Man-in-the-Middle
Someone is sitting in the middle of your connection, reading as it passes.
What it is
“Man-in-the-middle” (MITM) is the umbrella term for any attack where an adversary positions themselves between you and whatever you’re trying to reach, so your traffic passes through them on the way. From there they can read it, log it, or alter it.
It isn’t a single technique — it’s a goal. ARP spoofing, evil-twin access points, and rogue DNS are all different roads to the same destination: the attacker in the middle.
Someone is sitting in the middle of your connection, reading as it passes.
How attackers do it
On a local network, the common routes to a man-in-the-middle position are:
ARP spoofing — impersonating your router at the hardware level so traffic flows through the attacker. Evil-twin access points — getting you to connect to attacker-controlled WiFi in the first place. Rogue DNS — redirecting your name lookups to servers the attacker controls.
Encryption (HTTPS, a VPN) protects the contents of your traffic, but a MITM attacker still controls your path and can see metadata, attempt downgrades, and interfere with the connection.
How we detect it
Rather than looking for “a MITM” in the abstract, WifiThreatWatch detects the concrete techniques that create one. Live ARP-frame capture catches gateway impersonation as it happens; two-tier, mesh-aware checks catch evil twins by BSSID, gateway MAC, and DNS; and resolver monitoring catches DNS redirection.
A two-signal verification step then confirms the attack is genuinely live before it ever interrupts you — an active gateway probe weighed against live sniffer activity.
How we stop it
The defining advantage of WifiThreatWatch is that it doesn’t just encrypt around a man-in-the-middle — it removes the attacker’s target. Active Defense disconnects, randomizes your MAC address and IP, reconnects with a clean identity, and only then brings up an encrypted self-hosted VPN tunnel. If the attacker re-establishes their position, it changes identity again, up to five times.
See the full Active Defense flow →
ARP Spoofing
An attacker on your network impersonates your router to silently intercept everything you send.
Read more →Evil Twin
A fake access point broadcasts your network’s name to lure your device onto attacker-controlled hardware.
Read more →Rogue Device
A device you never authorized quietly joins your network and gains a foothold on your LAN.
Read more →