OpenDLP 4.0 — Enterprise Data Loss Prevention for macOS | AIMF
VERSION 4.0 • CHAOS DEFENSE ENGINE V2

OpenDLP

Enterprise Data Loss Prevention for macOS

Military-grade data protection powered by the Chaos Defense Engine — 35 adaptive strategies, real-time exfiltration detection, hardware-bound encryption, and automatic ~/Documents vault protection. Built and battle-tested against 15+ real attack vectors.

AES-256-GCM Encryption | 35 Defense Strategies | Secure Enclave Bound | 7-Day Free Trial

Key Features

Security Core

  • AES-256-GCM Encryption - Authenticated (AEAD) vault encryption
  • Secure Enclave Integration - Hardware-backed device fingerprinting
  • HMAC-SHA256 Authentication - Tamper-evident metadata (a MAC detects modification; it is not a signature)
  • Keychain Integration - Secure key storage
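The four items above name the primitives without showing how a vault key can actually be bound to the hardware. The following is an added example, not OpenDLP's code: it derives a 256-bit vault key from a Secure Enclave P-256 key (which never leaves the enclave) plus a per-vault ephemeral key, and authenticates the vault metadata by passing it as AES-GCM additional authenticated data, so one primitive covers both "encryption" and "tamper-evident metadata". The metadata struct, the HKDF label, and the `deviceUUID` string the caller supplies (for instance the IOPlatformUUID) are assumptions; the page does not state how OpenDLP derives its keys.

```swift
import CryptoKit
import Foundation

// Added example (not OpenDLP's code). Assumes a Mac with a Secure Enclave and
// that the caller persists deviceKey.dataRepresentation in the Keychain.

enum VaultError: Error { case noSecureEnclave, badBlob }

/// Travels in the clear next to the ciphertext; any change to it breaks `openVault`.
struct VaultMetadata: Codable {
    let vaultID: UUID
    let deviceUUID: String          // identity the vault is bound to (caller-supplied)
    let ephemeralPublicKey: Data    // X9.63 encoding of the per-vault P-256 public key
}

/// ECDH between the enclave-resident device key and the vault's ephemeral key,
/// then HKDF-SHA256. Only this device can recompute the result.
func deriveVaultKey(deviceKey: SecureEnclave.P256.KeyAgreement.PrivateKey,
                    vaultPublicKey: P256.KeyAgreement.PublicKey,
                    vaultID: UUID) throws -> SymmetricKey {
    let shared = try deviceKey.sharedSecretFromKeyAgreement(with: vaultPublicKey)
    return shared.hkdfDerivedSymmetricKey(
        using: SHA256.self,
        salt: Data(vaultID.uuidString.utf8),
        sharedInfo: Data("vault-key-v1".utf8),   // hypothetical domain-separation label
        outputByteCount: 32)
}

/// Seal a file. Metadata is GCM additional authenticated data (AAD): it is not
/// encrypted, but the tag covers it, so a modified deviceUUID fails to open.
func sealVault(plaintext: Data,
               deviceKey: SecureEnclave.P256.KeyAgreement.PrivateKey,
               deviceUUID: String) throws -> (metadata: Data, blob: Data) {
    let vaultID = UUID()
    let ephemeral = P256.KeyAgreement.PrivateKey()
    let meta = VaultMetadata(vaultID: vaultID, deviceUUID: deviceUUID,
                             ephemeralPublicKey: ephemeral.publicKey.x963Representation)
    let metaBytes = try JSONEncoder().encode(meta)
    let key = try deriveVaultKey(deviceKey: deviceKey,
                                 vaultPublicKey: ephemeral.publicKey, vaultID: vaultID)
    let box = try AES.GCM.seal(plaintext, using: key, authenticating: metaBytes)
    guard let combined = box.combined else { throw VaultError.badBlob }
    // `ephemeral` is dropped here; from now on only the enclave key can re-derive `key`.
    return (metaBytes, combined)   // combined = nonce || ciphertext || 16-byte tag
}

func openVault(metadata: Data, blob: Data,
               deviceKey: SecureEnclave.P256.KeyAgreement.PrivateKey) throws -> Data {
    let meta = try JSONDecoder().decode(VaultMetadata.self, from: metadata)
    let pub = try P256.KeyAgreement.PublicKey(x963Representation: meta.ephemeralPublicKey)
    let key = try deriveVaultKey(deviceKey: deviceKey, vaultPublicKey: pub, vaultID: meta.vaultID)
    let box = try AES.GCM.SealedBox(combined: blob)
    // Throws CryptoKitError.authenticationFailure if blob OR metadata was altered.
    return try AES.GCM.open(box, using: key, authenticating: metadata)
}

// Usage with a constructed sample record
do {
    guard SecureEnclave.isAvailable else { throw VaultError.noSecureEnclave }
    let deviceKey = try SecureEnclave.P256.KeyAgreement.PrivateKey()
    let secret = Data("SSN 123-45-6789 (constructed sample)".utf8)
    let (meta, blob) = try sealVault(plaintext: secret, deviceKey: deviceKey,
                                     deviceUUID: "EXAMPLE-DEVICE-UUID")
    let roundTrip = try openVault(metadata: meta, blob: blob, deviceKey: deviceKey)
    print("round trip ok:", roundTrip == secret)

    var tampered = blob
    tampered[tampered.count - 1] ^= 0x01          // corrupt one bit of the GCM tag
    let opened = try? openVault(metadata: meta, blob: tampered, deviceKey: deviceKey)
    print("tampered blob rejected:", opened == nil)
} catch {
    print("vault error:", error)
}
```

Two consequences follow from binding the key this way, and both matter for the "Multi-device synchronization" and ACL features listed on this page: the enclave key cannot be exported, so a vault sealed on one Mac cannot be opened on another unless the derived key is additionally wrapped to each authorized device's public key; and because the metadata is covered by the GCM tag, a separate HMAC-SHA256 over it adds no integrity beyond what the AEAD already provides, though it remains useful if the metadata must be verifiable without the vault key.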

Real-Time Protection

  • Live Threat Detection - 5-level threat classification system
  • Boundary Detection - Monitors local, network, cloud, and removable storage
  • Auto-Encryption - Automatic encryption on boundary crossing
  • File System Monitoring - Real-time file operation tracking

Advanced Security

  • Tamper Detection - System integrity verification with SHA-256 hashing
  • Automated Response - Configurable threat response actions
  • Access Control Lists - 4-level device authorization (Owner, Full, ReadOnly, Temporary)
  • Forensic Logging - Complete audit trail with event export

Monitoring Dashboard

  • Real-Time Status - Live system health and threat level
  • Security Events Feed - Chronological event tracking
  • Statistics & Analytics - Comprehensive security metrics
  • Event Management - Acknowledge, filter, and export events

Use Cases

1. Secure USB Vaults

Create encrypted vaults on USB drives with:

  • AES-256-GCM encryption
  • Device-based access control
  • Automatic tamper detection
  • Multi-device synchronization

2. Data Exfiltration Prevention

Automatically detect and encrypt files when:

  • Moving to cloud sync folders (Dropbox, iCloud, etc.)
  • Copying to network shares
  • Transferring to removable drives
  • Crossing network boundaries
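Each of the four cases above is a decision about where a destination path lives, and that decision has to be made before the copy completes, usually while the destination file does not exist yet. The following is an added example, not OpenDLP's boundary detector: it classifies a destination into local, network, cloud or removable storage using the volume resource keys Foundation exposes, probing the nearest existing ancestor when the target itself is absent. The sync-folder locations (`~/Library/Mobile Documents`, `~/Library/CloudStorage`, a legacy `~/Dropbox`) are assumptions about where common clients keep their folders.

```swift
import Foundation

// Added example (not OpenDLP's code). Classifies a destination path so a
// boundary-crossing policy can run before the bytes land there.

enum StorageBoundary: String {
    case local, network, cloud, removable, unknown
}

/// A destination usually does not exist yet when a copy starts, but its volume
/// properties are those of the first ancestor that does exist.
func nearestExisting(_ url: URL) -> URL? {
    var candidate = url.standardizedFileURL
    let fm = FileManager.default
    while !fm.fileExists(atPath: candidate.path) {
        let parent = candidate.deletingLastPathComponent()
        if parent.path == candidate.path { return nil }   // safety stop at the root
        candidate = parent
    }
    return candidate
}

func classifyBoundary(_ destination: URL) -> StorageBoundary {
    // Sync folders are ordinary local directories; recognise them by location.
    let home = FileManager.default.homeDirectoryForCurrentUser.path
    let cloudRoots = [
        home + "/Library/Mobile Documents/",   // iCloud Drive container
        home + "/Library/CloudStorage/",       // File Provider based clients (Dropbox, OneDrive, ...)
        home + "/Dropbox/",                    // legacy Dropbox location (assumption)
    ]
    let path = destination.standardizedFileURL.path
    if cloudRoots.contains(where: { path.hasPrefix($0) }) { return .cloud }

    guard let probe = nearestExisting(destination) else { return .unknown }
    let keys: Set<URLResourceKey> = [
        .isUbiquitousItemKey, .volumeIsLocalKey, .volumeIsInternalKey,
        .volumeIsRemovableKey, .volumeIsEjectableKey,
    ]
    guard let v = try? probe.resourceValues(forKeys: keys) else { return .unknown }

    if v.isUbiquitousItem == true { return .cloud }     // iCloud-managed item
    if v.volumeIsLocal == false { return .network }     // SMB / NFS / AFP mount
    // External media: removable flash, or any ejectable / non-internal disk.
    // Checked after `network` because a mount is neither internal nor local.
    if v.volumeIsRemovable == true || v.volumeIsEjectable == true || v.volumeIsInternal == false {
        return .removable
    }
    return .local
}

// Usage: results depend on which volumes are mounted on the machine running this.
for p in ["/Users/alice/Documents/plan.txt",
          "/Users/alice/Library/Mobile Documents/com~apple~CloudDocs/plan.txt",
          "/Volumes/USB_STICK/plan.txt"] {
    print(p, "->", classifyBoundary(URL(fileURLWithPath: p)).rawValue)
}
```

Two caveats a deployment has to handle: a monitor running as root sees root's home, so a system-wide agent must expand the sync-folder roots for every local user rather than for the current one; and a path under a not-yet-mounted volume resolves to its mount-point parent (`/Volumes` is internal and local), so removable detection is only reliable once the drive is actually mounted, which is exactly when the copy can begin.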

3. Real-Time Security Monitoring

Monitor your system for:

  • Unauthorized access attempts
  • Suspicious file operations
  • System tampering
  • Encryption failures
  • ACL violations

4. Forensic Analysis

Complete audit trail with:

  • Timestamped security events
  • Threat level classification
  • Source identification
  • Detailed event metadata
  • JSON export for analysis

Red Team Case Studies

Cross-Machine SCP Exfiltration Test

A real SCP file pull between two physical Macs on a LAN. A file containing SSNs, API keys and credit card numbers was pulled over SSH; the pull was detected by a device UUID mismatch, the file was encrypted with an entropy-derived AES-256 key, and the plaintext copy was destroyed.

COMPLETED 17/17 Tests Passed
USB Drive Exfiltration Test

Copy protected files to a USB flash drive. OpenDLP detects the removable media boundary crossing, encrypts the file before it reaches the drive, and logs the event with full forensic metadata.

COMING SOON
Cloud Sync Exfiltration Test (iCloud / Dropbox)

Move protected files into iCloud Drive or Dropbox sync folders. OpenDLP detects the cloud boundary crossing and encrypts files before they sync to remote servers, rendering cloud copies useless.

COMING SOON
AirDrop & Bluetooth Exfiltration Test

Transfer protected files via AirDrop or Bluetooth — peer-to-peer channels invisible to traditional network DLP. OpenDLP detects the transfer at the file level and encrypts before delivery completes.

COMING SOON

Threat Detection

🟢 None - System secure, no threats
🟡 Low - Minor events, monitoring only
🟠 Medium - Potential threats, investigate
🔴 High - Active threats, immediate action
🟣 Critical - System compromise, lockdown

Security Event Types

  • Unauthorized Access - Failed authorization attempts
  • Boundary Crossing - File movement across boundaries
  • Suspicious Activity - Unusual file operations
  • Encryption Failure - Failed encryption operations
  • Tamper Attempt - System integrity violations
  • Device Revoked - Access revocation events
  • Vault Access - Vault operation logging
  • File Modification - File change tracking
  • Network Anomaly - Unusual network activity
  • System Integrity - Health check results

Endpoint Security Framework

Why OpenDLP Needs Apple’s ESF Entitlement

OpenDLP is requesting the com.apple.developer.endpoint-security.client entitlement to move from user-space, after-the-fact file monitoring (FSEvents) to Apple's Endpoint Security Framework, whose AUTH events let the kernel hold a file open until OpenDLP has authorized it. This enables pre-read encryption: exfiltration is stopped before any bytes are handed to the reading process.

  • Kernel-Level File Monitoring - ES_EVENT_TYPE_AUTH_OPEN delivers the opening process's audit token, signing identity and requested open flags, so every file open is attributed to a process. FSEvents cannot tell us which process opened a file.
  • Process Identity Inspection - ESF provides the full audit token, code signing info (signing ID, team ID, platform-binary flag) and the parent process chain. These do not change when a binary is renamed, which is what makes process masquerading (e.g. renaming scp to mdworker) detectable.
  • Pre-Read Encryption - With ESF's AUTH events the open is held until OpenDLP responds, so encryption or denial happens before the first byte is read. FSEvents only notifies after the fact, so a copy may already be complete by the time the event is processed. The caveat is that an AUTH response must arrive before the message deadline or the ES client is terminated, so the handler has to decide quickly and defer heavy work.
  • Network Correlation - ESF process-level events combined with network monitoring determine whether a file read is associated with an outbound connection, enabling exfiltration detection with far fewer false positives.

Validated Against 15+ Real Attack Vectors

OpenDLP has been tested in live red team exercises between two physical macOS devices; the SCP/SSH vector below has a completed test run, and the others are the gaps that user-space APIs cannot fully address and that the Endpoint Security Framework is intended to close:

  • SCP / SSH Transfer - Cross-machine file pull via secure copy (17/17 tests passed)
  • DNS Tunneling - Data exfiltration encoded in DNS TXT queries
  • ICMP Covert Channels - Data hidden in ping packet payloads
  • Reverse Shells - Outbound shell connections for remote file access
  • Process Masquerading - Malicious binaries renamed to look like system processes
  • LaunchAgent Persistence - Persistent access via macOS LaunchAgents and LaunchDaemons
  • Clipboard Exfiltration - Sensitive data copied to the pasteboard and sent externally
  • AirDrop / Bluetooth - Peer-to-peer transfers invisible to network DLP

Current Architecture: Two-Track Approach

OpenDLP ships today with full functionality using FSEvents (Track 1). When the ESF entitlement is granted, the monitoring layer swaps to kernel-level interception (Track 2) with zero changes to the rest of the codebase:

Track 1 (Current):  FSEvents → User-space file monitoring
                    Works today. Detects + encrypts after file access.

Track 2 (With ESF): Endpoint Security Framework → Kernel-level
                    Intercepts file reads BEFORE data is accessed.
                    Adds process attribution + code signing verification.

Swap point:         FileSystemMonitor.swift
                    One protocol conformance change. All other
                    components (encryption, detection, logging,
                    dashboard) remain identical.
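The swap point described above is a protocol with two conformances, and the Track 2 conformance is where the ESF claims in the previous section (process attribution, pre-read authorization, the response deadline) become concrete. The following is an added example, not OpenDLP's FileSystemMonitor.swift: it sketches such a protocol, an ESF-backed conformance that subscribes to ES_EVENT_TYPE_AUTH_OPEN and answers with the subset of open flags the caller may keep, and a sample policy that denies read access to a protected folder when a non-platform binary carries a system-process name. The protocol and type names, the protected root, the sanctioned signing ID and the look-alike list are assumptions. It only runs in a process that holds the com.apple.developer.endpoint-security.client entitlement and runs as root or as a system extension; without the entitlement es_new_client returns ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED.

```swift
import EndpointSecurity
import Foundation

// Added example (not OpenDLP's code). Names below are assumptions.

private let FREAD_FLAG: Int32 = 0x0001   // FREAD bit of es_event_open_t.fflag

struct FileAccess {
    let path: String
    let pid: pid_t
    let executablePath: String
    let signingID: String
    let teamID: String
    let isPlatformBinary: Bool
    let wantsRead: Bool
}

enum AccessVerdict { case allow, denyRead }

/// Swap point: a Track 1 (FSEvents) and a Track 2 (ESF) type both conform to this.
protocol FileSystemMonitoring {
    func start(policy: @escaping (FileAccess) -> AccessVerdict) throws
    func stop()
}

enum MonitorError: Error { case newClient(es_new_client_result_t), subscribe }

final class EndpointSecurityMonitor: FileSystemMonitoring {
    private var client: OpaquePointer?

    func start(policy: @escaping (FileAccess) -> AccessVerdict) throws {
        var newClient: OpaquePointer?
        // The handler runs on ESF's thread. AUTH messages must be answered before
        // message.pointee.deadline or the client is killed: keep `policy` fast and
        // hand any encryption work to another queue after responding.
        let result = es_new_client(&newClient) { client, message in
            guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_OPEN else { return }
            let proc = message.pointee.process.pointee
            let open = message.pointee.event.open
            let access = FileAccess(
                path: Self.string(open.file.pointee.path),
                pid: pid_t(proc.audit_token.val.5),          // audit token slot 5 is the pid
                executablePath: Self.string(proc.executable.pointee.path),
                signingID: Self.string(proc.signing_id),
                teamID: Self.string(proc.team_id),
                isPlatformBinary: proc.is_platform_binary,
                wantsRead: (open.fflag & FREAD_FLAG) != 0)
            var allowed = UInt32(open.fflag)
            if policy(access) == .denyRead { allowed &= ~UInt32(FREAD_FLAG) }
            // AUTH_OPEN is answered with the flags the open may proceed with;
            // stripping FREAD from a read-only open denies it outright.
            es_respond_flags_result(client, message, allowed, false)
        }
        guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let c = newClient else {
            throw MonitorError.newClient(result)
        }
        let events = [ES_EVENT_TYPE_AUTH_OPEN]
        guard es_subscribe(c, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
            es_delete_client(c)
            throw MonitorError.subscribe
        }
        client = c
    }

    func stop() {
        guard let c = client else { return }
        es_unsubscribe_all(c)
        es_delete_client(c)
        client = nil
    }

    private static func string(_ token: es_string_token_t) -> String {
        token.length > 0 ? String(cString: token.data) : ""
    }
}

// Sample policy (assumptions): reads of the protected root by a sanctioned
// signing ID pass; a binary named like a system process that is NOT a platform
// binary (e.g. scp renamed to mdworker) is denied read access.
let protectedRoots = [NSHomeDirectory() + "/Documents/"]
let sanctionedSigningIDs: Set<String> = ["com.apple.finder"]
let systemLookalikes: Set<String> = ["mdworker", "launchd", "kernel_task"]

func exfilPolicy(_ a: FileAccess) -> AccessVerdict {
    guard a.wantsRead, protectedRoots.contains(where: { a.path.hasPrefix($0) }) else {
        return .allow
    }
    if sanctionedSigningIDs.contains(a.signingID) { return .allow }
    let name = (a.executablePath as NSString).lastPathComponent
    if systemLookalikes.contains(name) && !a.isPlatformBinary { return .denyRead }
    return .allow
}

let monitor = EndpointSecurityMonitor()
try monitor.start(policy: exfilPolicy)
dispatchMain()   // keep the process alive so the handler keeps receiving events
```

The design point is that the verdict is computed from fields the kernel supplies (signing ID, team ID, platform-binary flag) rather than from the file name, so renaming the binary changes nothing. The corresponding Track 1 conformance would call the same `policy` from an FSEvents callback, but could only act after the open had already happened, which is the race the page describes.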

Bundle ID: com.aimf.opendlp

Production Ready

VERSION 4.0 - OPERATIONAL 🟢

OpenDLP is a production-ready, enterprise-grade Data Loss Prevention system for macOS with Chaos Defense Engine V2, hardware-bound encryption, and 35 adaptive defense strategies. 7-day free trial — no credit card required.

90.8% test coverage
12,000+ lines of code
35 defense strategies
15+ attack vectors tested

System Capabilities

  • Device fingerprinting
  • Vault encryption (AES-256-GCM)
  • Access control (4 trust levels)
  • Boundary detection (5 types)
  • Auto-encryption (3 policies)
  • Real-time monitoring
  • Threat detection (5 levels)
  • Tamper detection
  • Automated response
  • Forensic logging
  • Security dashboard
  • Zero-trust architecture
  • Cross-machine exfil defense
  • Entropy-based key generation
  • xattr device identity binding
  • Sanctioned process allowlists