Skip to content
how to become a mac security researcher
Blog Recent News How to Bec...

How to Become a Mac Security Researcher

Devin Byrd Devin Byrd
Director of Threat Intelligence at Kandji
10 min read

Though macOS has often been touted as being more secure than other operating systems, it's not immune to threats. That, and the Mac’s growing market share in the enterprise, are two reasons why there’s a growing market for macOS security researchers. 

Where do such professionals come from? There’s no single career path. But if you're thinking of diving into the niche realm of macOS security research, or if you just want to learn more about Mac security on a professional level, here are some of the educational, experiential, and networking paths that could get you where you want to go.

What is a Mac Security Researcher?

For starters, though, let’s get straight about what a macOS security researcher is and what they do. 

The first part is pretty obvious: A macOS security researcher studies and analyzes threats that specifically target macOS. That person may have a variety of professional responsibilities and roles, including threat hunting, analysis of malware samples, reverse engineering, vulnerability research, threat intelligence, and tool development. While the macOS security community is still a lot smaller than its Windows counterpart, such specialists are increasingly in demand. 

The Education of a Mac Security Researcher

One of the most straightforward ways to launch a career in macOS research is through formal education. A bachelor's or master's degree in fields such as computer science, information security, or related disciplines can give you the foundational knowledge the field requires. That’s the path I started to go down, studying computer electronics and telecommunications technology. However, I dropped out of school before I finished. In hindsight, I know that made my path a lot longer and more arduous. If you’re at the beginning of your career, I recommend getting a degree first. 

After a formal degree, certifications can play a crucial role. Options like the SANS GIAC iOS and macOS Examiner (GIME) and the Offensive Security macOS Researcher (OSMR) are highly respected in the industry. Sarah Edwards (who authored GIME) and Csaba Fitzl (who created OSMR), are both seasoned researchers whose programs offer invaluable insights for anyone interested in Mac security. 

While these certifications are not required, they do validate your skills and demonstrate your commitment to staying up-to-date in a rapidly evolving field. When I’m hiring and see that someone has put in the effort to obtain these certifications, it shows me they’re genuinely passionate about the field. But note that such courses are not inexpensive. 

Hands-on with Mac Security

While formal education offers valuable theoretical knowledge, hands-on experience is equally crucial. Tinkering with the macOS operating system and dissecting its components—its file system, networking features, and security architecture—provides invaluable insights you won’t likely get in a classroom. 

This is how I learned the business. I started doing Mac security research before it was considered a viable career path. I’d always been interested in Apple products and how they differed from Windows. It started early, when I saw my first Apple II computer. Over the years, I acquired a series of Macs, either trading them in for different models or selling them to pay for the next new one. I began to dive deeper into the operating system, to find out how things ran and why applications did different things compared to Windows. 

This was all a hobby at the time, as Apple still had only 1 to 3 percent market share of computers. But that hobby soon became a vocation. In my twenties, my brother and I decided to start a computer repair and service business. We focused on fixing computers and doing home setups for users who needed assistance. 

It wasn’t feasible to focus entirely on Apple, so we split the calls, depending on which OS the customer was using. To be honest, it wasn’t a great business model. We’d get some work, but with the growing markets of things like GeekSquad and others, we were too small to make it. What it did, though, was build my knowledge. I’d show up to help a customer with an issue, only to find that it was something I had never seen before and would have to figure it out on the fly. 

A few years later, I moved to Colorado and got a job with a well-known security company. I met a gentleman in the elevator, and he saw my Macbook. He told me the company was looking to build out a Mac team and asked me to consider it. I did, and that’s how I got started.

This was very early days in the Mac security business, and thus I had no idea what I was getting into. Again, I needed to figure it out on the fly, which meant many, many Google searches and deep dives on the internet, looking for information. At the time, tools and resources focused on macOS security research were incredibly sparse. 

Mac Security Resources

Fortunately, things have changed, and there are books, training courses, and software, that can provide an in-depth understanding of macOS vulnerabilities, threat intelligence, and incident response techniques.

I highly recommend two books in particular: Patrick Wardle’s The Art of Mac Malware and Maria Markstedter’s ARM Assembly Internals and Reverse Engineering. Tools such as Hopper (a Mac and Linux disassembler), Deep Freeze, and the large assortment that Patrick Wardle offers for free are essential. 

You also learn from others in the macOS security community. That community may be relatively small, but its size makes it easier to develop a network. The smaller group enables more accessible and meaningful interactions, offering quicker access to industry knowledge, trends, and job opportunities. 

I know I’ve made some incredible connections and friends while working in this field. People like  Patrick Wardle, Christine Fossaceca, Thomas Reed, Sarah Edwards, Jaron Bradley, and Cedric Owens have been amazing resources for me and many others, with a wealth of knowledge that they love sharing. Connecting with people like this will significantly benefit your career and your ability to find help—because at some point you are going to need it.

There are many ways to connect with other macOS researchers, including:

Conferences

Events like Objective by the Sea are specialized forums where you can learn as well as meet industry leaders and fellow researchers. The talks focus on Apple platforms and allow for more intimate conversations. The OBTS conference is by far the easiest way to build these connections. It’s tiny and very personal, so you are always surrounded by experts who are just as passionate about security as you are. 

Online Connections

The MacAdmins and macOSsec Slack channels offer virtual spaces where people share knowledge, ask questions, and stay updated. These are great resources, where you can make direct connections with individuals or groups who can help you with whatever problem you're trying to solve. I started macOSsec as a way for researchers to collaborate without the noise of the internet, so if someone has questions about reverse engineering a Mac file, they can find a room full of experts who can help. 

Collaborative Projects

Partnering with other researchers on projects such as bug-bounty programs or open-source security software can enhance your skills and help you build a professional portfolio. Some sectors of the security community try to discourage such collaboration and sharing. I think this is counterproductive and causes more headaches than good. I understand why it happens: Businesses want to protect their interests. However, I believe they can still collaborate across organizational lines in a way that helps the rest of the community. I always encourage my teams to work with other researchers and expand our community fellowship. 

Publishing

As you deepen your expertise and your network, you'll find opportunities to contribute to research papers and blog posts, or even to create tools to benefit the community. Publishing your work showcases your skills and establishes you as a thought leader. Blogs, whitepapers, and zero-day reports all build your reputation and boost your career. 

Overall, I think this is a great time to embark on a career in macOS security. Increased market share for Apple means more malware authors paying attention to its platforms and new malware variants being created. It will be a great challenge for everyone involved to keep up with that. 

With the right mix of formal education, hands-on experience, and networking, you could be a part of it. As Apple increases its market share, the opportunities will only expand in ways I could never have imagined when I started my journey.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.