/ ANNOUNCEMENT — FEB 5, 2026

We’re shipping mesh-aware evil twin detection.

A fake access point wearing your network’s name is one of the hardest attacks to notice. Our second detector catches it — without crying wolf at your own mesh.

After ARP spoofing, we’re excited to announce the detector for the attack that lures you onto the attacker’s hardware in the first place: evil twin detection. It’s two-tier and mesh-aware — and it’s live now, on Windows, free.

The name on your screen is the one thing an attacker can copy perfectly. So we stopped trusting it.
/ WHY IT MATTERS

The lure that starts a man-in-the-middle

An evil twin is a rogue access point broadcasting a network name you trust, often with a stronger signal so nearby devices prefer it. Once you land on it, the attacker is your gateway — free to read unencrypted traffic, run a man-in-the-middle, serve fake login pages, and tamper with DNS, all while your device shows a normal connection.

CoffeeShopreal routerYOUyour deviceCoffeeShopevil twinauto-joins the stronger signal
EVIL TWINsame SSID, stronger signal — the device prefers the attacker's access point
/ WHAT SHIPPED

Two tiers: nearby, and the moment you land

The detector works on two layers. A rolling environmental scan enumerates every access point advertising your network’s name and flags any that sits outside your network’s legitimate vendor space — escalating when it out-signals your real router. And a connection-state monitor checks your current association against a saved baseline on three axes: BSSID, gateway MAC, and DNS resolver. A hard mismatch on the first two means you may now be on the fake AP.

BSSID
aa:11:e8aa:11:e8
GATEWAY MAC
e8:d1:1be8:d1:1b
DNS RESOLVER
1.1.1.11.1.1.1
BASELINE MATCH — trusted hardware
BASELINE CHECKthe current association weighed against the saved BSSID, gateway MAC and DNS
/ MESH-AWARE

It knows your eero from an impostor

The hard part isn’t spotting many radios under one name — a mesh does that on purpose. The hard part is telling your radios from a stranger’s. Detection recognizes legitimate mesh systems — eero, Orbi, Nest WiFi, Deco, AiMesh, Plume — by hardware prefix and manufacturer, so it only flags a radio that genuinely doesn’t belong. That’s the difference between a tool you keep on and one you switch off after the third false alarm.

YOUR MESH · SAME VENDOR
a4:83:e7:11eero · node 1
a4:83:e7:12eero · node 2
a4:83:e7:13eero · node 3
✓ recognized — roaming
EVIL TWIN · UNKNOWN VENDOR
f0:9e:2c:71unknown radio
✗ outside vendor space — flagged
MESH vs TWINyour mesh uses many radios on purpose — the trick is flagging only the one that doesn’t belong
/ ONE ALERT, NOT TWO

De-duplicated with ARP

An evil twin and a gateway ARP spoof can be the same attack seen by two different detectors. Rather than alarm you twice, we correlate them into a single verified alert — the same full-screen, critical-severity event, deduplicated so you act once.

EVIL-TWIN DETECTORfires on the same attackARP DETECTORfires on the same attackDE-DUPcorrelate1verified alert
ONE VERIFIED ALERTan evil twin and a gateway ARP spoof are often one attack — we de-duplicate them so you act once
/ THE PRICE

Detection is free

Mesh-aware evil-twin detection ships in the free version and always will. Knowing you’ve landed on a fake access point is exactly the kind of thing that shouldn’t be paywalled. (Breaking the attacker’s hold — the Active Defense response — is the part a subscription covers.)

FREE FOREVERMesh-aware evil-twin detection is free, for Windows.

Read more: how evil twins work · how to detect one yourself · the ARP detector before it

Stop trusting the name.
Start checking the hardware.