A live WiFi threat database — so you see attacks before you connect.
One person’s detection becomes everyone’s early warning. Here’s the shared database that turns a single-device tool into a community that watches WiFi together.
We’re excited to announce the live WiFi threat database: a shared pool of confirmed WiFi attacks. When one WifiThreatWatch device catches an evil twin, an ARP spoof, or a DNS attack, a guarded report of that attack is contributed to a database every other device checks — so a network where an attack was recently confirmed shows up already flagged in your list, before you ever tap connect.
Updated July 8, 2026: this post now describes the guarded collection model introduced in Terms v2026-07-08.2 — the attacker’s rogue access point is documented in full, your own network only ever leaves your device as a hash.
One person’s bad afternoon at a café becomes everyone else’s heads-up.
It’s in early access, it’s free, and — the part that matters most — it documents the attacker while hashing everything of yours. Here’s exactly how it works.
You can’t vet a network from the join screen
Every public network looks the same when you’re deciding whether to trust it: a name and a few signal bars. Neither tells you who else is on it, whether it’s really the coffee shop’s router or an evil twin wearing its name, or whether someone was caught running a man-in-the-middle there an hour ago. Your device joins blind — and so does everyone else’s, over and over, each person learning the hard way in isolation.
The insight behind the live database is simple: those detections shouldn’t stay trapped on one laptop. If one device already caught the attack, the next person shouldn’t have to.
The warning is already waiting in your network list
When you scan for WiFi, the app checks every network it can see against what the community has flagged. If another WifiThreatWatch device confirmed an attack on that network, the warning is already there when the list appears — not after you connect, not after you’re targeted. It’s the difference between a smoke detector and a fire report from the people who were in the building before you.
Re-checked about every 30 seconds
Protection doesn’t stop the moment you connect. The app re-checks the network you’re currently on about every 30 seconds, so if another user’s device flags it after you joined, you’re warned on the next re-check — not the next time you happen to open the app and scan.
Document the attacker. Hash everything of yours.
A useful warning has to name the threat. So when a device confirms an attack run from a rogue hotspot — the attacker’s hardware, not yours — the report documents that access point in full: its real network name, hardware address, radio details (channel, band, security mode, vendor, signal), and the rough area where it was seen — a zone of 150 m to 1 km, never an exact position. That precision is what lets every other device recognize the same equipment the moment it reappears somewhere else.
Your own network never gets that treatment. Before anything about it leaves your computer, its identifiers become a one-way hash — a fingerprint that can be matched but never turned back into a name. The real WiFi name and router address never leave your device, and nearby networks seen during scans cross the same way: hashes only.
Reports stay linked to the reporting account for at most 90 days — used solely to keep false reports out of the database — and are then permanently anonymized, leaving only aggregate statistics. Warnings never say who reported what. And what’s never collected at all: your browsing activity, your files, your exact GPS position, or your own network’s real name. The full model is spelled out in the Privacy Policy and Terms.
Corroboration, not spam
If ten devices catch the same evil twin, the database doesn’t hold ten screaming entries — it holds one verdict, corroborated by ten. Extra witnesses make the flag more trustworthy, not louder, and a device re-sending the same report is counted once. Alerts stay local, too: your device warns you once, from its own checks, and won’t re-nag you about the same flagged network every half-minute.
It’s also pull-based: devices ask the database questions and it answers — that’s the entire relationship. Nothing is ever pushed to your device, there’s no device-to-device messaging, and every warning on your screen comes from your own device’s checks.
A database that grows with the community
We’d rather be honest than oversell: this database is young. It grows with the community, and that’s the whole point — every device that joins makes the next warning likelier to already exist when someone needs it. It also fails safe: offline or signed out, lookups quietly return nothing and scanning continues normally, because reputation is advisory and never gates your connection.
For the full architecture — the two channels people mix up, how a warning travels, and the boring fail-safe guarantees — see the Shared Threat Intelligence deep dive.
Free, and in your hands early
The live threat database is in private beta and free. Contributing your device’s confirmed detections is a required part of the free app — every warning in the database exists because someone’s device reported it, and yours reports the same way when it catches an attack. It warns, it doesn’t block, and it’s built to be trustworthy on its worst day, not just its best one.
Learn more: how shared intelligence works · evil-twin attacks · what a public network really looks like
The live threat database: quick answers
How can I tell if a WiFi network is safe before connecting?
You can’t judge a network from the join screen — the name and the signal bars tell you nothing about who else is on it or whether an attack has happened there. The live threat database changes that: when your device scans for WiFi, it checks each visible network against a shared pool of confirmed attacks, so a network where an evil twin or spoofing attack was recently confirmed shows up already flagged, before you tap connect.
What is a shared WiFi threat database?
It’s a crowd-sourced pool of confirmed attacks. When one WifiThreatWatch device confirms an attack, it contributes a guarded report to a shared database: the attacker’s rogue access point is documented in full — real network name, hardware address, radio details, and a rough area — while the user’s own network only ever appears as a one-way hash. Every other device can then check the networks around it against that database and be warned about hardware someone else already caught attacking.
Does the database track my location or the networks I’m near?
It doesn’t track you. Reports exist only when an attack is detected, and they carry a coarse zone — roughly 150 m to 1 km around where the attacker’s rogue hotspot was seen — never your exact GPS position. Your own network’s name and router address are turned into a one-way hash on your device before anything is sent, nearby networks seen during scans are hashed the same way, and reports are permanently anonymized after at most 90 days. Warnings never say who reported what.
Does it block me from connecting to a flagged network?
No. It warns; it never blocks. A flag tells you what the community has seen so you can decide for yourself. And a flag isn’t a verdict on a place — it means an attack was confirmed on that network recently, which is a reason for caution, not proof the coffee shop is malicious.
Do I have to contribute to benefit from it?
Yes — contribution is a required part of the free app, and it cannot be turned off. When your device confirms an attack, it reports it, the same way every other user’s device reported the warnings you benefit from. What it reports is guarded: the attacker’s hardware in full, your own network only as a one-way hash, and the report is permanently anonymized after at most 90 days.