Codename:
SENTINEL
Azazel-Edge is the AZ-01 core platform of the Azazel system, a Raspberry Pi-oriented deterministic edge SOC/NOC gateway and Cyber Scapegoat Gateway for constrained, temporary, and high-risk networks.
It observes local network evidence, evaluates NOC/SOC state deterministically, selects bounded actions (observe, notify, throttle, redirect, isolate), and records operator-visible explanations and audit traces.
Optional local AI assist may summarize or explain events, but it does not replace the deterministic decision loop.
Azazel-Edge is not a production SIEM replacement, not an autonomous AI defender, and not a promise of complete attack prevention.
Who this is for: security operators, field defenders, incident responders, training teams, and researchers working with constrained local networks.
2025 -> 2026 evolution line:
Deployablefocus (rapid portable edge setup) ->Auditablefocus (explainable deterministic decisions, rejected alternatives, and reviewable trace evidence)
| Requirement | Detail |
|---|---|
| Hardware | Raspberry Pi-oriented; tested/developed for constrained edge deployment |
| OS | Raspberry Pi OS / Linux |
| Runtime | Python 3.10+, Rust core components |
| Network | Local edge segment with optional Suricata/OpenCanary integration |
| Optional | Ollama, Mattermost, Wazuh, Vector, Aggregator |
cd /home/azazel/Azazel-Edge
sudo ENABLE_INTERNAL_NETWORK=1 \
ENABLE_APP_STACK=1 \
ENABLE_AI_RUNTIME=1 \
ENABLE_DEV_REMOTE_ACCESS=0 \
bash installer/internal/install_all.shMinimal verification:
sudo systemctl status azazel-edge-web azazel-edge-control-daemon azazel-edge-core --no-pagerDetailed install/deploy guidance:
flowchart LR
E[Event Inputs] --> P[Evidence Plane]
P --> N[NOC Evaluator]
P --> S[SOC Evaluator]
N --> A[Action Arbiter]
S --> A
A --> X[Decision Explanation]
X --> O[Operator Plane]
X --> G[AI Assist Governance]
G --> L[Local LLM Optional]
A --> U[Audit Logger]
Full architecture:
- runs a local edge gateway and operations surface
- ingests local telemetry such as Suricata EVE
- evaluates NOC and SOC state through deterministic evaluators
- selects bounded actions through an Action Arbiter
- records explanations, alternatives, and audit traces
- supports replay-safe demos and operator workflows
- optionally uses local AI assist for summaries and triage hints
Azazel-Edge claims:
- local-first deterministic decision support
- explicit bounded actions
- operator-visible explanation and audit traces
- optional AI assist that remains secondary to deterministic control
Azazel-Edge does not claim:
- complete attack prevention
- full SIEM replacement
- autonomous AI defense
- legal or regulatory compliance by itself
- safe deployment without operator understanding
Azazel-Edge is maintained as a single core platform. Different operational profiles are documented as concept profiles, not forks.
- Evolution Map
- Offline Edge-AI SOC/NOC
- Deterministic Edge Decision Support
- Auditable Emergency SOC/NOC
- Auditable Edge SOC/NOC
- Field-Deployable Scapegoat Gateway
Candidate CFP and planning material:
Only accepted and public Black Hat Arsenal appearances are recorded here.
See Arsenal Demonstration History.
Primary entry points:
- Documentation Index
- Core Runtime Architecture (P0)
- API Reference
- Configuration Reference
- Deployment Profiles
- Arsenal Demo Profile
- Operator Guide
- AI Operation Guide
- Privacy and Legal Notes
- Changelog
| Path | Role |
|---|---|
py/azazel_edge/ |
Evidence Plane, evaluators, arbiter, explanations, audit |
py/azazel_edge_control/ |
Control daemon and action handlers |
py/azazel_edge_ai/ |
AI agent integration and M.I.O. assist path |
azazel_edge_web/ |
Flask backend, dashboard, ops-comm UI |
rust/azazel-edge-core/ |
Rust defense core |
runbooks/ |
Runbook registry |
concept_profiles/ |
Concept-to-configuration mapping layer |
demos/concepts/ |
Concept-oriented deterministic demo grouping |
docs/ |
Architecture, concept, operations, and reference documentation |
MIT. See LICENSE.