@llimllib @b0rk This uses Apple’s Endpoint Security framework, rather than a kernel extension. It runs entirely in userspace! If you want to just poke around, there’s a built-in tool called “eslogger” on newer versions of macOS that dumps the raw events as JSON.