Introducing Beacon by Jamf Threat Labs
Beacon by Jamf Threat Labs is a threat hunting service for macOS environments. Get the full expertise of Jamf Threat Labs protecting your Mac fleet.
Threat hunting uses cyber intelligence to proactively detect active or previous compromises on a system. It’s a key tenant of cyber defense and requires specific skill sets and personnel, tools and knowledge to implement. As adversaries continue to evolve their tactics, techniques, and procedures (TTPs) to exploit the nuances of each platform, security teams need resources, visibility, and intelligence dedicated to each platform.
Without platform expertise, those endpoints are left under-monitored.
As Mac adoption continues to grow, so does interest from threat actors. Mac-specific TTPs, malware variants and delivery methods continue to mature alongside macOS security frameworks. The unique nature of macOS creates a paradox – more employees want to use Mac, but not all organizations have the internal expertise to meaningfully hunt for threats specific to this system.
Even with the correct endpoint security tools and policies in place, blue teaming can be under resourced. As a result, organizations struggle to start, scale, repeat, and measure effective Mac threat-hunting programs.
Beacon by Jamf Threat Labs solves this challenge
Beacon by Jamf Threat Labs is a threat hunting service designed to help organizations detect, analyze and respond to threats impacting their macOS environment. Delivered by Jamf Threat Labs, it allows security teams to stay ahead of the threat landscape and better understand their macOS security posture.
Why threat hunting on Mac is different
At Jamf, we understand Mac is different and we love it because of that. The operating system, user experience, system integrity models, and more are unlike other platforms.
But that is also true for the threats targeted at the Mac.
Attacker behaviors and TTPs used against macOS differ substantially from those targeting other environments. For example, attackers abuse Apple native mechanisms — like AppleScript — to establish persistence, escalate privileges and evade detection.
Dive deep into how threat actors target macOS. Get Report Jamf 360.
Threat hunting is not knowing just what looks suspicious but understanding why a specific macOS behavior is anomalous. Along with attacker TTPs, effective threat hunting also requires telemetry built on Apple's Endpoint Security API. It is this framework that gives security tools deep, reliable, real-time visibility into events. Threat intelligence and hunting rules not built for Mac environments can miss these threats entirely.
Beacon by Jamf Threat Labs explained
Beacon by Jamf Threat Labs is a threat hunting service that provides visibility and actionable threat hunting tailored to macOS.
The team behind the service
The Jamf Threat Labs Mac team is comprised of security researchers, analysts and detection engineers. The team lives and breathes Apple — they author books on threat hunting, are contributors of the macOS Security Compliance Project and give talks at security conferences. By being entirely focused on Mac, they can home in its specific threats and unique threat hunting needs, TTPs of threat actors and attacker behaviors.
Examples include:
- Supply chain attacks containing trojanized packages.
- Malicious code execution in VSCode or Xcode projects.
- ClickFix social engineering campaigns targeting macOS users.
- DPRK backdoors distributed through fake job postings.
- And much more across the evolving macOS threat landscape.
Jamf Threat Labs research is implemented at Jamf in different ways:
- It is the fuel that drives Jamf’s security engines. For example, Jamf Threat Labs added over 26 thousand malware samples in our database and over 230 YARA rules in 2025.
- Research articles and papers documenting findings, like a new ClickFix technique, uses Script Editor instead of Terminal on macOS and an in-depth analysis of a new macOS Infostealer called DigitStealer
With Beacon, that same Jamf Threat Labs team can now directly secure your macOS environment.
Continuous and retro hunting
The team hunts emerging Apple-specific attack techniques, Indicators of Compromise (IOCs) and hidden malware. All hunting is powered by Jamf Threat Labs-authored hunting rules, refined to improve detection of novel malware, suspicious behaviors and evolving TTPs. These rules reflect the research and hands-on expertise of a team dedicated exclusively to Mac security.
But the service goes further (and into the past): retro hunting searches your telemetry up to one year back, surfacing threat indicators that weren't known at the time of initial ingestion.
Operational control that empowers your team
A common concern with security services is loss of control. You understand your business; we understand Mac. When threats are identified, your team receives step-by-step remediation guidance to fit your organizational requirements and operating environment. You collaborate with Jamf Threat Labs to implement the right response for your context. You stay in control. You implement the policy. Jamf Threat Labs’ analysis and counsel back your decision.
Customized monthly security reports
Every month, you receive a tailored security report covering your organizational security posture, blocked Mac malware, emerging threats relevant to your environment, and more. This security report is a curated briefing that keeps your leadership informed, supports conversations about your security posture and provides a documented record of discoveries for your security program. The report includes:
- Threat hunting case results: an easy-to-understand view of what Jamf Threat Labs found – malicious or non-malicious cases. Each case is manually triaged and analyzed by our threat hunting team, using custom-built detection rules designed to surface real macOS threats.
- Overview of endpoints that have the most alerts to help prioritize remediation and identify devices that may require deeper forensic analysis.
- Overview of behavioral detections (suspicious patterns, anomalous process activity and potential indicators of compromise). Jamf-authored rules that blocked malicious behaviors and known malware signatures detected and blocked.
Visibility built on Apple's Endpoint Security API
To understand what is happening on endpoints, Jamf Threat Labs leverages Jamf's Mac telemetry, built natively on Apple's Endpoint Security API. Being sourced from Apple APIs, it delivers deeper, more accurate and more comprehensive visibility into macOS. With insights into system, user, network, and application activity, it provides the macOS-specific threat intelligence needed to uncover anomalous activity and behaviors stemming from adversaries. When attackers attempt to abuse Mac or when an anomaly occurs, telemetry captures it.
Implementing Beacon by Jamf Threat Labs
Jamf’s Professional Services team sets up your telemetry configuration. This ensures the right visibility is in place from day one, data is sent to the right place and immediately enables Jamf Threat Labs to start hunting for active threats.
Get started with Beacon by Jamf Threat Labs
Whether you're building your Mac security program from the ground up or looking to elevate an existing one, Beacon delivers the expertise, visibility and operational support to make it happen.
Beacon by Jamf Threat Labs is currently available to all Jamf customers with Jamf for Mac or Jamf for Mac Hi-Ed. To learn more, contact us or reach out to your Jamf.
Subscribe to the Jamf Blog
Have market trends, Apple updates and Jamf news delivered directly to your inbox.
To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.