Man-in-the-middle, covered end to end.
You can’t detect “a MITM” directly — it’s a goal, not a technique. So we shipped the detectors for every road that leads to it, and tied them together.
With ARP, evil-twin, and DNS detection all shipped, WifiThreatWatch now covers the man-in-the-middle attack end to end — not as a single magic “MITM detector,” but by catching the concrete techniques that create one, verifying they’re live, and breaking the attacker’s targeting.
A man-in-the-middle isn’t one attack. It’s a destination — with three roads leading in.
Detect the technique, not the abstraction
“Man-in-the-middle” is the umbrella term for any attack that puts an adversary between you and the internet. ARP spoofing, evil twins, and rogue DNS are different roads to the same place. So rather than looking for a MITM in the abstract, we detect the fingerprints each road leaves.
Why a VPN alone leaves the door open
Encryption protects the contents of your traffic, but a man-in-the-middle still owns your path — they see metadata and destinations, can attempt downgrades, and can interfere. That’s the exact gap WifiThreatWatch exists to close: not hiding your data around an attacker, but telling you the attacker is there.
Remove the target, then encrypt
Detection is half the story. When an attack is confirmed, Active Defense removes what the attacker is targeting: it disconnects, randomizes your MAC and IP, reconnects with a clean identity, and only then brings up the encrypted tunnel — re-changing identity up to five times if the attacker keeps coming. The order is the point.
Detection is free
Detecting the techniques behind a man-in-the-middle ships in the free version. The Active Defense response — removing the target and bringing up the tunnel — is the part a subscription covers.
Read more: the MITM threat page · how to detect a MITM · the Active Defense flow