Farhan Rashid

Full-Stack Engineer & Security Specialist

Sydney, NSW, Australia

Summary

My first day with a breadboard, ATmega32P and LCD screen, July 2016
I started on breadboards in high school, tracing how highs and lows flow through copper and turn into something meaningful. Sophomore year of uni I hand-built a line-following robot from scratch. ATmega32P, 8-sensor analog array, dynamic smooth-turn algorithms, 14 days straight, no kits. Took it to the semi-finals of a robotics competition. From there I went to the floor of AWS datacenters where rack-down incidents and 30-minute SLAs taught me what production really means. Then into cybersecurity, authoring enterprise-wide security policy and running quantitative risk assessments solo. Now I'm founding the security function at an NDIS SaaS company while shipping production TypeScript on the core platform. I don't audit the code. I write it.

Key Metrics

33 Repositories
16 PRs in 4 Days
21 Audited PRs
10+ Languages
32 Tests from Zero
30m SLA at AWS
520 GitHub contributions in 2026
01 Experience

Co-Owner & Lead Engineer @ Nexis365

Feb 2024 – Present

Top contributor on the platform. 134 commits, 74,986 lines added. I own security end-to-end and ship production backend code on the core NDIS product.

Security

  • Built cloud and application security foundations on AWS, including access control, encryption at rest and in transit, monitoring baselines, and security configuration standards across all environments
  • Embedded secure SDLC into engineering workflows with automated SAST/DAST scanning, threat modelling sessions, and pre-merge security gates
  • Reduced critical vulnerabilities on the public-facing attack surface to zero through systematic vulnerability management and continuous monitoring
  • Led SOC 2 and ISO 27001 readiness. Authored security policies, trust centre materials, and handled enterprise customer security questionnaires
  • Built incident response plans and runbooks, then ran tabletop exercises to validate recovery procedures

Engineering (16 PRs in 4 days)

  • Resolved 3 critical SCHADS Award payroll defects: rewrote the midnight boundary calculation so overnight shifts split correctly on UTC servers, replaced broken public holiday detection with timezone-safe date-range queries, and fixed overtime logic that was double-billing at 275% instead of the correct 150% rate
  • Hardened the NDIS invoicing pipeline by surfacing missing-rate shift IDs that were previously causing silent data loss, replacing per-shift database lookups with batched queries, and adding proper validation for invalid NDIS item codes
  • Removed 251 lines of dead code from duplicate endpoint handlers and consolidated everything into a single canonical endpoint with schema validation, database transactions, and AI incident detection
  • Created a paginated, filtered, role-gated audit events endpoint that enforces immutability by design. You cannot delete an audit record. The API returns 405.
  • Bootstrapped the entire testing framework from zero coverage. Installed Vitest, configured coverage tooling, and wrote 32 unit tests for invoicing helpers and haversine distance calculations
  • Authored "Constitution" end-to-end tests that verify system invariants: financial values stored as whole numbers, timestamps always server-generated, audit logs permanently immutable

Datacenter Operations Engineer @ Amazon Web Services

Jul 2023 – Feb 2024

Infrastructure operations on the physical layer that runs AWS. Rack-down incidents, 30-minute SLA response windows, hands on the hardware. The job I woke up genuinely excited for.

  • Responded to rack-down and server failure incidents under 30-minute SLA targets, diagnosing and resolving Linux server and networking equipment failures across live datacenter infrastructure
  • Performed firmware upgrades and configuration updates on production routers, switches, and operating systems under strict change-control processes with zero tolerance for unplanned downtime
  • Executed secure sanitization and decommissioning of storage media and network devices including HDDs, SSDs, and switches, meeting AWS compliance and data destruction requirements
  • Managed trouble tickets prioritised by severity and impact, maintaining high availability across datacenter operations
  • Assisted the security team in physical penetration testing exercises against datacenter access controls and perimeter security

Cyber Security Analyst @ Dana Fintech

Dec 2022 – Apr 2023

  • Authored the enterprise-wide cybersecurity policy from scratch, covering access control, data classification, incident response protocols, and acceptable use across the entire organisation
  • Sole owner of the FAIR-U quantitative risk assessment. Identified threat scenarios, modelled loss event frequencies and magnitudes, and delivered dollar-denominated risk reports that drove remediation prioritisation across the business
02 Core Competencies

Languages
TypeScript · Python · JavaScript · Java · SQL · PHP · MQL5 · C++ · Shell
Backend & API
Hono · Express · Next.js · Flask · Streamlit · Prisma · Zod
Frontend & Mobile
React · Next.js · React Native · Expo
Data & ORM
PostgreSQL · Neon · SQLite · MongoDB · Prisma
Auth & Security
Clerk / JWT / RBAC · Auth0 · AES / PBKDF2 · SAST / DAST · FAIR-U
Testing
Vitest · JUnit · E2E Constitution · coverage-v8
AI & Agents
IBM Granite OCR · MCP / FastMCP · Multi-Agent Systems
DevOps & Cloud
AWS · Railway · Vercel · Netlify · Docker · GitHub Actions
Compliance
SOC 2 · ISO 27001 · SCHADS Award · NDIS
Architecture
Multi-Tenant SaaS · RBAC · Event-Sourced Audit · DDD · Offline-First Mobile
03 Projects

NDIS & Disability SaaS Platform

8 repos

nexis365-v2 (16 PRs)

TypeScript · Hono · Next.js · Prisma · Neon PostgreSQL · Clerk · Zod · Vitest

Full-stack NDIS management platform handling shift scheduling, SCHADS Award payroll, NDIS invoicing, participant management, AI incident detection, audit trails, and travel logging. Multi-tenant SaaS with tenant isolation on every query, four-tier role-based access control, and constitutional invariants verified by end-to-end tests. 1.7 MB of TypeScript deployed on Railway and Vercel with database branching per pull request.

Nexis365 Command Centre dashboard.

chartgen v3.9

TypeScript · Next.js · Prisma · Neon PostgreSQL · Netlify

Governance-first clinical documentation audit platform. Models 8 chart families including meals, medication, sleep, BGL, bowel, hygiene, community access, and repositioning. Every record goes through generate, review, approve, and commit with provenance hash verification and audit-event chaining. QA anomaly detection catches ghost shifts, constipation gaps, and restraint breaches. 365-day preview window with XLSX export for auditors.

ChartGen v3.9 dashboard showing MAR, Restoration, Admin Console, Audit Engine, Audit Explorer, and Blue Team QA modules.

importcsv / TurnpointPurger

Python · Selenium · Tkinter · PyInstaller

Built to break a vendor lock-in. The previous software held all client data hostage with no export functionality, so I wrote a Selenium script that logs in, crawls every client profile, extracts every artefact and linked document, and repackages it all under sequential NexisID archives ready for Nexis365 import. Ships with a neon Tkinter GUI showing live extraction logs and purge history counters. Batch processing with configurable cooldown to avoid getting locked out, duplicate detection, and a full data pipeline across 260+ clients. Cross-platform builds for macOS and Windows via PyInstaller.

mobile

TypeScript · Expo SDK 54 · React Native · TanStack Query · Zustand · SQLite

Offline-first workforce app. SQLite schema for shifts, attendance, and a mutation queue that syncs when connectivity returns. GPS tracking with haversine distance calculations. Designed for support workers in the field where internet isn't guaranteed.

Nexis_app · app · ndisai

JavaScript · React Native (CLI + Expo) · Firebase Messaging

Field management apps with real-time location tracking and photo capture, plus a voice-first AI NDIS assistant under active construction.

Security & Cryptography

3 repos

hexstrike-ai (Fork)

Python · FastMCP · Selenium

AI-powered MCP cybersecurity automation platform with 150+ security tools and 12+ autonomous AI agents. Multi-agent architecture for penetration testing, bug bounty automation, CTF solving, and vulnerability intelligence. Integrates with Claude, GPT, and Copilot via the Model Context Protocol.

FileEncryptor (4 PRs)

Java · JCE (PBKDF2, AES-CBC, PKCS#5)

File encryption utility with password-based key derivation, AES encryption in CBC mode, randomized salt persistence, and proper IV handling. Full JUnit test suite.

COMP3850-PACE-XtremeCompute

C++ · GamingAnywhere

Macquarie University capstone project. Cloud gaming system built on the GamingAnywhere platform, cross-platform for Windows and Linux.

Finance, Data & AI Tools

5 repos

Finmg

Python · Streamlit · SQLite · Plotly · IBM Granite

Private finance dashboard that ingests ANZ bank statement PDFs, categorises transactions using IBM Granite OCR, and produces audit-ready Excel workbooks. Duplicate detection via SHA-256 hashing, rolling 120-day deduplication, multi-account merge, interactive dashboard with KPI cards and trend charts. Zero external API dependencies at runtime. Built overnight. Passed the audit.

Forex-BOT

MQL5

Automated forex trading system with scalping expert advisors, moving average strategies, and a 9-MA expert advisor for position management.

Forex-BOT running in MetaTrader Pro on EUR/CAD with 9 moving average indicators and volume analysis.

clcod

Python · SQLite · SSE · tmux · PM2

Local control plane for a shared multi-agent room. Event-sourced architecture where the database is the durable source of truth, with startup recovery via event replay. Real-time updates over HTTP/SSE, tmux mirrors for session management.

udown

Python · yt-dlp · Flask · FFmpeg

YouTube playlist archiver with a Flask web UI. Originally built to archive multiple Qur'an playlist series for a client who needed USB-friendly sequential naming for a living-room audio system.

B2B, Web & Personal

7 repos

1Stop

JavaScript · Node.js · MongoDB · Auth0 · Stripe · NodeMailer

B2B/B2C e-commerce platform built with a 4-person team. Auth0 authentication, Stripe payment integration with webhook-triggered confirmation emails, admin and regular user JWT-protected endpoints.

gwclms

Node.js · Express · mammoth

Goodwill Academy LMS. Facilitator packs are parsed on server start using mammoth, question banks extracted automatically and surfaced via API. Interactive learning modules with progress tracking.

cohs · energyn

PHP · PHPMailer · Bootstrap

Aged care management system with admin dashboard, database backup utilities, and email automation. Plus a biotech marketing site with PHP form handling and responsive design.

rirvalentine (Personal)

JavaScript · CSS · Netlify · Live Site

I built this for my girl. A Pinterest-style masonry photo grid with personal captions, custom animations, and visual storytelling. Deployed on Netlify. Not everything I build has to be enterprise software.

Robotics & Embedded Systems

1 project

Line-Following Robot (Semi-finalist)

ATmega32P · 8-Sensor Analog Array · NVR Motor Controller

Hand-built from scratch sophomore year. No kits, no pre-built modules. Cocksheet chassis, toy wheels, hot-wired connections. 8-element sensor array with analog readings and dynamic calculation for smooth turns instead of sharp directional changes. Built over 14 consecutive days. Reached the semi-finals of a university robotics competition, knocked out on obstacle avoidance because I had the sonar sensor but ran out of time to code it. I didn't expect to make it that far.

Java Systems & Academic

6 repos

PandemicSimulatorBETA · HRSoftware · EduTechLMS · flappyrir · fbt-repo · ICT502-A1

Java

Epidemic simulation with visual modelling, HR management system, LMS coursework, a Flappy Bird clone, fractal animation engine, and a banking calculator. A mix of university assignments and personal projects from the early days.

04 How I Build Things

Tenant isolation is the foundation, not a feature

Every database query in the platform starts with tenant isolation. There is no code path that can accidentally surface one organisation's data to another. This wasn't bolted on after launch. It's the first thing written into the data layer and it touches every query that runs in production.

Permissions are checked everywhere, not just the sensitive routes

Four role levels with granular, operation-level access control on every single API route. Not some of them. All of them. When I found a compliance endpoint that was accidentally blocking administrators because it only checked for one permission level, I fixed the permission model instead of building a workaround.

Audit trails are permanent by design

Every mutation creates a permanent record with before and after snapshots. You cannot delete an audit entry because the API will not let you. In NDIS-regulated systems where records can be subpoenaed, this isn't a nice-to-have. It's a legal requirement, and the architecture enforces it.
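One way to make the three properties above (tenant scoping on every read, a role gate on every route, and an audit log that simply has no delete path) structural rather than procedural. This is an added illustration in plain TypeScript, not Nexis365 code: the in-memory table, the role names and the request/response shapes are assumptions standing in for the Prisma table, Clerk session and Hono handler.

```typescript
// Added illustration, not Nexis365 code: a tenant-scoped, role-gated,
// append-only audit log. The in-memory array stands in for the Prisma/
// PostgreSQL table; the four role names are hypothetical.
type Role = "worker" | "coordinator" | "manager" | "admin";
const RANK: Record<Role, number> = { worker: 0, coordinator: 1, manager: 2, admin: 3 };

interface AuditEvent {
  id: number; tenantId: string; actor: string; action: string;
  before: unknown; after: unknown; at: string;
}
const auditTable: AuditEvent[] = [];

// The only way to touch the table. tenantId comes from the authenticated
// session and is merged into every read, so no caller can forget it.
function auditFor(tenantId: string) {
  return {
    list(page: number, size: number, actor?: string): AuditEvent[] {
      return auditTable
        .filter(r => r.tenantId === tenantId && (actor === undefined || r.actor === actor))
        .slice(page * size, (page + 1) * size);
    },
    // Append-only: id and timestamp are generated here, never taken from the client.
    append(e: Pick<AuditEvent, "actor" | "action" | "before" | "after">): AuditEvent {
      const row: AuditEvent = { ...e, id: auditTable.length + 1, tenantId, at: new Date().toISOString() };
      auditTable.push(row);
      return row;
    },
  };
}

interface Session { tenantId: string; role: Role }
interface Req { method: string; session: Session; page?: number; size?: number; actor?: string }
interface Res { status: number; headers?: Record<string, string>; body?: AuditEvent[] }

// GET /audit-events: paginated, filterable, coordinator-or-above.
// Every other verb gets 405 with an Allow header. There is no delete or
// update handler to bypass, so immutability is a property of the route table.
function auditEventsRoute(req: Req): Res {
  if (req.method !== "GET") return { status: 405, headers: { Allow: "GET" } };
  if (RANK[req.session.role] < RANK.coordinator) return { status: 403 };
  const page = Math.max(0, req.page ?? 0);
  const size = Math.min(100, Math.max(1, req.size ?? 20)); // cap page size
  return { status: 200, body: auditFor(req.session.tenantId).list(page, size, req.actor) };
}
```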

Constitutional invariants that break the build

Certain things must never change: financial values stored as whole numbers to prevent rounding errors, timestamps always generated server-side to prevent client manipulation, audit logs that are permanently immutable. These rules are documented and enforced by automated end-to-end tests. Break one, and the build fails before it ships.

Business logic lives in testable isolation

Payroll calculations, billing rules and invoicing logic are all extracted into independent modules that can be tested without spinning up the full application. 32 tests were written specifically targeting these critical business paths, bootstrapped from zero coverage when the codebase had none.

Domain boundaries without distributed overhead

The codebase is organised as a monorepo with clear domain boundaries. Each feature area owns its bounded context. You get the architectural clarity of microservices without needing to manage distributed networking, service discovery, or cascading failures. Separation at the code level, simplicity at the infrastructure level.

05 Education

Victorian University

Master's, Software Technology & Information Systems

Jul 2024 – Jul 2026

Macquarie University

Bachelor's, Cyber Security

Feb 2020 – Nov 2022

Graduation day at Macquarie University

BRAC University

B.Eng, Computer Science

Jan 2018 – Jan 2020

Certifications

CCNA: Enterprise Networking, Security, and Automation · Cisco Networking Academy · Credly Verified
06 Beyond the Code

The 325i: Bought it rough. Made it a sleeper. Plate says it all.
DJ sets: Techno, EDM, folk, alt-rock. Everything except trash metal.
German + Japanese: Both got worked on by hand. Both earned their keep.
The E46: From granny spec to something worth looking at twice.
Reset: You can't build well if you don't rest well.
The Honda: First car. Lowered, stickered, loved.
Under the hood: You learn a car by its gauges.
Australia: Sydney based. Coastline explored.

About this page

This is a single HTML file. Zero JavaScript. Zero dependencies. Zero build tools.
CSS @layer, :has(), clamp(), logical properties, backdrop-filter, text-wrap balance, prefers-reduced-motion, prefers-color-scheme, semantic HTML5, ARIA, print stylesheet.
The page is the portfolio piece.