Threat Hunting macOS Book

Welcome to my latest book, Threat Hunting macOS—a book that shares the insights I wish I had when I first started threat hunting on a less commonly targeted platform.

Successful threat hunting requires a solid understanding of system internals and strong investigative skills. In this book, I aim to strike a balance between the two.

While much of the book is technical, the first two chapters are different. They walk through my personal journey and provide a history of Apple’s ecosystem—laying the foundation for why threat hunting on macOS is a different experience than on Windows. These chapters don’t rely heavily on diagrams and are more narrative in style. Because of that, I’m offering them as a free audiobook preview.

Thanks for listening—and for supporting self-published authors.

—Jaron

Option 1: Physical Book

I sell the book directly from my website, or it can be purchased on Amazon. The physical book features the following:

  • Standard Edition
    • Printed in color
    • Hardcover or softcover
    • Matte Finish
    • 300+ pages

My initial print of this book was a high-quality edition that I call the author's edition. I will be selling these on my website until I run out of them. They feature the following…

  • Author's edition (U.S. Only)
    • Scuff resistant hardcover 
    • High quality color and pages
    • Signed by me
    • $75 + shipping
    • Higher quality than the copy from Amazon for a better price

Option 2: The E-Book on Apple Books

If you are outside the United States or if you’re out of physical library space, the book is also available on Apple Books. This e-book includes the embedded audiobook clips for chapters 1 and 2. These are the only chapters that will be narrated as the rest get too technical.

More e-book platforms are likely to come in the future.

  • Embedded audio recordings for chapters 1 and 2
  • Apple Reflowable Layout (subject to change pending final look)
  • $70

Additional Links for Amazon in Other Countries

If you are outside the United States and want the physical copy, you can now order off of Amazon!

FAQ

  • Who is this book for?
    • This book is designed to help teach others how macOS works for the purposes of detection and analysis. Most chapters open with a formational section that discusses a specific topic, followed by a hands-on section that focuses on analysis related to that topic.
  • Are there any prerequisites?
    • The labs require an Apple computer.
    • I find that those who have a general understanding of computer science, forensics, or security on any operating system tend to follow the content.
  • Will the whole book be in Audiobook format?
    • No. Only the first two chapters will have the audio format.
  • Will you have copies at Objective by the Sea Conference?
    • Unknown at this time, but if I do happen to be finished with the book, I don’t believe I will have “author's editions” there. (Update: I will have author's edition copies at OBTS! How many I will have is unknown at this time.)
  • Your last book had a lot of Middle Earth references. Should I expect more of the same?
    • One does not simply stop using Middle Earth references.
  • Do you offer refunds?
    • Apologies, I do not. I’m too busy doing the writing and self-publishing to put together any type of refundable/return process. 

Book Contents

  • Foreword by Patrick Wardle
  • Technical Review by Brandon Dalton
  • 20+ “From the Frontlines” short stories about real-life intrusions (adjusted to 15+ stories in an effort to publish on time)
  • 9+ Hands-on sections using SpriteTree.app

    Chapters

    1. Welcome to the Niche
    2. Down Memory Lane
    3. Process Trees
    4. Endpoint Security API
    5. Users
    6. Launchd
    7. Persistence
    8. Process Creation
    9. Apps and Executables
    10. OS Specific Technology
    11. PIDS
    12. Passwords
    13. XPC
    14. Conclusion

    Foreword by Patrick Wardle

    I first met Jaron Bradley years ago at my favorite pizza restaurant in Paia, Maui. At the time, he was living on the Big Island while I was on Maui, and we were already deeply — albeit separately — immersed in the world of macOS security. Over slices of pizza and infosec banter, Jaron handed me a copy of his first book, a gesture I’ve never forgotten. I still have that copy today, now well-read and dog-eared. That meetup marked the beginning of a friendship rooted in a shared fascination with Apple’s desktop operating system and the malware, along with the wily hackers, increasingly targeting it.

    Since then, we’ve reversed malware samples, uncovered zero-days, analyzed Apple’s evolving security mechanisms, and explored the many ways attackers continue to bypass them.

    Jaron has become a leading voice in macOS security. He regularly speaks at top security conferences and holds the notable distinction of presenting at every Objective by the Sea. His talks are consistently insightful, backed by impressively designed slides that reflect both technical depth and clarity. In parallel, he offers a macOS threat hunting training that routinely sells out. He doesn’t just teach, he equips others to think critically, ask the right questions, and dig deeper.

    In addition to his research and writing, Jaron has created several tools that reflect his expertise and practical mindset. Among them is TrueTree, an indispensable utility for macOS threat hunting and incident response. These contributions have meaningfully advanced the field and continue to support analysts in real-world investigations.

    This book, like his first, is sure to become indispensable. As Macs continue to gain popularity, especially within enterprise environments, macOS malware is growing in parallel, becoming not only more prevalent but also significantly more sophisticated. In this context, the book is essential reading. It offers clear, deeply technical, and highly relevant guidance on a broad range of topics, from persistence and credential theft to inter-process communication and Apple’s Endpoint Security. Whether you are defending Apple fleets, analyzing malware, or simply seeking to understand macOS at a deeper level, this book will serve you well.

    I consider myself lucky to call Jaron not only a respected colleague, but an even closer friend. His work continues to inspire and to raise the bar for macOS security research and education. And yes, I may just try to drag him back to that same pizza restaurant — not for the pizza, but for an in-person delivery of this book too!

    Patrick Wardle

    Founder, Objective-See Foundation

    Author, The Art of Mac Malware series

    Further Questions?

    jaron@themittenmac.com