ZeroTrace Companion
Alerts
Rule-based alerts firing in real time — known devices appearing, suspicious patterns, threshold crossings.
Alerts are the AirLeak workspace's "tell me when something happens" mechanism. You define a rule; when an event matching the rule occurs, the alert fires. Alerts surface in the workspace, accumulate in the alerts list, and optionally sound a notification.
What kinds of alerts
Companion's alert engine supports several rule families.
Presence alerts
| Rule | Fires when |
|---|---|
| Known device appears | A device on your known-list shows up |
| Known device disappears | A device that's been continuously visible for X minutes drops off |
| Tagged device appears | Any device with a specified tag appears |
| First-time device | A previously-unseen device appears |
Behaviour alerts
| Rule | Fires when |
|---|---|
| Probe for specific SSID | Any device probes for an SSID matching your pattern |
| Apple device with specific model | A specific Apple model appears (iPhone 14 Pro, AirTag, etc.) |
| AirTag detected | Any AirTag is observed |
| High RSSI | Any device's signal exceeds a threshold (close-proximity detection) |
| Channel anomaly | Traffic appears on a channel that should be quiet |
Threshold alerts
| Rule | Fires when |
|---|---|
| Event rate spike | Per-second event count exceeds a threshold |
| New device rate | First-seen rate exceeds normal baseline |
| Suspicious vendor mix | Multiple devices from a watched vendor appear in a short window |
Defining a rule
The alert-rule editor lets you compose conditions:
- Pick the trigger type (one of the families above).
- Set the threshold or pattern the trigger needs.
- Set the time window the rule evaluates over.
- Set the severity (info / low / medium / high / critical).
- Optionally set per-rule notification preferences.
Rules are saved and applied to all subsequent live captures and replays.
What happens when an alert fires
In real time:
- A toast notification appears in the workspace corner.
- The status bar updates with a flashing alert indicator.
- The alerts list gets a new row.
- For high / critical alerts, an optional OS-level notification fires (configure in Settings).
- The alert is automatically attached to the active session.
The alerts list
The alerts view shows every alert that has fired:
| Column | What it shows |
|---|---|
| Timestamp | When the alert fired |
| Severity | info / low / medium / high / critical |
| Rule | Which rule generated the alert |
| Detail | Rule-specific detail (which device, which SSID, what threshold) |
| Session | The session the alert belongs to (when in a session) |
| Status | New / acknowledged / dismissed |
Filter by severity, rule, time range, or session.
Acknowledging and dismissing
Each alert can be marked:
- Acknowledged — you've seen it and registered the implication.
- Dismissed — false positive or known-noise.
Dismissed alerts stay in the list (audit trail) but do not contribute to the alert count badge.
For long-running monitoring, dismissing the noise alerts (your own devices, expected traffic) is the discipline that keeps the alert list useful. An alert list full of dismissed entries is fine; an alert list full of unacknowledged entries you've stopped reading is a failure mode.
Per-alert pivot
Click any alert for the per-alert detail:
- The device (or devices) that triggered the alert.
- The session the alert belongs to.
- A timeline view of the events leading up to the alert.
- A button to promote the device to known (if it wasn't already).
- A button to suppress this rule for this device (false-positive workflow).
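As an added illustration of the rule model described above (trigger type, threshold, window and severity per rule; alerts accumulating in a list; dismissing without deleting; suppressing one rule for one device), here is a small Python sketch. It is not Companion's code: the class and field names, the MAC addresses and RSSI values are constructed for the example, and the rate rule is assumed to fire only on the upward threshold crossing rather than on every frame inside a spike.

```python
from collections import namedtuple
from dataclasses import dataclass

# trigger: known_appears | high_rssi | event_rate_spike. threshold: RSSI floor (dBm) or events per window_s.
Rule = namedtuple("Rule", "name trigger severity threshold window_s", defaults=(0.0, 1.0))
@dataclass
class Alert:
    ts: float
    rule: str
    severity: str        # info / low / medium / high / critical
    detail: str
    status: str = "new"  # new / acknowledged / dismissed

class AlertEngine:
    def __init__(self, rules, known_devices):
        self.rules, self.known = list(rules), set(known_devices)
        self.alerts, self.seen, self.recent = [], set(), []  # recent: frame timestamps for rate rules
        self.suppressed, self.in_spike = set(), False        # (rule, MAC) suppressions; spike edge state
    def ingest(self, ts, mac, rssi):  # one observed frame: seconds, device MAC, RSSI in dBm
        fired, first_time = [], mac not in self.seen
        self.seen.add(mac)
        self.recent = [t for t in self.recent if ts - t <= 60] + [ts]  # keep a minute of history
        for r in self.rules:
            if (r.name, mac) in self.suppressed:  # per-alert "suppress this rule for this device"
                continue
            if r.trigger == "known_appears" and first_time and mac in self.known:
                fired.append(Alert(ts, r.name, r.severity, f"known device {mac} appeared"))
            elif r.trigger == "high_rssi" and rssi >= r.threshold:
                fired.append(Alert(ts, r.name, r.severity, f"{mac} at {rssi} dBm (close proximity)"))
            elif r.trigger == "event_rate_spike":  # fire on the upward crossing, not on every frame
                n = sum(1 for t in self.recent if ts - t <= r.window_s)
                if n > r.threshold and not self.in_spike:
                    fired.append(Alert(ts, r.name, r.severity, f"{n} events in {r.window_s}s"))
                self.in_spike = n > r.threshold
        self.alerts.extend(fired)
        return fired
    def dismiss(self, alert, suppress_device=None):  # stays in the list (audit trail), leaves the badge
        alert.status = "dismissed"
        if suppress_device:
            self.suppressed.add((alert.rule, suppress_device))
    def badge_count(self):
        return sum(1 for a in self.alerts if a.status != "dismissed")

def demo():  # constructed capture with placeholder MACs: one known phone, one very close unknown device
    rules = [Rule("Known device appears", "known_appears", "medium"), Rule("High RSSI", "high_rssi", "high", -40),
             Rule("Event rate spike", "event_rate_spike", "info", threshold=3, window_s=1.0)]
    eng = AlertEngine(rules, known_devices={"aa:bb:cc:00:00:01"})
    for frame in [(0.0, "aa:bb:cc:00:00:01", -70), (0.2, "de:ad:be:ef:00:02", -35), (0.4, "de:ad:be:ef:00:02", -36),
                  (0.6, "aa:bb:cc:00:00:01", -68), (0.8, "11:22:33:44:55:66", -80), (5.0, "de:ad:be:ef:00:02", -33)]:
        eng.ingest(*frame)
    return eng
```

Running `demo()` yields five alerts (one known-device, three high-RSSI, one rate spike at the fourth frame); dismissing one high-RSSI alert with `suppress_device` set keeps it in the list, drops the badge to four and silences that rule for that MAC only.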
Rule library
Companion ships with a small set of curated default rules:
- AirTag detected (info)
- Known device appears (medium, requires you to populate the known list first)
- Probe for sensitive SSID (high, requires you to define which SSIDs are sensitive)
- Event rate spike (info)
Disable the defaults you don't want; enable additional rules as your investigation matures.
Custom-rule examples
A few patterns from real-world use:
| Use case | Rule |
|---|---|
| Surveillance-detection | Alert when any device with high RSSI appears that has not been seen in this location before |
| Insider-threat investigation | Alert when employee X's known phone appears outside business hours |
| AirTag sweep | Alert on every AirTag observed; combine with proximity for "close AirTag" subset |
| Wireless-perimeter monitoring | Alert when any device probes for the corporate SSID from outside the building's expected range |
Custom rules are saved per-machine and survive across sessions.
Sound and notification
Per-rule, you can configure:
- In-app toast (default for all rules).
- OS-level notification (default for high / critical only).
- Sound (off by default; configurable per rule).
For long unattended captures, consider enabling sound on the high-severity rules so you hear something change without watching the screen.
Alerts and sessions
Alerts captured during a session attach to the session. The session detail view shows the alert list as part of the session record. Useful for "what alerts fired during the engagement" reporting.
Privacy and ethics
Alert rules can be very targeted — "tell me when person X's device appears." Treat alert rules with the same authorisation hygiene as the rest of the workspace. The capability is yours; the responsibility is on you to use it within your operational scope.