Organizations can now add managed threat hunting to their Mac security with Jamf Beacon, a service designed to uncover attacks that traditional cross-platform security tools may miss.
Macs have become increasingly common across enterprise environments. Security researchers have also documented a growing number of malware families, social engineering campaigns, and persistence techniques built specifically for macOS.
Many macOS attacks rely on techniques that differ from those commonly used against Windows systems. The growing gap between Windows and macOS attack techniques has made specialized macOS security expertise more valuable for enterprise security teams.
Beacon is specifically tailored for unique-to-Mac situations and threats
Beacon looks for suspicious activity that may already be present inside an organization's environment instead of focusing only on known malware. Jamf Threat Labs analysts continuously analyze customer telemetry for attacker techniques, indicators of compromise, and unusual behavior.
The service uses detection rules developed specifically for macOS instead of generic cross-platform signatures. Jamf says the approach helps analysts identify threats that conventional security tools may overlook.
Beacon can revisit telemetry collected over the previous year to search for indicators that weren't recognized when the data was first gathered. The retrospective analysis helps analysts uncover older activity after researchers identify new malware families or attacker techniques.
Beacon targets threats including trojanized software packages, malicious Visual Studio Code and Xcode projects, ClickFix campaigns, and malware spread through fake job offers. Jamf Threat Labs also develops malware signatures and YARA detection rules for the company's commercial security products, and Beacon draws on the same research pipeline.
Apple's Endpoint Security API provides the foundation
Beacon relies on telemetry collected through Apple's Endpoint Security API to monitor process execution, file activity, network events, and other system behavior. Apple says the native framework gives security tools the visibility needed to distinguish legitimate macOS activity from behavior associated with attackers.
Many modern Mac attacks abuse legitimate Apple tools instead of relying solely on conventional malware. Jamf pointed to AppleScript as one example attackers have used to establish persistence, elevate privileges, and evade detection.
Beacon isn't a fully managed security service that responds to incidents on a customer's behalf. Jamf Threat Labs provides analysis and remediation guidance while organizations decide how to respond according to their own security policies.
The service also includes monthly reports summarizing threat hunting results, behavioral detections, blocked malware, and endpoints that may require deeper investigation.
Beacon is available as an add-on service for Jamf for Mac and Jamf for Mac Hi-Ed customers through a Professional Services engagement. Jamf didn't disclose pricing.








