Cyber Sentinel is a three-tier detection and response platform built for organisations running MikroTik infrastructure across distributed sites. Deterministic enforcement at the edge. AI-escalated correlation at the centre.
Tier 0: MikroTik firewall + auto-expiring address-lists. Where attacks are actually stopped. Stateless, fail-safe, zero latency penalty.
Tier 1: Anomaly and IOA scoring at critical sites. Pushes confirmed blocks down to Tier 0. Escalates high-confidence events upward.
Tier 2: Normalise → correlate → Swarm-of-Experts agents. LLM escalation reserved for the high-confidence 1% only.
The tiers never mix. Tier 0 never runs AI. Tier 2 never touches the wire directly. This separation is structural — not a policy.
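As an added illustration of the Tier 0 mechanism and of how a confirmed block from Tier 1 reaches it, not configuration from the Cyber Sentinel project: a RouterOS 7 firewall fragment using the staged address-list pattern MikroTik documents for brute-force login prevention, where every entry carries its own timeout. List names, port 22, the timeouts and the sample address are assumptions.

```routeros
# Added example, not the project's own config. Assumed names: "sentinel_block",
# the "ssh_stage*" lists, port 22 and the timeouts below. Rules run top-down, so
# place these after the usual established/related accept and any admin safe-list.
/ip firewall filter
# 1. Drop anything already listed, whether escalated locally (below) or pushed
#    down from Tier 1. Nothing here consults a remote service: if the upper
#    tiers are unreachable, the edge keeps enforcing what it already knows.
add chain=input src-address-list=sentinel_block action=drop \
    comment="Tier 0: drop blocks pushed from Tier 1 (entries expire on their own)"
add chain=input src-address-list=ssh_blacklist action=drop \
    comment="Tier 0: drop local brute-force offenders"
# 2. Staged escalation: a source opening a new SSH connection four times within
#    the stage windows lands in ssh_blacklist. Later stages are checked first.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# 3. A block confirmed upstream arrives as a single address-list entry with a
#    timeout. The filter rules never change; the entry is all Tier 1 writes, and
#    a stale or mistaken block removes itself. 192.0.2.10 is a documentation
#    address used here as a constructed sample.
/ip firewall address-list
add list=sentinel_block address=192.0.2.10 timeout=1h \
    comment="pushed by Tier 1 correlation"
```

Verify with `/ip firewall address-list print` that entries show a decreasing timeout; an entry without one would outlive the incident that created it.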
Indicators of Attack are detected before indicators of compromise appear. The Security Graph traverses lateral movement paths across the CMDB, linking entities by owner and criticality — not just IP address.
NetFlow v9/IPFIX + MikroTik syslog ingested directly via UDP listeners. Events normalised to a single Common Security Schema and published to Redis Streams for sub-second pipeline throughput.
FastAPI web dashboard over the ClickHouse event store. Drill-down tables, per-router ingest health, reverse DNS resolution, persistent IP aliases, and inline CMDB asset management.
Microsoft Graph collector pulls Intune, Entra ID, and Defender TVM data into the CMDB. Every finding carries an owner and criticality rating — enabling zero-trust policy enforcement per asset class.
I'm a software developer and systems architect based in South Africa, focused on practical, production-grade tooling for network security, operational monitoring, and infrastructure automation.
Cyber Sentinel grew out of a live incident response — detecting active brute-force campaigns across MikroTik routers at a large game reserve and building a platform that could respond faster than human operators could react. Everything here is deployed, running, and handling real traffic.
I build across the full stack: Python backends, React frontends, RouterOS scripting, Linux system services, and AI-integrated pipelines. The common thread is operational reliability over theoretical elegance.
A cross-section of production and active development work.
On-site SecOps platform for Welgevonden Game Reserve. Three-tier detection and response across 10+ MikroTik breakouts and ~500 endpoints. IOA-first detection engine, Security Graph for lateral movement, ClickHouse event store, and FastAPI dashboard. Systemd-managed on NerdHub.
Comprehensive firewall and brute-force defence framework for MikroTik routers. Born from a live incident: three active attack campaigns detected and blocked in real time. Deployed across 10+ RouterOS 7 devices.
AI-driven multi-server cyber defence platform using local LLM inference (Ollama). Read-only SSH forensics, prompt-injection-guarded analysis, operator-approved remediation plans. Currently handling a live mail-server incident.
Network Topology Studio — an IPv4 NAT-avoidance focused topology planner. Electron desktop app with Leaflet map, React Flow canvas, live MikroTik SSH pull, device credential vault, and XLSX export.
Live vehicle movement monitoring integrating the Cartrack Fleet API with ArcGIS spatial layers. Geofence triggers, heatmaps, alerting, and automated reports — built for in-house VM deployment at a game reserve.
Passive Aircraft Awareness Network for Welgevonden Game Reserve JOC. ADS-B / Mode S receiver-agnostic ingest (HackRF → FlightAware Pro Stick), SQLite event store, live web dashboard, and Raspberry Pi production target.
Self-hosted control plane for managing Python apps and Docker/Podman containers on AlmaLinux. REST API, web UI, heartbeat probes, port-conflict detection, GPU monitoring, and ntfy push notifications.
Whether you're running MikroTik infrastructure, dealing with an active incident, or scoping out a SecOps platform — reach out.