macOS Agentic Red Team Operations

Build and extend an agentic macOS command platform.

This expert track starts from a working MacSec Agentic C2 codebase and teaches operators how to turn macOS red-team knowledge into a human-commanded agentic system: beacon tasking, CoreML metadata payload delivery, server-side LLM reasoning, tool routing, context window control, MITRE mapping, KPI/KRI dashboards, approval gates, denial feedback, and auditable execution.

Students extend real source code instead of only reading theory: build the beacon path, wire an LLM operator brain, add local model scoring, improve the console, validate every command with evidence, and keep execution behind human-in-the-loop approval for authorized lab operations.

DEF CON prebooking promotional offer. Full course access opens on Jul 30.

00

Agentic Operations Doctrine and Source Orientation

Orient inside the provided MacSec Agentic C2 source code, define the human-commanded operating model, and prove the approve, deny, feedback, kill-switch, and audit flow with real artifacts.

5 modules
00.1Human-Commanded Agentic Operations on macOS
Locked
00.2MacSec Agentic C2 Source Walkthrough
Locked
00.3Current Platform Capabilities and Enterprise Gaps
Locked
00.4HITL Control Model: Approve, Deny, Feedback, Kill Switches, Audit
Locked
00.5Lab: Trace One Command End to End
Locked
01

Mac-Native Beacon and Tasking Foundation

Extend the provided Objective-C beacon and tasking path: enrollment, task envelopes, command execution, result return, retry behavior, offline recovery, and proof in the operator console.

6 modules
01.1Objective-C Beacon Anatomy
Locked
01.2Task Envelope Design
Locked
01.3Command Execution and Result Return
Locked
01.4Polling, Jitter, Backoff, Offline Recovery, and Duplicate Handling
Locked
01.5Source Extension: Add a Beacon Health Field
Locked
01.6Lab: Extend Beacon Telemetry and Validate It in Console
Locked
02

macOS Reconnaissance Sensor Layer

Build structured macOS recon data from Apple-native evidence and make that host state usable by both the operator and the agentic decision layer.

6 modules
02.1IOKit Enumeration for Hardware and Driver Context
Locked
02.2Unified Log Collection Strategy
Locked
02.3Process, User, Network, Launchd, and Filesystem Posture
Locked
02.4Endpoint Security Sensor Model and Practical Limits
Locked
02.5Context Packaging for Agentic Reasoning
Locked
02.6Lab: Add Recon Profile Collection to MacSec Agentic C2
Locked
03

Technique Knowledge Base and Retrieval

Turn macOS red-team techniques into structured data the agent can retrieve, score, cite, and use before proposing operator action.

6 modules
03.1Technique Entry Schema
Locked
03.2Preconditions, Visibility, Artifacts, Fallbacks, and Proof Requirements
Locked
03.3Query Engine and Retrieval Quality
Locked
03.4Tool Registry Design
Locked
03.5Source Extension: Add Technique Lookup API
Locked
03.6Lab: Query the Technique KB from an Operator Objective
Locked
04

Context Window and Memory Engineering

Prevent stale, bloated, or misleading context from breaking agentic decisions by adding evidence references, summaries, memory layers, and denial feedback memory.

6 modules
04.1Context Window Budgeting for Long Operations
Locked
04.2Rolling Command History and Evidence References
Locked
04.3Session Memory, Campaign Memory, Host Memory, and Operator Feedback Memory
Locked
04.4Denial Memory: Learning from Rejected Proposals
Locked
04.5Source Extension: Add Context Pack Builder
Locked
04.6Lab: Compress a Long Operation Without Losing Critical Evidence
Locked
05

Planning Agent and Campaign Graphs

Move from operator objective to reviewed plan tree with decomposition, fallback graphing, risk scoring, temporal pacing, plan validation, and HITL checkpoints.

6 modules
05.1Objective Decomposition
Locked
05.2Plan Tree Construction and Apple-Architecture Fallbacks
Locked
05.3Risk-Weighted Path Selection and Temporal Planning
Locked
05.4Plan Validation Before Execution
Locked
05.5Source Extension: Add Plan Preview to Agentic Chat
Locked
05.6Lab: Generate a Campaign Plan with HITL Checkpoints
Locked
06

LangGraph and LangChain-Style Tool Routing

Build the agent workflow around explicit tools, structured outputs, routing graphs, retries, recovery paths, and human approval interrupts.

6 modules
06.1Tool Interface Design for Operator Workflows
Locked
06.2LangChain-Style Tool Calls and Structured Outputs
Locked
06.3LangGraph-Style State Machine
Locked
06.4Retry, Recovery, and HITL Interrupts
Locked
06.5Source Extension: Add Tool Router Layer
Locked
06.6Lab: Build a Tool-Picking Graph for MacSec Agentic C2
Locked
07

CoreML Metadata Payload Channel

Implement and validate the Apple-specific CoreML metadata tasking path with encoding, extraction, integrity checks, expiry, replay protection, and tamper evidence.

6 modules
07.1CoreML Model Structure: Metadata, Weights, and Runtime Behavior
Locked
07.2Metadata Payload Embedding
Locked
07.3Integrity, Expiry, Engagement ID, Nonce, and Replay Protection
Locked
07.4Agent-Side Extraction and Validation
Locked
07.5Source Extension: Improve Metadata Payload Validation
Locked
07.6Lab: Embed, Extract, Validate, Execute, and Return Result
Locked
08

Local ML and CoreML Decision Support

Add local ML decision support on top of the command platform: feature engineering, classifier training, CoreML conversion, inference, and LLM-versus-local-model comparison.

7 modules
08.1What Belongs in Local ML Versus LLM Reasoning
Locked
08.2Feature Engineering from Recon, Command History, Denials, and Outcomes
Locked
08.3Train a Small Agentic Decision Classifier
Locked
08.4Convert and Load a CoreML Model
Locked
08.5Compare Local ML Scoring Against LLM Recommendation
Locked
08.6Source Extension: Add Local Model Score to Agent Decision Context
Locked
08.7Lab: Train, Load, and Use a Local Decision Model
Locked
09

LLM Operator Brain and HITL Workflow

Build a server-side LLM operator loop with provider isolation, prompt contracts, structured proposals, approval and denial workflows, and hallucination guardrails.

7 modules
09.1DeepSeek and OpenAI-Compatible Backend Integration
Locked
09.2Server-Side LLM Isolation and Key Safety
Locked
09.3Prompt Contract: Objective, Context, Proposed Command, Risk, Evidence
Locked
09.4Approval, Denial, and Revised Proposal Loop
Locked
09.5Hallucination Guardrails and Execution Claim Validation
Locked
09.6Source Extension: Improve Denial Feedback Reasoning
Locked
09.7Lab: Ask, Deny, Revise, Approve, Execute, and Review Output
Locked
10

Observation, OPSEC, KPI, and KRI Engine

Derive operational intelligence from real task execution history: expected versus observed behavior, OPSEC health, MITRE mapping, KPI, KRI, and dashboard proof.

7 modules
10.1Expected Versus Observed Behavior
Locked
10.2Weak-Signal Correlation and OPSEC Health
Locked
10.3MITRE Mapping from Manual and AI-Approved Commands
Locked
10.4KPI Design
Locked
10.5KRI Design
Locked
10.6Source Extension: Add or Improve a KPI/KRI Panel
Locked
10.7Lab: Build the Operator Intelligence Dashboard
Locked
11

Adaptation Engine and Human Escalation

Teach the agent to adapt from real feedback and results without guessing: triggers, fallback selection, substitution logic, ambiguous output handling, and escalation.

6 modules
11.1Adaptation Triggers
Locked
11.2Fallback Selection and Substitution Logic
Locked
11.3Ambiguous Result Handling
Locked
11.4Human Escalation Rules
Locked
11.5Source Extension: Add Adaptation Trace Output
Locked
11.6Lab: Force a Bad Proposal and Recover Correctly
Locked
12

Commander Console and Enterprise Workflow

Improve the console toward enterprise-grade operator workflow: approval UX, output rendering, RBAC, case IDs, evidence retention, and auditable operator actions.

6 modules
12.1Console Information Architecture
Locked
12.2Approval Card UX and Output Rendering
Locked
12.3Multi-Operator Review and RBAC
Locked
12.4Case IDs, Evidence Retention, and Report Traceability
Locked
12.5Source Extension: Add One Enterprise Console Improvement
Locked
12.6Lab: Upgrade the Console Workflow
Locked
13

Security Hardening and Abuse Resistance

Prevent the platform itself from becoming the weak point by validating secret handling, signed requests, replay windows, engagement isolation, rate limits, and audit trails.

6 modules
13.1Secrets Handling and No Client-Side Leakage
Locked
13.2Signed Requests, HMAC, Replay Windows, and mTLS Options
Locked
13.3Engagement Isolation and Data Boundaries
Locked
13.4Rate Limits, Audit Trails, Sensitive Command Review
Locked
13.5Source Extension: Harden One Control Path
Locked
13.6Lab: Validate Platform Hardening
Locked
14

Simulation Range and Benchmarking

Measure whether the agent improves across synthetic targets, detection injection, tool-choice scoring, context degradation, memory regression, and repeated runs.

6 modules
14.1Synthetic Target Profiles
Locked
14.2Detection Injection and Failure Simulation
Locked
14.3Red-Team Versus Agent Comparison
Locked
14.4Tool-Choice Scoring and Regression Tests
Locked
14.5Context Degradation and Memory Regression
Locked
14.6Lab: Benchmark the Agent Across Repeated Runs
Locked
15

Enterprise Extension Capstone

Extend MacSec Agentic C2 with a meaningful enterprise-grade capability, validate it with real beacon activity, run a full operation, and defend the design.

6 modules
15.1Choose an Extension: Memory, Tool Routing, Model Scoring, RBAC, Policy, or Reporting
Locked
15.2Implement the Extension on Top of the Provided Source
Locked
15.3Validate the Extension with Real Beacon Activity
Locked
15.4Run a Complete Agentic Mac Operation
Locked
15.5Final Report and Design Defense
Locked
15.6Capstone: Extend MacSec Agentic C2 and Defend the Build
Locked