
ZeroTrace AirLeak

Alerts in Practice

Using the alert engine to find what matters

The alert engine is what turns "AirLeak captures everything" into "AirLeak tells you what matters." Privacy leaks, tracking patterns, security weaknesses — anything worth surfacing fires an alert.

This tutorial covers how to use alerts effectively without drowning in noise.


Severity levels

Every alert has a severity. Default rendering on the desktop:

Level        Display   When
0 — Info     gray      Informational; not necessarily a problem
1 — Low      blue      Minor leak or expected behavior worth noting
2 — Medium   yellow    Real exposure of identifiable data
3 — High     red       Strong tracking signal or active attack pattern

The Alerts page sorts by severity descending — high-severity alerts always at the top.

For a complete list of every alert and its severity, see the Alert Rules reference.


The Alerts page

In the sidebar, Alerts. Two main views:

By-rule summary card

Shows every alert rule that's fired this session, sorted by count descending:

airdrop_discoverable    23
findmy_separated        18
pii_ssid_in_probe       12
corp_ssid_in_probe       8
open_network_near        7
wps_enabled              4
...

Counts are right-aligned. Click any rule to filter the table to that rule.

Alert log table

Every alert as a row; within each severity level, newest at top:

Column     What it shows
Time       HH:MM:SS
Severity   🚨 High / ⚠️ Medium / 📘 Low / ℹ️ Info
Rule       Rule name
Device     Friendly name; click to open the device detail page
Detail     Rule-specific detail (e.g. the SSID for pii_ssid_in_probe)

Click any row to expand it for the full payload.


Filtering alerts

Three filter mechanisms, all AND-combined:

Severity filter

Drop-down: All / ≥ Info / ≥ Low / ≥ Medium / High only

Default: ≥ Low — hides info-level noise but keeps everything genuinely interesting.

Rule filter

Multi-select of rule names. Selecting multiple rules = OR within the filter (matches any selected rule).

Search filter

Searches across rule name, MAC, device name and alert detail text. Substring match.


Suppressing noisy alerts

Some alerts will fire constantly in certain environments and become noise. The classic example: cafe_ssid_in_probe at a coffee shop.

Two ways to suppress:

Per-session mute

Right-click an alert → Mute for this session. The rule stops firing for the rest of the session, then re-enables automatically.

Useful for "I'm in a coffee shop today, I don't want to see café-related alerts, but I'll re-enable them tomorrow."

Persistent disable

In the Alert detail or Settings → Command tab:

airleak-alert-disable cafe_ssid_in_probe

The rule is disabled in the unit's firmware: it won't fire and won't consume cycles, and the setting persists across reboots. Unlike a session mute, a disabled rule generates no events at all, so nothing from it reaches the ring buffer or an export.

To re-enable:

airleak-alert-enable cafe_ssid_in_probe

For a list of all rules and their default states, see Settings → Alert-rule enabled state.


The alert ring buffer

The unit's firmware keeps the last 1024 alerts in a ring buffer. Once the buffer is full, each new alert evicts the oldest one.

If you connect the desktop to a unit that's been running, the desktop replays the ring on connect, backfilling alerts that fired before you attached. So if you started a Monitor session this morning and the desktop went idle for hours, you'll still see the alert log when you reopen it. The limit matters for long unattended sessions: if more than 1024 alerts fire while the desktop is disconnected, the oldest are gone before the replay happens. Keep the desktop attached, or disable rules that are noise in that environment so the buffer covers a longer span.


Understanding common alert patterns

Multi-hour follower (severity 3)

The most important alert. A tracker has been with you for >3 hours.

What to do:

  • Check if it's a known device (yours, family, coworker)
  • If unknown, see Tracker Detection

Find My separated (severity 1)

A Find My device (AirTag or accessory) is broadcasting in separated-from-owner mode.

What to do:

  • Most are forgotten / lost trackers in public spaces — informational
  • If it stays with you, escalates to multi_hour_follower

AirDrop discoverable (severity 2)

A nearby iPhone has AirDrop set to Everyone.

What to do:

  • Mostly informational. Useful at events to gauge how many "Everyone" iPhones are around.
  • If the device is yours, change to Contacts-only.

PII SSID in probe (severity 1)

A phone probed for an SSID that looks personal (for example, Sarah's iPhone).

What to do:

  • If the device is yours, rename the network on your home WiFi
  • If a stranger's, you've passively learned a name — don't act on it

Corp SSID in probe (severity 2)

A phone probed for a corporate-pattern SSID.

What to do:

  • If a coworker's, share with security (their device leaks employer identity)
  • If a stranger's, useful for awareness training; don't act on it

Open network near (severity 0)

An unencrypted WiFi network is in range.

What to do:

  • If it's a venue's free network, expected
  • If it's at home / office, fix it
  • If you find an open network in a private space (hotel guest, coworking), report to the venue

Deauth burst (severity 2)

5+ deauthentication frames in 10 seconds, targeting one client.

What to do:

  • Could be an attack: forged deauth frames knock a client off its network, typically to push it onto an evil twin or to force a reconnection whose handshake can be captured
  • Could be benign: a misbehaving access point, or a client being dropped after interference (microwaves, baby monitors) broke the link
  • Walk away. If the burst follows you, suspect targeted activity.
  • On a network you control, enable management frame protection (MFP, 802.11w); clients on a protected network discard unauthenticated deauth frames
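
The rule as stated (5 or more deauthentication frames within 10 seconds aimed at one client) maps directly onto a per-client sliding window. The following is an added example, not AirLeak's firmware or any code from the project: it assumes frames arrive as (timestamp, subtype, destination MAC) tuples in capture order, and the sample frames and MACs are constructed for the example. It goes slightly beyond the page's wording by treating a burst as continuing, rather than re-firing, while the window stays at or above the threshold, which is what you want from a detector during a sustained attack.

```python
from collections import defaultdict, deque

# Thresholds as the page states the rule: 5+ deauth frames within 10 s to one client.
DEAUTH_MIN_FRAMES = 5
DEAUTH_WINDOW_S = 10.0

# Constructed sample capture: (timestamp in seconds, frame subtype, destination MAC).
# MACs are made up for this example.
VICTIM = "AA:BB:CC:00:00:01"
NOISY = "AA:BB:CC:00:00:02"
SAMPLE_FRAMES = [
    (0.0,  "deauth", VICTIM),
    (0.4,  "deauth", NOISY),
    (1.0,  "deauth", VICTIM),
    (2.1,  "deauth", VICTIM),
    (2.5,  "beacon", "FF:FF:FF:FF:FF:FF"),   # not a deauth, ignored
    (3.0,  "deauth", VICTIM),
    (4.2,  "deauth", VICTIM),                 # fifth deauth to VICTIM inside 10 s: burst
    (4.4,  "deauth", NOISY),
    (5.5,  "deauth", VICTIM),                 # still inside the window: extends the burst
    (8.4,  "deauth", NOISY),
    (12.4, "deauth", NOISY),                  # NOISY never sees more than 3 in any 10 s
    (16.4, "deauth", NOISY),
    (20.4, "deauth", NOISY),
    (40.0, "deauth", VICTIM),                 # isolated frame much later: no new burst
]


def detect_deauth_bursts(frames, min_frames=DEAUTH_MIN_FRAMES, window_s=DEAUTH_WINDOW_S):
    """Return one record per burst: {"client", "first", "last", "count"}.

    A burst opens when a client has min_frames deauths within window_s and
    stays open while later deauths keep the window at or above the threshold,
    so a sustained attack yields one alert rather than one per frame.
    Frames must be in capture (timestamp) order per client.
    """
    windows = defaultdict(deque)   # client MAC -> timestamps still inside the window
    open_burst = {}                # client MAC -> index into alerts while its burst is live
    alerts = []
    for ts, subtype, dst in frames:
        if subtype != "deauth":
            continue
        q = windows[dst]
        q.append(ts)
        while ts - q[0] > window_s:   # drop frames older than the window
            q.popleft()
        idx = open_burst.get(dst)
        if len(q) >= min_frames:
            if idx is None:
                open_burst[dst] = len(alerts)
                alerts.append({"client": dst, "first": q[0], "last": ts, "count": len(q)})
            else:
                alerts[idx]["last"] = ts
                alerts[idx]["count"] += 1
        elif idx is not None:
            del open_burst[dst]       # window thinned out: the next burst is a new alert
    return alerts


if __name__ == "__main__":
    for b in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth_burst client={b['client']} {b['count']} frames "
              f"between t={b['first']:.1f}s and t={b['last']:.1f}s")
```

Run on the sample, the detector reports a single burst against VICTIM covering six frames, and nothing for NOISY even though it received more deauths in total; that distinction (rate against one client, not raw count) is what keeps a flaky AP from looking like an attack.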

Alerts and devices

Every alert is tied to a device. Click any alert's device link to open that device's detail page — you'll see:

  • All alerts ever fired on this device
  • The signals that triggered each alert
  • When it was first seen

This is the way to investigate "why did this device alert?" — start at the alert, jump to the device, read the rationale.


Exporting alerts

The Alerts page has an export button:

  • Current view as CSV — respects all filters
  • All alerts as JSON — full event data
  • Alert summary — Markdown report suitable for sharing

CSV format:

timestamp,severity,rule,device_mac,device_name,detail
2026-05-07T14:23:01.234Z,2,airdrop_discoverable,A1:B2:...,Sarah's iPhone,Status: Everyone

Useful for forensic captures or reports.
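
The export layout above, together with the filter semantics from Filtering alerts (a severity floor, OR across selected rules, substring search over rule, MAC, device name and detail, the three AND-combined), is enough to post-process an export offline and rebuild the by-rule summary card. The script below is an added example, not part of AirLeak or its desktop app. The rows are constructed for the example; the case-insensitive match and the newest-first ordering within a severity level are assumptions about the desktop's behaviour, not something this page documents.

```python
import csv
import io
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High"}
SEARCH_FIELDS = ("rule", "device_mac", "device_name", "detail")

# Constructed sample in the documented export layout. MACs, names and details
# are made up; the quoted detail shows why a real CSV parser is needed.
SAMPLE_CSV = """\
timestamp,severity,rule,device_mac,device_name,detail
2026-05-07T14:23:01.234Z,2,airdrop_discoverable,A1:B2:C3:D4:E5:F6,Sarah's iPhone,Status: Everyone
2026-05-07T14:23:09.002Z,1,pii_ssid_in_probe,A1:B2:C3:D4:E5:F6,Sarah's iPhone,Sarah's Home WiFi
2026-05-07T14:24:10.500Z,0,open_network_near,00:11:22:33:44:55,Venue AP,"SSID: Cafe_Free, channel 6"
2026-05-07T14:25:30.010Z,2,airdrop_discoverable,12:34:56:78:9A:BC,Tom's iPhone,Status: Everyone
2026-05-07T14:31:44.120Z,2,corp_ssid_in_probe,66:77:88:99:AA:BB,Unknown Android,ACME-CORP-WIFI
2026-05-07T15:02:00.000Z,2,deauth_burst,66:77:88:99:AA:BB,Unknown Android,7 frames in 6.1 s
2026-05-07T15:10:05.300Z,0,open_network_near,00:11:22:33:44:56,Venue AP 5G,"SSID: Cafe_Free, channel 36"
2026-05-07T17:40:12.900Z,3,multi_hour_follower,CC:DD:EE:FF:00:11,Unknown AirTag,Seen for 3h12m
2026-05-07T17:40:12.901Z,1,findmy_separated,CC:DD:EE:FF:00:11,Unknown AirTag,Separated mode
"""


def load_alerts(csv_text):
    """Parse an export; severity comes back as an int so it can be compared."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["severity"] = int(row["severity"])
    return rows


def filter_alerts(alerts, min_severity=1, rules=None, search=""):
    """Apply the Alerts page filters: severity floor AND rule set AND search.

    rules: collection of rule names, OR'd together (any match keeps the row).
    search: substring over rule, MAC, device name and detail (assumed
    case-insensitive here).
    Default min_severity=1 mirrors the page default of ">= Low".
    Result is ordered like the page: severity descending, newest first.
    """
    needle = search.lower()
    kept = [
        a for a in alerts
        if a["severity"] >= min_severity
        and (not rules or a["rule"] in rules)
        and (not needle or any(needle in a[f].lower() for f in SEARCH_FIELDS))
    ]
    # ISO-8601 UTC timestamps of equal layout sort correctly as strings.
    kept.sort(key=lambda a: (a["severity"], a["timestamp"]), reverse=True)
    return kept


def rule_summary(alerts):
    """By-rule counts, count descending then name, like the summary card."""
    counts = Counter(a["rule"] for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def format_summary(summary):
    """Render the card layout: rule name left, right-aligned count."""
    if not summary:
        return ""
    width = max(len(rule) for rule, _ in summary)
    return "\n".join(f"{rule:<{width}}  {n:>4}" for rule, n in summary)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_CSV)
    print(format_summary(rule_summary(alerts)))
    print()
    # Workflow step 3: read everything Medium and above, highest first.
    for a in filter_alerts(alerts, min_severity=2):
        print(a["timestamp"], SEVERITY_NAMES[a["severity"]], a["rule"],
              a["device_name"], "|", a["detail"])
```

Two things the sample demonstrates that are easy to get wrong by hand: a detail field containing a comma must be parsed by a real CSV reader, not split on commas, and the search filter is AND-combined with the severity floor, so searching "cafe" with the default ">= Low" returns nothing because both matching rows are Info-level.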


Common alert workflow

  1. Run Monitor mode for the duration of interest (1 hour, 1 day, 1 trip).
  2. At the end, open Alerts.
  3. Filter to ≥ Medium. Read the high-severity ones.
  4. Check multi_hour_follower specifically if it fired.
  5. For each alert that's actionable:
    • If it's about your own device → fix the leak (rename, forget network, change AirDrop setting)
    • If it's about a stranger → record but don't act unless safety-relevant
    • If it's a security issue (open network, WPS, MFP off) on a network you care about → fix it
  6. Disable rules that are noise for your environment (e.g. cafe_ssid_in_probe at a coffee shop).
  7. Save the session with a meaningful name for later reference.

What alerts are NOT

Alerts are heuristics based on observed signals. They are not:

  • Definitive proof of any attack or bad behavior
  • Real-time tracking confirmation — most are pattern matches, not certainty
  • Forensic-grade evidence without further verification

Use alerts as starting points for investigation, not conclusions.


Tune for your environment

In a busy office, expect open_network_near and iphone_in_call to fire constantly. In a quiet home, those are noteworthy. The right alert configuration depends entirely on where you operate. Disable rules that are noise; enable rules that are signal.
