Active Defense.
The first line, not the last.
A VPN encrypts your traffic. WifiThreatWatch first takes away the attacker’s target — then encrypts. Here’s exactly what happens when you tap Protect Me.
What’s actually happening on that public WiFi
You connect to the coffee shop’s WiFi. So does an attacker. They send out forged ARP messages telling your laptop that they are the router, and telling the router that they are you. Now every packet you send flows through their machine first.
This is a man-in-the-middle attack, and it’s quiet. Your pages still load. Nothing looks wrong. But anything unencrypted — and the metadata of everything else — is theirs to read.
A VPN would encrypt your traffic. But the attacker still holds your device’s network identity — they can keep interfering. So we do something a VPN can’t: we take the target away first.
Six steps, in this exact order
The order is the whole point. Disconnect → randomize → reconnect happens before the VPN connects. By the time the tunnel comes up, the attacker has been poisoning a MAC and IP that are no longer on the network.
Detect
WifiThreatWatch watches the network in real time. The moment it sees your gateway being impersonated — the signature of a man-in-the-middle — it flags the attack.
Disconnect
Once the attack is confirmed, the app drops the compromised WiFi connection. You’re briefly off the network the attacker controls.
Randomize
Your device gets a brand-new identity. WifiThreatWatch rotates your hardware address and pulls a fresh IP from the real router. The attacker’s targeting is now broken — they’re poisoning an address that no longer exists.
Reconnect
The app rejoins the same network with its clean new identity and a fresh IP. To the attacker, the device they were intercepting has simply vanished.
Encrypt
Now — and only now — the encrypted tunnel comes up. Your device connects to a private, self-hosted VPN, and your encryption keys never leave your machine — they’re held in OS-protected storage, not a plaintext file.
Verify
Finally, the app confirms the tunnel is real: it checks that your traffic is genuinely routing through our server — not a falsely “protected” state.
Out-racing a persistent attacker
A determined attacker can re-poison a freshly-reset MAC and IP within seconds. So we don’t try once. We retry with a brand-new identity each time — up to five attempts, each one a full fresh capture, a new random MAC, and a new DHCP lease.
Changing identity faster than the attacker can re-poison turns a coin-flip into near-certain success. If all five fail, we roll your adapter back to its original state and tell you honestly: this attacker is persistent — leave the network. They can’t follow you to another one.
Two signals, so we don’t cry wolf
A poisoned ARP entry can linger in the Windows cache long after the attacker has left. Without verification, that stale entry would fire a full alarm for an attack that already ended. So before we interrupt you, we confirm the attack is genuinely live — using two signals at once.
We actively ask the network who’s really answering as your router right now — and read back every reply.
We check whether our live monitor has actually seen the attacker’s poison traffic against this gateway in the last few seconds.
Real attack: full alarm with a 60-second countdown and Protect Me. Stale leftover from an attack that already ended: a quiet “all clear.” If we genuinely can’t tell within 30 seconds, we fail toward safety and treat it as real.
Even if the attacker gets back in, they can’t find you again.
They’re chasing a ghost.