Final-year Computing Systems student passionate about building privacy-first, secure systems. I combine engineering rigour with a security-first mindset — and always document the why behind every decision, not just the what.
// building the future, one commit at a time
ML-powered network security monitor for Raspberry Pi. Zeek for deep packet inspection + River ML for online anomaly detection, with an educational dashboard explaining every alert.
Full-stack cyber threat intelligence platform. Tracks dark web data breaches, maps global cyber-attacks with geo-visualisation, and monitors compromised assets via automated alert pipelines.
// completed projects with measurable outcomes
Production marketplace connecting users with verified local tradespeople — plumbers, electricians, and more. Stripe payments, Google Maps, full AWS CI/CD.
End-to-end formal security audit: PCI DSS, GDPR, SOC compliance with Python risk tooling and network topology analysis.
ICMP flood incident post-mortem using all five NIST CSF functions. Firewall ACL ruleset designed to block spoofed floods.
Systematic Linux permission audit and remediation using chmod, chown, and access control principles across a multi-user environment.
// impact, credibility, and production mindset beyond generic portfolio claims
| Project | Metric | Outcome |
|---|---|---|
| IoTSentinel | Detection quality | 84% anomaly detection accuracy across 180+ tests |
| IoTSentinel | Noise reduction | 32% false-positive reduction vs static rules |
| Local Services Directory | Deployment reliability | Zero-downtime AWS deploy flow gated by automated tests |
| BreachLens | Analyst visibility | 50+ OSINT sources unified into one triage workflow |
Problem: Consumer IoT traffic shifts fast, making static IDS rules noisy and stale.
Constraint: Low RAM/CPU hardware, privacy-first deployment, no cloud offload.
Decision: Half-Space Trees + adaptive thresholds + on-device processing only.
Result: 24/7 flow monitoring with fewer false alarms and explainable alerts.
Problem: Threat telemetry scattered across feeds slows response and prioritization.
Constraint: Inconsistent breach schemas and high-volume API traffic.
Decision: MongoDB flexible schema + zero-trust API + Redis rate limiting.
Result: Faster triage context via unified breach + geo-attack visibility.
Interactive attack replays where visitors can inspect packet-flow timelines, model decisions, and mitigation outcomes in plain English.
| Project | Next upgrade |
|---|---|
| IoTSentinel | Adversarial robustness tests + model drift auto-retraining guardrails. |
| BreachLens | Graph-based entity resolution for multi-source breach correlation. |
| Local Services | Policy-as-code for security controls in CI/CD promotion gates. |
// how I build scalable, secure architectures from first principles
| Decision | Why it matters |
|---|---|
| Dynamic baseline | Home traffic has no fixed distribution, so batch models go stale quickly. |
| Half-Space Trees | Per-sample updates with O(1) memory avoid expensive retraining windows. |
| Adaptive thresholds | No labeled attack set required, enabling unsupervised deployment. |
| Decision | Security impact |
|---|---|
| Passive Zeek tap mode | Traffic is observed only, avoiding packet modification and MITM risk. |
| On-device processing | No network data leaves the Pi, preserving privacy and reducing exposure. |
| Explainable alerts | SHAP-style attribution makes each alert auditable and understandable. |
| Optimization | Resource benefit |
|---|---|
| Async extraction pipeline | Non-blocking processing supports continuous 24/7 ingestion. |
| SQLite + WAL | No daemon overhead and safer write behavior for SD-card storage. |
| SSE for live dashboard | Lower CPU and RAM overhead than WebSocket keepalive traffic. |
| Zeek log rotation (100MB) | Prevents disk exhaustion on constrained local storage. |
// what separates security thinking from regular engineering
I design systems assuming breach by default. The question is never "will we be attacked?" — it's "what is the blast radius when we are?" Every architectural decision I make is shaped by this adversarial lens.
Good security is also understandable security. A perfectly hardened system that nobody knows how to operate is a liability. I document the "why" behind every control so anyone can reason about trust boundaries — that's why IoTSentinel explains its alerts in plain English rather than raw anomaly scores.
Privacy is a first-class architectural constraint — not a feature bolted on at launch. I apply data minimisation from the first API endpoint, because retrofitting privacy is 10x harder than designing it in.
// from curiosity to production-grade security engineering
// 35+ technologies across security, backend, frontend & DevOps
// the person behind the terminal
I'm Ritik Sah — a final-year BSc (Hons) Computing Systems student in London, with a deep focus on cybersecurity. My core strengths are problem-solving, analytical thinking, and technical adaptability.
Whether it's tracing how an ICMP flood propagates through a network, designing a threat model for an API, or optimising a streaming ML pipeline for constrained hardware — I approach every challenge with structured, first-principles thinking.
I believe the best security engineers are also great communicators. Every project I build is documented to explain the "why" — so non-technical stakeholders can understand trust boundaries and make informed decisions. IoTSentinel's plain-English alert explanations are a direct expression of this belief.
Open to internships, placement years, and graduate roles in cybersecurity engineering. If you need someone who can design secure systems and explain the tradeoffs clearly, let's talk.