-007 Supply-chain management access
IOA-008 IPsec / IKE phase-1 failure burst
IOA-009 Per-class behavioural deviation
IOA-010 Trusted-source anomaly
Identity & Entra ITDR
IOA-012 Entra sign-in anomaly (burst / spray)
IOA-013 Identity ↔ network correlation
IOA-014 Suspicious sign-in success
IOA-015 AD privilege drift & posture
IOA-019 UEBA sign-in & device behaviour
IOA-031 MFA-method tampering
IOA-032 Illicit OAuth consent grant
IOA-033 Conditional-Access policy drift
IOA-034 Authentication-strength drift
IOA-035 Credential-spray burst
Vulnerability & attack surface
IOA-016 RouterOS version → CVE
IOA-017 RouterOS attack surface & service CVE
IOA-018a IoT / CCTV / VoIP / printer CVE
IOA-018b Linux, container & Windows endpoint CVE
Exfil, beaconing & DNS
IOA-023 Data-critical asset egress
IOA-024 Beaconing / periodic C2
IOA-025 DNS domain beaconing
IOA-026 DGA-domain resolution
IOA-027 DNS exfiltration
IOA-029 Camera / NVR egress to unlisted peer
Endpoint & ingest
IOA-021 Credential found in breach corpus
IOA-022 Endpoint posture & suspicious execution
IOA-028 Suricata IDS signature match
IOA-D1 Microsoft Defender alert ingest
Correlation & self-monitoring
IOA-C4 Multi-rule correlation
IOA-C6 RouterOS config drift
IOA-020 Cross-domain entity correlation
WATCHDOG Platform self-monitoring (001–004)

About

Systems built close to the problem

I'm a software developer and systems architect based in South Africa, focused on practical, production-grade tooling for network security, operational monitoring, and infrastructure automation.

Cyber Sentinel grew out of a live incident response — detecting active brute-force campaigns across MikroTik routers at a large game reserve and building a platform that could respond faster than human operators could react. The core platform — edge enforcement and the deterministic detection engine — is deployed, running, and handling real traffic; the AI tiers are on the roadmap.

I build across the full stack: Python backends, React frontends, RouterOS scripting, Linux system services, and AI-integrated pipelines. The common thread is operational reliability over theoretical elegance.

Python / FastAPI
MikroTik / RouterOS
ClickHouse / Redis
React / TypeScript
Docker / Podman
Linux / systemd
MS Graph / Entra
PostgreSQL / PostGIS
NetFlow / IPFIX
Electron / Node
LLM / AI Pipelines
ADS-B / RF

Projects

What else is running

A cross-section of production and active development work.

Smart MikroTik Cyber Defence (Active)

Comprehensive firewall and brute-force defence framework for MikroTik routers. Born from a live incident: three active attack campaigns detected and blocked in real time. Deployed across 10+ RouterOS 7 devices.

RouterOS GeoIP Brute-Force Threat Feeds
Server Security System (Active)

AI-driven multi-server cyber defence platform using local LLM inference (Ollama). Read-only SSH forensics, prompt-injection-guarded analysis, operator-approved remediation plans. Built and hardened during a live mail-server incident.

FastAPI Ollama React SSH PostgreSQL
NetTopo Studio (In Dev)

Network Topology Studio — an IPv4 NAT-avoidance focused topology planner. Electron desktop app with Leaflet map, React Flow canvas, live MikroTik SSH pull, device credential vault, and XLSX export.

Electron React Leaflet SQLite MikroTik SSH
Wildlife Fleet Monitoring (In Dev)

Live vehicle movement monitoring integrating the Cartrack Fleet API with ArcGIS spatial layers. Geofence triggers, heatmaps, alerting, and automated reports — built for in-house VM deployment at a game reserve.

FastAPI PostGIS Leaflet Cartrack API ArcGIS
Aircraft Identification (PAAN) (Pilot)

Passive Aircraft Awareness Network for Welgevonden Game Reserve JOC. ADS-B / Mode S receiver-agnostic ingest (HackRF → FlightAware Pro Stick), SQLite event store, live web dashboard, and Raspberry Pi production target.

ADS-B HackRF Raspberry Pi SQLite Python
NerdHub (Active)

Self-hosted control plane for managing Python apps and Docker/Podman containers on AlmaLinux. REST API, web UI, heartbeat probes, port-conflict detection, GPU monitoring, and ntfy push notifications.

Python FastAPI Podman AlmaLinux systemd

Contact

Let's talk about your network

Whether you're running MikroTik infrastructure, dealing with an active incident, or scoping out a SecOps platform — reach out.

dev@cyber-sentinel.net