Nikola Borovina — Full-Stack Engineer Portfolio

SCAFU

Security testing platform

Started with a simple idea: bug bounty recon takes too long. Most hunters spend hours on setup before they get anywhere near a vulnerability. SCAFU turns that into seconds. You point it at a program, it spins up 75+ scanner modules across separate workers, chains their outputs together, and surfaces findings with severity scoring. The tricky part was building the orchestration layer that decides which scanners to run based on what earlier scanners found, so a subdomain discovery result triggers port scanning, which triggers service fingerprinting, which triggers vulnerability-specific checks. Each scan mode (quick recon, deep, red team, autonomous) runs a different subset of the chain.

Scan orchestration flow

Program
Target

Input

Scan Mode
Selection

Quick / Deep / Red Team

Phase 1
Recon

Subdomain

DNS

Port Scan

Phase 2
Analysis

XSS

SQLi

SSRF

IDOR

+70

Dedup &
Triage

Severity scoring

Findings
Report

Output

What I built

Scanner orchestration engine with phased execution and dynamic module injection
Job queue with priority scheduling, retry logic, and scan state recovery
Real-time scan progress streamed over WebSockets
Finding deduplication across scanner outputs with severity scoring
WASM-compiled scanner tooling for edge execution on Cloudflare Workers
Integration with HackerOne and Bugcrowd program APIs

Hard parts

75+ scanners running in parallel without blowing rate limits or memory caps
Normalizing output formats across tools that all report findings differently
Compiling security tools to WASM to run at the edge instead of on a fat server
Keeping scan state consistent when individual scanner jobs fail mid-chain
Honeypot detection so scans don't waste time on decoy targets

Stack

Node.js Python WASM Cloudflare Workers Durable Objects D1 WebSockets Docker

AdWatchr

Competitor ad monitoring

I watched a marketing team spend two hours every Monday screenshotting competitor ads from the Facebook Ad Library. That seemed like something a computer should do. AdWatchr scrapes both the Facebook Ad Library and Google Ads Transparency Center on a schedule, detects new creatives and copy changes using SHA-256 content hashing, and pushes alerts through email, browser push, and Slack. The hardest engineering problem was the scraping itself: both platforms actively fight automation, so the system uses network request interception as a primary strategy with DOM extraction as a fallback, plus a Chrome extension that collects data client-side when server-side scraping gets blocked.

Data collection pipeline

Facebook
Ad Library

Google Ads
Transparency

Sources

Playwright
Scraper

Chrome
Extension

Collection

SHA-256
Change Detect

Diff engine

PostgreSQL
+ Prisma

Storage

Push

Slack

Alerts

What I built

Playwright scrapers for both Facebook Ad Library and Google Ads Transparency Center with network interception + DOM fallback
Chrome extension that syncs every 30-60 min, intercepting GraphQL requests client-side
Pinterest-style masonry grid for browsing thousands of competitor creatives
Collections system for organizing ads into swipe files
Multi-channel notification engine (email via Resend, web push, Slack webhooks)
Scout Agent for competitor discovery using Claude, GPT, or local Ollama models
Competitive timeline with activity heatmaps and day-of-week pattern analysis
Team collaboration with role-based access (owner/admin/member)

Hard parts

Both ad platforms are hostile to scraping: had to build network interception and DOM fallback strategies that degrade gracefully
Deduplicating ads that look slightly different depending on whether they came from the API, DOM, or the extension
Keeping the masonry layout performant when a competitor has thousands of active creatives
Scheduling scrapes across many users without hitting platform rate limits
Change detection that catches headline tweaks without false-flagging identical ads

Stack

Next.js 14 TypeScript Playwright Prisma PostgreSQL Supabase Auth Tailwind Radix UI Resend Web Push API Chrome Extension Vercel AI SDK

Nuculair

Digital footprint scanner

Most people have no idea how much of their personal data is floating around the internet. Nuculair lets you search a name or email and within 30 seconds get back a full picture: leaked passwords, data breach history, social media accounts, forum posts, and a privacy score based on how exposed you are. Under the hood it's stitching together results from 300+ data sources including Sherlock for username enumeration, Dehashed and LeakCheck for breach data, and custom scrapers for everything else. The backend runs a local Ollama model that plans the investigation strategy, deciding which sources to query in what order based on what's already been found. I built the API aggregation layer and the frontend that turns raw OSINT data into something a normal person can actually understand.

Investigation pipeline

Query
(name/email)

Input

AI Search
Planner

Ollama / qwen2.5

Sherlock
300+ sites

Breach
DBs

Social
Scrapers

Data sources

Correlation
Engine

Identity matching

Privacy
Score

Network
Graph

Output

What I built

API aggregation layer that normalizes data from 300+ OSINT sources into a unified schema
Privacy scoring algorithm weighing breach count, data sensitivity, recency, and spread
Force-directed network graph visualization using vis.js showing entity relationships
Results UI that groups and explains findings for non-technical users
Edge caching layer so repeat lookups resolve in under 200ms
Rate limiting and abuse prevention for the public-facing scanner

Hard parts

Every OSINT source returns data in a different format, so normalizing everything into one coherent profile required a lot of mapping work
Keeping end-to-end response time under 30 seconds while querying dozens of external APIs in parallel
Handling sensitive data responsibly: nothing persisted, everything ephemeral, with field-level encryption in transit
Making breach data legible to regular people who don't know what a "credential dump" is

Stack

Python / FastAPI Next.js 14 PostgreSQL Redis Neo4j Ollama vis.js Docker Sherlock Cloudflare

Mios Map

GitHub repo visualizer

Looking at a list of repositories tells you almost nothing about how an organization's codebase actually fits together. Mios Map turns GitHub repos into a 3D galaxy you can fly through. Every repo becomes a node sized by activity, connected to other repos by shared dependencies, and colored by tech stack. You can switch between force-directed, radial, grid, and sphere layouts depending on what you're trying to see. The visualization engine uses Three.js with instanced rendering and a level-of-detail system for labels so it stays smooth even with hundreds of repos loaded. I built the 3D rendering pipeline, the dependency graph analysis, and the tech stack detection that reads package manifests and file extensions to auto-classify everything.

Visualization pipeline

GitHub
Org / User

Input

Octokit
API Client

Parallel fetch

Tech Stack
Detection

Dependency
Graph

Health
Scoring

Analysis

D3 Force
Layout

Graph positioning

Three.js
Renderer

Instanced / LOD

3D Galaxy
View

Interactive

What I built

Three.js rendering pipeline with instanced meshes for 20k+ nodes and energy pulse animations
Label LOD system that swaps detail levels based on camera distance
Force-directed graph layout using D3 with fast convergence tuning
Tech stack detector that reads package.json, requirements.txt, go.mod, and file extensions
Health scoring based on commit frequency, open issues, dependency freshness, and staleness
Four layout modes: force-directed, radial, grid, and 3D sphere
Demo mode with pre-loaded data for unauthenticated exploration

Hard parts

Rendering hundreds of 3D nodes with labels and connection lines without dropping below 60fps
GitHub API rate limits when scanning large organizations with many repos
Getting the force-directed layout to converge quickly into something that looks good without manual tuning
Making 3D camera navigation feel natural for users who've never used a 3D tool
Parallel API fetching without waterfall patterns for fast initial loads

Stack

Three.js WebGL D3.js Octokit Express TypeScript Cloudflare Pages WebSockets