Short List of OBTS and Related Talks
October 17, 2025
Starting Point for Newcomers to Apple Security
This post started out as a reply I sent a fellow OBTS v8.0 attendee, after he sent an extremely useful list of resources for people new to cybersecurity. The three talks included here are also in the longer Reference List, but without the additional details listed here.
This is by no means an exhaustive list, nor have I made it through anywhere near all of the talks. It's also quite hard to choose favorites, when every OBTS talk is packed with great information.
That said, here are a few I've listened to in more detail, because they've been especially helpful as my own introductory material to key components of macOS security and internals.
- Panel Discussion, Finding Your Footing in Apple Security, OFTW v3—Moderated by Patrick Wardle, founder of OBTS, OFTW, and the Objective-See Foundation, with panelists Mikey Jack (Cybersecurity Threat Researcher at Redacted), Luke Roberts (Senior Red Team Engineer at GitHub), and Kinga Kieczkowska (Security Consultant at Rada Cyber Security). Geared toward students who want to start a career in Apple security, but also a great reference for people changing careers. Additional notes are in this blog post.
- Jaron Bradley, Grafting Apple Trees, OBTS v3—Great explanation of process tree idiosyncrasies on macOS, including how to see past the ~90% of processes that list their parent PID as launchd (PID 1). Jaron has quite a few excellent talks on process trees, detections, etc. Even though he's since released SpriteTree and several other tools that help with making sense out of process tree and Endpoint Security-related data, this talk on TrueTree is both still relevant and an excellent introduction to the topic as a whole. If you get the chance to take his training, take it; it was awesome, and both of his books are packed with great info.
- Luke Roberts and Calum Hall, The Clock is TCC’ing, OBTS v6—Concise rundown of TCC’s intended function, with a discussion of its internals. Plus a FOSS tool, Kronos, probably similar to Mints from Howard Oakley / Eclectic Light Co. (which Olivia Gallucci recommended in her OBTS v8 talk). Both of these tools show which apps are actually using TCC permissions and when, whereas Apple leaves that opaque.
- Brandon Dalton, Your Mac’s Immune System / Endpoint Security, OFTW v1—Brandon's slides show some great info on the ES API, and his explanation is phenomenal. He walks through a variant of the AMOS malware that XProtect hadn't detected yet, and how he set up detections for it.
- Patrick Wardle, linking his blog since there are too many talks to choose from—I haven't checked, but it seems like every talk Wardle has given, he's written a blog post to accompany it. This might be standard for everybody... probably should check before I post this. Here are a few talks that come to mind—choose whatever looks most interesting and/or relevant to your current [research]—
  - DLL / Dylib Hijacking in macOS—
    - Original talk, DEF CON 23—
    - Follow-up, OBTS v8—
  - Crash Reports, OFTW v [2?], plus several other versions of this talk—the OBTS one is longer, haven't watched yet
  - Mastering Apple Endpoint Security for Advanced macOS Malware Detection, DEF CON 33—The newest one on the list, and I haven't listened to this as extensively yet. But Patrick Wardle's talks are always exceptional, and this one offers detailed insight into Endpoint Security, geared toward developers writing third-party security tools using the framework.