Cybersecurity

Everyone's Hardening Companies Against AI. Nobody's Securing Your Home.

The industry is racing to defend organizations from AI that finds zero-days at scale. Almost nobody is talking about your privacy, your family, and your data. Here's the privacy-first, defense-in-depth setup I actually run.

Krishna C

May 19, 2026

12 min read

TL;DR

Every security conversation in 2026 is about AI finding zero-days and hitting companies fast, and nobody's really talking about what that means for your house, your photos, or your family. The same automation that scales attacks up to enterprises scales them down to you, and I run my home privacy-first and defend it in layers. Here's exactly how.

When Anthropic showed Claude Mythos finding thousands of zero-days across every major OS, including a 17-year-old bug in FreeBSD, every boardroom and conference panel I sat through asked how you get ready for AI that finds and chains exploits faster than any human team can. Then Google reported stopping an AI-driven "mass vulnerability exploitation" attempt, and the panic got louder.

Every one of those conversations was about hardening companies, but almost nobody asked what this means for you at home: your network, your kids' photos, your tax documents, your password vault. The cost of weaponizing a vulnerability is dropping toward zero, and once attacks get cheap enough to run at scale, "I'm not an interesting target" stops applying because nobody picks targets anymore, and automation doesn't get bored.

That's why I treat my home the way a company treats its perimeter: not a wall, because walls fail, but layers where each one assumes the layer before it already got breached. That's defense in depth, and below is how I actually run it.

Privacy is the default, not a feature

Before any tool, the mindset matters more. Most people treat privacy as a setting they toggle on after something goes wrong, but I treat it as the default and make exposure the exception. The practical version of that is compartmentalization: no single company, and no single breach, should ever get a complete picture of me. That's why I stopped handing out my real email and phone number anywhere I could avoid it, and why every company gets its own.

  • Email aliases. I run a catch-all on a cheap domain I own, and for anything else I use a service like addy.io (formerly AnonAddy) or SimpleLogin. Every company gets a unique address that forwards to my real inbox, so when one of them leaks or starts spamming I can see exactly who did it and kill that single alias without touching anything else.
  • Proxy phone numbers. Apps like MySudo hand out throwaway numbers, so the pizza app and the loyalty card never get the number my bank texts.
  • Virtual cards. Services like privacy.com let me generate a card per merchant, locked to that merchant with a spending cap, so a skimmed or leaked number is dead on arrival and I can kill it without reissuing my real card.

Each of those is a small wall around a single account, and the payoff is the same in every case: one leak stays one leak, and nothing pivots from there.
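As an added example (not from the post, and not addy.io's or SimpleLogin's code), here is the catch-all scheme from the first bullet with one refinement a practitioner wants: a short keyed tag inside every alias, so that spam sprayed at guessed addresses on the catch-all domain is rejected at the edge, a leaked alias can be traced back to the company it was issued to, and a single alias can be revoked without touching the rest. The domain, the key and the company names are constructed for the example.

```python
import hashlib
import hmac
import re
from email.utils import getaddresses

# Constructed for the example: in practice the key lives in the password manager
# and the domain is the cheap catch-all domain you own.
ALIAS_KEY = b"example-only-key-do-not-reuse"
ALIAS_DOMAIN = "example.net"
TAG_LEN = 6  # hex chars; 24 bits is plenty against blind guessing of a catch-all


def _tag(label: str) -> str:
    """Keyed tag for a label: without ALIAS_KEY nobody can mint a valid alias."""
    mac = hmac.new(ALIAS_KEY, label.encode(), hashlib.sha256).hexdigest()
    return mac[:TAG_LEN]


def make_alias(company: str) -> str:
    """One address per company, e.g. 'pizza-hut-3f9a1c@example.net'."""
    label = re.sub(r"[^a-z0-9]+", "-", company.lower()).strip("-")
    return f"{label}-{_tag(label)}@{ALIAS_DOMAIN}"


def parse_alias(address: str):
    """Return (label, genuine) for an address on the catch-all domain, else None.

    'genuine' is False for anything that was not minted with ALIAS_KEY, which is
    how random spam to the catch-all gets dropped before it reaches the inbox.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != ALIAS_DOMAIN:
        return None
    label, sep, tag = local.rpartition("-")
    if not sep:
        return local, False  # no tag at all: a guessed address
    return label, hmac.compare_digest(tag, _tag(label))


def triage(to_header: str, revoked: set) -> list:
    """Classify every recipient in the To: header of an inbound message."""
    results = []
    for _, addr in getaddresses([to_header]):
        parsed = parse_alias(addr)
        if parsed is None:
            continue  # not our domain, nothing to attribute
        label, genuine = parsed
        if not genuine:
            verdict = "drop: forged or guessed alias"
        elif label in revoked:
            verdict = "drop: alias revoked after it leaked"
        else:
            verdict = f"deliver: arrived via {label}"
        results.append({"address": addr, "label": label, "verdict": verdict})
    return results
```

The tag is what turns a catch-all from a spam magnet into a controlled surface: a sender who scrapes or guesses `anything@example.net` never gets through, while an address that does arrive carries the name of the company that leaked it. Hosted alias services do the same bookkeeping for you; the point of the block is what that bookkeeping has to include.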

Passwords, passkeys, and the master key

Use a real password manager. I use Bitwarden, Proton Pass is an equally good choice, and pretty much everything else here gets easier once you have one. Passkeys are my first preference wherever they're supported, because each one is bound to the site that issued it, so it can't be phished or reused, and they beat passwords outright. For everything that doesn't support them yet, I let the manager generate long random passwords I couldn't recite if my life depended on it, with a different one on every site. MFA goes on by default, and I avoid SMS wherever I can in favour of an authenticator app or a hardware key, because SMS codes fall to SIM swapping (we'll come back to that).

One account matters more than all the others, and that's your email. It's the master key for your whole digital life, because every "reset my password" link in the world eventually lands there, and if it falls, everything falls with it. Mine lives on Proton, with Tuta as a comparable privacy-respecting alternative, and it gets the strongest protection I have: a hardware key for sign-in, no SMS recovery, and a recovery path I actually control.

Back it up like you'll lose it tomorrow

You will eventually lose a device, or ransomware will find one of them, and the only thing that decides whether that's a bad day or a catastrophe is your backups. I follow 3-2-1-1: three copies of anything that matters, on two different kinds of media, with one copy offsite and one copy that's either offline or immutable so ransomware can't reach it. That last copy isn't paranoia: ransomware crews routinely hunt for reachable backups before they encrypt anything, and the copy the malware can't write to is the one that survives. Test a restore now and then, too, because a backup you've never restored from is only a hope.

For the data I care most about I skip the big clouds entirely. Photos live in Immich (self-hosted) or Ente (end-to-end encrypted, and self-hostable too) instead of Google Photos, so the memories of my kids aren't sitting in some company's training set or waiting to show up in a breach. Notes go in Standard Notes or Obsidian. Whenever possible, my devices sync directly to each other over a peer-to-peer protocol instead of through a company's server, because if there's no third party in the middle, there's no third party to breach or subpoena.

I'll write up the self-hosting details properly in a separate post, but the short version is simple: own the storage, encrypt it, and back it up like the original is already gone.

The network is the foundation

The biggest single upgrade I made was owning my own gear instead of trusting whatever the ISP shipped me. I run my own modem, firewall, and wireless access points, with pfSense as the brain of the network, so nothing in the chain is configured for the ISP's convenience instead of my security.

What that buys me is real rules. I split the network into VLANs for trusted machines, phones and laptops, IoT devices, and guests, and the IoT VLAN is the one that earns its keep. Those devices can talk to the internet only when they need to, and they can't see my laptops or my NAS at all, so when a smart bulb eventually gets popped the attacker lands in an empty room. If running pfSense feels like too much, the budget version is the guest Wi-Fi network most routers already have: put every smart device on guest, your real devices on the main one, and you've still drawn the line between a contained problem and a house-wide one. Do check that the guest network's client isolation is actually on, because on some routers it's a separate toggle, and a guest network that can still see the LAN draws no line at all.

A few more things at this layer:

  • WPA3 on Wi-Fi, and drop WPA2 (including the WPA2/WPA3 transition mode) anywhere your devices will tolerate it.
  • Quad9 for DNS, so malicious domains die at the resolver for every device on the network, even the ones that can't run any security software of their own. Pair it with a firewall rule that blocks outbound DNS from everything except your resolver, because plenty of IoT gear ships with a public resolver hard-coded and will walk straight past yours otherwise.
  • Network-wide blocklisting with pfBlockerNG on pfSense, or Pi-hole if you're not running pfSense, which kills ads, trackers, and known-bad domains for the entire house including everything that phones home without asking.
  • A network-level VPN if you can swing it, so your ISP and the networks in between aren't quietly logging every place your devices connect. You're moving that visibility to the VPN provider, so pick one you've actually vetted.
  • Recent, patched gear, with UPnP, WPS, and remote admin turned off on everything, because UPnP in particular will happily open ports for any device that asks and defeats the whole point.
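The VLAN split above and the "only my resolver gets to answer DNS" rule are both first-match firewall policy, and the mistakes people make with them are ordering mistakes. Here is an added example, not the post's pfSense configuration and not pfSense code, that models that policy as a small first-match evaluator with default deny and runs constructed flows through it: a camera on the IoT VLAN trying to reach the NAS, a device with a hard-coded public resolver, a guest laptop poking at the LAN. The VLAN addressing, resolver address and destination hosts are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed VLAN layout for the example; the addressing is hypothetical.
VLANS = {
    "trusted": ip_network("10.0.10.0/24"),
    "iot": ip_network("10.0.20.0/24"),
    "guest": ip_network("10.0.30.0/24"),
}
RESOLVER = ip_address("10.0.10.1")  # the firewall's own DNS forwarder
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_vlan: str            # a VLAN name or "any"
    dst: str                 # a VLAN name, "private", "resolver" or "any"
    proto: str = "any"
    dport: Optional[int] = None
    note: str = ""


def vlan_of(ip) -> Optional[str]:
    return next((name for name, net in VLANS.items() if ip in net), None)


def _dst_matches(rule_dst: str, ip) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst == "resolver":
        return ip == RESOLVER
    if rule_dst == "private":
        return any(ip in net for net in RFC1918)
    return ip in VLANS[rule_dst]


def evaluate(flow: Flow, rules) -> tuple:
    """First match wins, and no match means deny: the pfSense model."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    src_vlan = vlan_of(src)
    for rule in rules:
        if rule.src_vlan not in ("any", src_vlan):
            continue
        if rule.proto not in ("any", flow.proto):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        if not _dst_matches(rule.dst, dst):
            continue
        return rule.action, rule.note
    return "deny", "default deny"


# Order matters: the "deny private" rules sit above the IoT internet allow,
# otherwise a camera could reach the NAS on 443 through the cloud rule.
POLICY = [
    Rule("allow", "any", "resolver", "udp", 53, "dns via local resolver"),
    Rule("allow", "any", "resolver", "tcp", 53, "dns via local resolver"),
    Rule("deny", "any", "any", "udp", 53, "dns bypass (hard-coded resolver)"),
    Rule("deny", "any", "any", "tcp", 53, "dns bypass (hard-coded resolver)"),
    Rule("deny", "iot", "private", note="iot never reaches the lan"),
    Rule("deny", "guest", "private", note="guest never reaches the lan"),
    Rule("allow", "iot", "any", "tcp", 443, "iot cloud traffic, tls only"),
    Rule("allow", "guest", "any", note="guest internet"),
    Rule("allow", "trusted", "any", note="trusted vlan unrestricted"),
]


def audit(flows, rules=POLICY) -> list:
    """Run sample flows through the policy and return (flow, action, note) per flow."""
    return [(f, *evaluate(f, rules)) for f in flows]
```

Two things the model makes visible that a rule table on a screen does not. Swapping the IoT allow-443 rule above the deny-private rule silently lets the camera reach the NAS on 443, which is the classic mistake when a "let the doorbell talk to its cloud" rule gets added in a hurry. And the port-53 rules only catch plain DNS: add 853 for DNS-over-TLS, and for DNS-over-HTTPS, which rides ordinary 443, you need a blocklist of known DoH endpoints rather than a port rule.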

The IoT attack surface

Want to know which devices show up most in large DDoS attacks? Not servers. It's smart TVs, routers, DVRs, and the ten-dollar cameras and connected appliances sitting quietly around the house, all phoning home to servers you can't see, in firmware you can't read, on update schedules that don't exist. Most of that traffic is telemetry and ads, but Mirai and every botnet that copied it proved the same boxes can be conscripted into a swarm on command, and you'd never notice anything past slightly worse Wi-Fi. None of this is bad luck either: the companies that built this hardware never designed for security, and they shipped it fast and cheap with default passwords and firmware nobody will ever patch. They weren't malicious, they just weren't competent enough to make it secure, and there was no incentive to be.

It's genuinely cool that a microwave or a dryer can talk to the internet, but for most of these things the internet feature is the single worst thing about the product, so I turn it off and use the appliance as an appliance. Cameras are the line I won't cross at all: the ones watching my kids and the puppy live on the IoT VLAN with no internet path whatsoever, and if a camera can't be trusted to run offline, it doesn't get to stay on. The general rule is to assume every device on that VLAN is already compromised, give it the minimum access it needs to function, and never let it touch anything that matters. The doorbell doesn't get to meet the laptop.

Dev machines are a supply-chain target

My laptop isn't just my laptop anymore. It clones private repos, holds cloud credentials, can publish packages, and runs AI agents that execute code on my behalf, and that's exactly why attackers care: malicious packages in open-source registries jumped sharply through 2025, and the delivery point is increasingly the developer's own machine. The single biggest thing I added in the last year is Socket Firewall in front of my package managers, so every uv, pip, npm, and pnpm install gets inspected before the code lands instead of after a postinstall script has already run on my host. Around that, the basics still carry most of the weight:

  • Short-lived credentials over static keys, with no long-lived cloud tokens sitting in plaintext dotfiles, and a hardware key like a YubiKey or a passkey on every account that matters (GitHub, cloud, package registries).
  • Full-disk encryption, auto-lock, and a non-admin daily account, so a stolen laptop or a single misclick doesn't immediately become a takeover.
  • Vet before you install, which means pinning exact versions, committing lockfiles and checking hashes so the lockfile actually constrains what gets installed, and treating curl | bash one-liners with the suspicion they deserve.
  • Sandbox the risky stuff, so untrusted code and anything an AI agent runs with shell access goes in a container or VM, never on the host.
  • Patch on a schedule, every machine and every phone in the house, because old firmware on a phone is exactly the same problem as old firmware on a router, just closer to your data.
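The "vet before you install" bullet is the one that is easy to say and rarely checked, so here is an added example of the check itself, written for this post and not Socket Firewall's or pip's code: it reads requirements.txt lines and flags the four things a pre-install gate should refuse to wave through, namely unpinned versions, missing hashes, direct URL or VCS installs that no registry scanner ever sees, and names one keystroke away from a dependency you already trust (the typosquat pattern). The allowlist of known package names and the sample lines are constructed for the example.

```python
import re

# Constructed sample of the packages a project actually depends on. In practice
# this is the set of names already present in your committed lockfile.
KNOWN = {"requests", "numpy", "urllib3", "cryptography", "pyyaml", "pydantic"}


def normalise(name: str) -> str:
    """PEP 503 normalisation so PyYAML, pyyaml and PyYaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, the usual typosquat similarity measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?")


def vet_requirement(line: str) -> list:
    """Findings for one requirements.txt line; an empty list means it passes."""
    line = line.split("#", 1)[0].strip().rstrip("\\").strip()
    findings = []
    if not line:
        return findings
    if line.startswith(("--extra-index-url", "--index-url")):
        return ["custom index: opens the door to dependency confusion"]
    if line.startswith("-"):
        return findings  # other pip options, out of scope here
    if line.startswith(("git+", "http://", "https://", "file:")):
        return ["direct VCS/URL install: bypasses registry scanning, pin to a commit and review it"]
    spec, _, hashes = line.partition("--hash")
    m = _SPEC.match(spec.strip())
    if not m:
        return ["unparseable requirement"]
    name, op = normalise(m.group(1)), m.group(2)
    if op != "==":
        findings.append("unpinned: any future release can land here")
    if not hashes:
        findings.append("no --hash: a substituted artifact would install silently")
    if name not in KNOWN:
        near = [k for k in KNOWN if edit_distance(name, k) <= 1]
        if near:
            findings.append(f"possible typosquat of {near[0]}")
        else:
            findings.append("new dependency: review it before the first install")
    return findings


def vet_requirements(text: str) -> dict:
    """Map every line that is not clean to its findings."""
    report = {}
    for raw in text.splitlines():
        findings = vet_requirement(raw)
        if findings:
            report[raw.strip()] = findings
    return report
```

Run it as a pre-commit hook or just before `pip install -r`, and fail the install on any finding. The distance-1 threshold is deliberately tight: loosen it and common short names start colliding with each other, tighten it and you miss nothing the threshold already catches, so a new name that is not close to anything you know gets a "review it" finding instead of a verdict.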

The attack that calls your family

This is where the AI thread comes all the way home. Voice cloning today needs about three seconds of audio, the scam isn't theoretical anymore, and one in four Americans has already received an AI-generated voice call. Picture a panicked call in your kid's or your parent's voice asking for money right now, and you realise no amount of MFA helps when the attack is a phone call to a human who loves the person on the other end.

The two defenses I rely on are both deliberately low tech. The first is a family safe word, a phrase the real people in my life know and an AI clone doesn't, with a simple rule that no safe word means no money, no exceptions, and any urgent request gets verified on a separate channel I dialed myself. The second is locking your phone number with the carrier by setting a port-out PIN and an account lock, so nobody can SIM-swap your number out from under you and walk through every SMS code you own, which is also exactly why your important MFA shouldn't be SMS in the first place. The most advanced attacker of 2026 still loses to a word your family agreed on at the dinner table.

Reach your stuff without exposing it

My default these days is that if something holds anything sensitive, I'd rather run it myself than rent it. I'm not against SaaS on principle, just against handing sensitive data to a service that can read it, and my rule is simple: I'll only trust a SaaS product for sensitive information if it's genuinely end-to-end encrypted and audited by a credible third party, because "we take security seriously" on a marketing page isn't an audit.

Self-hosting only helps if you don't undo it by opening ports, so I don't port-forward, ever; an open port on a home IP is a permanent invitation, and automated scanners find it within minutes. The way I reach my own services from outside is Tailscale, a private encrypted network between my devices that lets my phone talk to my home NAS as if they were in the same room without anything exposed publicly. For the rare case where something truly has to be public, I put it on a cheap, disposable VPS behind a reverse proxy with TLS and its own auth layer, and that VPS never gets to touch the home network, so if it's compromised the blast radius is one rented box.

The point isn't the tools

Every tool here is replaceable. Bitwarden, Proton, pfSense, Tailscale, Immich, Socket Firewall: those are the ones I run, but the value isn't in the brand names, it's in the shape of the setup. Privacy by default, identity compartmentalized, every layer assuming the one before it already failed.

You don't have to do all of this in a weekend either. Pick the worst exposure you can think of right now (probably a reused password, an open port, or that cheap camera), close it, and then move to the next one. Security at home isn't a product you buy, it's a habit of asking "and if this one gets owned, what then?" until the answer stops being scary.

The companies on the news will be fine, because they have budgets, red teams, and now their own AI tools finding bugs before attackers do. Your house has you, and in a year when the cost of attacking anything is collapsing, the gap between a hardened company and an unguarded home is the one worth closing. Nobody else is going to close it for you.

Thoughts? Hit me up at [email protected]
