The Question That Started Everything
In 1983, Mike Muuss was debugging a network problem at the University of Delaware. A gateway was silently dropping data — no error messages, no obvious cause. So he wrote a small programme: send an ICMP Echo Request, wait for a reply. A simple question: Are you there?
He called it PING. Forty years later, every serious security researcher knows that PING reveals things it was never designed to reveal.
When you send a malformed PING, you're testing an assumption. The system receives it and has to make a choice: reject it, try to parse it, or something in between. That choice — replicated millions of times — becomes a fingerprint. And sometimes, if you're paying attention, it becomes a vulnerability.
Security research isn't fundamentally about attack or defence. The engine underneath both is curiosity — the need to know what the system is actually doing, rather than what it's supposed to be doing.
— Stuart Paul Thomas, macOS Security Research: A Complete Framework
My professional career started in 1994 at University College Scarborough — doing everything: helpdesk, training, tech support, web development. In 2001, seven years in, I wrote a SANS paper on ICMP crafting that forced me to be explicit about methodology for the first time. That discipline became the framework in this book. Behind the professional career was a longer obsession: a retired teacher's Commodore PET I'd fixed for £5 in 1987, when I was eleven. Curiosity predated everything else.
The Six-Phase Framework
Effective security research isn't a single investigation — it's a structured process. The six phases below give you a repeatable methodology that produces findings you can defend, submit, and see fixed.
1. Define what you're researching before you start. The most expensive mistake is six months of correct findings about the wrong thing.
2. Build the map before you investigate. Recon is not looking for vulnerabilities — it's understanding where they might live.
3. Run multiple bounded investigations in parallel, each with a specific question, hypothesis, and evidence standard.
4. Stress-test your own findings before anyone else does. The gap between believing you have a vulnerability and proving it is everything.
5. Coordinate with vendors through the 90-day responsible disclosure timeline. Your research stops being yours at submission — make it count.
6. Document as if someone else will use your notes to continue the research. Because they will. Archive is how knowledge survives.
What the Methodology Teaches
Specifications are aspirations. Code is reality. Security lives in the gap between what a specification says and what an implementation does. PING has had the same specification since 1981. Implementations have diverged ever since.
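As an added illustration of the "reject it, try to parse it, or something in between" choice described above and of the gap between the RFC 792 echo specification and what an implementation does (example code written for this summary, not taken from the book): an echo-message validator with the RFC 1071 checksum, plus two hypothetical responder policies, strict and lenient, that answer the same malformed request differently. The two policies are constructed for illustration and model no particular operating system.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message.
    Over a message whose checksum field is already filled in, a valid
    message folds to 0xFFFF, so this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload=b"", kind=ICMP_ECHO_REQUEST, code=0):
    """Build an ICMP echo message (RFC 792: type, code, checksum, id, seq).
    Passing code != 0 deliberately produces a malformed echo for testing."""
    header = struct.pack("!BBHHH", kind, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", kind, code, csum, ident, seq) + payload

def validate_echo(packet: bytes) -> list:
    """Return every RFC 792 violation found; an empty list means well-formed."""
    if len(packet) < 8:
        return ["truncated: ICMP header is 8 bytes"]
    kind, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    problems = []
    if kind not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        problems.append("type %d is not an echo type" % kind)
    if code != 0:
        problems.append("code %d must be 0 for echo" % code)
    if icmp_checksum(packet) != 0:
        problems.append("checksum mismatch")
    return problems

def respond(packet: bytes, strict: bool):
    """Two hypothetical responder policies (constructed for illustration):
    strict drops anything that fails validation; lenient answers as long as
    the 8-byte header parses as an echo request. The same malformed input
    therefore produces observably different behaviour from the two."""
    problems = validate_echo(packet)
    if strict and problems:
        return None
    if len(packet) < 8 or packet[0] != ICMP_ECHO_REQUEST:
        return None
    _, _, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return build_echo(ident, seq, packet[8:], kind=ICMP_ECHO_REPLY)
```

A capture of echo requests can be run through `validate_echo` to flag the malformations that implementations are known to handle differently.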
Verify everything. Static analysis lies. A code review can show you something might be vulnerable. Only a working proof of concept shows you it is. Never submit a finding you can't reproduce on a real system.
Responsible disclosure isn't a limitation. It's the point. Vendors work with researchers they trust. The security community respects work that's rigorous and responsible. Report findings in a way that gets them fixed, not exploited.
The BSD cross-reference is your most underused tool on macOS. Darwin's networking and VFS code traces back to FreeBSD and OpenBSD. A vulnerability patched in FreeBSD is worth immediately checking in XNU. The CVE history is public — use it.
Defence in depth buys time, not immunity. Code signing, SIP, ASLR, and Pointer Authentication each raise the cost of exploitation. None of them stops a determined attacker alone. Understanding what each control stops — and what it doesn't — is the researcher's contribution to defence.
The quality of your research reflects the quality of your questions. Not the tools you use. Not the CVEs you've found. The questions. Are you asking the right things? Are you listening to what the answers actually say, rather than what you hoped they'd say?
What the Complete Framework Covers
This summary gives you the spine. The full book gives you the muscle:
Why PING Matters — The history of ICMP, what a 40-year-old tool still reveals about modern operating systems, and why methodology is the through-line.
ICMP Crafting (2001) — The SANS Foundation research that built the framework. Fourteen years from a Commodore PET to a formal research methodology.
The Six-Phase Framework — The complete methodology in detail. Scope documents, recon maps, research track templates, red-team protocols, vendor submission, and archive standards.
Evidence Capture & Proof of Concept — The gap between believing you have a vulnerability and proving you have one. PoC development, reproduction standards, and evidence quality.
Writing for Vendors — The Day 1/45/90 timeline. How to write a disclosure that vendors actually act on. The craft of the first contact, the follow-up, and the deadline.
The Red-Team Conversation — How to stress-test your own findings before submission. The two failure modes: findings that don't survive scrutiny, and findings that are real but can't be explained clearly.
Responsible Disclosure — The legal framework (Computer Misuse Act 1990, England & Wales). CVE assignment. Coordinated disclosure timelines. What happens when vendors go quiet.
The macOS Security Landscape — XNU, Darwin, SIP, MACF, code signing, and notarisation. The BSD cross-reference technique. Where macOS research diverges from standard Unix research.
Building Your Defence — What security research teaches about defence. Why the researcher who understands vulnerabilities builds better defences. Curiosity as the through-line from 1987 to now.
Download the Full Book — Free
The complete framework: nine chapters, worked examples, macOS-specific techniques, vendor communication templates, and the full legal framework for England & Wales. Completely free.
PDF is print-ready on A4. EPUB works on Kindle, Apple Books, and all e-readers. No account required.
Are you there?
Still the most important question in security research. Ask it precisely. Listen carefully. Report honestly. — macOS Security Research: A Complete Framework
Copyright © 2026 Stuart Paul Thomas. All rights reserved.
This document is provided free of charge for educational purposes. You may share a link to this page freely. You may not reproduce, copy, redistribute, republish, display, sell, or create derivative works from this content without the express written permission of the author.
Brief quotation (fewer than 50 words) for the purpose of review or academic commentary is permitted, provided attribution is given as: Stuart Paul Thomas, macOS Security Research: A Complete Framework, 2026.
AI-assisted drafting: this work was produced with assistance from Claude (Anthropic), Gemini (Google), and Grok (xAI) for drafting, review, and editorial purposes. This constitutes a reasonable adjustment under the Equality Act 2010, s.20 (the author is neurodivergent: autistic, ADHD). All content has been authored, reviewed, and is the intellectual property of Stuart Paul Thomas.
This document contains no unpatched vulnerability details. Research methodology described is for lawful, authorised security research only. The author accepts no liability for misuse.
Section 20 EA2010 imposes a positive duty to take reasonable steps to avoid substantial disadvantage to disabled persons arising from any provision, criterion, or practice. A blanket policy prohibiting AI use — applied without reasonable adjustments for disabled individuals — may constitute indirect discrimination under Section 19 EA2010 and breach the Section 20 duty.
All substantive content, methodology, findings, and opinions are the original intellectual work of Stuart Paul Thomas. AI tools were used for drafting assistance, review, and red-teaming — analogous to an editorial aide or assistant reader. The author is solely responsible for all content.