/ HOW IT WORKS

Active Defense.
The first line, not the last.

A VPN encrypts your traffic. WifiThreatWatch first takes away the attacker’s target — then encrypts. Here’s exactly what happens when you tap Protect Me.

/ THE PROBLEM

What’s actually happening on that public WiFi

You connect to the coffee shop’s WiFi. So does an attacker. They send out forged ARP messages telling your laptop that they are the router, and telling the router that they are you. Now every packet you send flows through their machine first.

This is a man-in-the-middle attack, and it’s quiet. Your pages still load. Nothing looks wrong. But anything unencrypted — and the metadata of everything else — is theirs to read.

A VPN would encrypt your traffic. But the attacker still holds your device’s network identity — they can keep interfering. So we do something a VPN can’t: we take the target away first.

the direct route you assumeYOUROUTERATTACKER
ARP MITMthe route you assume vs. the one you get — every packet detours through the attacker first
/ THE PROTECT ME FLOW

Six steps, in this exact order

The order is the whole point. Disconnect → randomize → reconnect happens before the VPN connects. By the time the tunnel comes up, the attacker has been poisoning a MAC and IP that are no longer on the network.

1
Detect
2
Disconnect
3
Randomize
4
Reconnect
5
Encrypt
6
Verify
VPN TUNNEL — down · identity not reset yet
PROTECT MEsix stages in one fixed order — the encrypted tunnel comes up last, not first
01

Detect

WifiThreatWatch watches the network in real time. The moment it sees your gateway being impersonated — the signature of a man-in-the-middle — it flags the attack.

02

Disconnect

Once the attack is confirmed, the app drops the compromised WiFi connection. You’re briefly off the network the attacker controls.

03

Randomize

Your device gets a brand-new identity. WifiThreatWatch rotates your hardware address and pulls a fresh IP from the real router. The attacker’s targeting is now broken — they’re poisoning an address that no longer exists.

04

Reconnect

The app rejoins the same network with its clean new identity and a fresh IP. To the attacker, the device they were intercepting has simply vanished.

05

Encrypt

Now — and only now — the encrypted tunnel comes up. Your device connects to a private, self-hosted VPN, and your encryption keys never leave your machine — they’re held in OS-protected storage, not a plaintext file.

06

Verify

Finally, the app confirms the tunnel is real: it checks that your traffic is genuinely routing through our server — not a falsely “protected” state.

MACa4:83:e7:1c:9b:22· · : · · : · ·
IP192.168.1.87· · · . · · ·
rotating hardware address…
NEW IDENTITYthe adapter rolls a fresh MAC and pulls a new DHCP lease — the address the attacker was poisoning no longer exists
/ THE RETRY LOOP

Out-racing a persistent attacker

ATTEMPT1/ 5
re-poisoned → new identity
RETRYa new identity every attempt — up to five — until one beats the re-poison

A determined attacker can re-poison a freshly-reset MAC and IP within seconds. So we don’t try once. We retry with a brand-new identity each time — up to five attempts, each one a full fresh capture, a new random MAC, and a new DHCP lease.

Changing identity faster than the attacker can re-poison turns a coin-flip into near-certain success. If all five fail, we roll your adapter back to its original state and tell you honestly: this attacker is persistent — leave the network. They can’t follow you to another one.

/ VERIFICATION

Two signals, so we don’t cry wolf

A poisoned ARP entry can linger in the Windows cache long after the attacker has left. Without verification, that stale entry would fire a full alarm for an attack that already ended. So before we interrupt you, we confirm the attack is genuinely live — using two signals at once.

SIGNAL A — ACTIVE PROBE

We actively ask the network who’s really answering as your router right now — and read back every reply.

SIGNAL B — SNIFFER ACTIVITY

We check whether our live monitor has actually seen the attacker’s poison traffic against this gateway in the last few seconds.

A · ACTIVE PROBEIMPOSTOR REPLYwho answers as the router?
B · LIVE SNIFFERSEEN 2s AGOpoison traffic right now?
AND
REAL ATTACKALARM · 60s
ANDboth signals must agree before we interrupt you — a stale cache entry alone stays quiet

Real attack: full alarm with a 60-second countdown and Protect Me. Stale leftover from an attack that already ended: a quiet “all clear.” If we genuinely can’t tell within 30 seconds, we fail toward safety and treat it as real.

/ WHAT THIS MEANS

Even if the attacker gets back in, they can’t find you again.

They’re chasing a ghost.

See it in action.
Download WifiThreatWatch.