Getting started in macOS security

Many people used to ask me where to start learning about macOS security or exploitation, what are the trainings or books out there that can help with this topic. Surprisingly there is great coverage for macOS internals and defense, which are even recent vs exploitation, where everything is 9+ years old. If you are interested in offensive macOS research, you are stuck with blog posts and conference talks.

I thought I will try to collect some resources that can help people to get started in this field.


There are two different classes for macOS internals and one for forensics.

One is offered by Stefan Esser, and it’s called iOS and MacOS Kernel Internals for Security Researchers, this one focuses on macOS kernel internals as the name suggests.

The other is created by Jonathan Levin / Technologeeks, and is more broadly about OSX and iOS internals and security. Although it’s not offered live anymore, an online version should come out shortly.

SANS has a Mac & IOS Forensic Analysis & Incident Response Training | SANS FOR518, which is created by Sarah Edwards.


Similarly to the trainings there are not really books about macOS exploitation. There are two, but they are rather dated. The rest are mostly programming guides, or covering macOS internals. All of them, expect Levin’s new series are dated, but it doesn’t mean there is no useful information in them.

When it comes to defense, there are two free ebooks about macOS malware, which are up-to-date! This is pretty good considering how everything else is so much old.

Here follows a list, that I think can be useful for security:



Malware & DFIR


Reverse engineering


I found the following people having awesome blog posts on macOS internals or security on a constant basis.

Conference Talks and Papers

@osxreverser maintains an awesome collection of paper and conference talks on his website: macOS · Papers, Slides and Thesis Archive

Although it’s covered in Pedro’s collection, I still want to highlight the Objective By The Sea conference, which is entirely dedicated to macOS security.


Apple’s own developer documents can be also very useful, especially the older ones. These are also dated, yet a very valuable resources. Apple Documentation Archive

Part of the XNU kernel is open sourced by Apple, which is also an invaluable resource. Apple Open Source

I hope these resources can get help people started and answer the question answered so frequently. It’s probably far from being complete, and sorry if I missed anyone. If you know of a good resource let me know, and I can update this list.