Build defensible macOS detections from telemetry to validation.
This course teaches macOS detection engineering from the ground up: where endpoint evidence comes from, how Endpoint Security sensors model process and file behavior, how Unified Logging and forensic artifacts strengthen investigations, and how to turn raw telemetry into rules that survive real operational noise.
Students build a practical workflow for writing Sigma rules, testing them against controlled local activity, tuning false positives, documenting visibility gaps, and packaging detections with evidence that a security team can review, maintain, and improve over time.
Detection Engineering Foundations
Build the defender mental model for macOS telemetry, evidence quality, rule naming, and local validation.
Endpoint Security Sensor Engineering
Move from telemetry concepts into sensor implementation, event modeling, drop accounting, validation, and failure handling.
Persistence Detection
Detect launchd, login items, plugins, profiles, schedulers, shell startup paths, and persistence rule tuning.
Detection as Code
Turn macOS telemetry knowledge into versioned Sigma rules, test fixtures, regression checks, and release workflow.
Execution and Process Behavior Detection
Detect suspicious process creation, interpreter chains, temporary execution, app bundle anomalies, and ancestry patterns.
Code Loading and Supply Chain Detection
Detect Mach-O loading behavior, dylib abuse, build plugins, package scripts, and dependency execution signals.
Credential, Identity, and Trust Boundary Detection
Detect credential access, TCC manipulation, authorization abuse, sandbox boundary issues, and privilege escalation indicators.
Discovery, Collection, and Staging Detection
Detect host profiling, sensitive file discovery, collection workflows, staging paths, and metadata changes.
Network, C2, and Lateral Movement Detection
Detect macOS network behavior, callbacks, localhost relays, remote admin abuse, discovery, and lateral movement indicators.
Advanced Evasion Visibility Detection
Measure visibility around Endpoint Security pressure, exception signaling, accelerator boundaries, XPC trust issues, and advanced evasion claims.
Forensics and Artifact Based Detection
Map macOS forensic artifacts, preserve logs, build timelines, and package evidence for detection programs.
Threat Hunting and Validation
Build baselines, write hypothesis-driven hunts, validate detections against controlled tradecraft, and create handoff reports.
Capstone Detection Program
Assemble the reference environment, telemetry collector, rule packs, tuning notes, evidence package, and final report.