[ SENIOR CYBER SECURITY ENGINEER ]

Michael Nancarrow

Enterprise-scale Cyber Security, Identity, and Network Controls practitioner. Designing and operating security programs across multi-cloud environments — implementing AI-assisted tooling for accelerated threat response, containment, and compliance. Designer of BurnerChat.

8,500 Users
9,000+ Endpoints
Multi-Cloud Infrastructure
300+ Locations
[ ABOUT ]

About Me

Senior Cyber Security Engineer with over a decade of progressive experience across zero trust architecture, endpoint detection and response, and identity and access management. Currently securing the technology estate at Eagers Automotive (ASX: APE), one of Australia's largest automotive dealer groups — operating at scale across 8,500 users, 9,000+ endpoints, and 300+ locations.

I design and build security tooling alongside enterprise responsibilities — from sanctioned breach simulation platforms to cryptographic messaging applications — with a preference for minimal, auditable implementations over feature-rich complexity. BurnerChat is my flagship project: a single-binary, zero-infrastructure, end-to-end encrypted messaging tool engineered in Go.

Operator of hardened multi-OS environments across CachyOS, macOS, and Qubes OS. Advocate for data sovereignty, local-first AI, and privacy by design.

Location
Brisbane, Queensland, Australia
Current role
Senior Cyber Security Engineer · Eagers Automotive (APE)
Focus areas
Zero Trust · EDR/XDR · IAM · Network Security · AI Infrastructure
Featured project
BurnerChat v1.0.1 — end-to-end encrypted ephemeral messaging
Operating environments
CachyOS · macOS · Qubes OS
[ FEATURED PROJECT ]

BurnerChat E2E ENCRYPTED

v1.0.1 · Go 1.22 · macOS 11+ · Linux · Private

A self-contained cryptographic messaging platform engineered for operational environments where transport-layer trust cannot be assumed. Messages are encoded as authenticated, channel-agnostic tokens via memory-hard key derivation and AEAD encryption, then decoded exclusively on the recipient's device. The architecture eliminates all centralised infrastructure dependencies by design: no relay, no registration, no telemetry surface.

Operational Independence
Operates entirely on-device with no server registration, no centralised relay, and no analytics pipeline. The threat model makes no trust assumptions about transport infrastructure or third-party service availability.
Authenticated Encryption
Argon2id key derivation with ChaCha20-Poly1305 AEAD and ISO/IEC 7816-4 compliant padding. Ciphertext length normalisation into 256-byte boundary clusters defeats length-based traffic correlation.
Tor v3 Hidden-Service Transport
Integrated Tor v3 onion hidden-service providing peer-to-peer token delivery without a third-party relay. In-memory ring-buffer design ensures zero ciphertext persistence beyond the active session.
Secure File Transfer
Integrated CryptShare v2 pipeline: automated PII detection, metadata sanitisation, double-layered encryption (Argon2id, ChaCha20-Poly1305, AES-256-GCM). Plaintext shredded immediately post-encryption. Three delivery channels: direct download, Tor mailbox, or single-use TorShare v3 onion link.
Scriptable CLI
Exposes the full encode and decode pipeline via burnerchatcli for integration into scripted security workflows and automation pipelines. Identical key derivation and wire format to the GUI, with no interactive dependencies.
Authenticated Local Interface
Embedded HTML/CSS UI served on a randomly bound loopback port with mandatory per-session authentication tokens. Unauthenticated local callers rejected at the HTTP layer. Native system tray integration via CGO on Linux and macOS.
Go 1.22 · Argon2id · ChaCha20-Poly1305 · AES-256-GCM · bbolt · Tor v3 · Python / CryptShare · BLAKE3 · CGO / GTK3 · Ayatana AppIndicator
[ FEATURED PROJECT ]

Platform Hardening Suite

macOS 11+ · CachyOS / Arch · Bash · Python · Private

Automated security baseline enforcement and privacy hardening across macOS and CachyOS/Arch Linux. A dual-platform suite applying OS-level controls, kernel parameter tuning, application firewall policy, and continuous compliance drift detection — engineered for high-assurance workstation environments where configuration integrity is operationally critical.

macOS System Controls
Applies native macOS security primitives (csrutil, spctl, socketfilterfw, defaults) for System Integrity Protection management, Gatekeeper policy enforcement, kernel extension control, and application firewall configuration.
Telemetry Suppression
Targeted suppression of OS-level telemetry, diagnostic reporting, and phone-home behaviour on macOS. Per-application privacy permission hardening, analytics opt-out enforcement, and managed preference deployment.
CachyOS Hardening Daemon
Persistent systemd service providing kernel parameter hardening via sysctl, service attack surface reduction, filesystem permission enforcement, and mount option hardening across CachyOS and Arch Linux installations.
Network and Firewall Controls
Outbound connection filtering and application-layer firewall policy management across both platforms. macOS socketfilterfw integration and Linux nftables/netfilter rule authoring with structured policy auditing.
Firewall Leak Testing
Structured validation suite for macOS firewall efficacy, DNS leak posture, and outbound traffic containment under standard and adversarial conditions. Provides regression coverage for applied firewall controls.
Drift Detection and Remediation
Continuous enforcement mode with automated configuration drift detection. System-level changes trigger re-evaluation and re-application of the hardening baseline without manual operator intervention.
Bash · Python · systemd · csrutil · spctl · socketfilterfw · sysctl · nftables · macOS Primitives · CachyOS / Arch
[ SKILLS ]

Tech Stack

Zero Trust / Networking
Zscaler ZIA · Zscaler ZPA · ZCC · Cloudflare ZT · UniFi · ControlD DNS
Endpoint / EDR / XDR
SentinelOne · CrowdStrike · Microsoft Defender XDR · FortiSaaS · Palo Alto · Microsoft Intune
Identity / IAM
Microsoft Entra ID · Conditional Access · MFA · RBAC
DevSecOps
GitLab CI/CD · Python · Go · Bash · MCP · Claude Code
AI Infrastructure
Ollama · Local LLM · LiteLLM · AWS Bedrock · Vertex AI
Systems / OS
CachyOS / Arch · Qubes OS · macOS · Fedora · Ubuntu
[ EXPERIENCE ]

Work History

Senior Cyber Security Engineer
Current
Eagers Automotive Limited (ASX: APE) · Brisbane, QLD
Enterprise cyber security engineering across one of Australia's largest automotive dealer groups. Responsible for zero trust network architecture (Zscaler ZIA/ZPA/ZCC), endpoint detection and response (SentinelOne), and identity governance (Microsoft Entra ID and Intune) at scale across 8,500 users, 9,000+ endpoints, and 300+ locations. Developing AI-assisted tooling for accelerated threat response and compliance. Leading threat detection, incident response, and security control validation programs.
Zscaler ZIA · Zscaler ZPA · ZCC · SentinelOne · CrowdStrike · Palo Alto · Microsoft Defender XDR · FortiSaaS · Entra ID · Intune · GitLab CI/CD · Python
IT Security Solutions Engineer
Past Role
AP Eagers Limited · Brisbane, QLD
Security solutions architecture and implementation across the Eagers automotive group. Progressed through senior IT functions including System Administrator, Network Administrator, and Manager of Information Technology before transitioning into a dedicated security engineering role. Designed enterprise security controls, managed IT security vendors, and developed policies governing the organisation's security posture.
Palo Alto · Firewall Management · Security Architecture · Network Administration · IT Management · Vendor Management · System Administration
Owner / IT Consultant
Past Role
Nancarrow Consulting · Brisbane, QLD
Independent IT consultancy serving small business and home user environments. Scope covered designing, building, optimising, and troubleshooting technology stacks across networking, systems, procurement, and ongoing operational support.
IT Consulting · SMB Networking · Technical Support
Bachelor of Networking
2016
Aurora Training Institute · Brisbane, QLD
Bachelor's degree in Networking. Ongoing professional development across cybersecurity engineering and cloud security; see the Latest Education section.
[ LATEST EDUCATION ]

Ongoing Learning

Actively pursuing formal education aligned to current enterprise threat landscapes. Recent completions span practical cybersecurity engineering methodology (Team Blue, 2024) and Google's professional-level security program (2025). Currently working toward CISSP certification — ISC²'s gold-standard for senior security practitioners.

ISC²
CISSP — Certified Information Systems Security Professional
Eight-domain advanced security certification spanning security and risk management, asset security, security engineering, network security, IAM, security assessment, operations, and software development security.
In Progress — 2026
Google
Cybersecurity Professional Certificate
Covers network security, SIEM operations, threat detection and analysis, vulnerability management, incident response frameworks, and Python automation for security workflows. Part of Google's professional certification track.
Issued: 2025
Team Blue
Cybersecurity Engineer
Structured program covering blue team operations, threat detection methodologies, defensive security control design, and incident response within enterprise environments. Practical focus on applied cyber defence.
Issued: 2024
[ OTHER PROJECTS ]

Ongoing Developments

● Classified
breach-and-pwn
Private
Sanctioned breach simulation and security control validation tooling for enterprise environments. BAS-style testing with auditable outputs.
Python · BAS · Control Validation
● Classified
konoha
Private
Hardened local AI workflow templates and Claude Skills architecture. Privacy-first, local-first AI infrastructure with MCP tooling integration.
Claude Code · MCP · Ollama · Local AI
● Classified
control-dns-orchestration
Private
DNS control plane orchestration. Encrypted DNS management, custom blocklist automation, and family/IoT/C2 filtering via ControlD and UniFi.
ControlD · DNS · Python · UniFi
● Classified
ai-architectural-controls
Private
AI safety and architectural security control framework. Governs how AI tooling interacts with enterprise and personal security boundaries.
AI Safety · Policy · Claude
● Classified
ai-zscaler-support
Private
AI-assisted Zscaler (ZIA/ZPA) operations and support tooling. Accelerates policy troubleshooting and configuration review workflows.
Zscaler · ZIA · ZPA · Claude
● Classified
ai-network-engineer
Private
AI-powered network engineering assistant. Supports design, troubleshooting, and documentation across enterprise and home network infrastructure.
Networking · UniFi · Claude · Python
● Classified
ai-local-environment-orchestrator
Private
Local AI environment setup and orchestration. Manages model selection, GPU routing, and toolchain configuration for Ollama-based local inference.
Ollama · CUDA · Python · Automation
● Classified
ai-regression-controls
Private
Regression testing and control validation for AI systems. Ensures AI tooling behaviour stays within defined security and operational boundaries across deployments.
Testing · CI/CD · GitLab · Python