Cryptum Labs
Attack-driven security for macOS and iOS
Services

Security engagements for macOS and iOS

Three engagement types — macOS applications, iOS applications, and post-compromise attack paths on a managed macOS endpoint.

Service

macOS Application Pentest

Pentesting of macOS applications and system components, taken beyond checklist coverage through platform internals and reverse engineering. Findings are driven by how the application actually behaves on the system, not by a generic test plan.

  • Application trust boundaries, entitlements, and sandbox profile
  • Inter-process communication surfaces — XPC, Mach services, Apple Events
  • Privileged execution paths — launchd, helper tools, SMJobBless and SMAppService, system extensions
  • Installer and update mechanisms affecting system integrity
  • Local attack surfaces and privilege escalation conditions
  • Reverse engineering of native binaries, frameworks, and proprietary protocols
  • Validation of exploitability and real-world impact

Service

iOS Application Pentest

Pentesting of iOS applications with depth beyond standard MASVS coverage. The engagement covers runtime behavior, native binary analysis, and the trust boundary between the application and its backend services.

  • Application protections and runtime behavior — jailbreak and integrity checks, anti-debug, obfuscation
  • Authentication flows, sessions, and trust assumptions
  • Local storage, Keychain usage, and sensitive data exposure
  • Interactions with backend APIs and server-side trust boundary testing
  • Deep links, URL schemes, universal links, and inter-application surfaces
  • Reverse engineering of Objective-C and Swift binaries and embedded frameworks
  • Validation of exploitability and real-world impact

Service

macOS Assumed Breach Pentest

Assumed-breach pentest against a workstation, starting from an attacker who has landed code execution as a standard user. The engagement maps reachable attack paths and answers the question: if one workstation is compromised, what can the attacker actually accomplish?

  • Local privilege escalation opportunities on the standard build
  • TCC bypass paths and access to sensitive user data
  • Credential extraction from Keychain, browsers, SSO components, and MDM-managed material
  • MDM profile abuse and exposure of the management surface
  • Lateral movement seeds — SSH keys, cached cloud tokens, VPN configurations, saved sessions
  • Data exfiltration paths under existing endpoint and network controls
  • Persistence opportunities available to a standard user

Retainer

Continuous Security Validation

A retainer engagement that fits into your release cycle rather than around it. Reserved capacity each month covers new features, regression testing, and evolving attack surface — so security review keeps pace with development instead of lagging behind it.

What the retainer covers
  • Targeted reviews of new features, integrations, and architectural changes
  • Regression testing to verify that previously identified issues have not reappeared
  • Validation of remediations from prior engagements
  • Quarterly threat-model refresh covering platform changes — new macOS and iOS releases, new Apple framework behaviors, new MDM capabilities
  • Priority turnaround on time-sensitive reviews aligned to your release cadence
How it works
  • Fixed monthly capacity, reserved in advance
  • Unused hours roll over one month
  • Scope is agreed at the start of each month based on your roadmap
  • Response-time SLA on new requests: two business days to confirm scope, five business days to begin work
  • Quarterly review to adjust tier if capacity consistently over- or under-runs
Tiers
Essential
20 hours / month

Suited to teams shipping monthly, with a stable product surface and occasional new features.

Standard
40 hours / month

Suited to teams on a biweekly or faster cadence, or with multiple applications under active development.

Custom
Scoped capacity

For engagements requiring dedicated capacity beyond Standard, or covering several products under one agreement.

Retainers run on a six-month minimum term and renew by agreement.