Introducing Beacon by Jamf Threat Labs

Get expert advice and Mac-specific threat intelligence with Beacon by Jamf Threat Labs.

April 1 2026 by Sean Smith

Threat hunting uses intelligence to proactively detect active or previous compromises on a system. It’s a key tenet of cyber defense and requires specific skill sets and personnel, tools, and knowledge to implement. As adversaries continue to evolve their tactics, techniques, and procedures (TTPs) to exploit platform nuances, security teams need resources, visibility, and intelligence for each platform. Without those platform distinctions, endpoints are left under-monitored.

As Mac adoption continues to grow, so does threat actors' interest in the platform. Mac-specific TTPs, malware variants and delivery methods continue to mature alongside macOS security frameworks. The unique nature of macOS means organizations struggle to start, scale, repeat and measure effective Mac threat-hunting programs.

Beacon by Jamf Threat Labs solves this challenge.

Beacon by Jamf Threat Labs is a Mac-only threat hunting service designed to help organizations detect, analyze and respond to threats impacting their macOS environment. Delivered by Jamf Threat Labs, it allows security teams to stay ahead of the macOS threat landscape and better understand their macOS security posture.

Why threat hunting on Mac is different

At Jamf, we understand Mac is different. We love Mac because of that. The operating system, user experience, system integrity models and more are unlike other platforms. But that is also true for the threats Mac faces. Attacker behaviors and TTPs used against macOS differ substantially from those targeting other environments. For example, attackers abuse Apple native mechanisms — like AppleScript — to establish persistence, escalate privileges and evade detection.

Threat hunting is not just knowing what looks suspicious but understanding why a specific macOS behavior is anomalous. Along with knowledge of attacker TTPs, effective macOS threat hunting also requires telemetry built on Apple's Endpoint Security API. It is this framework that gives security tools deep, reliable, real-time visibility into events. Threat intelligence and hunting rules not built for Mac environments can miss these threats entirely.

Beacon by Jamf Threat Labs explained

Beacon by Jamf Threat Labs is a threat hunting service that provides visibility and actionable threat hunting tailored to macOS.

The team behind the service

The Jamf Threat Labs Mac team is composed of security researchers, analysts and engineers. The team lives and breathes Apple: they author books on Mac threat hunting, contribute to the macOS Security Compliance Project and give talks at Mac security conferences. By being entirely focused on Mac, they can home in on Mac-specific threats and the platform's unique threat hunting needs: macOS internals, TTPs of threat actors and attacker behaviors. Examples include:

  • Supply chain attacks containing trojanized packages

  • Malicious code execution in VSCode or Xcode projects

  • ClickFix social engineering campaigns targeting macOS users

  • DPRK backdoors distributed through fake job postings

  • And much more across the evolving macOS threat landscape

Jamf Threat Labs research is implemented at Jamf in different ways:

With Beacon, Jamf Threat Labs can now directly secure your macOS environment.

Visibility built on Apple's Endpoint Security API

To understand what is happening on endpoints, Jamf Threat Labs leverages Jamf's Mac telemetry, built natively on Apple's Endpoint Security API. Being sourced from Apple APIs, it delivers deeper, more accurate and more comprehensive visibility into macOS. With insights into system, user, network and application activity, it provides the macOS-specific threat intelligence needed to uncover anomalous activity and behaviors stemming from adversaries. When attackers attempt to abuse Mac or when an anomaly occurs, telemetry captures it.

Continuous and retro hunting

The team hunts emerging Apple-specific attack techniques, Indicators of Compromise (IOCs) and hidden malware. All hunting is powered by Jamf Threat Labs-authored hunting rules, refined to improve detection of novel malware, suspicious behaviors and evolving TTPs. These rules reflect the research and hands-on expertise of a team dedicated exclusively to Mac security.

But the service goes further (and into the past): retro hunting searches your telemetry up to one year back, surfacing threat indicators that weren't known at the time of initial ingestion.

Operational control that empowers your team

A common concern with security services is loss of control. You understand your business; we understand Mac. When threats are identified, your team receives step-by-step remediation guidance to fit your organizational requirements and operating environment. You collaborate with Jamf Threat Labs to implement the right response for your context. You stay in control. You implement the policy. Jamf Threat Labs analysis and counsel back your decision.

Customized monthly security reports

Every month, you receive a tailored security report covering your organizational security posture, blocked Mac malware, emerging threats relevant to your environment and more. This security report is a curated briefing that keeps your leadership informed, supports conversations about Mac security posture and provides a documented record of discoveries for your Mac security program.

Implementing Beacon by Jamf Threat Labs

Our Professional Services team works with you to set up your telemetry configuration. This ensures the right visibility is in place on day one and immediately enables Jamf Threat Labs to start hunting for active threats.

Get started with Beacon by Jamf Threat Labs

Whether you're building your Mac security program from the ground up or looking to elevate an existing one, Beacon delivers the expertise, visibility and operational support to make it happen.

Beacon by Jamf Threat Labs is currently available to limited customers in Private Beta with Jamf for Mac or Jamf for Mac Hi-Ed. To learn more, contact us or reach out to your Jamf representative.
