v1.6.19 Alpha

Exoskeleton for your Mac.

Threat detection built on Apple's Endpoint Security framework. 420+ Sigma-compatible rules, behavioral scoring, and campaign correlation — running entirely on your Mac.

Iterating fast — expect false positives and frequent updates. Changelog · Report an issue

$ brew tap peterhanily/maccrab https://github.com/peterhanily/maccrab && brew install --cask maccrab
[Screenshot: MacCrab dashboard Overview tab. A green banner reads 'All clear — no critical alerts' above tiles showing 0 Alerts, 353 Rules, 48 events per second, Connected: Yes, and Security grade A-. A left sidebar lists Monitor, Protection, Intelligence, and System navigation groups.]

Detection

See what's happening, as it happens.

macOS ships Endpoint Security — a kernel-level telemetry API that exposes 90+ event types to authorised clients. MacCrab turns that firehose into readable alerts, correlates them across process lineage, and surfaces them on your machine.

AI coding tool guardrails

Claude Code, Codex, Cursor, and Copilot are powerful — and sometimes they wander. MacCrab watches for credential reads, project-boundary escapes, prompt injection, and MCP server drift. Agent Data Lineage (new in v1.6.6) weaves each AI tool's LLM calls, subprocess spawns, file I/O, and network activity into one timeline — so you can see what your agent actually did, not just what it said to the model.

Tags: ai_guard, agent_lineage, mcp_server, prompt_injection

Persistence & malware

LaunchAgents, dylib hijacks, quarantine-stripped payloads, kernel extensions, TCC bypasses, quick-look plugins, folder actions. 420+ Sigma-compatible rules covering 17 tactic categories.

Tags: sigma, mitre_att&ck, 420+ rules

Credential theft

Keychain dumps, browser password-store reads, SSH-key exfiltration, AWS credential access, browser-extension over-permissioning. Honeyfile tripwires deploy at standard credential paths to catch what rules can't.

Tags: keychain, honeyfiles, browser_ext

Attack campaigns

Multi-step kill chains correlated across process lineage and time windows. When a browser spawns a shell that strips quarantine and installs a LaunchAgent, you get one campaign view with the full graph — not four disconnected alerts to stitch together by hand.

Tags: kill_chain, ueba, lineage_dag

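
The campaign view described above rests on one idea: single-event rule hits are grouped by the process lineage they share and by a time window, and a group with two or more distinct stages is promoted to a campaign. The following Python is an added example of that correlation step, not MacCrab's engine. The event shape, the three rule names (browser_spawned_shell, quarantine_stripped, launchagent_written), the browser and shell image-name sets, and the 300-second window are this example's assumptions; the sample events are constructed and model the browser-to-shell-to-LaunchAgent chain from the text alongside two benign lineages.

```python
"""Lineage-aware campaign correlation. Added example over constructed events."""
from __future__ import annotations
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Event:
    ts: float      # seconds (constructed)
    kind: str      # "exec" (new process image) or "file_write"
    pid: int
    ppid: int
    name: str      # image name of the acting process
    detail: str    # argv string for exec, written path for file_write

@dataclass(frozen=True)
class Alert:
    rule: str
    ts: float
    pid: int

BROWSERS = {"Safari", "Google Chrome", "firefox"}   # assumed image names
SHELLS = {"sh", "bash", "zsh"}
LAUNCH_AGENT_PLIST = re.compile(r"/Library/LaunchAgents/[^/]+\.plist$")
WINDOW_SECONDS = 300.0   # hits in one lineage inside this window form one campaign

class Correlator:
    def __init__(self) -> None:
        self.procs: dict[int, tuple[int, str]] = {}   # pid -> (ppid, image name)
        self.alerts: list[Alert] = []

    def lineage(self, pid: int) -> list[str]:
        # Image names from pid up to the top-most ancestor we have recorded.
        chain: list[str] = []
        while pid in self.procs and len(chain) < 64:   # bound guards pid-reuse loops
            ppid, name = self.procs[pid]
            chain.append(name)
            pid = ppid
        return chain

    def root(self, pid: int) -> int:
        # Highest known ancestor pid; alerts sharing a root share a lineage.
        for _ in range(64):
            ppid = self.procs.get(pid, (-1, ""))[0]
            if ppid not in self.procs:
                return pid
            pid = ppid
        return pid

    def _match(self, e: Event) -> list[str]:
        # Single-event rules; each appends its rule name on a hit.
        hits: list[str] = []
        if e.kind == "exec":
            parent = self.procs.get(e.ppid, (0, ""))[1]
            if e.name in SHELLS and parent in BROWSERS:
                hits.append("browser_spawned_shell")
            argv = e.detail.split()
            if e.name == "xattr" and "-d" in argv and "com.apple.quarantine" in argv:
                hits.append("quarantine_stripped")
        elif e.kind == "file_write" and LAUNCH_AGENT_PLIST.search(e.detail):
            hits.append("launchagent_written")
        return hits

    def ingest(self, e: Event) -> list[Alert]:
        if e.kind == "exec":
            self.procs[e.pid] = (e.ppid, e.name)   # record first so lineage() sees it
        new = [Alert(r, e.ts, e.pid) for r in self._match(e)]
        self.alerts.extend(new)
        return new

    def campaigns(self) -> list[dict]:
        # Bucket by lineage root, then by time window; >= 2 distinct stages make a campaign.
        buckets: dict[int, list[list[Alert]]] = {}
        for a in sorted(self.alerts, key=lambda x: x.ts):
            groups = buckets.setdefault(self.root(a.pid), [])
            if groups and a.ts - groups[-1][0].ts <= WINDOW_SECONDS:
                groups[-1].append(a)
            else:
                groups.append([a])
        out: list[dict] = []
        for root, groups in buckets.items():
            for g in groups:
                stages = [a.rule for a in g]
                if len(set(stages)) < 2:
                    continue                     # a lone hit stays a plain alert
                out.append({"root": root, "stages": stages,
                            "lineage": list(reversed(self.lineage(g[-1].pid))),
                            "span_seconds": round(g[-1].ts - g[0].ts, 3)})
        return out

def correlate(events: list[Event]) -> list[dict]:
    c = Correlator()
    for e in sorted(events, key=lambda ev: ev.ts):
        c.ingest(e)
    return c.campaigns()

# Constructed sample: the chain from the text (browser -> shell -> quarantine
# stripped -> LaunchAgent written), an interactive shell, and a lone installer write.
SAMPLE_EVENTS = [
    Event(100.0, "exec", 501, 1, "Safari", "Safari"),
    Event(101.0, "exec", 502, 501, "zsh", "zsh -c ./stage.sh"),
    Event(101.5, "exec", 503, 502, "xattr", "xattr -d com.apple.quarantine /Users/alice/Downloads/Update.app"),
    Event(102.0, "exec", 504, 502, "cp", "cp updater.plist /Users/alice/Library/LaunchAgents/"),
    Event(102.1, "file_write", 504, 502, "cp", "/Users/alice/Library/LaunchAgents/com.example.updater.plist"),
    Event(150.0, "exec", 601, 1, "Terminal", "Terminal"),
    Event(151.0, "exec", 602, 601, "zsh", "zsh"),
    Event(200.0, "exec", 701, 1, "Installer", "Installer"),
    Event(201.0, "file_write", 701, 1, "Installer", "/Users/alice/Library/LaunchAgents/com.vendor.agent.plist"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single campaign rooted at the Safari process with the stages browser_spawned_shell, quarantine_stripped and launchagent_written and the lineage Safari -> zsh -> cp; the installer's LaunchAgent write fires the same rule but, with no sibling stages in its lineage, remains an ordinary alert. Bounding the ancestor walk matters in practice because pids are reused and a stale table can otherwise produce a cycle.
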
Dashboard

Native Mac. Keyboard first.

A SwiftUI menubar app with 15 views — overview, alerts, campaigns, events, rules, prevention, AI Guard, browser extensions, threat intel, integrations, permissions, ES health. Or skip the GUI entirely and drive it from the CLI.

Current release

What ships in v1.6.19.

420+ detection rules
38 sequence rules
17 tactic categories
5 LLM backends
807 tests passing

Privacy

Your data. Your device.

Detection data is a full picture of what's happening on your machine — it should stay there. MacCrab keeps events in a local SQLite database, runs analysis on-device by default, and ships no telemetry unless you turn it on.

On-device by default: Fleet telemetry, threat-intel feeds, and cloud LLM backends are opt-in switches, not defaults.
No account required: No signup or license server. Install, approve the system extension, done.
Local LLM first: Ollama is the recommended backend for AI analysis. If you choose a cloud backend, the sanitiser strips usernames, private IPv4 and IPv6 ranges, Mac ComputerName strings, Bearer tokens, and every known API-key shape (Anthropic, OpenAI, Google, AWS, GitHub, Slack) before anything leaves your Mac.
Audit the source: MacCrabCore is Apache 2.0. Every collector, rule, and sanitiser is on GitHub for you to read.

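
The sanitiser step described under "Local LLM first" is worth seeing concretely: identities that cannot be recognised by shape (the login name, the ComputerName) are passed in explicitly, while credentials and addresses are found by pattern. The Python below is an added example of such an outbound redaction pass; it is not MacCrab's sanitiser, and the vendor key-prefix patterns, the placeholder labels, the use of the standard-library ipaddress classification for "private", and the sample log excerpt (every secret-looking value in it is a dummy) are this example's own assumptions.

```python
"""Outbound sanitiser: redact identities, private addresses and credential shapes
before text leaves the machine. Added example, not MacCrab's sanitiser."""
from __future__ import annotations
import ipaddress
import re

# Key shapes are this example's assumptions about common vendor formats.
API_KEY_SHAPES = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai":    re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "google":    re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "aws":       re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github":    re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})"),
    "slack":     re.compile(r"\bxox[abps]-[A-Za-z0-9-]{10,}"),
}
BEARER = re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE)
USER_PATH = re.compile(r"/Users/[^/\s]+")
# Loose candidates; ipaddress decides what is really an address and whether it is private.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_CANDIDATE = re.compile(r"\b[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}\b")

def _redact_private_ips(text: str, pattern: re.Pattern) -> tuple[str, int]:
    # Replace only candidates that parse as addresses AND fall in private or link-local space.
    hits = 0
    def repl(m: re.Match) -> str:
        nonlocal hits
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)            # address-like text (e.g. a timestamp) is left alone
        if ip.is_private or ip.is_link_local:
            hits += 1
            return "<private-ip>"
        return m.group(0)                # public addresses pass through unchanged
    return pattern.sub(repl, text), hits

def sanitize(text: str, username: str = "", computer_name: str = "") -> tuple[str, dict[str, int]]:
    """Return the redacted text and a count of replacements per category."""
    counts: dict[str, int] = {}
    # Identities first: the ComputerName can embed the user name, so it goes before the user rule.
    counts["computer_name"] = 0
    if computer_name:
        text, counts["computer_name"] = re.subn(re.escape(computer_name), "<computername>", text)
    text, n_path = USER_PATH.subn("/Users/<user>", text)
    n_word = 0
    if username:
        text, n_word = re.subn(rf"\b{re.escape(username)}\b", "<user>", text, flags=re.IGNORECASE)
    counts["username"] = n_path + n_word
    # Credentials: bearer tokens, then each vendor key shape.
    text, counts["bearer"] = BEARER.subn("Bearer <token>", text)
    for vendor, pattern in API_KEY_SHAPES.items():
        text, counts[vendor] = pattern.subn(f"<{vendor}-key>", text)
    # Addresses last, after secrets are gone, so token fragments cannot masquerade as IPs.
    text, n4 = _redact_private_ips(text, IPV4_CANDIDATE)
    text, n6 = _redact_private_ips(text, IPV6_CANDIDATE)
    counts["private_ip"] = n4 + n6
    return text, counts

# Constructed log excerpt; every secret-looking value here is a dummy.
SAMPLE_TEXT = (
    "user alice on MacBook-Pro-Alice ran curl -H 'Authorization: Bearer eyJhbGciOi.dummy.sig' "
    "https://api.example.invalid from 192.168.1.10 (fe80::1c2d:3e4f:5a6b:7c8d) to 8.8.8.8; "
    "log at /Users/alice/Library/Logs/app.log; env ANTHROPIC_API_KEY=sk-ant-api03-DUMMY0000000000000000000 "
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"
)

def demo() -> tuple[str, dict[str, int]]:
    return sanitize(SAMPLE_TEXT, username="alice", computer_name="MacBook-Pro-Alice")
```

`demo()` leaves the public address 8.8.8.8 and the hostname of the remote API intact while replacing both private addresses, the two credential values, the bearer token, the ComputerName and every form of the login name. Ordering is the design point: identity strings go first because a ComputerName often contains the user name, and address matching runs last so that fragments of a token never get mistaken for an IP.
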
Install

Up and running in a few minutes.

macOS 13 Ventura or later. On first launch you'll approve the system extension in System Settings → Login Items & Extensions, and grant Full Disk Access for complete event coverage.

Homebrew Recommended

Cask install with auto-update. Drops the signed app in /Applications and the CLI in your path.

brew tap peterhanily/maccrab \
  https://github.com/peterhanily/maccrab
brew install --cask maccrab

Direct DMG

Grab the signed DMG from GitHub Releases. Drag MacCrab.app to /Applications, then approve the system extension on first launch.

open https://github.com/\
  peterhanily/maccrab/releases/latest

From source

Swift 5.9 + Xcode 15. Builds the seven SPM targets (core, agent kit, sysext, legacy daemon, CLI, MCP server, app) with ad-hoc signing for development.

git clone https://github.com/peterhanily/\
  maccrab.git && cd maccrab
make dev

Frequently asked

Common questions.

Short answers to what people ask most. For the long-form versions, see the README, privacy policy, and security policy.

What is MacCrab?
MacCrab is a local-first macOS threat detection engine. It uses Apple's Endpoint Security framework, 420+ Sigma-compatible detection rules, behavioural scoring, and campaign correlation to surface suspicious activity on your Mac — entirely on-device, with no cloud console or account.
Does MacCrab replace my antivirus?
No. MacCrab complements macOS's built-in defences (Gatekeeper, XProtect, MRT) and existing antivirus products. It focuses on behavioural detection and Sigma-rule threat hunting rather than signature-based scanning, so the two are additive.
Is any of my data sent to a cloud service?
Not by default. MacCrab stores events in a local SQLite database and runs analysis on-device. Fleet telemetry, threat-intelligence feeds, and cloud LLM backends are opt-in. When a cloud backend is enabled, usernames, private IPs, and hostnames are automatically redacted before any request leaves your Mac.
Which macOS versions does MacCrab support?
macOS 13.0 Ventura or later. On first launch you approve the System Extension in System Settings → General → Login Items & Extensions → Endpoint Security Extensions, then grant Full Disk Access for complete event coverage.
How does MacCrab compare to Santa or osquery?
They solve different problems. Google's Santa is a binary allow/deny authorisation policy engine. osquery is a scheduled SQL query engine with a large ecosystem. MacCrab is real-time, Sigma-rule-based threat detection with behavioural scoring and campaign correlation. All three can run alongside each other.
Is MacCrab open source?
Yes. MacCrabCore is Apache 2.0 licensed and hosted at github.com/peterhanily/maccrab. Every collector, detection rule, sanitiser, and the daemon entry-point is readable.
How do I report a security vulnerability?
Email maccrab@peterhanily.com rather than opening a public GitHub issue. MacCrab follows responsible-disclosure practices documented in SECURITY.md.