
Good afternoon everyone and welcome to BSides Las Vegas. This talk is Azazel: Tactical Delaying Action via the Cyber Scapegoat Gateway, and it'll be presented by Makoto.
And before I start, just a quick announcement. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Formal and Drop Zone AI. It's their support, along with our other sponsors, donors, and volunteers, that makes this event possible. And just a quick reminder, this is being recorded. So for those watching later and also those in the room, as a courtesy to them, please remember to put your phone on silent. And with that, I will turn it over to Makoto. Hello, everyone. And thank you for being here. Is everyone drinking? I've already had some whiskey and beer. Enjoy.
My name is Makoto Sugita. Online I go by Mr. Rabbit. I'm an independent researcher with a strong interest in cyber security. I build tools and test defense ideas in my free time. I'm also involved in security education. I serve on the executive team of the InfoSec workshop in Echigo Yuzawa, one of Japan's most respected cyber security events. Today, I'd like to introduce a system I created. It's called Azazel. It doesn't block attacks. It delays them. Because in cyber defense, time is not just a resource. It can be a strategic advantage. Let's begin. Let me walk you through today's mission. We'll start with the philosophy, the thinking behind delaying tactics in both warfare and cyber defense.
Next, I'll give you an overview of Azazel. What it is, where the idea came from, and how it ties into that philosophy. Then we'll dive into its structure and logic, both hardware and software. After that, I'll show you a recorded demo so you can see how Azazel works in the field. We then look at its key benefits and use cases, and where it can be deployed effectively. And finally, I'll close with a call to action, inviting you to explore tactical delay as a new mindset for cyber defense.
Now, let's talk philosophy. Because behind Azazel, there's more than just engineering. There's intent, a tactical mindset. In the next few slides, I'll walk you through the core idea.
Why delaying the enemy matters in both war and cyber defense.
Let's look at how delaying action works, not in theory but in real battles. In World War II, US forces expected Peleliu to fall in four days. It took 73. Iwo Jima was planned as a one-week operation. It dragged on for over a month. These delays weren't accidental. They were tactical. The defenders used terrain, tunnels and attrition not to win, but to stretch the fight and drain momentum. That shift in tempo tied down elite US units. It broke their rhythm. This is the power of delay: not stopping the enemy, but disrupting the plan.
And that's the mindset Azazel was built on. Not to fight harder, but to make the adversary pay in time.
Most cyber security tools are built to stop threats. To block, isolate, or shut them down. Azazel takes a different path. Instead of trying to overpower the attacker, it slows them down on purpose. Because every second the attacker is delayed, we gain something. A clearer picture of their tactics. A chance to respond with precision. And time to warn others before the damage spreads. In this way, delay becomes leverage. Azazel doesn't claim to eliminate the threat. But it creates space, tactical space, where defenders can act on their terms. And in cyber defense, that small window of time may be all you need.
Let's begin with what Azazel really is. Not just a tool, but a tactical concept.
The first idea for Azazel did not come from a cyber security paper. It came from an anime, Ghost in the Shell. They had something called a labyrinth barrier, a kind of cyber shield that takes the hit when someone tries to hack your brain. Fans often call it a dummy barrier. That idea stuck with me. Something smart, tactical, and brave enough to take the fall. So I thought, why not build one for real? Let's be clear. Azazel is not a deception trap. Traditional deception works by creating illusions, fake services, fake systems, to lure attackers away from real assets. Azazel doesn't do that. Instead, it performs what we call a cyber delaying action. It detects incoming threats. It takes a hit. And then, it slows the attacker using delays, reroutes, and distractions. There's no sandbox here. No honeynet. Just one real device placed in harm's way to intercept the enemy and buy you time. That's not deception. That's tactical resistance by design. The name comes from ancient Hebrew text. In the ritual of Yom Kippur, a goat, the scapegoat, was symbolically loaded with the sins of the people and sent out into the wilderness alone. It was meant to carry away danger, misfortune and guilt. That's what Azazel does here too. It draws the threat, it takes the hit. So your real systems can stay clean, safe, untouched.
So what is Azazel? It's not a firewall, it's not a honeypot. It's a cyber scapegoat gateway. A system designed to be attacked so your real assets stay safe. It detects threats. It delays attackers using controlled latency. And sometimes it misleads them completely. It's small, portable, tactical. Built on Raspberry Pi and open source tools. Azazel is built to take the heat and buy you time. So how does Azazel actually work? We've talked about the concept. We've explored the philosophy. Now, let's open the hood. In this section, I'll walk you through the components, the decision flow, and how everything works together, from detection to delay to diversion. This is how Azazel works. It runs on Raspberry Pi 5 using only open source tools.
No server, no cloud, fully offline. Inside, Suricata inspects all traffic. When it detects a threat, it triggers Python logic, which can slow the attacker, divert them, and send an alert. You can carry it in your bag. You can deploy it anywhere. And yes, it actually works. Let me show you the software stack that powers Azazel. Everything runs locally on a Raspberry Pi, fully offline, and fully modular. Suricata monitors traffic and fires alerts when threats match defined rules. Those alerts go to Python scripts which respond in three ways. They delay the attacker using tc, divert them with iptables, and send alerts via Mattermost. After diversion, OpenCanary steps in, offering a fake service to observe the attacker's behavior. For enhanced logging and future SIEM integration, Vector can be added as an optional module. Each component is replaceable. All of it is open source, and every part is designed for tactical resilience.
Azazel is designed to be safe, not just effective. First, it uses high precision filtering with Suricata, targeting known attack patterns like SSH brute force. Then it applies a staged response with threshold and cooldown timers to prevent false positives. Finally, it limits actions strictly to attacker IPs. Legitimate traffic is never slowed, never diverted.
All of this helps minimize the risk of false diversion or misclassification and ensures that Azazel operates with confidence, not chaos.
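As an added illustration, not the talk's own scripts: a Python sketch of the staged response described above (Suricata eve.json alert, per-IP threshold, tc delay plus iptables divert to the decoy, cooldown release). The interface name, decoy port, fwmark, sample Suricata records and the particular tc/iptables layout are all assumed or constructed here; commands are returned as strings rather than executed so the decision logic can be exercised offline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

DEV, DECOY_PORT, DELAY_MS, MARK = "eth0", 2222, 2000, 4  # assumed interface, decoy port, delay, fwmark
THRESHOLD, COOLDOWN = 3, timedelta(seconds=60)  # engage after 3 alerts; release after 60 s of quiet

# One-time setup (assumed layout): a 4th prio band reached only by fw-marked packets, so unmarked traffic is never delayed.
SETUP_CMDS = [f"tc qdisc add dev {DEV} root handle 1: prio bands 4",
              f"tc qdisc add dev {DEV} parent 1:4 handle 40: netem delay {DELAY_MS}ms",
              f"tc filter add dev {DEV} parent 1:0 protocol ip prio 1 handle {MARK} fw flowid 1:4"]

def rules(ip, op):  # op 'A' engages, 'D' releases; only this source IP is marked (delay) and redirected (decoy)
    return [f"iptables -t mangle -{op} PREROUTING -s {ip} -j MARK --set-mark {MARK}",
            f"iptables -t nat -{op} PREROUTING -s {ip} -p tcp --dport 22 -j REDIRECT --to-ports {DECOY_PORT}"]

class DelayController:
    """Staged response over Suricata eve.json: count SSH alerts per source IP, engage at
    THRESHOLD, release after COOLDOWN of silence. Commands are returned, not executed."""
    def __init__(self):
        self.hits, self.last_seen, self.engaged = defaultdict(int), {}, set()

    def observe(self, eve_line):
        ev = json.loads(eve_line)
        if ev.get("event_type") != "alert" or "SSH" not in ev["alert"]["signature"]:
            return []  # flow records and non-SSH alerts never trigger an action
        ip = ev["src_ip"]
        self.hits[ip] += 1
        self.last_seen[ip] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        if ip not in self.engaged and self.hits[ip] >= THRESHOLD:
            self.engaged.add(ip)
            return rules(ip, "A")
        return []

    def tick(self, now):  # release every engaged source that has been quiet for COOLDOWN
        cmds = []
        for ip in [i for i in self.engaged if now - self.last_seen[i] >= COOLDOWN]:
            self.engaged.discard(ip); self.hits[ip] = 0
            cmds += rules(ip, "D")
        return cmds

def eve(sec, ip, etype="alert", sig="ET SCAN Potential SSH Scan"):  # constructed eve.json line
    return json.dumps({"timestamp": f"2024-01-01T10:00:{sec:02d}.000000+0000",
                       "event_type": etype, "src_ip": ip, "alert": {"signature": sig}})

def demo():  # (engage, release) commands for a constructed stream: 3 SSH alerts from 10.0.0.5, 1 benign flow
    c = DelayController()
    stream = [eve(0, "10.0.0.5"), eve(1, "10.0.0.7", "flow"), eve(2, "10.0.0.5"), eve(3, "10.0.0.5")]
    engage = [cmd for line in stream for cmd in c.observe(line)]
    return engage, c.tick(c.last_seen["10.0.0.5"] + COOLDOWN)
```

The same `-A`/`-D` rule pair makes the release exact: whatever was added for one attacker IP is removed for that IP only, which is what keeps legitimate traffic out of the delay band.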
Let me show you what Azazel looks like in the real world. Everything you see fits in a small box. It's compact, affordable, and deployable anywhere. At the center is the Azazel unit, a Raspberry Pi 5 running everything locally. You will also need power, storage, and a network interface, wired or wireless. This isn't a concept. It's a real working cyber defense tool. Fully offline and fully yours.
Now that we've covered the ideas and structure behind Azazel, it's time to see it in action. What actually happens when an attack hits Azazel? How does it respond? How does it delay? Let's walk through a quick demo and watch this cyber scapegoat do its job. Here's what Azazel looks like in action. The attacker is running a brute force SSH scan. Suricata detects it in real time, and Azazel kicks in. First, traffic from that IP is slowed using tc. Then it's diverted to a decoy with iptables. Finally, a Mattermost alert is sent instantly. Meanwhile, OpenCanary keeps watching for further signs of activity. All of this happens offline, autonomously. No human intervention required.
We're starting the demo. First, this screen is the attacker's screen. The attacker will perform an SSH brute force attack. The screen has changed, and this screen is the Azazel system screen.
Let me explain the screen. First, in the red box in the top left corner, the Suricata logs are displayed. Next, in the green box in the top right corner, the OpenCanary logs are displayed. Finally, in the blue box in the bottom half of the screen, the Azazel system logs are displayed. Although you don't necessarily need to monitor the system with this kind of screen configuration, it's arranged for the demo. We will start monitoring with the Azazel system.
We will start the attack.
Please pay attention to the Suricata logs in the top right corner. You can easily see that a large amount of access logs is flowing in.
Please pay attention to the Azazel system logs in the bottom half of the screen. Azazel has recognized the attack from the Suricata logs and started the delaying action, setting a delay for the attacker's communication using the tc command, and also redirecting the communication to OpenCanary using iptables. Please pay attention to the OpenCanary logs in the top right corner. As a result of Azazel redirecting the attacker's communication to OpenCanary, you can see that a large amount of access logs are being generated.
The attacker has stopped the brute force attack on SSH. Then on the Azazel system screen, OpenCanary, which had been generating a large amount of access logs, suddenly becomes quiet. After the attack is stopped and a certain period of time has passed, Azazel will determine that the threat has subsided and release the delaying action.
This screen is the Azazel system notifying the user about the situation using Mattermost after detecting the attack. Alerts from Suricata about the detected threat, alerts from OpenCanary, which is being used as a scapegoat, and the status of the Azazel system's delaying actions are notified through Azazel. This is just for reference, but Azazel also has a visualization system for monitoring. It has a mechanism to forward logs to a separate laptop. We plan to improve it so that it can be used as a security operations center or a network operations center in the future.
So now that you've seen Azazel in action, let's talk about why you might want to use it. This system wasn't built for theory. It was built for real world friction. When you need time and control. Let me show you a few situations where Azazel shines. Let's talk about where Azazel should be deployed and why. Azazel isn't just a passive defense. It's a forward deployed cyber asset, a tactical delay unit that absorbs attacks, buys time and triggers a response before harm reaches critical systems.
It fits well at VPN exits, rogue Wi-Fi zones, CTF labs, or network perimeters. Where risk is high, Azazel stands in the way. Where a threat is detected, Azazel can alert a SOC or blue team. That alert gives defenders time to respond. And if needed, it allows law enforcement or CERTs to coordinate countermeasures to contain or neutralize the threat. Because in active cyber defense, delay isn't the goal. It's the opening move. Azazel creates a window for action, a way to turn time into control. Even a small device can shift the balance.
I've shown you the idea, the structure, the action. Now, it's your move. You don't need to build Azazel exactly as I did. But I hope you take the core concept with you. In cyber defense, think beyond just detection. Think delay. Try it. Fork it. Break it, improve it. And most importantly, share the mindset. Tactical resistance by design. In cyber security, we often default to blocking, shutting things down. But what if we thought tactically instead? Azazel refuses here. It refuses here, it refuses, and it buys time. Defense is not a fight, and yet it attacks, and attacks, and attacks. In cyber operations, time is not just a resource; it is equipment. And buying just a few seconds is all it takes to turn defense into control. All right, that's a wrap. Thank you so much for sticking around and listening to Azazel's story. On screen, you'll see three QR codes. One for my LinkedIn, one for my X handle, and one for the GitHub repository. Feel free to connect, explore, or reach out anytime. Also, I made some Azazel stickers. Please feel free to take one with you. A huge thanks to the incredible BSides LV crew for making this event possible. And a special thank you to my mentor Mr. Aoyama, whose guidance was truly invaluable in shaping this talk.
Before we finish, just a quick note. I'm currently serving in the Japanese Army. Because of that, I can't discuss certain topics here in a public setting, but if you'd like to talk more, I'll be happy to speak one-on-one after the session. And to all of you, thank you again.