/ THREATS — MAN-IN-THE-MIDDLE · UMBRELLA

Man-in-the-Middle

Someone is sitting in the middle of your connection, reading as it passes.

/ WHAT IT IS

What it is

“Man-in-the-middle” (MITM) is the umbrella term for any attack where an adversary positions themselves between you and whatever you’re trying to reach, so your traffic passes through them on the way. From there they can read it, log it, or alter it.

It isn’t a single technique — it’s a goal. ARP spoofing, evil-twin access points, and rogue DNS are all different roads to the same destination: the attacker in the middle.

YOUINTERNETdirectADVERSARYreading as it passes
MAN IN THE MIDDLEthe same connection, re-routed so your traffic passes through the adversary

Someone is sitting in the middle of your connection, reading as it passes.

/ THE ATTACK

How attackers do it

On a local network, the common routes to a man-in-the-middle position are:

ARP spoofing — impersonating your router at the hardware level so traffic flows through the attacker. Evil-twin access points — getting you to connect to attacker-controlled WiFi in the first place. Rogue DNS — redirecting your name lookups to servers the attacker controls.

Encryption (HTTPS, a VPN) protects the contents of your traffic, but a MITM attacker still controls your path and can see metadata, attempt downgrades, and interfere with the connection.

/ DETECTION

How we detect it

Rather than looking for “a MITM” in the abstract, WifiThreatWatch detects the concrete techniques that create one. Live ARP-frame capture catches gateway impersonation as it happens; two-tier, mesh-aware checks catch evil twins by BSSID, gateway MAC, and DNS; and resolver monitoring catches DNS redirection.

A two-signal verification step then confirms the attack is genuinely live before it ever interrupts you — an active gateway probe weighed against live sniffer activity.

FREE FOREVERFree in every WifiThreatWatch install.
/ RESPONSE

How we stop it

The defining advantage of WifiThreatWatch is that it doesn’t just encrypt around a man-in-the-middle — it removes the attacker’s target. Active Defense disconnects, randomizes your MAC address and IP, reconnects with a clean identity, and only then brings up an encrypted self-hosted VPN tunnel. If the attacker re-establishes their position, it changes identity again, up to five times.

ATTACKER TARGETLOCKED
MACde:ad:be:ef
IP192.168.0.42
IDENTITY RESETa fresh MAC and IP break the attacker's lock before the tunnel comes up

See the full Active Defense flow →

WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.