Sharvil Shah

Security Researcher and OSquery Developer

Sharvil Shah


Building next-gen security tools (with a focus on macOS)

This is a developer point-of-view talk on the why and the how of developing security tools, with a bit of a focus on macOS. We will start with the "why" of building security tools and argue that instead of just using off-the-shelf open source/commercial tools, building one's own security tooling is a way to level up and keep pace amidst the rapidly and ever changing security and threat landscape.

Next we will deep dive on the use cases (particularly File Integrity Monitoring and process monitoring) driving these tools and look at how one might gather the building blocks and use them to build a tool in practice. We will in particular look at Apple's EndpointSecurity framework, and how it can be quickly leveraged to build the said tools. We will draw a parallel and contrast EndpointSecurity with eBPF functionality on Linux.


Sharvil is a principal of Orchard Labs, LLC. He is focused on macOS systems development and through Orchard Labs, he consults and helps organizations with developing macOS security tools, and extending open source ones. He has been an active contributor to osquery, an open source endpoint agent, since its early days in 2015 providing much of the early macOS implementation, and an osquery Foundation TSC (Technical Steering Committee) member since 2022. Previously he has held engineering roles at companies like Fleet and Trail of Bits among others.