Meet the team
Calum Hall
Co-Founder / CEO
With extensive experience in macOS security, Calum now serves as Phorion’s CEO. Starting in offensive security, he transitioned to Blue Team roles to address challenges in defending macOS estates. After leading GitHub's Threat Detection and Response unit for over two years, Calum gained deep expertise in detection strategies, incident response, and securing macOS environments. His balanced understanding of both attack and defense drives Phorion’s mission to deliver advanced security solutions for macOS.
Luke Roberts
Co-Founder / CTO
As the CTO and co-founder of Phorion, Luke brings a wealth of experience in macOS security, having spent years at the forefront of offensive security research and exploitation. He has a deep technical background in conducting sophisticated threat emulation exercises, developing cutting-edge TTPs (Tactics, Techniques, and Procedures), and performing advanced security research. Leveraging this knowledge, he leads the technical vision at Phorion, focused on building a robust platform designed to stay ahead of emerging threats and empower organizations to protect their macOS devices effectively.
Published research
In 2021, the founders of Phorion presented at BlackHat, discussing advanced offensive tradecraft targeting macOS management platforms like Jamf and native MDM. Their research uncovered critical attack paths, enabling threat actors to exploit Apple management frameworks as command and control servers. You can watch the full talk here.
At Objective by the Sea v6.0, Phorion made its public debut with a talk focused on strengthening Apple's TCC mechanism. During the presentation, they launched Kronos, an open-source tool designed to enhance the security and privacy of Apple's Transparency, Consent, and Control (TCC) framework. By monitoring Apple log data, Kronos improves visibility into TCC prompt requests and resource usage. Additionally, it allows users to revoke TCC permissions after a set period, offering greater control over app permissions. The talk can be found here.
At GitHub Universe in 2022, Calum released a talk walking through some of the detection strategies that he and his team at GitHub have built out over the years. Primarily focussing on the steps his team has taken to reduce alert fatigue, this talk explores some of the automation work that his team have performed. This talk can be found here.
At Objective by the Sea v3.0, Luke and Calum presented their research on the abuse of Jamf environments. Starting from an external, unprivileged position, the Phorion founders demonstrated how the TTPs they identified could be exploited for persistence, lateral movement, and credential theft. The research also introduced the Jamf Attack Toolkit, providing insights into potential attack methods. This work highlighted significant security gaps in macOS enterprise environments, whilst providing actionable insights into how administrators can best protect their endpoints. The talk can be found here.
During their time as offensive security consultants, Luke and Calum ran F-Secure Consulting's macOS Attack Detection Fundamental sessions. Throughout these sessions Calum and Luke walked through some common macOS TTPs, and discussed the telemetry that can be pulled from macOS devices to best detect these attacks. These sessions provided Blue teams across the industry with the expertise and techniques they required to detect these TTPs within their estates.
Come chat to us!
Ready to elevate your macOS detection? Phorion is now open to customers committed to advancing their defensive capabilities. Experience unparalleled macOS security designed for defenders, by defenders. Request a demo today and enhance your protection.
