Read it. Share it. Adapt it.
Three formats, one source. Pick whichever suits your reading device. All released under CC BY-SA 4.0 — share-alike copyleft, free forever.
Read in browser
Single self-contained HTML file. Works on any device. Best for quick reference and copy-paste of code blocks.
For e-readers
Standard EPUB 3 for Kindle, Apple Books, Calibre, Kobo. Reflowable text, table of contents, syntax-highlighted code.
For print & archive
Typeset PDF. Best for printing, page-precise citation, and offline archival.
The Six-Phase Framework.
A reusable framework distilled from twenty years of structured research projects. Each phase captures something I learned the hard way, so you don’t have to. They fit together; the order matters; but the real point is that you finish with something you can stand behind.
Scope
Define what you’re investigating — and what you’re not. The most underrated phase. Good scoping is what turns a sprawling curiosity into research you can actually finish — and be proud of when you do.
Recon
Map the attack surface before writing a single line of test code. Every entry point, every trust boundary, every assumption. Recon is not investigation — it’s the map that tells you where to look.
Research Tracks
Pursue multiple bounded investigations in parallel. Each with a question, a hypothesis, a method, and an evidence standard you decide before you start. The discipline that prevents you fooling yourself.
Red-Team
Find someone willing to push back on your reasoning before you submit. The five questions every useful red-team session asks — and what good answers to them look like.
Submission
Coordinate with the vendor under the 90-day standard. Write clearly, be specific, make the reader’s job easy. Patience is part of the work; clear, generous communication is the craft.
Archive
Document what you found in a form someone else can learn from. Write the postmortem most researchers skip — the part with the highest return on investment. Make yourself a better researcher, not just a more prolific one.
What’s in the book.
Eleven chapters, plus front matter, references, and an errata invitation. Reads end-to-end as a methodology, or as standalone chapters by topic.
Why PING Matters
Mike Muuss, 1983, and the gap between specification and implementation — the place security lives.
ICMP Crafting (2001): A SANS Foundation
The 2001 SANS paper that turned reaction into methodology. How discipline gets built from a single project.
The Six-Phase Framework
Scope, Recon, Research Tracks, Red-Team, Submission, Archive. The framework in detail.
Evidence Capture & Proof of Concept
The discipline of proof. Minimal, reliable, documented, reproducible, safe, focused PoCs.
Writing for Vendors
The 90-day timeline lived through. Structuring submissions. The first-paragraph job.
The Red-Team Conversation
The five questions every red-team session asks. Handling disagreement. Defending with evidence rather than investment.
Responsible Disclosure
Why the 90-day standard exists. The harm of irresponsible disclosure. Publishing in a way that strengthens the community.
The macOS Security Landscape
Cross-referencing FreeBSD/OpenBSD CVEs with XNU. The Darwin architecture. Where the cross-reference breaks down. Vulnerability classes worth hunting.
Building Your Defence
What research builds. Defence in depth, what each control actually stops. The through-line back to PING.
Standards & Frameworks Referenced
Industry standards, ethical principles, and the legal framework (England & Wales).
Twenty-Five Years Forward
An epilogue. What twenty-five years of this work teaches you. Why it still matters.
Who this book is for.
Solo & independent security researchers
Anyone doing this work without an institutional framework around them. The book gives you the methodology that established teams teach by osmosis — how to scope, how to verify, how to red-team yourself, how to submit responsibly. The framework is reusable; macOS is the worked example.
Established researchers extending into macOS
If you already know how to research and want to start on Darwin, Chapter 8 is the macOS-specific contribution: the BSD-to-XNU CVE cross-reference technique that uses the public FreeBSD/OpenBSD security advisory history as an annotated security changelog for the shared codebase.
Security teams on the receiving end
Product security, triage teams, and security managers handling incoming reports. Read it to understand what a good submission looks like, what is reasonable to expect from a researcher, and how the 90-day standard actually plays out under pressure.
Educators & mentors
Teaches the methodology and ethics that purely technical security curricula often skip. Real disclosure outcomes, the discipline of evidence, the human side of vendor coordination — the bits a textbook on exploitation rarely covers.
Free, copyleft, forever.
Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
You are free to: share — copy and redistribute the material in any medium or format. Adapt — remix, transform, and build upon the material for any purpose, even commercially.
Under the following terms: Attribution — you must give appropriate credit to Stuart Paul Thomas, provide a link to the licence, and indicate if changes were made. ShareAlike — if you remix, transform, or build upon the material, you must distribute your contributions under the same licence as the original.
The full licence text is available at creativecommons.org/licenses/by-sa/4.0/legalcode.en. This is a true copyleft licence — derivatives must remain free and openly licensed under the same terms.
Cite this book.
Permanently archived on Zenodo with a DOI for academic and professional citation. The DOI resolves to the latest version forever.
Thomas, S. P. ([0009-0008-4518-0064]) (2026). macOS Security Research: A Complete Framework (Version 1.0.0) [Book]. Zenodo. https://doi.org/10.5281/zenodo.19855016
@book{thomas_2026_macos_security_research,
  author    = {Thomas, Stuart Paul},
  orcid     = {0009-0008-4518-0064},
  title     = {{macOS Security Research: A Complete Framework}},
  edition   = {First Edition},
  year      = {2026},
  month     = apr,
  publisher = {Zenodo},
  version   = {1.0.0},
  doi       = {10.5281/zenodo.19855016},
  url       = {https://doi.org/10.5281/zenodo.19855016}
}
How this book was made.
The author is neurodivergent (autism, ADHD). Claude (Anthropic) was used as assistive technology during the preparation of this book: for drafting, proofreading, structural editing, formatting of code blocks and equations, citation formatting, and discussion of clarity and pacing.
The underlying research — methodology design, technique development, empirical work, code, and interpretation — is the author's own work. Use of AI assistive technology is consistent with the principles of the Equality Act 2010: disability is a protected characteristic under Section 6; reasonable adjustments are contemplated by Sections 20–21; discrimination arising from disability is addressed by Section 15.
This acknowledgement is provided in the spirit of transparent and accessible research practice. The author thanks the security research community, the FreeBSD and OpenBSD projects (whose public CVE history is referenced extensively in Chapter 8), the apple-oss-distributions team for keeping XNU source public, and Pandoc for handling the EPUB and PDF conversions.
Stuart Paul Thomas.
Cryptographer and software engineer based in Whitby, North Yorkshire. 35+ years across NHS national cryptographic standards, TfL contactless payment architecture, and independent security research. Active in Whitby Jet provenance technology, the NTAG 424 DNA macOS SDK, and OpenBSD kernel security findings. Released this book as a personal creative project.
Disclaimer. This content is provided for general information and educational purposes only and does not constitute legal, financial, or professional advice. Proof-of-concept code is published for educational and defensive security purposes only. Use only on systems you own, control, or have explicit written authorisation to test. Unauthorised use may constitute a criminal offence under the Computer Misuse Act 1990 or equivalent legislation in your jurisdiction. The author retains moral rights under the Copyright, Designs and Patents Act 1988. No warranty is given as to the accuracy, completeness or fitness for purpose of any information contained herein. Independent verification is essential before relying on any technical detail.