North Pole Security

@northpolesec

North Pole Security account. We make Santa https://github.com/northpolesec/santa

Joined 19.10.2024

Latest posts by North Pole Security @northpolesec

In the next version of Santa, when paired with Workshop you'll be able to specify process tree relationships in a CEL rule.

This lets you mark executables as not usable by processes or require TouchID from the user e.g. here's an example of us preventing Claude Code from running curl w/o TouchID.

17.02.2026 15:20

Day 24 of our FAAdvent Calendar: Code injection is a major threat to binary allowlisting, especially when Electron/Chromium offer easy scripting/debugging

northpole.security/blog/2025-ad...

Workshop and Santa's CEL rules can prevent attackers from using debugging options to inject malicious code.

24.12.2025 13:17

Day 23 of our FAAdvent Calendar: Learn how to use Workshop's Risk Engine with entitlements to flag unauthorized VPN and remote access software, preventing data exfiltration and enforcing compliance.

northpole.security/blog/2025-ad...

23.12.2025 13:58

Day 22 of our FAAdvent Calendar: macOS audio plugins are an old, often-overlooked persistence trick.

northpole.security/blog/2025-ad...

Malicious .component or .driver bundles dropped in well-known directories can execute code, sometimes as root.

Lock them down!

22.12.2025 14:22

Day 21 of our FAAdvent Calendar: macOS's built-in security command can be used for nasty actions like dumping Keychain contents or adding rogue certificates.

Stop these attacks using Workshop and Santa CEL rules:

northpole.security/blog/2025-ad...

21.12.2025 14:02

Day 20 of our FAAdvent Calendar: Living off the land (LoTL) is a common attack technique.

Learn how to use CEL rules to block potentially malicious subactions of legitimate tools like systemsetup, instead of blocking the tool entirely.

northpole.security/blog/2025-ad...

20.12.2025 14:23

Day 19 of our FAAdvent Calendar: SSH private keys are master keys for your systems. 🔑

northpole.security/blog/2025-ad...

Infostealers like Atomic, Banshee, and Cthulhu target your ~/.ssh/ folder! Learn how to lock them down with Workshop and Santa’s file access Rules.

20.12.2025 14:20

📢 We’ve just released version 2025.1010 of Workshop

This release adds:
🎄 on-demand monitor mode
🎄 optional automatic updates
🎄 event export to S3/GCS
🎄 near-realtime directory syncing
🎄 local user/group management
🎄 added cwd & euid fields to CEL rules
🎄 live online status on the host details page

20.12.2025 14:18

Day 18 of our FAAdvent Calendar: Don't let "Sploitlight" (CVE-2025-31199) leak your sensitive macOS data!

northpole.security/blog/2025-ad...

Attacks bypass TCC to exfiltrate files like Apple Intelligence databases.

See how to prevent this persistence trick and data theft with Workshop and Santa:

20.12.2025 14:17

Day 17 of our FAAdvent Calendar: Enhance your password manager security! 🛡️🔐

northpole.security/blog/2025-ad...

Beyond the account password, using file access rules can prevent other apps from reading your database, protecting you even if encryption is compromised.

20.12.2025 14:16

Day 16 of our FAAdvent: Attackers are using Docker on macOS to hide from security tools!

They run containers in a Linux VM, bypassing Endpoint Security Framework & can still steal credentials by mounting host volumes. See how Santa and Workshop can prevent this:

northpole.security/blog/2025-ad...

20.12.2025 14:15

Day 15 of our FAAdvent Calendar: Apple changed macOS's dynamic loader to write temp files to disk, but stealthy attackers adapt.

Learn how to use Workshop & Santa’s file access rules to block this basic technique:

northpole.security/blog/2025-ad...

20.12.2025 14:14

Day 14 of our FAAdvent Calendar: Learn how attackers can bypass macOS Gatekeeper by stripping the quarantine attribute with xattr, and see how to block this technique using Workshop and Santa's CEL rules.

northpole.security/blog/2025-ad...

14.12.2025 14:25

Day 13 of our FAAdvent Calendar: Workshop and Santa's file access rules can lock down cron and at job persistence before attackers even get a chance to set their alarms.

northpole.security/blog/2025-ad...

14.12.2025 14:24

Day 12 of our FAAdvent Calendar: Launch Agents and Daemons are a convenient way for programs to run in the background, but they’re also a great way for malware to gain persistence on a device.

northpole.security/blog/2025-ad...

12.12.2025 12:15

Day 11 of our FAAdvent Calendar: Prevent persistence by securing /etc/pam.d with a Santa file access rule. Block write attempts even from root!

northpole.security/blog/2025-ad...

11.12.2025 12:59

Day 10 of our FAAdvent Calendar: A one-liner command is all you need to see if a password is legit, but Santa's CEL rules can stop this common post-exploitation behavior.

northpole.security/blog/2025-ad...

10.12.2025 13:44
Number eight behind a title card saying Hide Your Hashes.

Day 8 of our FAAdvent Calendar: Hide your macOS password hashes!

A one-liner command can expose the hash and salt, but Workshop & Santa's file access rules & CEL rules can protect these crown jewel files.

northpole.security/blog/2025-ad...

08.12.2025 15:16

Day 7 of our FAAdvent Calendar: Prevent macOS Gatekeeper from being disabled on your fleet by creating a Santa CEL rule!

northpole.security/blog/2025-ad...

07.12.2025 14:20

Day 6 of our FAAdvent Calendar: Protect your browser cookies from infostealers with Santa's File Access Rules—limit access so only the browser can read its own cookies!

northpole.security/blog/2025-ad...

06.12.2025 14:04
North Pole Security Advent Calendar: 25 Days of macOS Protection Discover 25 production-ready Santa rules inspired by actual macOS malware. Each day reveals a new CEL or FAA configuration to protect against threats like Atomic Stealer and threat campaigns targeting...

We've started our FAAdvent Calendar, a collection of short things you can do with Workshop and Santa to improve your security while staying productive.

northpole.security/blog/2025-ad...

05.12.2025 14:05
Introducing On-Demand Monitor Mode in Santa and Workshop 🚀🎅 In this video, I introduced a new feature called on-demand monitor mode that will be available in the next versions of Santa and Workshop. This feature allows users to temporarily switch from lockdown...

'Tis the season for new features. 🎁

Introducing On-Demand Monitor Mode in Workshop & Santa—monitor mode access only when you need it, only when you prove you're at the keyboard.

Check out the Loom ⬇️

www.loom.com/share/0c09ed...

01.12.2025 12:46

Join us in celebrating North Pole Security's first anniversary! 🎉

Reflect on a year of innovation, growth, & unwavering commitment to livable security with Santa and Workshop. Read about our journey and what's next! #FirstAnniversary #Santa #Workshop

northpole.security/blog/one-yea...

09.10.2025 17:45

- Added a “Copy Details” button to FAA block dialogs

There are also a few small changes and bug fixes

Please check out the release notes for more goodies.

29.08.2025 15:22
Release v2025.8 · northpolesec/santa Notes Announcements 🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It...

Yesterday we released Santa v2025.8 on GitHub.
github.com/northpolesec...

This release includes a handful of new features. Some highlights include:

- Support for CEL string extensions to enable writing more powerful policies.

This lets you do things like args.join(" ").contains("-flag option")

29.08.2025 15:22

Incredibly humbled by the amazing feedback from our community!

Thank you for growing with us - here's to continuing to build something great together! 🚀

14.08.2025 13:21
Release v2025.7 · northpolesec/santa Notes Announcements 🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It...

Keeping with our Christmas in July 🎄, we just released Santa 2025.7 on GitHub github.com/northpolesec...

This release includes:

- A new icon that matches the company's branding
- Ready for Tahoe!
- Bug fixes and more

31.07.2025 16:00
North Pole Security Raises $4M to Bring Scalable, Proactive Endpoint Protection to the Enterprise NEW YORK, July 30, 2025 (GLOBE NEWSWIRE) -- North Pole Security today announced it has raised $4 million in seed funding to deliver the first scalable, enterprise-grade endpoint protection platform fo...

Press release can be found at apnews.com/press-releas...

30.07.2025 14:17

🎉 It's Christmas in July!

We raised $4M to make proactive macOS security scalable for everyone.

Workshop is the first commercial platform built for Santa. Finally making allowlisting usable at scale.

Thanks to A16Z & everyone who's believed in our mission.

30.07.2025 13:39
Release v2025.6 · northpolesec/santa Notes Important: The binaries initially uploaded for this release only contained the arm64 slice. We have updated the binaries to be universal and also include the x86_64 slice as well. You may need ...

There are also many other updates and bug fixes

Be sure to check out the release notes for full details!

github.com/northpolesec...

08.07.2025 13:32