Hi! My name is Phil Stokes, @philofishal in various social media circles, and I’m a macOS security researcher.
I’ve been involved in detecting, hunting, researching and publishing my thoughts on macOS malware and other Mac security topics since 2014. It’s an interest that developed out of my blog applehelpwriter.com, which was an [im|re]pulsive reaction to the changes the platform saw with the release of OS X Lion 10.7 in July 2011.
AppleHelpWriter’s traffic boomed in response to weekly troubleshooting tips on timely topics, written in an engaging style with clear, easy-to-follow instructions. Before long, readers’ increasing frustration with MacKeeper and similar Mac ‘utility’ programs led me to write DetectX as a means to help Mac users safely automate their removal.
Meanwhile, my research into Dropbox’s Dirty Little Security Hack led directly to the first of Apple’s many battles with TCC and Data Privacy protections.
By then, DetectX, and later DetectX Swift, had begun to evolve from a troubleshooting tool into a full on malware detection and remediation program used by organizations, schools, and universities, as well as ‘home’ users who didn’t trust the resource-intensive and largely ineffective traditional AV programs.
That experience introduced me to the world of enterprise security, which in turn led me to SentinelOne, whom I joined in 2018. SentinelOne shared the approach I employed with DetectX: to look for malware based on its behaviour, rather than uselessly scanning all the files on a system.
Together, we’ve been hunting and defeating macOS malware in spades ever since: between 2018 and 2024, I wrote over 100 blog posts for SentinelOne and SentinelLabs on macOS malware threats and security issues.
I’ve also written e-books on Apple’s approach to security, on macOS threat hunting and on macOS malware reversing. I’m particularly a fan of radare2 for triaging malware and building threat hunting and detection rules. It’s a passion of mine to promote the use of this incredibly powerful tool and to increase awareness of its capabilities among malware researchers of all stripes.
Phil Stokes 