macOS Endpoint Security
IronMac
Kernel-level process hardening for macOS. Protect your application's high-value processes against attackers who already own user space.
The Problem
User space is hostile territory
Your application handles intellectual property, credentials, and personal data. A single compromised process can read your memory, inject code, and exfiltrate everything — and user-space monitoring can't stop it, because the attacker controls user space too.
Code Injection
Malicious code injected into your running process hijacks execution flow and steals data in-memory.
Memory Tampering
Unauthorized mmap and mprotect calls bypass security checks and extract secrets.
Task Port Hijacking
Acquiring your process's task port grants full read/write access to memory, registers, and thread state.
The Solution
Below the attacker, above the noise
IronMac uses Apple's Endpoint Security framework — the only supported mechanism for tamper-resistant, kernel-level visibility into system events. An attacker who owns user space cannot observe, evade, or disable it.
Endpoint Security Framework
Kernel Level
Tamper-resistant event stream that cannot be intercepted or disabled by user-space code. IronMac subscribes to notify events for protected processes only.
User-Space APIs
Compromised
Observable, evadable, and disableable by any attacker who controls user space.
Detection
Real-time attack detection
IronMac subscribes to kernel-level notify events to identify attacks against your protected processes in real time.
Process Lifecycle
Catch unauthorized spawning and injection attempts through process creation and termination monitoring.
exec fork exit
Memory Operations
Detect unauthorized memory mapping and protection changes that indicate injection or exfiltration.
mmap mprotect
Inter-Process Access
Catch task port acquisition that would grant full control over your process's memory and state.
task_for_pid
Privacy by Design
Your users' data stays on their machine
IronMac is built around a strict privacy model. All event analysis happens on-device. Only high-confidence attack indicators reach the backend — no general activity, no raw events, no unrelated data.
Explicit Consent
Both vendor and end user must opt in. No silent monitoring, no hidden scopes.
On-Device Analysis
All event processing runs locally. Raw event streams never leave the machine.
Minimal Transmission
Only high-confidence attack indicators reach the hardened backend the user accepted.
Protect your processes
Available for software vendors who need to defend their macOS applications against post-compromise threats.
Get in touch