Phorion tops the rankings of macOS EDRs in The EDR Telemetry Project’s latest scoring release, with more than twice the points of the closest competitor. This post breaks down not only how we landed in this position, but crucially why it matters that we did.

The EDR Telemetry Project is an open source, community-driven project designed to evaluate detection and response telemetry across industry vendors. In March 2026, the project released its first ever macOS vendor evaluation, and the results were underwhelming for most vendors, except Phorion.
High telemetry scores are only meaningful if they translate into real detection capability. The rest of this post walks through a few specific areas where Phorion’s visibility enables detections that most competing products simply cannot offer.
Visibility that matters
| # | Vendor | Score (out of 42.7) | % |
|---|---|---|---|
| 1 | Phorion | 35 | 82% |
| 2 | Elastic | 16.55 | 39% |
| 3 | CrowdStrike | 14.6 | 34% |
| 4 | MDE | 13.7 | 32% |
| 5 | LimaCharlie | 13.6 | 32% |
| 6 | ESET Inspect | 13.5 | 32% |
| 7 | BitDefender | 12.9 | 30% |
| 8 | Qualys | 8.4 | 20% |
Phorion’s telemetry is shaped by our own detection engineering. Where additional data improves coverage of real-world Tactics, Techniques, and Procedures (TTPs), we build it in. The result is an agent equipped with the telemetry required for reliable, out-of-the-box detection and response. Crucially, the telemetry sources we ingest are always growing, as you can see from some of our recent research where we continuously track new events Apple makes available.
Below are just a few examples of where Phorion’s extensive visibility can give you the edge.
File Access Events

File access telemetry is one of the noisiest event categories an EDR can collect, which is exactly why most vendors avoid it entirely. Some offer a middle ground, allowing teams to monitor specific file paths, which is useful when you know exactly what you’re looking for. But during an incident, what about the critical file you never thought to monitor? Was it accessed, or are you left guessing?
Phorion collects file access events across the board. This means that when an infostealer touches ~/Library/Keychains, when a malicious VS Code extension reads SSH keys from ~/.ssh/, or when an attacker accesses browser cookie stores, the telemetry is already there. Beyond detection, Phorion’s cookie theft protections actively block non-browser processes from accessing sensitive browser file paths and terminate offending processes the moment they touch protected locations. With the prevalence of infostealers on macOS, file access telemetry is one of the most critical gaps in the majority of EDRs on the market.
TCC Service Usage
Transparency, Consent, and Control (TCC) governs access to some of the most sensitive capabilities on macOS: screen recording, accessibility, input monitoring, camera and microphone usage. When a process requests or is granted one of these permissions, it represents a significant change in what that process can do. Of the vendors evaluated, only one competitor collects any TCC telemetry at all, and even then only for permission modifications. Phorion collects every instance in which a TCC-protected service is used.

Phorion’s extensive visibility into TCC events, built on the same research behind Kronos, enables detection of highly sensitive permission grants. If a previously unknown binary gains accessibility access (a common prerequisite for keylogging) or screen recording permission (used by surveillance tooling), that event is captured and available for detection logic. Without TCC telemetry, these permission changes happen silently.
File Attribute Changes
File attribute changes represent a category where the gap between Phorion and the rest of the field is particularly wide. No other evaluated vendor fully supports these events.
This matters because, as an industry, we have observed threat actors in the wild manipulating file attributes for defence evasion. In our own telemetry, this seemingly nondescript event type has proved valuable for identifying malicious behaviour across environments. Ingesting these events proactively, before specific TTPs are publicly associated with them, means the data is already available when a new technique surfaces, rather than wishing you had it after the fact.
An example of how we can use extended attribute events for specific detection cases:
event_type:SetExtAttr AND
source_signing_id:com.apple.osacompile AND
extattr:com.apple.ResourceFork
Resource fork abuse via osacompile. Attackers use osacompile to hide compiled AppleScript inside a file’s resource fork by writing to the com.apple.ResourceFork extended attribute. This is a macOS-specific evasion technique that bypasses conventional content inspection: the malicious payload lives in the resource fork rather than the data fork, so a scanner that reads only the data fork sees an innocuous file. Because the fork is exposed as the com.apple.ResourceFork attribute, an analyst can confirm it on a suspect file with xattr -l. Without SetExtAttr events, the write that plants the payload leaves no trace in endpoint telemetry, even if the osacompile execution itself shows up as a process event.
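The three detections discussed above (sensitive file access by a process outside an allowlist, a high-risk TCC service granted to an unbaselined binary, and the osacompile resource fork write) expressed as rules over constructed events, as an added example that is not Phorion’s code or query language. Only the field names event_type, source_signing_id and extattr come from the query above; the path, service and granted fields, the FileOpen and TCCServiceUse event type names, the sample events and every allowlisted signing ID are assumptions made for the example.

```python
"""Worked detection rules over constructed macOS endpoint events.

Added example, not Phorion's code. Only event_type, source_signing_id and
extattr come from the SetExtAttr query in the post; the other field names
(path, service, granted) and the FileOpen / TCCServiceUse event type names
are assumptions about a hypothetical flat event schema.
"""
import fnmatch
from dataclasses import dataclass

HOME = "/Users/alice"  # constructed home directory used by the sample events

# Rule 1: sensitive file paths and the signing IDs expected to open them.
# Paths are the usual locations; the allowlists are illustrative assumptions
# and would be tuned per environment (browser helper processes, backup agents).
SENSITIVE_FILES = {
    f"{HOME}/Library/Application Support/Google/Chrome/*/Cookies": {"com.google.Chrome"},
    f"{HOME}/Library/Application Support/Firefox/Profiles/*/cookies.sqlite": {"org.mozilla.firefox"},
    f"{HOME}/.ssh/id_*": {"com.apple.ssh", "com.apple.ssh-agent"},  # assumed allowlist
    f"{HOME}/Library/Keychains/*": {"com.apple.securityd"},         # assumed allowlist
}

# Rule 3: TCC services whose use by an unbaselined binary is worth an alert
# (accessibility enables keylogging, screen capture enables surveillance).
HIGH_RISK_TCC = {"kTCCServiceAccessibility", "kTCCServiceScreenCapture",
                 "kTCCServiceListenEvent"}
TCC_BASELINE = {"us.zoom.xos"}  # illustrative set of known legitimate clients


@dataclass
class Alert:
    rule: str
    signing_id: str
    detail: str


def match_sensitive_file(event):
    """Flag opens of sensitive files by any process outside the allowlist."""
    if event.get("event_type") != "FileOpen":
        return None
    path, sid = event.get("path", ""), event.get("source_signing_id", "")
    for pattern, allowed in SENSITIVE_FILES.items():
        # fnmatch '*' also matches '/', so 'Chrome/*/Cookies' covers any profile dir
        if fnmatch.fnmatchcase(path, pattern) and sid not in allowed:
            return Alert("sensitive_file_access", sid, path)
    return None


def match_resource_fork_write(event):
    """Direct translation of the SetExtAttr query in the post."""
    if (event.get("event_type") == "SetExtAttr"
            and event.get("source_signing_id") == "com.apple.osacompile"
            and event.get("extattr") == "com.apple.ResourceFork"):
        return Alert("osacompile_resource_fork", "com.apple.osacompile",
                     event.get("path", ""))
    return None


def match_tcc_use(event):
    """Flag a high-risk TCC service actually granted to a binary not in the baseline."""
    if event.get("event_type") != "TCCServiceUse" or not event.get("granted"):
        return None
    sid, service = event.get("source_signing_id", ""), event.get("service", "")
    if service in HIGH_RISK_TCC and sid not in TCC_BASELINE:
        return Alert("tcc_high_risk_use", sid, service)
    return None


RULES = (match_sensitive_file, match_resource_fork_write, match_tcc_use)


def run_rules(events):
    """Apply every rule to every event; return alerts in event order."""
    return [alert for ev in events for rule in RULES if (alert := rule(ev))]


# Constructed sample events: three benign, four that should alert.
SAMPLE_EVENTS = [
    {"event_type": "FileOpen", "source_signing_id": "com.google.Chrome",
     "path": f"{HOME}/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"event_type": "FileOpen", "source_signing_id": "com.example.updater",
     "path": f"{HOME}/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"event_type": "FileOpen", "source_signing_id": "com.example.helper",
     "path": f"{HOME}/.ssh/id_ed25519"},
    {"event_type": "SetExtAttr", "source_signing_id": "com.apple.finder",
     "path": f"{HOME}/Downloads/report.pdf", "extattr": "com.apple.FinderInfo"},
    {"event_type": "SetExtAttr", "source_signing_id": "com.apple.osacompile",
     "path": f"{HOME}/Downloads/invoice.txt", "extattr": "com.apple.ResourceFork"},
    {"event_type": "TCCServiceUse", "source_signing_id": "us.zoom.xos",
     "service": "kTCCServiceScreenCapture", "granted": True},
    {"event_type": "TCCServiceUse", "source_signing_id": "com.example.helper",
     "service": "kTCCServiceAccessibility", "granted": True},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"{alert.rule:24} {alert.signing_id:24} {alert.detail}")
```

Run as-is and it prints the four alerts. The file access rule is what turns "file access across the board" into something actionable: it keys on a process allowlist per sensitive path rather than a list of suspicious processes, so the analyst never has to predict which binary will read the cookie store. The osacompile rule will also fire when a developer compiles a script legitimately, so in practice it is scoped by host group or treated as an investigation lead rather than an automatic response.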
Dispelling the myth of performance
One of the most common justifications for limited telemetry is performance. The argument is that collecting more events introduces unacceptable CPU and memory overhead, so vendors aggressively trim what they capture to keep their footprint low.
Phorion takes a different approach. Our agent is built natively for macOS, with deep integration into the platform. That investment enables us to collect and process event data others leave behind, without degrading the experience for end users.
Performance isn’t a reason to create critical blind spots; it’s an engineering problem. And it’s one that Phorion continuously stays on top of by design.
You don’t have to take our word for it. Phorion includes built-in performance visibility, so you can see exactly what the agent is doing on every endpoint.

Telemetry is the foundation of detection and response. The EDR Telemetry Project’s first macOS evaluation confirmed what we already knew: most vendors are leaving critical data on the floor. Phorion collects it, uses it to detect real threats, and does so without compromising the endpoints it protects.
Interested in seeing what this visibility looks like in practice? Get in touch to arrange a demo.
