What Is Your WiFi Telling the World? And What Is It Telling You?
Have you ever thought about what your home WiFi is telling the world? Most people have a passing awareness that their network is… doing things. Devices checking in. Apps phoning home. Smart TVs watching back. But the more interesting question is: what is it telling you?
For most of us, the honest answer is: almost nothing.
The Foundation
In 2025 I earned my CompTIA Network+ and Security+ certifications through a structured program with Innovative Systems Group. The program was instructor-led, with labs and real exam prep. It was genuinely good. I came out of it with something I hadn’t had before: a vocabulary and a conceptual framework for how networks actually work, what security means at a systems level, what the threats look like in the abstract.
But certifications teach you how things work. They don’t show you what your things are doing.
There’s a gap between knowing what a SIEM is and knowing what it looks like to sit in front of one and investigate an actual alert. Between understanding DNS filtering conceptually and watching your own DNS architecture break at 11pm because you made a routing decision that seemed fine until it wasn’t. I wanted to close that gap. So I built something.
What I Built
The ADHawk Home SOC is a functioning home security operations center. At its core is Wazuh, an open source SIEM running on a free Oracle Cloud ARM instance. Two live data pipelines feed it: one polling DNS telemetry from every device on my network, one talking directly to my UniFi gateway via its API. A device identity registry with over 200 entries maps the identifiers my network sees to real devices, real owners, and real network segments. Security alerts push to Slack in real time when something worth seeing happens.
It runs continuously. It costs me nothing in infrastructure. And it has told me things I genuinely did not expect to learn.
The Time I Blamed My Son (And Owed Him an Apology)
A while into running the SOC, I started seeing DNS queries getting blocked under a category I hadn’t seen much of before: bypass methods. Not the usual iCloud Private Relay probes that Apple devices throw constantly. These were deliberate-looking. Domains with names like ipfreely and amandahunkiss. Clear signals of attempts to tunnel traffic around DNS filtering.
My first instinct was my teenage son. He’s on a managed network segment. He knows I keep an eye on the network. It seemed plausible. So I asked him about it.
He was confused. And, understandably, a little hurt.
He had no idea what I was talking about, because it wasn’t him. The queries were coming from my own iPhone. Specifically, from a couple of third-party apps I’d installed to control some toy kits the kids got for Christmas. Those apps were attempting to route around my DNS filtering, probably to reach analytics or telemetry endpoints their developers didn’t want blocked.
Without the SOC, I would never have known any of this. Without actually digging into the device attribution instead of going with my first read, I would have left the real source untouched and my kid holding the blame for something he didn’t do. The system surfaced the signal. The investigation got to the truth. The lesson about jumping to conclusions was free.
That’s what I mean when I say the homelab gave me something the certs couldn’t: not just the language for what a DNS bypass attempt is, but the experience of what it looks like to find one, follow it, and be wrong about it before you’re right.
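The attribution step that story turns on, as an added example rather than code from the ADHawk pipelines: enrich each blocked DNS query with the device identity registry, drop the expected Apple Private Relay probes, and group the remaining "bypass methods" hits by the actual device. The registry entries, MAC addresses, domains and events are all constructed for this illustration.

```python
"""Enrich blocked DNS telemetry with a device identity registry and group
bypass-category hits by the real device, not the segment you first suspect.
Every registry entry, MAC address and event below is constructed for this example."""
from collections import defaultdict

# Hypothetical registry: identifier the network sees -> (device, owner, segment).
REGISTRY = {
    "aa:bb:cc:00:00:01": ("sons-laptop", "son", "managed-kids"),
    "aa:bb:cc:00:00:02": ("dads-iphone", "dad", "trusted"),
    "aa:bb:cc:00:00:03": ("living-room-tv", "household", "iot"),
}

# Private Relay hostnames that Apple devices probe constantly; treated as expected noise.
# (mask.icloud.com / mask-h2.icloud.com are Apple's documented Private Relay endpoints.)
KNOWN_NOISE = {"mask.icloud.com", "mask-h2.icloud.com"}

# Constructed DNS filter export: one record per query with the filter's verdict and category.
DNS_EVENTS = [
    {"client": "aa:bb:cc:00:00:03", "domain": "ads.tv-vendor.example", "action": "blocked", "category": "ads"},
    {"client": "aa:bb:cc:00:00:02", "domain": "mask.icloud.com", "action": "blocked", "category": "bypass methods"},
    {"client": "aa:bb:cc:00:00:02", "domain": "ipfreely.example", "action": "blocked", "category": "bypass methods"},
    {"client": "aa:bb:cc:00:00:02", "domain": "amandahunkiss.example", "action": "blocked", "category": "bypass methods"},
    {"client": "aa:bb:cc:00:00:01", "domain": "school.example", "action": "allowed", "category": "education"},
    {"client": "de:ad:be:ef:00:99", "domain": "ipfreely.example", "action": "blocked", "category": "bypass methods"},
]


def enrich(event, registry=REGISTRY):
    """Attach device, owner and segment; unregistered clients are flagged, never dropped."""
    device, owner, segment = registry.get(
        event["client"], (f"unknown:{event['client']}", "unattributed", "unregistered"))
    return {**event, "device": device, "owner": owner, "segment": segment}


def bypass_attempts(events=DNS_EVENTS, registry=REGISTRY, noise=KNOWN_NOISE):
    """Blocked 'bypass methods' queries per device with expected Apple noise removed.
    Returns {device: sorted domains}; only devices with real hits appear."""
    hits = defaultdict(set)
    for ev in map(lambda e: enrich(e, registry), events):
        if ev["action"] != "blocked" or ev["category"] != "bypass methods" or ev["domain"] in noise:
            continue
        hits[ev["device"]].add(ev["domain"])
    return {dev: sorted(doms) for dev, doms in hits.items()}


if __name__ == "__main__":
    for device, domains in bypass_attempts().items():
        print(f"{device}: {', '.join(domains)}")
```

With this input the managed-kids segment never appears in the result; the hits resolve to the trusted-segment phone and to one unregistered client that itself deserves a look.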
The Firefox Vulnerability I Didn’t Find in Firefox
More recently, I was poking around in Wazuh’s Vulnerability Management module, not because anything had alerted me, but because I was in there looking. That habit is part of what the homelab has built.
What I found: two critical Firefox CVEs on my Mac, CVSS score 9.8. I was running an outdated version. I checked NVD, confirmed the exposure, and patched it.
Firefox didn’t tell me. The browser didn’t prompt an update. No notification, no warning, no red banner. Wazuh had the information sitting in its vulnerability inventory. I found it because I went looking. That distinction matters. Without the SOC, I would never have gone looking at all. But it also surfaced a gap: a 9.8 CVSS shouldn’t require manual hunting. It should have fired an alert. It didn’t, because I hadn’t built that rule yet.
That’s on my list now. But the larger realization has stuck with me: I had been operating under an assumption I’d never explicitly made — that software would tell me when something was wrong with it. It often doesn’t. The gap between “a vulnerability exists” and “you know about it” is real, and it’s yours to close if you decide to.
How I Built It
I built this with significant AI assistance, and I want to be straightforward about that.
I used Claude the way you would use a knowledgeable colleague: someone to think through problems with, pressure-test approaches against, and get unstuck with at 11pm when something isn’t working and you can’t see why. Yes, that includes leaning on it for coding: the Python ingest pipelines, the Wazuh rules, the enrichment logic. The architecture is mine. The decisions are mine. The mistakes are mine too, and there were real ones that took hours to untangle. So is the understanding of why the solutions work.
What AI made possible was moving faster through the complex parts and having a sounding board that didn’t get tired. What it couldn’t do was shortcut the understanding. The hard lessons came from doing the work: how DNS routing actually fails, why you investigate before you accuse, what a security alert is actually asking you to do. The collaboration made the doing faster. It didn’t make it easier to skip.
What I’m Still Figuring Out
The SOC is good at telling me what happened. A device queried a suspicious domain. An IDS signature fired. An unknown device appeared on the network. A critical vulnerability exists on a machine I’m responsible for.
What it’s less good at is telling me what that means and whether what I’m seeing is a real threat, a misconfiguration, a false positive, or just noise I haven’t learned to filter yet. Building that judgment is what the homelab is actually for. Real logs and real alerts force real decisions — act, ignore, or investigate. Worrying, I am learning, is almost never the right call.
I’m not sure yet what the answer looks like. But I know what the question is now, which is further than I was a year ago. Knowing what the SOC sees and knowing what’s actually on your network turn out to be more different than they sound.
ADHawk Solutions — Protecting Access. Empowering People.
If this made you wonder what your own network is telling you — that’s exactly the right question to be sitting with. If you want help thinking through what better visibility could look like for your environment, I’d be glad to talk.