Cryptum Labs
Attack-driven security for macOS and iOS
Approach

Attack-driven approach for macOS and iOS

Engagements take an offensive perspective: how macOS and iOS platform mechanisms can be abused under realistic attack scenarios, at the application and endpoint layers.
Philosophy

Attack-driven security evaluation

Security is evaluated through realistic attack scenarios: how platform mechanisms can be abused, not just how they are intended to function. The goal is to separate exploitable conditions from theoretical ones.

  • Real attacker logic, not isolated weaknesses
  • Validation through controlled exploitation
  • Prioritization based on impact and exploitability
  • Explicit call-out of theoretical versus exploitable findings
Depth

Internals-led analysis

Every engagement draws on ongoing research into macOS and iOS internals. This exposes vulnerabilities that conventional engagements miss — including issues that only surface through reverse engineering of native binaries, frameworks, and proprietary protocols.

  • Research-informed analysis of platform behavior
  • Reverse engineering of native binaries and frameworks in every engagement
  • How security mechanisms actually interact, beyond documented behavior
  • Identification of issues missed by checklist-driven assessments
Scope

Application and endpoint attack surfaces

Engagements operate at two scales: individual applications and system components, and post-compromise reach from a managed macOS endpoint. Both draw on the same internals knowledge but address distinct threat models.

Application and system
  • Inter-process communication surfaces — XPC, Mach services, Apple Events
  • Privileged execution paths — launchd, helper tools, system extensions
  • Application trust boundaries and entitlements
  • Installers, updates, and deployment logic
  • Local data storage and sensitive data exposure
  • Interactions with backend services and APIs
Endpoint and post-compromise
  • Post-compromise attack paths on standard corporate builds
  • TCC, entitlement, and privilege escalation opportunities available to a compromised user
  • Credential material accessible on the endpoint — Keychain, browsers, SSO components, MDM
  • Management-surface exposure through MDM profiles and integrated identity
  • Lateral movement seeds and data exfiltration paths

Assumed-breach engagements are conducted in an isolated environment representative of the standard build. The goal is attack-path coverage, not stealth or adversary emulation.

Engagement

Project-based and continuous

Engagements are delivered either as bounded projects with defined scope and timeline, or as continuous retainer engagements aligned to your release cycle. Both apply the same methodology; the difference is cadence.

  • Bounded engagements for individual applications, system components, or fleet postures
  • Continuous retainer engagements with reserved monthly capacity for reviews, regression testing, and newly introduced attack surface
  • Release-cycle-aligned delivery, so security review keeps pace with development rather than trailing behind it
  • Quarterly threat-model refresh for long-running engagements, covering platform and product changes
Focus

Depth over volume

The goal is not the number of findings. It is identifying the vulnerabilities that would actually be used against you.