The Baseline
Lvl 1 · EveryoneIf you do nothing else, run this kit.
- Primary
Bitwarden- Browser
Firefox + uBlock Origin- Network
Cloudflare 1.1.1.1- Comms
Signal
▲ Field upgradeTurn on breach alerts with HaveIBeenPwned.
Field Manual · Personal Defense
A no-nonsense guide to staying un-hacked, un-doxxed, un-leaked and un-spied-on. Everything here is defensive — how to protect you. Pick your threats, work down the tiers.
Orientation
Security isn't doing everything — it's doing the right things for your risk. Answer these before anything else.
Who might target you? A random scammer, an ex, an online mob, a stalker, a state? The answer changes everything.
What are you protecting? Accounts, your real identity and address, private photos, money, sources.
What can you live with? Every control costs convenience. Spend effort where the damage would hurt most.
If a specific, motivated person is after you (harassment, doxxing, stalking), treat every Advanced tier as required, not optional.
Unlearn
Beliefs that get people owned. Drop these now.
“SMS text-message 2FA is safe.”
SIM-swap attacks steal your number and every code sent to it. Use an authenticator app or a hardware key instead.
“Incognito / private mode makes me anonymous.”
It only stops your own browser saving history. Your ISP, network and the sites you visit still see you.
“A VPN makes me anonymous.”
It hides your IP from sites and your ISP — that's all. Not anonymity, not a cure-all (see the Toolbox note).
“I'm not important enough to be a target.”
Most attacks are automated and opportunistic. You don't get chosen — you get caught in a net.
“A strong password means I'm safe.”
A strong password reused everywhere falls with one breach. Uniqueness matters more than complexity.
Threat · Accounts
The most common way you lose an account — and how to make yourself a hard target.
How it happens
Credential stuffing (your leaked password tried on other sites), SIM swaps (your number stolen to grab SMS codes), and session theft (stealing a logged-in cookie, so a password doesn't even matter).
Threat · Deception
The number-one real-world path to compromise. No password survives you typing it into a fake page.
How it happens
A message creates urgency or fear (“your account will be locked”), links to a page that looks real, and harvests what you type. Or someone impersonates support, a friend, or your boss and simply asks.
Threat · Identity
Stopping strangers from tying your online self to your real name, face and address.
How it happens
Reused usernames and avatars link your accounts together. Photos leak GPS in their metadata. Old posts, data-broker sites and public records fill in your name and address.
Threat · Breaches
You can't stop companies getting breached — but you can make a breach worthless.
How it happens
Services get breached and their user databases end up in credential dumps. An attacker searches those dumps for your reused email or username, finds every other account tied to it — plus old passwords — and walks in. One leak becomes ten.
Resilience
Losing your data is a security failure too — from ransomware, a wiped account, or a dead device.
Threat · Devices
Keeping your devices and network yours.
How it happens
Stalkerware installed by someone with physical access, malware from a bad download, or snooping on shared and public networks.
Threat · Physical
Security that has nothing to do with the internet.
Threat · Money
Stopping someone from spending your money or opening accounts in your name.
Response
Move fast, in order. Always work from a device you trust.
From a clean device: reset the password → revoke all active sessions → re-enroll 2FA → check the recovery email/phone and any mail forwarding or filter rules the attacker may have added → review recent activity.
Screenshot and document everything first. Request takedowns, lock down your accounts, and warn anyone who could be targeted through you. Escalate to the platforms and, where there's a threat, to the authorities.
Back up your data, then factory-reset or replace the device. Change every important password from a different, clean device — not the infected one. Review which accounts had access.
Get help
You don't have to handle it alone. Where to get content removed and get help.
TL;DR
If you do nothing else, do these.
Pick your class
Don't know where to start? Grab a ready-made kit for your situation — every tool in it lives in the Toolbox below, where you can swap or fine-tune.
If you do nothing else, run this kit.
Bitwarden
Firefox + uBlock Origin
Cloudflare 1.1.1.1
Signal▲ Field upgradeTurn on breach alerts with HaveIBeenPwned.
You're done being the product.
Bitwarden
Brave + uBlock Origin
Mullvad VPN
Signal + Proton Mail▲ Field upgradePer-service email aliases with SimpleLogin.
Someone specific is after you.
KeePassXC
Mullvad Browser / Tor
Mullvad VPN
Signal▲ Field upgradeData-broker removal + compartmentalized identities.
Your name is your target.
Bitwarden
Firefox + uBlock Origin
NextDNS
Proton Mail▲ Field upgradeFreeze your credit + hardware keys on every account.
Arsenal
Reputable, mostly free / open-source tools. Each note says what it defends against.
Passwords & 2FA
YubiKey (FIDO2)Hardware key that makes phishing of your logins basically impossible.
Hacking · PhishingVisitA VPN hides your IP from the sites you visit and from your ISP — nothing more. It is not anonymity and not a cure-all. Avoid free VPNs — many log and sell your traffic. Pick a no-logs, independently audited provider, and only when you actually need one.
Network & DNS
Cloudflare 1.1.1.1Fast, private DNS. The “for Families” variant also blocks malware and adult sites.
SurveillanceVisitBrowser & tracking
Mullvad BrowserHardened, anti-fingerprinting browser for high-privacy use.
Surveillance · DoxxingVisitEncrypted comms
Privacy & anti-dox
Backups
Device & files