{"slug": "we-built-a-rust-edr-macos-notarization-tried-to-kill-it", "title": "We built a Rust EDR. macOS notarization tried to kill it", "summary": "Nemesis Security launched a Rust-based EDR called Blue and a pentesting tool called Red, designed to avoid the kernel-panic failures that caused the July 2024 CrowdStrike outage. Blue uses macOS EndpointSecurity and Linux eBPF to catch ransomware in under a second without risking system crashes, while Red autonomously orchestrates 290 Kali tools via LLM to find vulnerabilities. The products are available free for individuals and licensed for teams.", "body_md": "# Tooling for *attack*\n\nand *defense*.\n\nTwo shipping products. Free at the edge for individuals; per-seat for teams; licensed for operators.\n\n## We build the tools we wish\n\nexisted when nobody was looking.\n\nIn July 2024, a single kernel-driver update bricked *8.5 million machines [1]* in a morning. The fix was a manual safe-mode visit per machine. The product was the biggest name in endpoint security.\n\nThat's the failure mode we're built against. Not the threat. The *tool we use against the threat*. An EDR you can't turn off and can't silently crash. A pentest tool that scoreboard-verifies what it claims.\n\nWritten in Rust, signed end to end. No “AI-powered” copy where it doesn't belong.\n\n## The product line.\n\nEach one solves a real problem and ships under its own brand. Don't need both? Don't buy both.\n\n### An EDR that catches ransomware in under a second, and can't brick your fleet on a bad update.\n\nThe big-name kernel drivers BSOD-looped 8.5 million machines last year[[1]](https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/). Blue runs on EndpointSecurity (macOS) and eBPF (Linux). Kernel-authorized APIs that *can't* panic the kernel. Behavioral detection on a kernel-sourced event stream, not signature matching.\n\n`<50ms`\n\n· neutralized in `<1s`\n\n**free for individuals · 1 device, strictly local**. No cloud telemetry, ever. Business + MSSP tiers per-seat with cloud console + AI threat intelligence.\n\n### 290 Kali tools. One reasoning loop. 24.4× more findings than your scanner. Verified.\n\nRed plans, executes, and replans across the full Kali arsenal through a single closed-loop LLM. Recon to report, every tool's output feeding the next decision. In a controlled study against fixed-script automation it surfaced *24.4×*more findings (p<0.001 over 120 runs)[[2]](/red#study) and autonomously surfaced three CVSS 9.8 CVEs without human steering.\n\n**Auto** runs the engagement end-to-end ·\n\n**Co-Pilot** hands the operator the next three commands with the target pre-filled\n\n[·](https://nvd.nist.gov/vuln/detail/CVE-2024-38476)\n\n`CVE-2024-38476`\n\n[·](https://nvd.nist.gov/vuln/detail/CVE-2024-38474)\n\n`CVE-2024-38474`\n\n[. All CVSS 9.8, all surfaced autonomously during the controlled study](https://nvd.nist.gov/vuln/detail/CVE-2023-25690)\n\n`CVE-2023-25690`\n\n**any frontier LLM**(Anthropic / OpenAI / Gemini)\n\n**or fully local via Ollama**(Qwen, Llama, your fine-tune) · no data ever leaves your network · hash-chained audit log\n\n`free`\n\n· Pro `$99/mo`\n\n· Business `$599/mo`\n\n· Enterprise custom · self-serve, no setup fee[Docker image](/red/)·\n\n[Kali UTM VM](/red/)\n\n## One stack. Two coordinates.\n\nEach product is shippable on its own. Together they cover both sides of an engagement. *Finding* the holes, then *stopping* what comes through them. A customer never has to glue separate vendors together to answer one question.\n\n```\n        ┌──────────────┐    ┌──────────────┐\n        │ NEMESIS RED  │    │ NEMESIS BLUE │\n        │              │    │              │\n        │  finds the   │    │  stops the   │\n        │  weakness    │    │  payload     │\n        │  first       │    │  on-device   │\n        └──────┬───────┘    └──────┬───────┘\n               │                   │\n               ▼                   ▼\n        scoreboard proof    sub-second kill\n        of exploitation     + file rollback\n```\n\n## Why Blue, when Falcon exists?\n\nThe honest answer: because Blue is architected for five constraints the big-name EDRs took shortcuts on. Each row below is a concrete capability, not a marketing claim. Every ✓ on the Blue column is something we'd defend in a technical interview.\n\nTwo questions decide which EDR you buy. Does an individual get the real engine for free? And is the agent source readable? Falcon: no and no. Blue: yes and yes.\n\n## Two ways to get started.\n\nPick a product. Each one is live and shipping today.\n\n## Questions you'd ask in a real conversation.\n\nWe're skipping the “how does it work” marketing dance. The architecture spec is on [the trust center](/security/). Here are the three real ones.\n\n## New vendor. Why should I trust you with kernel access?\n\nYou shouldn't, yet. The agent ships with an equivalent hardening story on every platform. **macOS:** Apple Developer-ID + notarization, hardened runtime, Team-ID-pinned self-check (JRMYSV7NC2). **Linux:** sigstore-signed releases, deterministic builds, seccomp `ptrace`\n\n-deny, capability drops. **Windows:** Authenticode EV signing, Protected Process Light (PPL) at runtime, WHQL-certified minifilter. A re-signed or modified binary fails its own self-check on any of the three. An external pentest is on the roadmap before paid GA, and the trust center publishes the threat model honestly, including the limits. We're also Nemesis Red's own customer: the same team that builds Blue gets it attacked by Red before each release.\n\n## Is Nemesis Red just another AI-generated exploit demo?\n\nNo. Red's scoreboard verification is the whole point. Every claimed exploit has to land in a third-party ledger before it counts. You can't lie to a scoreboard. The agent is built around the constraint that if it can't prove the exploit, the exploit didn't happen.\n\n## What does “free for individuals” actually cost me?\n\nHeartbeat metadata (agent version, integrity head hash, threat count delta) and nothing else. No file contents, no command lines, no browser data, no telemetry on the processes you run. The free tier is opt-out-able down to zero outbound traffic; the trust center spells out every byte that leaves your machine.", "url": "https://wpnews.pro/news/we-built-a-rust-edr-macos-notarization-tried-to-kill-it", "canonical_source": "https://www.nemesislabs.xyz/", "published_at": "2026-07-08 03:07:55+00:00", "updated_at": "2026-07-08 03:29:46.566535+00:00", "lang": "en", "topics": ["ai-agents", "ai-tools"], "entities": ["Nemesis Security", "Blue", "Red", "CrowdStrike", "Kali", "Anthropic", "OpenAI", "Gemini"], "alternates": {"html": "https://wpnews.pro/news/we-built-a-rust-edr-macos-notarization-tried-to-kill-it", "markdown": "https://wpnews.pro/news/we-built-a-rust-edr-macos-notarization-tried-to-kill-it.md", "text": "https://wpnews.pro/news/we-built-a-rust-edr-macos-notarization-tried-to-kill-it.txt", "jsonld": "https://wpnews.pro/news/we-built-a-rust-edr-macos-notarization-tried-to-kill-it.jsonld"}}