Portable Cyber Scapegoat Gateway for hostile networks.
A hacker who learned to attack — and chose to defend.
Move the target. Keep your endpoint invisible.
The network thinks it's talking to you. It's talking to Azazel.
NOT a VPN. NOT a travel router. NOT a promise of complete protection.
Public Wi-Fi exposes your endpoint to the local segment the moment you connect. Azazel-Gadget puts itself between you and the threat — and becomes the target instead.
Azazel-Gadget connects to the untrusted network. Your laptop connects to Azazel over USB. Probes, scanners, and recon tools hit the gadget — not you.
No "smart" black-box AI. Three operator-selected modes with explicit, auditable behavior. You always know what Azazel is doing and why.
In scapegoat mode, isolated honeypot services (OpenCanary) draw attackers in. The decoy takes the hit. Your endpoint stays dark.
Web UI, TUI, E-paper display, and ntfy notifications give you live situational awareness — what's happening on the wire, in real time.
Every environment is different. Azazel-Gadget gives you explicit control over your exposure surface.
Standard NAT/gateway behavior. Your protected endpoint (usb0) reaches the internet through Azazel's upstream (wlan0). Deception services are disabled — clean throughput mode for when you need raw connectivity.
All inbound traffic from the upstream (wlan0) is dropped at the gateway level. Your endpoint's outbound path is preserved — you can reach out, but the hostile segment cannot reach in. This is the recommended default.
Allowlisted OpenCanary decoy services are exposed on isolated ports. Canary runs in a dedicated network namespace (az_canary) — completely separated from your protected client side. Attackers probe the honeypot. You watch the logs.
Flask-based local dashboard with live state stream (SSE). Switch modes, monitor events, manage Wi-Fi — from any browser on your protected device.
Waveshare e-ink panel shows current mode, status, and warning states. Persistent even when power flickers. Zero-UI visibility.
Terminal-native monitor and menu panel. No browser needed. Built for operators who live in the terminal.
Local ntfy server for push alerts. Suricata and OpenCanary events reach your phone over the protected link — instant threat awareness.
Optional network IDS on the upstream interface. Azazel watches the wire so you don't have to manually inspect traffic.
Every mode change and state transition is recorded. Operator-reviewable logs for post-incident analysis or compliance evidence.
noVNC + Chromium stack for safely viewing captive portals in an isolated browser — without exposing your main environment.
Caddy reverse proxy with a locally-signed CA. Your Web UI is served over HTTPS — token-authenticated, not cleartext.
Azazel-Gadget sits between your endpoint and the hostile network. The threat never crosses the gateway.
Flash Raspberry Pi OS, clone the repo, and run the installer. Azazel handles the rest.
Pocket-sized or bench-ready. Same software stack, different deployment scenarios.
Raspberry Pi Zero 2 W. Pocket-sized, bus-powered. Fits in a keychain case. The field operator's choice for covert defensive carry.
Raspberry Pi 3 / 4 / 4B. Higher throughput and memory headroom. Preferred for research environments and full IDS integration.