/ THREATS — ROGUE DEVICE · LOW → INVESTIGATE

Rogue Device

Something is on your network that you didn’t put there.

/ WHAT IT IS

What it is

A rogue device is any device on your network that you didn’t put there — a neighbor who guessed your WiFi password, a guest who never left, or, in the worst case, an attacker who has gained a foothold on your LAN.

Not every new device is malicious — a friend’s phone is usually harmless. But you can’t make that call if you can’t even see what’s connected. Most people have no idea.

KNOWN BASELINE
Gateway · Netgear
a0:04:60:1c:…
KNOWN
iPhone · Apple
f0:18:98:7b:…
KNOWN
Smart TV · Samsung
8c:79:f5:22:…
KNOWN
unknown · unrecognized OUI
9c:8e:cd:41:…
NEW
DEVICE ROSTERa MAC the baseline has never seen is surfaced as new

Something is on your network that you didn’t put there.

/ THE ATTACK

How attackers do it

An attacker who gets onto your network — through a weak password, a compromised IoT gadget, or physical access to an Ethernet port — becomes just another host on your LAN. From there they can scan for other devices, attempt ARP spoofing, or pivot to anything else on the network.

The challenge is visibility: your router’s admin page often shows an incomplete or stale list, and a device that stays quiet can sit unnoticed for a long time.

/ DETECTION

How we detect it

WifiThreatWatch ping-sweeps your entire subnet concurrently — dozens of pings at once, a full sweep in seconds — to force every device to reveal itself, even ones your PC hasn’t talked to. That’s what makes all devices visible, not just the handful in your local cache.

.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13
.14
.15
.16
.17
.18
.19
.20
.21
.22
.23
.24
pinging 254 hosts concurrently…
SUBNET SWEEPevery host pinged at once — one MAC answers that shouldn't

It keeps a map of every IP-to-MAC pairing and a set of known devices. A MAC address that has never been seen before is flagged as a rogue device. On the very first run it quietly seeds the baseline so it doesn’t flood you by labeling every existing device as new.

The same loop powers live device tracking — manufacturer lookup, and an online/offline status verified by live pings each cycle.

FREE FOREVERFree in every WifiThreatWatch install.
[ detector.py + scanner.py — concurrent subnet ping-sweep ]
/ RESPONSE

How we stop it

A new device is informational by design — you decide whether it belongs. WifiThreatWatch surfaces it immediately with its IP, manufacturer, and the time it first joined, so you can recognize it or investigate.

If that rogue device starts behaving like an attacker — poisoning ARP, impersonating the gateway — the detection escalates to a critical alert, and Active Defense is one tap away.

a4:83:e7:2c:1f:90Espressif Inc. · 192.168.0.57 · first seen 14:22
INFO
new MAC on the subnet — you decide whether it belongs
ESCALATIONa new device is informational — until it acts like an attacker, and the same detection turns critical
WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.