Security Audit Scans
Finds local risks, configuration issues, suspicious files, persistence, users, processes, ports, and security posture concerns.
macOS Security Audit Agent
MSAA · Open Source · Local First · macOS Security · No Telemetry by Default
Turn a Mac into a security visibility workstation.
Local-first macOS security auditing, intrusion detection, monitoring, investigation workflow, Apple security awareness, and evidence preservation without sending data off-device.
macOS Security Audit Agent helps users, analysts, schools, families, and organizations understand what changed on a Mac, identify suspicious activity, preserve evidence, and take action before small warning signs become major incidents.
The visibility gap
macOS security visibility should not be locked behind enterprise pricing.
Many users, students, researchers, schools, small businesses, and community organizations need better macOS visibility but cannot afford large enterprise EDR platforms. MSAA is designed to provide local-first insight into system changes, suspicious activity, persistence, devices, network changes, and Apple security posture.
What it does
Audit, monitor, investigate, and preserve evidence.
Background Monitoring
Watches for important events like USB changes, Bluetooth changes, lid/session activity, remote access changes, daemon changes, and admin changes.
Investigation Workflow
Prioritizes findings, explains why they matter, tracks review state, supports notes, and helps analysts understand what to investigate first.
Evidence Preservation
Creates snapshots and reports before cleanup or remediation so important forensic evidence is not destroyed.
Apple Security Forecast
Tracks Mac-relevant Apple security updates and advisories so users know when updates may be critical.
Family & Safety Center
Helps parents, schools, and caregivers review child safety, Screen Time, privacy, content restrictions, and safer settings.
Why it is different
Not just another scanner.
MSAA is built around local evidence, understandable review, and practical visibility for people who need more than a one-time checklist.
- Local-first by design
- No telemetry by default
- Evidence-focused instead of fear-based
- Built for analysts and non-technical users
- Explains what changed and why it matters
- Designed for schools, families, researchers, small businesses, and public-interest security work
- Uses baseline comparison instead of only one-time scanning
- Separates local security events from Apple security advisories
Who it is for
Built for practical defensive security work.
Security Researchers
Incident Responders
Schools and Libraries
Families and Caregivers
Small Businesses
Government and Public Sector Evaluation
macOS Enthusiasts
Students Learning Defensive Security
Core capabilities
Local visibility across system changes and investigation state.
Safe Scan
Aggressive Review
Local network discovery
Persistence review
LaunchAgent and LaunchDaemon monitoring
USB and Bluetooth monitoring
Session and display activity
Security event timeline
Review queue
Trust scoring
Apple Security Forecast
Report export to JSON/HTML
Investigation notes
Evidence snapshots
Optional system-level monitor
PyPI installation
Privacy model
Your Mac. Your data. Your control.
MSAA is designed to keep collected data local. It does not upload telemetry by default and does not inspect private browsing history, cookies, passwords, keychains, messages, or personal content.
- Local SQLite storage
- Local reports
- Optional redaction
- No telemetry by default
- No cloud dependency required
- User-controlled exports
Install
Install MSAA
pip install macos-security-audit-agent
Run
macos-security-audit-agent
Alternative install
python3 -m pip install macos-security-audit-agent
Some advanced monitoring features may require macOS permissions or administrator approval.
Screenshots
Screenshot gallery for core MSAA workflows.
Dashboard
Intrusion Detection
Investigation Priorities
Investigation Notes
Flight Recorder
System Recovery
Logs
Settings
Apple Security Forecast
Family & Safety Center
Reports
FAQ
Common questions about MSAA.
What is MSAA?
MSAA is macOS Security Audit Agent, an open-source local-first platform for macOS security audit, monitoring, intrusion detection, investigation workflow, and evidence preservation.
Is it open source?
Yes. MSAA is distributed through a public GitHub repository and PyPI package for review, installation, and community evaluation.
Does it collect telemetry?
No telemetry is uploaded by default. MSAA is designed around local SQLite storage, local reports, optional redaction, and user-controlled exports.
How is it different from EDR?
MSAA is not a full enterprise EDR replacement. It focuses on local-first visibility, baseline comparison, explainable findings, and evidence-focused investigation.
Can schools use it?
Schools, libraries, and training programs can evaluate MSAA for defensive macOS visibility, Apple security awareness, and student security education.
Can government organizations evaluate it?
Government and public sector teams can evaluate MSAA as an open-source macOS security audit and monitoring tool without cloud telemetry by default.
Safety disclaimer
Defensive audit tooling requires careful review.
MSAA is a defensive security and audit tool. Findings are not proof of compromise. Users should review evidence, preserve logs during suspected incidents, and only monitor systems they own or are authorized to assess.
Company and support
Built by Liquidsky Security
MSAA is part of a larger mission to make practical macOS security visibility more accessible to researchers, families, schools, and organizations.
Visit Liquidsky Security