Series

macOS syscall security

2 posts in this series. Read them in order or jump to any one.

task_for_pid: macOS's most dangerous Mach trap
How task_for_pid works, why Apple gates it the way it does, and what its entitlement model means for security tooling on macOS.
Detecting syscall abuse with macOS Endpoint Security in 2026
Endpoint Security is the modern, supported path for syscall-level detection on macOS — but its event taxonomy doesn't map 1-to-1 with syscalls. Here's the practical mapping for security work.

All posts in this series

task_for_pid: macOS's most dangerous Mach trap

How task_for_pid works, why Apple gates it the way it does, and what its entitlement model means for security tooling on macOS.

5/28/2026

machtask_for_pidsecuritycode-injection

Detecting syscall abuse with macOS Endpoint Security in 2026

Endpoint Security is the modern, supported path for syscall-level detection on macOS — but its event taxonomy doesn't map 1-to-1 with syscalls. Here's the practical mapping for security work.

5/29/2026

endpoint-securitymacosedrsecurity