Azazel-Gadget: A Pocket “Cyber Scapegoat Gateway” for Delay-to-Win on Untrusted Wi-Fi

blue

azazel_gadget · idea

Azazel-Gadget is an ultra-compact gateway designed to be inserted in front of user devices when connecting to networks whose security cannot be fully verified in advance—such as free public Wi-Fi while traveling, event venue networks, or guest Wi-Fi at visited locations. The core problem is straightforward: in WPA2/3 Personal environments, users cannot reliably verify the authenticity of an access point. As a result, attacks originating from the same local segment—such as Evil Twin attacks and lateral movement—are difficult to detect immediately after connection. Even with VPNs or EDR solutions in place, if a device is designed to join a potentially hostile network directly, there remains a critical window in which initial compromise can occur. Azazel-Gadget addresses this “you lose the moment you connect” problem through lightweight risk assessment and a control strategy that wins by delaying. Inserted between the user device (laptop or tethered smartphone) and the upstream access point, it performs immediate, baseline-free checks right after connection and classifies the network as Safe, Caution, or Danger. The assessment is based only on observations that can be collected in a short time frame, such as wireless information (BSSID, channel), outbound reachability, DNS behavior, HTTPS consistency, and captive portal behavior. The results are stored as DecisionExplanation records (JSONL), enabling post-hoc auditing, reproducibility, and clear explanation during demonstrations. When dangerous indicators are detected, Azazel-Gadget does not assume compromise and wait defensively. Instead, it automatically applies protective tactics—such as traffic blocking, intentional delays, bandwidth throttling, destination-specific restrictions, or redirection to a guidance portal—using deterministic rules defined by a Tactics Engine. The goal is not comprehensive prevention, but to deny attackers early control, buy time, and provide users with the information needed to make informed decisions. Designed to run on lightweight hardware, Azazel-Gadget prioritizes simplicity and on-site usability—plug it in and use it.

Azazel Series

blue

azazel_series · published

This tool introduces a new branch of the “Azazel System,” a concept I previously presented at Black Hat and BSides. Unlike traditional cybersecurity tools that focus on blocking or isolating threats, Azazel embraces a military-inspired defensive philosophy called delaying action. Instead of repelling attackers, the system absorbs and holds them, wasting their time and resources while buying critical moments for analysis or active countermeasures. The goal is to provide a lawful, civilian-usable framework for active cyber defense—without needing military or law enforcement powers. In doing so, it addresses a gap in Japan’s current cybersecurity legal landscape, offering individuals and small organizations a way to contribute meaningfully to national-level cyber resilience.

Babbly

red

babbly · developed

"Babbly" is a penetration testing support tool featuring Artificial Incompetence. Instead of relying on AI, it achieves intuitive dialogue-based operation through natural language processing and voice recognition. Supporting eyes-free and hands-free operation, security tests can be efficiently performed alongside other tasks since they can be executed through voice commands alone without checking the screen. With its human-like conversational interface, it's easy for beginners to use and offers high flexibility. In an era dominated by AI, Babbly deliberately adopts Artificial Incompetence to propose a new approach that balances approachability with practicality.

Binary Timeline Viewer powered by DBI

blue

binary_timeline_viewer · developed

This tool utilizes Dynamic Binary Instrumentation (DBI) to capture events that occur during the execution of a binary, and presents them as a timeline.

bivvy

red

bivvy · developed

A C2 framework with the following features:
The client operates based on Python, allowing it to evade detection by antivirus and EDR solutions.
While Windows does not come with Python installed by default, the client has a feature for silent installation of Python.
The C2 server is set up on Google Colab, ensuring a high reputation for the communication endpoint, making it less likely to be detected by network security products. Additionally, the communication endpoint URL changes frequently, providing strong resistance to blacklisting.

BOCCHI -Bot Operating Chat Communication Hacking Interface-

red

bocchi · developed

This tool leverages chat platforms like Mattermost. Users can converse with (or give instructions to) a bot to conduct reconnaissance activities for penetration testing, vulnerability assessments, and authentication attempts. For instance, if one wishes to scan a target, they can instruct by saying, 'Scan [IP address].' Upon receiving this command, BOCCHI will execute an nmap scan and then import the results into Faraday.
Actual operations are conducted through interactions with the bot (BOCCHI) on the chat platform, making it user-friendly for those who may not be comfortable with keyboard commands or command-line inputs. Moreover, with the current generation predominantly using flick input on smartphones, installing Mattermost on a smartphone allows for operations via flick input.
Using Mattermost facilitates effective communication with BOCCHI amidst conversations with other team members. This bridges the gap between those proficient in command operations and those who aren't, enhancing team collaboration.
BOCCHI stands out as a novel form of penetration testing tool.

CHACK: A Hardened Autonomous Agent for Hybrid (Whitebox/Blackbox) Security Analysis

red

chack · developed

The Problem: Traditional security scanning often exists in silos: Static Analysis (SAST) identifies theoretical vulnerabilities but lacks validation, while Dynamic Analysis (DAST) lacks the context of the underlying code. Furthermore, using LLMs to generate and execute exploits is inherently dangerous, as AI-generated code can be unpredictable or destructive to the host environment. The Solution: CHACK is an autonomous offensive security agent designed to bridge this gap. Built using the Google Generative AI SDK, CHACK performs hybrid analysis by correlating source code insights with active probing. When a potential vulnerability is identified in the code, the agent enters an iterative loop: it generates a proof-of-concept exploit, executes it within "The Cage" (a custom, hardened, and ephemeral Docker sandbox), and uses the resulting stack traces or execution errors to refine its next attempt. Key Features: Agentic Feedback Loop: Automates the transition from "vulnerability discovery" to "exploit verification." The Cage: A secure, isolated execution environment designed specifically to contain and monitor AI-generated offensive scripts. Observability: Integrated tracing of LLM tool calls and performance metrics to ensure reasoning consistency and prevent "hallucination drift."

DynaDbg

blue

dynadbg · presented

DynaDbg is a remote analysis suite for iOS and Android applications with an independent debugging engine that doesn't rely on lldb or gdb. It provides assembly-level debugging capabilities, hardware watchpoint support, and comprehensive runtime inspection over network connections. This standalone architecture enables security researchers to perform deep dynamic analysis of mobile applications, solving the challenge of remote debugging in constrained mobile environments.

Eye-frame

blue

eye-frame · idea

We already have great encryption technology but everyone is worried about messaging apps that store message contents and share the data with law enforcement. I want to create a way to make any unsecure messaging app secure using privately managed keys and OCR.

Prevent Gamer Attacked

blue

idea_prevent_gamer_attacked · idea

Discussion of what is needed and feasible to prevent people playing online games from being involved in cyber-attacks.

Techniques to Combat Bias

blue

idea_tech_to_combat_bias · idea

Even with the implementation of EDR (Endpoint Detection and Response) solutions like CrowdStrike, there are methods of attack that remain undetected, leading to a grand misconception among corporate security personnel. They assume that by deploying asset management software (such as LanScopeCAT or Skysea), endpoint security is sufficiently covered. This often results in a complacent attitude towards security measures, with the mistaken belief that 'it's being handled, it's done.'

When it comes to cyber-attack incidents, it's important to understand why asset management software fails to capture comprehensive logs and why it doesn't detect certain activities. In contrast, we need to evaluate how effectively EDR solutions can log activities and trigger alerts. Even the most reliable EDRs that can detect significant security risks might not alert on certain tactics. In such cases, it becomes necessary to analyze logs from on-premises Active Directory or to use IDR (Intrusion Detection and Response) products.

Moreover, even with EDR and IDR solutions in place, there is a reality that files transmitted externally cannot be specifically identified, and when it comes to explaining to external stakeholders what the leaked information was, these systems do not provide conclusive evidence.

This situation, which can be observed across various tactics, tools, and environments, will be exemplified using detections by M365 Defender. The first step is to explain in detail how asset management software fails to capture sufficient logs for security incident assessment. This will help structure an understanding that current endpoint security measures are not as robust as presumed. The limitations of detection with EDR will also be addressed.

Identflare

blue

identflare · idea

In recent years, abuse of Cloudflare services by attackers has been increasing. In particular, Cloudflare Workers—being free and deployable anonymously—are frequently used for phishing and redirect attacks. However, due to the structure of Cloudflare Workers, it is difficult to directly identify which account is serving specific content. Additionally, since domain ownership information is unified under Cloudflare, traditional WHOIS or DNS-based tracking methods cannot effectively trace actors, making it challenging for analysts to correlate related attack campaigns. This tool analyzes infrastructures deployed on Cloudflare's serverless environment and infers attacker relationships based on the structural characteristics of the Workers platform. It extracts account-level correlations and automatically generates and verifies possible email address candidates derived from specific cloud configurations, enabling new perspectives on linking attack infrastructures beyond conventional methods. As a result, CTI analysts can perform higher-precision pivot analysis and more efficiently uncover the overall landscape of attack campaigns abusing Cloudflare and identify related threat actors.

IKESU / CHOKA

blue

ikesu_choka · idea

IKESU and CHOKA are extended tools of the phishing-hunter support suite TOAMI, which was presented at last year’s CyberTAMAGO. IKESU visualizes phishing site hunting logs output from TOAMI, while CHOKA generates email templates for abuse reporting based on selected phishing sites displayed in IKESU. By combining these two tools with TOAMI, phishing hunters can visualize detected phishing sites, streamline the abuse reporting process, and accelerate takedowns—ultimately helping reduce the growing damage caused by phishing attacks.

KaliPAKU

red

kalipaku · developed

When conducting penetration testing, the OS called Kali Linux is often used. This OS contains a plethora of useful tools, and penetration testers utilize these tools extensively during their tests. However, for beginners in penetration testing, those who are not adept at computer operations, or those who are interested but find it challenging to handle the tools, this can pose a significant barrier.
To address these challenges and make penetration testing more accessible, allowing users to understand the flow and facilitate smoother onboarding and training, we created KaliPAKU. This tool is equipped with a mechanism called the 'Tenkey Numbering System,' which allows users to operate commonly used tools in Kali Linux, such as 'Kali-tools-top10,' using just numeric combinations. As a result, users can perform basic operations through numeric input from the tenkey without having to become proficient in handling the tools. Furthermore, since it operates via tenkey input, even those who find keyboard operations challenging due to injuries or disabilities, as well as older individuals unfamiliar with computers or even children, can conduct penetration tests and learn the process.

By introducing this tool, it's possible to train individuals to conduct basic penetration tests in an extremely short period.

katayude

blue

katayude · idea

A benchmarker for hardening competition.

MachStealer :Chrome InfoStealer

red

machstealer · presented

MachStealer is an educational reference implementation of a Google Chrome infostealer designed to run on macOS systems powered by Apple Silicon (M1 and later). With the user’s explicit consent, it is implemented as a CLI tool that extracts and decrypts data stored in the Chrome browser, including session cookies, passwords, credit card information, browsing history, and installed extensions. The first problem it addresses is the knowledge gap within the security industry. Infostealers are one of the most common initial access techniques in modern cyberattacks, yet only a limited number of security engineers understand their actual implementation mechanisms. In many cases, understanding remains superficial—such as “stealing cookies” or “dumping passwords”—while the following technical details are often overlooked: The process of retrieving Chrome’s encryption keys from the macOS Keychain The exact parameters used for AES key derivation via PBKDF2 Implementation details of Chromium’s AES-128-CBC and AES-GCM encryption schemes Techniques for bypassing SQLite database locks The second problem MachStealer addresses is defensive effectiveness. Without understanding attack techniques at the implementation level, it is difficult to build effective detection rules or defensive measures. By making the attacker’s concrete techniques visible, MachStealer helps defensive engineers clearly identify what to monitor and which behaviors should be detected. At the conference venue, in addition to a live demonstration of MachStealer, a technical self-published booklet will be distributed covering the following topics: The macOS Keychain architecture and its integration with Chrome A detailed explanation of Chromium’s encryption implementation Comparative analysis with real-world infostealers Key monitoring points for detection and defense This publication was also distributed at Technical Book Festival 19 (技術書典19).

Matrix Prompt Injection Tool (MPIT)

red

matrix_prompt_injection_tool · developed

A systematic prompt injection pentesting tool capable of prompt leaking, SQLi, RCE, and more.

MobS

blue

mobs · developed

MobS is an open-source tool that securely manages dependencies extracted from SBOMs and allows users to verify the authenticity of those dependencies even after distribution. Without disclosing dependency details, it uses Zero-Knowledge Proofs (ZKP) to verify only whether a specific dependency exists.

Pocket Search

blue

pocket_search · idea

When it comes to quickly analyzing log data in restricted environments (secure or isolated environments), or when there aren't enough resources or time to set up platforms like Elasticsearch/Kibana or Splunk, command-line tools can do a lot. However, I wanted a tool that allows even non-experts to analyze logs quickly and easily. This tool (concept) is a log analysis viewer application that requires no installation and is easy to use in a browser. Users can load log files on the spot and search, filter, and visualize log data in real time. It requires no complex setup and operates within restricted environments, making it suitable for use in secure settings. As it's immediately usable even in resource-limited environments, users without technical knowledge can intuitively perform log analysis.

Prompt Hardener

blue

prompt_hardener · published

In RAG (Retrieval-Augmented Generation) systems that utilize LLMs, there is an increased risk of prompt injection due to incorporating user inputs from external information sources into system prompts. One countermeasure against such prompt injection is strengthening the robustness of system prompts. Existing tools allow for automated testing of prompt injections to evaluate safety; however, there is a lack of methods to assess whether robust measures have been properly implemented in system prompts and to suggest improvements for those prompts. Prompt Hardener is a tool that evaluates whether measures like tagging user input and securely wrapping system instructions are correctly implemented in system prompts for RAG systems, using LLM-based evaluation. Additionally, this tool provides suggestions for improving system prompts based on these robustness measures, helping RAG system developers to build safer and more robust prompts.

PromptMap

red

promptmap · idea

PromptMap is a Prompt Injection attacks testing tool.
This tool performs fully automated Prompt Injection attack tests against them to assess the robustness of generative AI and generative AI-integrated apps. This tool is intended to be used by developers for security testing.

PromptMap supports the following attack tests.

* Direct Prompt Injection/Jailbreak
PromptMap injects malicious prompts into a generative AI and evaluates whether the generative AI generates malicious contents or leaks generative AI's training data.

* Prompt Leaking
PromptMap injects malicious prompts into generative AI-integrated applications and evaluates whether the generative AI-integrated applications leak the prompt templates implemented by the apps.

* P2SQL Injection
PromptMap injects malicious prompts into generative AI-integrated applications and evaluates to steal, modify, or delete information from the database connected to the generative AI-integrated applications.

Prompt Injection attacks have different principles from those used in existing attack methods, and it is difficult to evaluate their robustness using existing security testing methods.

Therefore, PromptMap supports a wide variety of Prompt Injection attacks and enables fully automated execution, contributing to security testing for developers of generative AI and generative AI-integrated applications.

Ransom Victim Analyzer

blue

ransom_victim_analyzer · developed

This tool automatically analyzes the external public assets of companies that have been listed on ransomware leak sites to determine what assets are present and whether there are assets that are particularly vulnerable to attack.

Reverse RDAP Tool (for IP)

red

reverse_rdap · developed

"The Reverse RDAP Tool (for IP)" is a tool designed to store and enable reverse lookup of RDAP (Registration Data Access Protocol) information, which contains registration data for internet resources like IP addresses and domains. This tool specializes in IP addresses, allowing users to quickly identify which organization is utilizing a specific network range.

sasanka

blue

sasanka · published

Sasanka is a security-enhancing plugin for the widely-used OSS API gateway, Kong API Gateway, as open-source software under the Apache 2.0 license. Developed in Lua, this plugin inspects request content during communication relay and can block attack requests, log events, and more based on its functions. Some functionalities were developed using the OWASP API Security Top 10 2019 as benchmarks.

SecAd

blue

secad · idea

With the recent advancements in communication technology, the encryption of communication content has become commonplace. As a result, it's becoming more challenging for ISPs and research institutions to detect malicious traffic.
This tool proposes a new approach, applying the information obtained from the advertising industry's ad networks and analysis techniques to network security.
Based on the advertising data, which analyzes user behavior and interests in detail, we predict the usual network usage patterns of users and detect abnormal access and malicious traffic in real-time.

Siminari

blue

siminari · idea

Organizations often rely on traditional cybersecurity training methods such as lectures or e-learning modules, which struggle to keep participants engaged and rarely prepare them for real-world attacks. Siminari addresses this problem by offering a gamified cybersecurity training simulator where learners are placed in immersive, high-fidelity environments that replicate realistic cyber incidents. Participants make decisions under pressure and experience the consequences of their actions, which leads to stronger knowledge retention and practical resilience. After each session, Siminari’s AI Mentor provides analysis and feedback, helping organizations identify weaknesses and adapt training to their specific needs.

sisakulint

blue

sisakulint · published

CI-Friendly static linter with SAST, semantic analysis for GitHub Actions written in Go

Threat Thinker

blue

threat_thinker · open_source

Threat Thinker is an automated threat modeling tool designed for real-world engineering teams: you provide an architecture diagram, and it returns a prioritized list of threats. In many product organizations, applications and infrastructure change rapidly, making manual threat modeling difficult to keep up with. Threat Thinker analyzes architecture diagrams written in formats such as Mermaid, combining syntactic parsing with LLM-based inference to extract components, data flows, and trust boundaries. Based on the extracted structure, the tool automatically identifies potential threats and scores them according to their impact and likelihood. While existing automated threat modeling solutions tend to be powerful yet noisy, often requiring complex configuration and producing results that non-specialists find difficult to use, Threat Thinker focuses on a simple workflow that analyzes diagrams as-is and a hybrid parsing + LLM approach that achieves high accuracy and low noise in threat extraction. In this talk, we present a PoC demonstration of "diagram in → threat list out → incremental update," along with key design and validation insights for applying this approach in real engineering environments.

TOAMI

blue

toami · idea

In the field of cybersecurity, the quick detection and response to phishing attacks is a critical challenge. This tool is a browser extension developed to support phishing hunters. It automatically detects potential threats by comparing accessed websites with a pre-prepared list of Indicators of Compromise (IoC) and detection rules. This allows users to quickly identify if a site was created using a reported phishing kit or determine if it was developed by a specific threat actor.The main features include support for IoCs in IoK, Yara, and Sigma formats, and the ability to match specific keywords and favicon hashes. If there's a match with an IoC, a notification is shown in the browser, and a detection log is automatically generated. Additionally, it supports automatic screenshot capture of the accessed site, improving the accuracy of phishing site detection and enabling rapid response. Through this tool, we aim to provide a convenient tool that helps streamline phishing hunting activities.

ZANSIN: Zero-based Automated New SecurIty traiNing

blue

zansin · published

ZANSIN is envisioned as a GROUNDBREAKING cybersecurity training tool designed to equip users against the ever-escalating complexity of cyber threats. It achieves this by providing learners with a platform to engage in simulated cyberattack scenarios, supervised and designed by experienced pentesters. This comprehensive approach allows learners to actively apply security measures, perform system modifications, and handle incident responses to counteract the attacks. Engaging in this hands-on practice within realistic environments enhances their server security skills and provides practical experience in identifying and mitigating cybersecurity risks. ZANSIN's flexible design accommodates diverse skill levels and learning styles, making it a comprehensive and evolving platform for cybersecurity education.