
macOS 26+ · SWIFT 6 · OPEN SOURCE · ON-DEVICE AI · FREE · v1.0
One app.
Six layers of protection.
Nick is a free, open-source macOS security suite that replaces six separate tools — with behavioral AI threat scoring that runs entirely on your Mac. No cloud. No subscription. Read every line of code.
Requires macOS 26+ · Apple Silicon or Intel · Free · AGPL-3.0
Six Detection Layers
Everything macOS built-ins miss
System Integrity Audit
Continuously verifies your Mac’s security posture: SIP, FileVault, Gatekeeper, Application Firewall, XProtect definition freshness, TCC database integrity, and sudo configuration — with actionable fix recommendations.
Persistence Monitor
FSEvents watcher on every known macOS persistence location — LaunchAgents, LaunchDaemons, Login Items, cron, periodic scripts, and browser extensions. Parses each plist, validates code signatures, and diffs against a first-run baseline.
Network Watchdog
Maps every active connection to its owning process. Detects reverse shells (shell process with outbound TCP), SSH tunnels via argument inspection, unexpected listening ports, and connections to known malicious domains.
Process Auditor
Polls running processes via sysctl every 5 seconds. Flags unsigned or ad-hoc signed binaries, execution from /tmp or hidden directories, LOLBin abuse patterns (curl | bash, obfuscated osascript), and suspicious parent-child chains.
YARA Scanner
Embedded libyara engine with curated macOS-specific rules. Supports quick, full, targeted, and real-time scan modes. Heuristic analysis includes entropy scoring, Mach-O header inspection, and embedded URL/IP extraction.
Camera & Mic Sentinel
Detects unauthorised activation of CoreMediaIO video devices and CoreAudio input devices in real time. Attributes each activation to the responsible process and escalates to high severity when an unsigned binary is found accessing media hardware.
How Nick Compares
One app that replaces six tools
Nick is the only macOS security tool that combines behavioral AI, YARA scanning, persistence monitoring, process auditing, network watchdog, and camera/mic detection in a single open-source app — for free.
| Feature | Nick (this) | Objective-See (6 apps) | Built-in (macOS only) | Intego ($40–70/yr) | Norton ($59/yr) |
|---|---|---|---|---|---|
| Behavioral AI scoring | | | | | |
| Correlated threat detection | | | | | |
| YARA scanning | | | | | |
| Persistence monitor | | | | | |
| Process auditor | | | | | |
| Network watchdog | | | | | |
| Camera & mic monitoring | | | | | |
| System hardening audit | | | | | |
| Single app | | | | | |
| Open source | | | | | |
| No cloud dependency | | | | | |
| Free | | | | | |
The Differentiator
AI Behavioral Scoring
Individual signals are noisy. A new process in /tmp could be a developer build. An unsigned binary could be your own tool. A new outbound connection could be a software update.
Correlated signals are actionable. Nick’s ThreatCorrelator aggregates signals across all six monitors within a 30-second sliding window, then feeds a ~40-feature vector to a CoreML behavioral model. The output: a 0.0–1.0 threat probability.
On macOS 26, alert explanations are generated on-device via Foundation Models — plain English, no cloud call.
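The sliding-window correlation described above, as an added Python example that is not Nick's own code. The 30-second window and the 0.8 threshold come from this page; the signal names, weights, monitor bonus and additive scoring function are assumptions standing in for the CoreML model, and the timestamps on the dropper sequence are constructed.

```python
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 30.0   # sliding window length stated on this page
HIGH_PRIORITY = 0.8     # high-priority notification threshold from the page's FAQ

# Assumed weights in hundredths; a stand-in for the CoreML model, not Nick's values.
WEIGHTS = {"download_to_tmp": 25, "unsigned_exec": 30, "raw_ip_connection": 25}
MONITOR_BONUS = 10      # assumed bonus per additional monitor type in the window

@dataclass(frozen=True)
class Signal:
    ts: float      # seconds, monotonically increasing across calls to add()
    monitor: str   # monitor that raised the signal, e.g. "process" or "network"
    kind: str      # key into WEIGHTS

class Correlator:
    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self.signals = deque()

    def add(self, sig: Signal) -> float:
        """Ingest one signal, evict those older than the window, return the score."""
        self.signals.append(sig)
        while sig.ts - self.signals[0].ts > self.window:
            self.signals.popleft()
        return self.score()

    def score(self) -> float:
        # Distinct kinds, so a repeated noisy signal is not counted twice.
        kinds = {s.kind for s in self.signals}
        monitors = {s.monitor for s in self.signals}
        total = sum(WEIGHTS.get(k, 10) for k in kinds)
        total += MONITOR_BONUS * max(0, len(monitors) - 1)
        return min(100, total) / 100

def replay(signals):
    """Feed signals in order through a fresh correlator; return each score."""
    c = Correlator()
    return [c.add(s) for s in signals]

# Constructed sample: the dropper sequence from this page, with assumed timestamps.
DROPPER = [
    Signal(0.0, "network", "download_to_tmp"),
    Signal(2.0, "process", "unsigned_exec"),
    Signal(5.0, "network", "raw_ip_connection"),
]
# Same three signals, each more than 30 seconds apart, so they never correlate.
SCATTERED = [Signal(s.ts * 20, s.monitor, s.kind) for s in DROPPER]

if __name__ == "__main__":
    print("dropper:  ", replay(DROPPER))
    print("scattered:", replay(SCATTERED))
```

The same three signals cross the 0.8 threshold only when they land inside one window; spaced further apart, each is scored on its own and stays low.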
Alert Thresholds
No data ever leaves your Mac.
Dropper Sequence Example
curl downloads binary to /tmp (MEDIUM)
Unsigned binary executes 2 seconds later (HIGH)
Outbound connection to raw IP on :443 (CRITICAL)
Nick Lab · Interactive Demo
Try the scoring engine
Toggle threat signals or pick a real-world scenario to watch the ThreatCorrelator calculate a live risk score — the same correlation logic Nick runs on your Mac.
This is a simplified front-end approximation of Nick's ThreatCorrelator logic for demonstration purposes.
Improve the real model on GitHub →
Open Source
Nick is community-powered
Security tools ask for deep trust. Full Disk Access. Network monitoring. Camera and microphone access. For Nick, you can read every line that runs with those permissions. And you can improve it.
Questions
Frequently asked questions
Does Nick replace an antivirus?
Nick is complementary to signature-based tools. It adds behavioral and correlation-based detection that signature scanners miss — but it is not a signature database replacement for known malware families.
Will Nick slow down my Mac?
The v1.0 target is under 1% CPU and under 50MB RAM in steady state. Detection monitors use event-driven APIs (FSEvents, NWPathMonitor) rather than continuous polling wherever possible.
Why macOS 26 and not earlier versions?
The YARA static library build currently targets macOS 26. Foundation Models for natural-language alert explanations is also a macOS 26 feature. Broader compatibility is on the roadmap.
Is Nick on the App Store?
No. Full Disk Access and the privileged helper (SMAppService) are incompatible with App Store sandboxing. Nick is distributed as a notarized DMG from GitHub Releases.
What does AGPL-3.0 mean for me?
You can freely use, modify, and distribute Nick. If you run a modified version as a network service, you must publish your source code. This keeps the detection logic open to the security community permanently.
How does the AI scoring work?
Nick's ThreatCorrelator collects signals from all monitors within a 30-second sliding window and feeds a ~40-feature vector to a CoreML behavioral model. The model outputs a 0.0–1.0 threat probability. Scores above 0.8 trigger a high-priority notification with a Foundation Models–generated plain-English explanation.
Free · Open Source · macOS 26+
Download Nick v1.0
Free. Open source. No cloud. Six detection layers and on-device AI behavioral scoring — all in one native macOS app.
Requires macOS 26+ · Apple Silicon or Intel · AGPL-3.0



