Written by an AWS-certified cloud practitioner

Field Manual · Personal Defense

Become a hard target.

A no-nonsense guide to staying un-hacked, un-doxxed, un-leaked and un-spied-on. Everything here is defensive: how to protect yourself. Pick your threats, work down the tiers.

Orientation

Know your threat model

Security isn't doing everything — it's doing the right things for your risk. Answer these before anything else.

Three questions

Who might target you? A random scammer, an ex, an online mob, a stalker, a state? The answer changes everything.
What are you protecting? Accounts, your real identity and address, private photos, money, sources.
What can you live with? Every control costs convenience. Spend effort where the damage would hurt most.

If a specific, motivated person is after you (harassment, doxxing, stalking), treat every Advanced tier as required, not optional.

Unlearn

Dangerous myths

Beliefs that get people owned. Drop these now.

“SMS text-message 2FA is safe.”

SIM-swap attacks steal your number and every code sent to it. Use an authenticator app or a hardware key instead.

“Incognito / private mode makes me anonymous.”

It only stops your own browser saving history. Your ISP, network and the sites you visit still see you.

“A VPN makes me anonymous.”

It hides your IP from sites and your ISP — that's all. Not anonymity, not a cure-all (see the Toolbox note).

“I'm not important enough to be a target.”

Most attacks are automated and opportunistic. You don't get chosen — you get caught in a net.

“A strong password means I'm safe.”

A strong password reused everywhere falls with one breach. Uniqueness matters more than complexity.

Threat · Accounts

Account hacking

The most common way you lose an account — and how to make yourself a hard target.

How it happens

Credential stuffing (your leaked password tried on other sites), SIM swaps (your number stolen to grab SMS codes), and session theft (stealing a logged-in cookie, so a password doesn't even matter).

Essential · Do these first
  • Use a password manager and a unique password for every account — reuse is what turns one breach into ten.
  • Turn on app-based 2FA (TOTP) everywhere it's offered. Not SMS. Even if your password leaks, it's useless without your second factor.
  • Save your 2FA backup / recovery codes somewhere offline.
Advanced · For real targets
  • Use a hardware security key (FIDO2) for your most important accounts — it's phishing-proof.
  • Remove SMS 2FA once app/key 2FA works, to kill SIM-swap risk. Add a carrier port-out PIN.
  • Lock down the recovery email and phone — attackers reset the weakest one. Use a dedicated, secret recovery email.
  • Review active sessions and connected apps regularly; revoke anything you don't recognize.

Threat · Deception

Phishing & social engineering

The number-one real-world path to compromise. No password survives you typing it into a fake page.

How it happens

A message creates urgency or fear (“your account will be locked”), links to a page that looks real, and harvests what you type. Or someone impersonates support, a friend, or your boss and simply asks.

Essential · Habits that stop most attacks
  • Never log in from a link in an email or DM. Navigate to the site yourself.
  • Check the real domain, not the display text. Watch for look-alikes (rn vs m, extra words, wrong ending).
  • Treat urgency and secrecy as red flags — they exist to stop you thinking.
  • Unexpected attachment? Don't open it. When unsure, verify another way first.
Advanced · Harden further
  • Callback verification: confirm any request for money, credentials, or an MFA approval through a separate, known channel — never the one that contacted you.
  • MFA fatigue: never approve a push you didn't just trigger. Repeated prompts mean someone has your password — change it.
  • Prefer FIDO2 keys: they cryptographically refuse to work on fake domains.
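
The domain check from the habits above can be automated. This is an added example, not part of the original guide: it compares each link's visible text with the host the link really points to and flags look-alikes of a trusted domain. The `TRUSTED` set, the sample message and the two-label domain shortcut are assumptions made for the illustration.

```python
# Added example, not from the guide; all sample data is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"example-bank.com"}  # hypothetical: domains you really use
SAMPLE = """<a href="https://exarnple-bank.com/login">https://example-bank.com/login</a>
<a href="https://example-bank.com.secure-verify.net/">Verify now</a>
<a href="https://example-bank.com/help">Help</a>"""  # constructed message body

class Links(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.found, self.cur_href, self.cur_text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href, self.cur_text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.found.append((self.cur_href, "".join(self.cur_text).strip()))
            self.cur_href = None

def registrable(host):  # assumption: last two labels, no Public Suffix List
    return ".".join(host.lower().split(".")[-2:])

def skeleton(name):  # collapse look-alikes so "rn" and "m" compare equal
    return name.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")

def check_link(href, text):
    host = urlsplit(href).hostname or ""
    dom, flags = registrable(host), []
    shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and registrable(shown.group(0)) != dom:
        flags.append("display text shows a different domain")
    if dom in TRUSTED:
        return flags
    for good in sorted(TRUSTED):
        if skeleton(dom) == skeleton(good):
            flags.append("look-alike of " + good)
        elif good.split(".")[0] in host:
            flags.append(good.split(".")[0] + " used on another domain")
    return flags

def audit(html):
    parser = Links()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.found]
```

An empty list means none of these checks fired; it does not prove the link is safe.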

Threat · Identity

Doxxing

Stopping strangers from tying your online self to your real name, face and address.

How it happens

Reused usernames and avatars link your accounts together. Photos leak GPS in their metadata. Old posts, data-broker sites and public records fill in your name and address.

Essential · Shrink your footprint
  • Audit yourself: search your name, usernames, email and phone. See what a stranger sees.
  • Lock down privacy settings on every account; hide friend/follower lists.
  • Strip photo metadata (EXIF/GPS) before posting images.
Advanced · Compartmentalize
  • Opt out of data brokers (or use a removal service) — this is where addresses come from.
  • Keep separate identities: never reuse usernames, avatars or bio text across personas — a reused handle lets anyone link all your accounts together with one search or leak database.
  • Use a PO box / virtual address for anything that needs a mailing address.
  • Mind the metadata you forget: posting times reveal your timezone; backgrounds reveal location.
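
What stripping photo metadata means at the file level, as an added example that is not part of the original guide: in a JPEG, EXIF data (including GPS coordinates) sits in APP1 segments ahead of the pixel data, so it can be removed without re-encoding the image. The sample bytes are a constructed stub, and the code handles JPEG only; formats such as HEIC or PNG store metadata differently.

```python
# Added example, not from the guide; SAMPLE is a constructed JPEG stub.
import struct

DROP = {0xE1: "APP1 (EXIF/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}

def segments(jpeg):
    """Yield (marker, raw_bytes) for each segment up to the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: compressed pixels run to the end of file
            yield marker, jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("corrupt segment length")
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated file: no image data found")

def found_metadata(jpeg):
    """List the metadata segments a stranger could read from this file."""
    return [DROP[m] for m, _ in segments(jpeg) if m in DROP]

def strip_metadata(jpeg):
    """Return the JPEG with metadata segments removed, pixels untouched."""
    kept = b"".join(raw for m, raw in segments(jpeg) if m not in DROP)
    return b"\xff\xd8" + kept

def build_segment(marker, payload):  # helper used only to build SAMPLE
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

SAMPLE = (b"\xff\xd8"
          + build_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + build_segment(0xE1, b"Exif\x00\x00constructed GPS block")
          + build_segment(0xFE, b"shot on my phone")
          + build_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Run `found_metadata` on the output before posting; an empty list confirms the listed segment types are gone.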

Threat · Breaches

Data leaks

You can't stop companies getting breached — but you can make a breach worthless.

How it happens

Services get breached and their user databases end up in credential dumps. An attacker searches those dumps for your reused email or username, finds every other account tied to it — plus old passwords — and walks in. One leak becomes ten.

Essential · Contain the blast radius
  • Check HaveIBeenPwned for your emails; turn on its notifications.
  • Unique credentials everywhere so one leak can't unlock the next account.
  • Hand over as little real data as a form will accept.
Advanced · Minimize what leaks
  • Use per-service email aliases — you'll know who leaked you, and can disable one address.
  • Use masked / virtual cards for online payments.
  • Give fake-but-consistent answers to “security questions” and store them in your password manager.

Resilience

Backups & ransomware

Losing your data is a security failure too — from ransomware, a wiped account, or a dead device.

Essential · The 3-2-1 rule
  • 3 copies of anything you can't lose, on 2 kinds of media, with 1 kept offline or off-site.
  • At least one backup must be offline or immutable so malware can't reach and encrypt it.
  • Encrypt your backups — a stolen backup drive is a data breach.
Advanced · Make it real
  • Test your restores. An untested backup is a hope, not a backup.
  • Ransomware: don't pay first. Isolate the device, wipe it, restore from a clean backup, then rotate credentials.

Threat · Devices

Spying & surveillance

Keeping your devices and network yours.

How it happens

Stalkerware installed by someone with physical access, malware from a bad download, or snooping on shared and public networks.

Essential · Baseline hygiene
  • Update your OS and apps — most compromises use known, already-patched holes.
  • Set a strong screen lock and don't leave devices unlocked around others.
  • Audit app permissions; revoke camera/mic/location from apps that don't need them.
  • Watch for stalkerware signs: battery/heat spikes, unknown admin apps, someone knowing too much.
Advanced · Lock it down
  • Turn on full-disk encryption (BitLocker / FileVault / Android / iOS default).
  • Move sensitive chats to Signal; use encrypted email for the rest.
  • Use private DNS and a trustworthy VPN on untrusted networks (see the Toolbox caveat).
  • Suspect compromise? Back up, factory-reset, and change passwords from a different clean device.

Threat · Physical

Physical & travel

Security that has nothing to do with the internet.

Essential · Everyday
  • Beware shoulder-surfing; a privacy screen filter helps in public.
  • Juice-jacking: don't plug into random USB ports — use your own charger or a USB data-blocker.
  • Turn on remote-wipe / Find My so a lost device isn't a data leak.
Advanced · Higher risk / travel
  • In sensitive moments, prefer a strong PIN over biometrics — a face or finger can be compelled more easily than a memorized code.
  • Travel with minimal data on the device; keep the rest in encrypted backups you restore later.
  • Treat public Wi-Fi as hostile; use your own hotspot or a VPN.

Threat · Money

Financial & identity theft

Stopping someone from spending your money or opening accounts in your name.

Essential · Set-and-forget wins
  • Freeze your credit at the bureaus — it blocks new-account fraud and is free to lift when you need it.
  • Turn on transaction and login alerts for banks and key accounts.
  • Use masked / virtual cards so one leaked number doesn't expose your real account.
Advanced · Stay ahead
  • Watch for identity-theft signs: unexpected mail, credit inquiries, denied applications.
  • Know your dispute and fraud-report process before you need it (see Reporting).

Response

If you're already compromised

Move fast, in order. Always work from a device you trust.

Account hacked

From a clean device: reset the password → revoke all active sessions → re-enroll 2FA → check the recovery email/phone and any mail forwarding or filter rules the attacker may have added → review recent activity.

Being doxxed

Screenshot and document everything first. Request takedowns, lock down your accounts, and warn anyone who could be targeted through you. Escalate to the platforms and, where there's a threat, to the authorities.

Stalkerware / infected device

Back up your data, then factory-reset or replace the device. Change every important password from a different, clean device — not the infected one. Review which accounts had access.

Get help

Reporting & takedowns

You don't have to handle it alone. Where to get content removed and get help.

TL;DR

Quick-reference checklist

If you do nothing else, do these.

Pick your class

Defense loadouts

Don't know where to start? Grab a ready-made kit for your situation — every tool in it lives in the Toolbox below, where you can swap or fine-tune.

Arsenal

Toolbox

Reputable, mostly free / open-source tools. Each note says what it defends against.

Passwords & 2FA

Bitwarden

Open-source cloud password manager; syncs across devices.

Hacking · Leaks

KeePassXC

Fully local password manager — your vault never leaves your machine.

Hacking · Leaks

YubiKey (FIDO2)

Hardware key that makes phishing of your logins basically impossible.

Hacking · Phishing

Aegis / Ente Auth

Open-source TOTP authenticator apps — use instead of SMS codes.

Hacking

Before you trust a VPN

A VPN hides your IP from the sites you visit and from your ISP — nothing more. It is not anonymity and not a cure-all. Avoid free VPNs — many log and sell your traffic. Pick a no-logs, independently audited provider, and only when you actually need one.

Network & DNS

Cloudflare 1.1.1.1

Fast, private DNS. The “for Families” variant also blocks malware and adult sites.

Surveillance

Quad9 (9.9.9.9)

Privacy DNS that blocks known malicious domains.

Surveillance

Mullvad VPN

No-logs, independently audited; anonymous account numbers.

Surveillance

Proton VPN

No-logs, audited, with a usable free tier.

Surveillance

NextDNS

Configurable filtering DNS with per-device rules and logs you control.

Surveillance

Browser & tracking

Firefox

Privacy-respecting browser; hardens well with a few settings.

Surveillance

Brave

Chromium browser with tracker and ad blocking on by default.

Surveillance

Mullvad Browser

Hardened, anti-fingerprinting browser for high-privacy use.

Surveillance · Doxxing

uBlock Origin

Efficient ad / tracker / malware-domain blocker extension.

Surveillance

Tor Browser

Strong anonymity for genuinely high-risk browsing.

Surveillance · Doxxing

Encrypted comms

Signal

Gold-standard end-to-end encrypted messaging and calls.

Surveillance

Proton Mail

Encrypted email with a free tier.

Surveillance · Leaks

Tuta

Encrypted email with an open-source client.

Surveillance · Leaks

Privacy & anti-dox

HaveIBeenPwned

Check if your email or passwords appear in known breaches; set alerts.

Leaks

SimpleLogin

Per-service email aliases; disable one when it leaks.

Leaks · Doxxing

addy.io

Open-source email aliasing.

Leaks · Doxxing

ExifTool

Strip GPS/EXIF metadata from photos before sharing.

Doxxing

Backups

Restic

Encrypted, deduplicated, scriptable backups.

Ransomware

Duplicati

Cross-platform encrypted backup with a GUI.

Ransomware

Backblaze

Cheap off-site cloud backup — your off-site copy of 3-2-1.

Ransomware

Device & files

VeraCrypt

Create encrypted volumes for sensitive files.

Surveillance · Physical

BitLocker / FileVault

Built-in full-disk encryption for Windows / macOS — turn it on.

Physical

Malwarebytes

Scans for malware and stalkerware.

Surveillance

EFF Surveillance Self-Defense

Authoritative, free deep-dive guides to go further.

All

Reporting & help

StopNCII.org

Take down non-consensual intimate images across platforms.

Doxxing

Credit freeze

Freeze your file at the major bureaus to block new-account fraud.

Financial

EFF / victim resources

Guides plus pointers to regional stalking and cybercrime help.

All