About

I work the defensive side, then turn the repetitive parts into tools.

I'm Bartosz Reślinski, a junior SOC analyst based near Poznań. Most of my time goes into blue team work: writing Sigma rules, triaging alerts, and running a self-hosted SOC lab to practice detection engineering on real telemetry instead of slides.

ShieldEye is where that work compounds. When a task keeps coming back - mapping an attack surface, grepping source for obvious bugs, checking a site's TLS and headers against a compliance baseline - I build a tool for it and open-source it. Four tools so far, each covering a different layer.

On the offensive side I keep the attacker perspective current through TryHackMe (top 1% globally, #1 in Poland as of April 2026) and bug bounty on HackerOne and Intigriti. That view feeds straight back into how the defensive tools are designed and what they prioritize catching.

How I work

Four things that shape every tool I ship.

Local-first by default

Tools run on the machine, not in someone else's cloud. NeuralScan does AI inference locally via Hugging Face Transformers; nothing leaves the host unless there is a clear reason for it to. Bug bounty work goes through mitmproxy on my own box, not third-party intercept services.

Conservative, authorized scanning

Scanners default to passive sources (crt.sh, SecurityTrails, CIRCL) and bounded active checks with SSRF guards, depth caps and rate limits. Every tool ships an authorized-use-only stance documented in the README. No 'just point it at anything' defaults.

Honest scope

Each tool says what it is not. A heuristic scanner isn't a full audit, a recon mapper isn't a DAST, a compliance check isn't certification. Overselling a security tool is how people get burned and how the industry earns its bad reputation.

Minimal dependencies

Fewer moving parts, fewer supply-chain surfaces. Native GTK4 over heavy web stacks where a desktop tool fits better. Vendored what I can, pinned what I can't. After the Atomic Arch AUR campaign in June 2026, this stopped being a preference and became a requirement.

SOC lab

A real lab, not a tutorial environment.

Everything I test runs on hardware under my desk: a KVM/QEMU virtualization host with a Wazuh SIEM all-in-one VM, Windows endpoints shipping Sysmon telemetry into the Wazuh indexer, and a Kali box for adversary emulation. Detections get written, tuned and validated here before they're worth talking about publicly.

Hypervisor: KVM / QEMU on libvirt (qemu:///system)
SIEM: Wazuh 4.11.x, all-in-one VM
Telemetry: Sysmon + Wazuh Indexer
Offensive box: Kali Linux VM for adversary emulation
Host: Arch Linux, i5-9600KF / RTX 2060 / 16 GB

Tech stack

What I build and defend with.

Languages

Python first, with Bash and TypeScript where they fit

  • Python
  • Bash
  • TypeScript
  • Node.js

Blue team / security

Day-to-day detection and analysis stack

  • Wazuh SIEM
  • Sysmon
  • Nmap
  • mitmproxy
  • Sigma

Backend & data

Services and storage behind the tools

  • FastAPI
  • PostgreSQL
  • Redis
  • MinIO
  • SQLite

Frontend

Native desktop and web

  • GTK4 / PyGObject
  • Astro
  • React / Next.js

Infra & virtualization

Where everything runs

  • Docker Compose
  • KVM / QEMU
  • libvirt
  • Arch Linux

Local LLM

On-device inference, tuned for a 6 GB GPU

  • Ollama
  • HF Transformers
  • Qwen3
  • StarCoder2
  • Mixtral