I. Vulnerability research

We run our FARP and FALE pipelines across a lot of binary surface on macOS and iOS, tracking IPC changes, syscall behavior, and logic gaps that a scanner won't flag. It's turned up real IPC permission regressions, and every one ships with a proof of concept that runs.

  • Instrumenting XNU IPC handlers
  • Mapping memory-management state transitions
  • Reproducing every finding with a working proof of concept
  • Tracking entitlement regressions across releases

II. OS diffing

We diff kernel binaries from one OS release to the next and keep the results as machine-readable OS Atlases. Comparing versions that way catches silent patches and logic regressions that were never documented, often before they're public.

  • Version-to-version interface tracing on macOS and iOS
  • Catching silently patched regressions
  • Mapping undocumented syscall behavior
  • Flagging changes that never appeared in release notes

III. Defensive engineering

The offensive work feeds the defensive work. We build hardened tooling and infrastructure on as few external dependencies as we can manage, aimed at the exact failure classes our research turns up: IPC permission bugs, symlink races, authentication bypasses. We package detection and mitigation for them into something you can actually deploy.

  • Coordinated disclosure with Apple, HackerOne, and enterprise vendors
  • Product security audits of macOS and enterprise software