VigilWatch doesn't just detect — it analyzes. Here's how the detection engine works, from raw radio signals to court-ready evidence.
Sophisticated adversaries favor $30 consumer trackers and rogue access points because they blend into the wireless background. Understanding their evasion tactics is the first step to defeating them.
Devices like Apple AirTags and Samsung SmartTags rotate their MAC addresses every 15 minutes to defeat persistent tracking. A naive scanner sees a "new" device each time. VigilWatch looks past the ephemeral MAC and identifies unique hardware fingerprints instead — Bluetooth Service UUIDs, Manufacturer IDs, and signal behavior patterns.
Every tracker family has a fixed hardware signature. VigilWatch identifies Apple Find My devices via UUID 0x4C00, Samsung SmartTags via 0xFD5A, and Tile devices via Manufacturer ID 0x00CC. These fingerprints survive MAC rotation and positively identify the tracker type even without a brand name in the packet.
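As an added illustration (not VigilWatch's own code), the sketch below parses the length/type/value structures of a BLE advertisement payload and matches the identifiers quoted above, so sightings under different rotated MACs resolve to the same tracker family. The function names and sample payloads are constructed for this example, and reading the page's "0x4C00" as the on-air byte order of Apple's company identifier 0x004C is an assumption.

```python
from collections import defaultdict

# Identifiers as quoted on this page. Assumption: the page's "0x4C00" is the
# on-air (little-endian) byte order of Apple's company identifier 0x004C.
SIGNATURES = {
    ("mfr", 0x004C): "Apple Find My",
    ("svc", 0xFD5A): "Samsung SmartTag",
    ("mfr", 0x00CC): "Tile",
}

def fingerprint(adv: bytes) -> set:
    """Walk the AD structures (length, type, data) of one advertisement payload and
    return the ("mfr", company_id) and ("svc", uuid16) keys it carries."""
    keys, i = set(), 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            break  # padding or truncated structure: keep only what parsed cleanly
        ad_type, data = adv[i + 1], adv[i + 2:i + 1 + length]
        if ad_type == 0xFF and len(data) >= 2:        # manufacturer-specific data
            keys.add(("mfr", int.from_bytes(data[:2], "little")))
        elif ad_type in (0x02, 0x03):                 # 16-bit service UUID lists
            for j in range(0, len(data) - 1, 2):
                keys.add(("svc", int.from_bytes(data[j:j + 2], "little")))
        elif ad_type == 0x16 and len(data) >= 2:      # service data, 16-bit UUID
            keys.add(("svc", int.from_bytes(data[:2], "little")))
        i += 1 + length
    return keys

def classify(adv: bytes):
    """Return the tracker family for a payload, or None if no signature matches."""
    for key in sorted(fingerprint(adv)):
        if key in SIGNATURES:
            return SIGNATURES[key]
    return None

def group_by_family(sightings):
    """sightings: (mac, payload) pairs. Returns {family: set of MACs it appeared under}."""
    families = defaultdict(set)
    for mac, adv in sightings:
        family = classify(adv)
        if family:
            families[family].add(mac)
    return dict(families)

# Constructed sample payloads (not captured traffic): one tracker under two MACs,
# a SmartTag-style advertisement, and an unrelated device with only a local name.
APPLE = bytes.fromhex("1eff4c001219" + "00" * 25)
SAMPLE = [
    ("5A:11:22:33:44:01", APPLE), ("7C:99:88:77:66:02", APPLE),
    ("4E:AA:BB:CC:DD:03", bytes.fromhex("02010603035afd05165afd0102")),
    ("62:01:02:03:04:05", bytes.fromhex("0201060409545631")),
]
```

A company identifier names the vendor, not the product, so every Apple device matches 0x004C; a practical matcher also inspects the payload bytes that follow before labelling a signal as a tracker.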
Urban environments produce hundreds of simultaneous BLE and WiFi signals. Attackers rely on this noise to hide a tracker in plain sight. VigilWatch's behavioral scoring engine separates ambient background devices (your neighbor's TV, the office printer) from persistent followers using a multi-dimensional analysis that pure signal strength cannot achieve.
Rogue access points mimic legitimate network names ("Starbucks_WiFi", hotel SSIDs) and automatically capture credentials from devices that auto-connect. The attacker doesn't need physical access to the target's device — just proximity and a $50 WiFi Pineapple. VigilWatch detects open, duplicate-SSID, and deauthentication-attack networks in real time.
RSSI (Received Signal Strength Indicator), measured in dBm, is the primary proxy for physical distance. Every VigilWatch alert is anchored to an RSSI reading that tells you how close the threat actually is.
| Signal Tier | RSSI Range | Physical Distance | Tactical Meaning |
|---|---|---|---|
| 🔴 Strong / Breach | ≥ −40 dBm | Within 1–2 meters | Immediate physical breach. The device is on the subject's person, in the same vehicle, or in the same room. Initiate a tactical sweep before changing location. |
| 🟠 Strong | ≥ −55 dBm | Within ~3 meters | Device is in the immediate inner perimeter — likely attached to a vehicle, bag, or jacket. High confidence of intentional placement. |
| 🟡 Good | −55 to −70 dBm | 3–10 meters | Device is within the secondary perimeter — adjacent room, nearby parked vehicle, or a following car. Warrants monitoring and cross-location correlation. |
| ⚪ Weak / Ambient | < −70 dBm | 10+ meters | Likely background noise or distant passing traffic. Included in behavioral scoring but not independently actionable without persistence data. |
* RSSI values are approximate and vary by environment, obstacles, and device hardware. VigilWatch calibrates thresholds based on scan history.
A single detection means nothing. The Follow Score (0–100) is a multi-dimensional metric that transitions detection from reactive alerts to a probabilistic model of active surveillance — designed to eliminate false positives and surface real threats.
Fixed infrastructure (office printers, neighbor WiFi routers, static smart TVs) automatically receives a stationary penalty that de-prioritizes it in the score, even if it appears "persistent." A High Confidence badge is only applied when a device achieves a high score across a 2+ km span or appears in 4+ distinct locations.
Mapping "Route Contamination" transforms disconnected scans into a coherent tactical timeline — proving that a device is moving in tandem with you across disparate environments.
VigilWatch uses Haversine clustering — a spherical distance calculation — to group signal detections into discrete "Locations." A 50m base parameter is used for urban environments, adjustable up to 500m for rural or high-speed transit. This algorithm determines whether an "Unknown" device is appearing at your home, office, and intermediary stops.
On the Route Contamination map, each detection is plotted as a Sighting Dot. The device's path across locations is connected by Polylines — creating a visual trail of the tracker's movement relative to yours. Analysts can filter the view to show all tracked devices, Suspects only, or confirmed Stalker Tags.
The standard threshold for escalating a device from "Unknown" to "Suspect" is appearance in 3 or more separate clustered locations. When this threshold is crossed, VigilWatch triggers an immediate alert. The contamination score assigned to each device reflects its threat level based on location count, distance, and temporal overlap with your movements.
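The clustering and escalation rule described above, as an added example that is not VigilWatch's own code: sightings are grouped into "Locations" by Haversine distance and a device becomes a "Suspect" once it has 3 or more of them. The greedy centroid clustering, the function names and the sample coordinates are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

EARTH_RADIUS_M = 6_371_000  # mean Earth radius

def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def cluster_locations(points, radius_m=50):
    """Greedy clustering (an assumed method): a sighting joins the first cluster whose
    centroid lies within radius_m, otherwise it starts a new "Location"."""
    clusters = []  # each cluster is a list of (lat, lon) members
    for p in points:
        for members in clusters:
            centroid = (sum(m[0] for m in members) / len(members),
                        sum(m[1] for m in members) / len(members))
            if haversine_m(p, centroid) <= radius_m:
                members.append(p)
                break
        else:
            clusters.append([p])
    return clusters

def escalate(sightings, radius_m=50, min_locations=3):
    """sightings: (device_key, lat, lon) tuples, where device_key is a rotation-proof
    fingerprint rather than a MAC. Returns {device_key: "Suspect" | "Unknown"}."""
    per_device = defaultdict(list)
    for key, lat, lon in sightings:
        per_device[key].append((lat, lon))
    return {key: "Suspect" if len(cluster_locations(pts, radius_m)) >= min_locations
            else "Unknown" for key, pts in per_device.items()}

# Constructed sample sightings (not real data).
SAMPLE = [
    ("tag-A", 40.70000, -74.0000), ("tag-A", 40.70005, -74.0000),   # home, ~6 m apart
    ("tag-A", 40.71000, -74.0000), ("tag-A", 40.72000, -74.0100),   # office, cafe
    ("tag-B", 40.70000, -74.0000), ("tag-B", 40.70200, -74.0000),   # stops ~220 m apart
    ("tag-B", 40.70400, -74.0000),
    ("printer", 40.70000, -74.0000), ("printer", 40.70001, -74.00001),
    ("printer", 40.70002, -74.0000),
]

if __name__ == "__main__":
    print(escalate(SAMPLE))                 # 50 m urban buffer
    print(escalate(SAMPLE, radius_m=500))   # 500 m buffer merges tag-B's stops
```

With the 500 m buffer, tag-B's three stops collapse into one location and it drops back to "Unknown", which is the trade-off to weigh when widening the radius for rural or high-speed use.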
VigilWatch employs a 24-hour radial clock and 4-day frequency trend calculated via linear regression to identify escalating surveillance patterns. Signals are categorized into: COMMUTE, OFFICE, NIGHTTIME, and REST/SOCIAL. A device with an "Escalating" trend during your commute window is the highest-weight indicator of a targeted physical tail.
VigilWatch's detection parameters are fully configurable. Tighten them in crowded urban environments; widen them in open spaces. You control the sensitivity.
Minimum distance at which a persistent unknown device triggers an immediate alert.
Geographic radius used by Haversine clustering to group nearby detections into a single "Location." Adjustable from 25m to 500m.
Every detected device is assigned a classification level. This ensures proportional response and keeps your Watchlist actionable — not flooded with noise.
Detection is only the midpoint. The end goal is documentation that withstands legal scrutiny — in a stalking case, a restraining order hearing, or an industrial espionage investigation.
Stalker tags hidden in wheel wells. Rogue WiFi on commercial flights. BLE beacons sewn into gift bouquets. 21 documented incidents — VigilWatch was built to detect every threat in this library.
VigilWatch applies the same analytical methodology used in executive protection and TSCM engagements — distilled into an app that works on any iPhone or Android. Signal fingerprinting, behavioral scoring, geospatial intelligence, and court-ready evidence export. No specialized hardware required.
TSCM sweeps, principal movement monitoring, threat escalation and UWB precision ranging for high-value targets.
Shelter intake BLE scanning, evidence collection for protective orders, safe route monitoring for at-risk clients.
Device documentation, chain-of-custody evidence exports, location pattern analysis for stalking investigations.
Counter-surveillance, client device audits, rogue WiFi detection, and documented intelligence reporting.
Modern trackers like Apple AirTags and Samsung SmartTags rotate their MAC addresses every 15 minutes to defeat persistent tracking. Naive scanners lose the thread. VigilWatch maintains identity continuity by detecting hardware-level fingerprints that survive MAC rotation:
Received Signal Strength Indicator (RSSI) is the primary proxy for physical distance. VigilWatch applies a four-tier framework to transform raw dBm readings into tactical decisions:
| Tier | RSSI | Distance |
|---|---|---|
| ⚠ Breach | ≥ −40 dBm | 1–2 meters — inner perimeter |
| Strong | ≥ −55 dBm | ~3 meters — immediate room |
| Good | −55 to −70 dBm | 3–10 meters — adjacent space |
| Ambient | < −70 dBm | Background — distant traffic |
A Breach-tier unknown device triggers immediate UWB precision sweep protocol.
The Follow Score transitions operations from reactive alerts to a probabilistic model of active surveillance — preventing alert fatigue and prioritizing genuine threats. Each dimension is independently scored and weighted to produce a composite score.
Route Contamination analysis transforms disconnected scan events into a coherent surveillance timeline — proving that a device is moving in tandem with the subject across disparate environments.
The algorithm groups signal detections into discrete "Locations" using Haversine spherical distance calculations. This removes GPS error noise and groups proximate sightings into single location events.
Location Buffer Zones define the radius within which sightings are clustered into a single location event. Four quick-select options cover the primary operational environments:
Custom 25m increment adjustments available for precision environments.
Temporal pattern analysis identifies escalating surveillance trends before physical contact is made. The system applies linear regression across a 4-day frequency window displayed on a 24-hour radial clock.
| Level | Classification | Description | Tactical Response |
|---|---|---|---|
| Own | Authorized Hardware | Subject's personal devices — phones, earbuds, wearables, vehicle systems. Confirmed and whitelisted. | Whitelist immediately. Clears analytics baseline for high-fidelity threat detection. |
| Friend | Known-Good Environmental | Confirmed devices of security detail, family members, or trusted colleagues in the immediate environment. | Label and whitelist. Monitor for unexpected appearances outside normal context. |
| Unknown | Unclassified — Monitor | New or unclassified signals requiring evaluation. Not yet flagged but not cleared. | Begin Follow Score accumulation. Do not dismiss — classify during first operational hour. |
| Concern | Persistent / Suspicious | Devices with elevated Follow Scores, rogue network signatures (e.g., "Free_Public_WiFi"), or inconsistent environmental behavior. | Escalate monitoring. Cross-reference against Route Contamination map. Prepare evidence log. |
| Threat | Confirmed Tracker / High Score | Known tracker fingerprint confirmed, or Follow Score meets High Confidence threshold across multiple dimensions. | Alert Immediately. Per-device strobe and haptic alert. Engage UWB Precision Proximity Ranging (12m sweep limit) to physically locate device before location change. |
The following SOP applies to professional engagements — executive protection details, DV intake scans, law enforcement surveillance documentation, and PI counter-surveillance operations.
Establish "Home" and "Office" geofence zones (50–500m radius) immediately at the start of any engagement. These zones provide geospatial context for all device history and are required for the Follow-Me algorithm to correctly classify location events.
During the first hour of any mission or intake scan, identify and classify all "Own" and "Friend" devices. This clears the Watchlist of known-good devices and ensures every remaining Unknown signal receives full analytical attention.
Activate Interval Mode for all-day passive scanning. The Follow-Me algorithm requires a complete temporal dataset to function at full confidence. For vehicle-based operations, keep the app active throughout transit.
Review the 4-day frequency trend and 24-hour radial clock daily. Flag any device showing an Escalating trend pattern, especially if combined with Commute or Nighttime classification — the leading indicator of a tightening physical surveillance operation.
Any unknown device registering ≥ −40 dBm (Breach threshold) represents an immediate inner-perimeter violation. Engage UWB Precision Proximity Ranging immediately: the 12-meter radar sweep limit and sub-centimeter precision allow physical location of concealed devices before any movement from the current position.
Generate a PDF evidence export immediately upon detecting a High Confidence follow event or confirmed tracker fingerprint. Chain-of-custody integrity requires that evidence is captured contemporaneously — after-the-fact reconstructions are more easily challenged in legal proceedings.
Detection is the midpoint — not the endpoint — of a professional security engagement. Every VigilWatch evidence export is structured for legal admissibility in stalking prosecutions, protective order proceedings, and corporate espionage litigation.
Auto-generated per event for chain-of-custody tracking across multiple incidents and legal proceedings.
Timestamped proximity readings showing the duration, intensity, and consistency of device presence.
Clustered sighting maps with geographic coordinates proving follow behavior across distinct locations.
5-Dimension Follow Score breakdown with confidence levels and pattern classification rationale.
Hardware UUID, Manufacturer ID, MAC history, and signal profile for tracker identification in court.
Mandatory disclosure regarding the intended use of data in judicial proceedings — required for admissibility.
Professional-grade protection against tech-facilitated stalking and surveillance. A full breakdown of VigilWatch's multi-layer detection architecture — threat landscape, detection science, market position, and privacy design.
4-Layer Intelligence System
VigilWatch operates a coordinated four-layer detection stack — from passive scanning to legal-grade evidence export — creating a seamless loop from signal acquisition to judicial documentation.
Simultaneous BLE stalking detection and WiFi surveillance detection across all three operational modes: Manual Scan, Interval Mode (background), and Live Monitor. Identifies tracker manufacturers via hardware-level UUIDs that survive MAC address rotation.
The 5-Dimension Follow Score (0–100) analyzes Persistence, Frequency, Location Span, Signal Consistency, and Hardware Type. Haversine Clustering groups sightings into discrete location events — a device appearing in 3+ distinct locations triggers follower classification.
Universal UWB Simulation provides sub-centimeter precision ranging within a 12-meter sweep radius — enabling physical location of concealed devices. Configurable perimeter zones from 1m to 8m trigger immediate alerts on Breach-tier signals (≥ −40 dBm).
Every detection event generates a structured PDF export with a unique case number, GPS-timestamped sightings, RSSI logs, device fingerprint records, and behavioral scoring summaries — built for admissibility in stalking prosecutions and protective order proceedings.
5-Level Classification Funnel
VigilWatch converts raw signal noise into actionable intelligence through a five-tier classification system — preventing alert fatigue while surfacing genuine threats for immediate response.
Defense Gap: Market Comparison
Existing tools each solve a single piece of the surveillance puzzle. VigilWatch is the only solution that closes all five defense gaps in a single private, offline application.
| Solution | BLE / AirTag | WiFi Rogue AP | Route Mapping | UWB Precision | Evidence Export |
|---|---|---|---|---|---|
| VigilWatch | ✔ Full | ✔ Full | ✔ Full | ✔ Full | ✔ Full |
| Apple / Google OS | ~ Partial | ✗ None | ✗ None | ~ Apple UWB only | ✗ None |
| AirGuard | ✔ BLE only | ✗ None | ✗ None | ✗ None | ✗ None |
| Kaspersky | ~ Limited | ~ Basic | ✗ None | ✗ None | ✗ None |
| Generic Scanners | ~ Scan only | ~ Scan only | ✗ None | ✗ None | ✗ None |
The VigilWatch Defense Loop
Detection is the start of an active cycle — not a one-time event. VigilWatch continuously iterates through four phases to maintain a hardened, adaptive security posture.
Absolute Local Privacy
VigilWatch collects nothing and transmits nothing. Every byte of intelligence stays on your device — by design, not policy.
All scan data, device history, location logs, and evidence files are stored exclusively on-device. No servers. No accounts. No sync.
VigilWatch only listens — it never broadcasts. Your scan activity is invisible to every device in the vicinity, including the one you're tracking.
Home, Work, and Transit geofence zones adapt detection sensitivity to your environment — suppressing false positives without sending location data anywhere.
Research Spotlight
The academic and security research community continues to surface new BLE threats that validate VigilWatch's detection approach.
Researchers at UC San Diego demonstrated that radio-frequency manufacturing defects in Bluetooth chipsets create a unique, stable "hardware fingerprint" — detectable from the physical-layer signal alone. This fingerprint bypasses all software privacy features, including MAC address randomization.
Why this matters for VigilWatch users: A 2024 follow-up from the same team confirmed most consumer devices still lack the firmware patches needed to hide the fingerprint. Any nearby attacker with cheap off-the-shelf hardware can silently map your movements across locations — no planted AirTag required. VigilWatch's passive BLE scanning, Follow-Me detection, and Location Zones catch exactly this pattern: a persistent unknown signal appearing at home, work, and every location in between.
VigilWatch puts this entire analytical framework in your pocket. Free. No account. No cloud.