Flying through Pensacola? Here’s what a scan of the airport WiFi really shows.
Our second airport field report. After Denver’s chaotic 73-access-point sprawl, Pensacola was refreshingly clean — which makes the parts that weren’t more interesting.
On July 4, 2026, we ran WifiThreatWatch on “PNS Airport,” the free WiFi at Pensacola International Airport (PNS). The good news first: it’s a much tidier network than Denver — one consistently-run network name, a handful of matching access points, and a security-focused DNS resolver (Quad9). But it’s still an open, unencrypted network, it was busy (85+ unfamiliar devices flagged), and it wasn’t completely quiet.
A well-run airport network is still a public one: open, shared with everyone in the terminal, and impossible to vet from the join screen.
As with Denver, these are indicators the app flagged, not confirmed attacks — and this time one of them almost certainly wasn’t. See the methodology and caveats at the end.
Credit where it’s due: a clean setup
Denver’s busiest network was being broadcast by 73 access points, which set off a string of evil-twin and suspicious-BSSID flags. Pensacola was the opposite: a single, consistently-named network carried by a small set of matching access points, with no evil-twin indicators at all.
It also ran on Quad9 (9.9.9.9), a public DNS resolver that blocks known-malicious domains — a genuinely security-conscious choice for a public network. If you’re grading airports on WiFi hygiene, Pensacola did better than Denver. That’s worth saying plainly.
But it’s still open — and still crowded
“PNS Airport” is an open network: you join with one tap and no password, and the WiFi layer itself adds no encryption. During our scan the app flagged 85 devices it had never seen before — which, on public airport WiFi, is simply everyone else in the terminal sharing the same network as you. That’s not 85 attackers; it’s 85 strangers on the same open segment, which is exactly the exposure that makes public WiFi different from your network at home.
The practical risk isn’t that the airport is out to get you. It’s that on an open, shared network you can’t see who else is on it or what they’re running — and neither can you tell a legitimate access point from a fake one by looking.
Two ARP blips — and why we’re not sounding an alarm
The app logged two ARP anomalies a couple of minutes apart — a device’s IP-to-MAC binding changing quickly, which is the raw signature of ARP spoofing. On a busy public network, though, the honest read is that this was almost certainly benign: every address involved was a randomized (locally-administered) MAC, the kind modern phones rotate automatically, and the activity was brief and didn’t recur.
We’re including it anyway, because it’s a good lesson: a real detector will surface ambiguous signals, and the value isn’t a scary red banner — it’s the context to tell a two-minute MAC-randomization blip apart from a sustained man-in-the-middle. Panic isn’t a security strategy; knowing is.
Exposure rating (our model)
Same transparent model as Denver: start from “open/unencrypted,” then weigh evil-twin indicators, ARP-spoofing indicators, DNS anomalies, and how many devices were exposed. Pensacola lands lower than Denver’s networks — open and crowded, but clean and well-run.
For contrast, Denver’s airline lounge network rated High and its main network Elevated. Read the Denver report →
What this means if you fly through PNS
Pensacola is a good example of a public network done reasonably well — and it’s still public. The advice doesn’t change: prefer your phone’s hotspot for anything sensitive, confirm sites are HTTPS, and use a VPN to encrypt your traffic. Just remember the gap — a VPN encrypts what you send; it doesn’t tell you there’s an evil twin or a man-in-the-middle in the room. That’s the difference between privacy and security.
How we saw all of this
Everything above came from WifiThreatWatch running quietly on a Windows laptop. It watches the network you’re on in real time, surfaces every device, and flags the signatures of an attack — evil-twin indicators, ARP spoofing, DNS anomalies, rogue devices — as they happen, with enough context to tell a harmless blip from a real one. Real-time detection is free.
Related: the Denver report · how to tell if someone is on your WiFi · the threats library
Data was collected on a single Windows laptop during one visit to Pensacola International Airport on July 4, 2026, using WifiThreatWatch in passive monitoring mode. We only observed the network we were connected to; we did not attempt to intercept, attack, or access any other person’s device or traffic.
The app reports indicators, not confirmed attacks. The two ARP anomalies involved randomized (locally-administered) MAC addresses and did not persist, which is consistent with routine device MAC randomization rather than a targeted attack — we report them for completeness, not as evidence of foul play. “Unknown devices” simply means addresses new to this laptop, which is expected on any public network. We have not attributed any activity to any person or organization.