/ ANNOUNCEMENT — JAN 15, 2026

We’re shipping real-time ARP spoofing detection.

The detector WifiThreatWatch was born around — and it watches the wire, not a cache the attacker has already rewritten.

We’re excited to announce the first detector in WifiThreatWatch: real-time ARP spoofing detection. It’s the attack we built the whole product around — the classic way an adversary on your network turns themselves into an invisible middleman — and it’s live now, on Windows, free.

A VPN hides what you send. It can’t tell you an attacker is standing between you and your router. That gap is exactly where we started.
/ WHY WE STARTED HERE

The attack a VPN can’t see

ARP spoofing is the oldest trick on a local network, and still one of the most effective. Because ARP has no authentication, an attacker can announce that your router’s IP belongs to their hardware, and your device believes them. From that moment every packet detours through the attacker on its way out — a textbook man-in-the-middle.

path you think you haveYOUyour laptopROUTERthe gatewayATTACKERone MAC, claimed as both
ARP MITMevery packet detours through the attacker before reaching your router

The reason it deserved to be our first detector is that it’s the perfect illustration of the gap we exist to close. Encryption tools protect your data’s contents; none of them tell you the attacker is on your path in the first place. Detection is a different job.

/ WHAT SHIPPED

Live capture, off the wire

Instead of periodically reading the ARP cache — a table the attacker can poison and hold — our detector runs a dedicated capture thread that sniffs ARP frames off the wire in real time via Npcap. It reasons about three signals:

  • Gateway impersonation — your router’s IP announced with a MAC that differs from the trusted baseline. Raised as critical.
  • Conflicting bindings — the same IP asserting two different MACs inside a short window.
  • Unsolicited replies — broadcast and self-targeted gratuitous ARP, treated as corroborating evidence.

Before anything interrupts you, a two-signal verification step — an active gateway probe weighed against live sniffer activity — confirms the attack is genuinely happening, so a stale poisoned cache from an attack that already ended doesn’t set off a false alarm.

/ THE DIFFERENCE

Why the wire beats the cache

This is the distinction that makes the detector worth having. A tool that reads the ARP cache every 30 seconds can be fooled indefinitely: once the poisoning settles, the cache just shows the attacker’s MAC as “the gateway,” stable and wrong. Reading the table can never witness the poisoning arrive. Sniffing the wire can.

READ THE CACHE — EVERY 30s
gateway → 3c:22:fb
PASS
A held poisoned cache reads clean forever.
SNIFF THE WIRE — LIVE
·
192.168.0.9 is-at 9a:04:e1
192.168.0.1 is-at 3c:22:fb
≠ baseline · CAUGHT
·
192.168.0.7 is-at 1f:88:0d
·
192.168.0.1 is-at e8:d1:1b
·
192.168.0.9 is-at 9a:04:e1
192.168.0.1 is-at 3c:22:fb
≠ baseline · CAUGHT
·
192.168.0.7 is-at 1f:88:0d
·
192.168.0.1 is-at e8:d1:1b
CACHE vs WIREreading the table can't witness the poisoning happen; sniffing the wire can
/ THE PRICE

Detection is free

Real-time ARP spoofing detection ships in the free version of WifiThreatWatch and always will. Knowing you’re under attack shouldn’t be the paywalled part. (Breaking the attacker’s hold — the Active Defense response and the encrypted tunnel — is the part a subscription covers.)

FREE FOREVERReal-time ARP spoofing detection is free, for Windows.

Read more: how ARP spoofing works · how to detect ARP spoofing yourself · the Active Defense response

See the middleman the VPN can’t.
Detection is free.