/ ANNOUNCEMENT — JUL 6, 2026

A live WiFi threat database — so you see attacks before you connect.

One person’s detection becomes everyone’s early warning. Here’s the shared database that turns a single-device tool into a community that watches WiFi together.

We’re excited to announce the live WiFi threat database: a shared pool of confirmed WiFi attacks. When one WifiThreatWatch device catches an evil twin, an ARP spoof, or a DNS attack, a guarded report of that attack is contributed to a database every other device checks — so a network where an attack was recently confirmed shows up already flagged in your list, before you ever tap connect.

Updated July 8, 2026: this post now describes the guarded collection model introduced in Terms v2026-07-08.2 — the attacker’s rogue access point is documented in full, your own network only ever leaves your device as a hash.

One person’s bad afternoon at a café becomes everyone else’s heads-up.

It’s in early access, it’s free, and — the part that matters most — it documents the attacker while hashing everything of yours. Here’s exactly how it works.

/ THE PROBLEM

You can’t vet a network from the join screen

Every public network looks the same when you’re deciding whether to trust it: a name and a few signal bars. Neither tells you who else is on it, whether it’s really the coffee shop’s router or an evil twin wearing its name, or whether someone was caught running a man-in-the-middle there an hour ago. Your device joins blind — and so does everyone else’s, over and over, each person learning the hard way in isolation.

The insight behind the live database is simple: those detections shouldn’t stay trapped on one laptop. If one device already caught the attack, the next person shouldn’t have to.

/ BEFORE YOU JOIN

The warning is already waiting in your network list

When you scan for WiFi, the app checks every network it can see against what the community has flagged. If another WifiThreatWatch device confirmed an attack on that network, the warning is already there when the list appears — not after you connect, not after you’re targeted. It’s the difference between a smoke detector and a fire report from the people who were in the building before you.

Terminal_Free_WiFino reports
Free Airport WiFichecking…
Gate_C_Guestno reports
looked up by hashed fingerprint — and warnings never say who reported them
SEE THREATS BEFORE YOU JOINevery nearby network checked against the shared database — before you tap connect
/ WHILE YOU’RE ON IT

Re-checked about every 30 seconds

Protection doesn’t stop the moment you connect. The app re-checks the network you’re currently on about every 30 seconds, so if another user’s device flags it after you joined, you’re warned on the next re-check — not the next time you happen to open the app and scan.

CoffeeShop_WiFiconnected
00:00
00:30
01:00
RE-CHECKED ~EVERY 30sflagged after you already joined? you’re warned in the app on the next re-check, not at your next scan
/ GUARDED COLLECTION

Document the attacker. Hash everything of yours.

A useful warning has to name the threat. So when a device confirms an attack run from a rogue hotspot — the attacker’s hardware, not yours — the report documents that access point in full: its real network name, hardware address, radio details (channel, band, security mode, vendor, signal), and the rough area where it was seen — a zone of 150 m to 1 km, never an exact position. That precision is what lets every other device recognize the same equipment the moment it reappears somewhere else.

Your own network never gets that treatment. Before anything about it leaves your computer, its identifiers become a one-way hash — a fingerprint that can be matched but never turned back into a name. The real WiFi name and router address never leave your device, and nearby networks seen during scans cross the same way: hashes only.

YOUR DEVICEOUR SERVERSTHE ATTACKER’S ROGUE APreported as-isFakeCafe_FreeWiFide:ad:be:ef:13:37name · MAC · radioarea ≈ 150 m – 1 kmDOCUMENTED IN FULLYOUR OWN NETWORKHome WiFia4:5e:60:2b:8f:c1ONE-WAY HASHruns on your devicea3f9··c1HASH ONLY — NEVER THE NAME
GUARDED COLLECTIONthe attacker’s rogue AP crosses documented in full — your own network only ever crosses as a hash

Reports stay linked to the reporting account for at most 90 days — used solely to keep false reports out of the database — and are then permanently anonymized, leaving only aggregate statistics. Warnings never say who reported what. And what’s never collected at all: your browsing activity, your files, your exact GPS position, or your own network’s real name. The full model is spelled out in the Privacy Policy and Terms.

/ MANY REPORTERS, ONE VERDICT

Corroboration, not spam

If ten devices catch the same evil twin, the database doesn’t hold ten screaming entries — it holds one verdict, corroborated by ten. Extra witnesses make the flag more trustworthy, not louder, and a device re-sending the same report is counted once. Alerts stay local, too: your device warns you once, from its own checks, and won’t re-nag you about the same flagged network every half-minute.

REPORTS COMING IN
PC Acounted
PC A · re-send
PC B
NANO
WHAT EVERYONE READS
⚠ EVIL TWIN · CRITICALcorroborated by 1 deviceone shared row · one warning on your screen
STRONGER, NOT LOUDERevery extra reporter raises one shared count — it never multiplies the warnings on your screen

It’s also pull-based: devices ask the database questions and it answers — that’s the entire relationship. Nothing is ever pushed to your device, there’s no device-to-device messaging, and every warning on your screen comes from your own device’s checks.

/ STRONGER WITH EVERY USER

A database that grows with the community

We’d rather be honest than oversell: this database is young. It grows with the community, and that’s the whole point — every device that joins makes the next warning likelier to already exist when someone needs it. It also fails safe: offline or signed out, lookups quietly return nothing and scanning continues normally, because reputation is advisory and never gates your connection.

SHAREDDB1 device sharing · grows with every user
IT COMPOUNDSthe database is young — every device that joins makes the next warning likelier to already be there

For the full architecture — the two channels people mix up, how a warning travels, and the boring fail-safe guarantees — see the Shared Threat Intelligence deep dive.

/ EARLY ACCESS

Free, and in your hands early

The live threat database is in private beta and free. Contributing your device’s confirmed detections is a required part of the free app — every warning in the database exists because someone’s device reported it, and yours reports the same way when it catches an attack. It warns, it doesn’t block, and it’s built to be trustworthy on its worst day, not just its best one.

FREE FOREVERCommunity WiFi warnings, free — for Windows, in early access.

Learn more: how shared intelligence works · evil-twin attacks · what a public network really looks like

/ FAQ

The live threat database: quick answers

How can I tell if a WiFi network is safe before connecting?

You can’t judge a network from the join screen — the name and the signal bars tell you nothing about who else is on it or whether an attack has happened there. The live threat database changes that: when your device scans for WiFi, it checks each visible network against a shared pool of confirmed attacks, so a network where an evil twin or spoofing attack was recently confirmed shows up already flagged, before you tap connect.

What is a shared WiFi threat database?

It’s a crowd-sourced pool of confirmed attacks. When one WifiThreatWatch device confirms an attack, it contributes a guarded report to a shared database: the attacker’s rogue access point is documented in full — real network name, hardware address, radio details, and a rough area — while the user’s own network only ever appears as a one-way hash. Every other device can then check the networks around it against that database and be warned about hardware someone else already caught attacking.

Does the database track my location or the networks I’m near?

It doesn’t track you. Reports exist only when an attack is detected, and they carry a coarse zone — roughly 150 m to 1 km around where the attacker’s rogue hotspot was seen — never your exact GPS position. Your own network’s name and router address are turned into a one-way hash on your device before anything is sent, nearby networks seen during scans are hashed the same way, and reports are permanently anonymized after at most 90 days. Warnings never say who reported what.

Does it block me from connecting to a flagged network?

No. It warns; it never blocks. A flag tells you what the community has seen so you can decide for yourself. And a flag isn’t a verdict on a place — it means an attack was confirmed on that network recently, which is a reason for caution, not proof the coffee shop is malicious.

Do I have to contribute to benefit from it?

Yes — contribution is a required part of the free app, and it cannot be turned off. When your device confirms an attack, it reports it, the same way every other user’s device reported the warnings you benefit from. What it reports is guarded: the attacker’s hardware in full, your own network only as a one-way hash, and the report is permanently anonymized after at most 90 days.

Every device makes it stronger.
See attacks before you connect.