
One app.
Six layers of protection.

Nick is a free, open-source macOS security suite that replaces six separate tools — with behavioral AI threat scoring that runs entirely on your Mac. No cloud. No subscription. Read every line of code.
Requires macOS 13+ · Apple Silicon or Intel · Free · AGPL-3.0
Everything in One App
Eight layers of protection
Virus Scans
Real-time file scanning with SHA-256 signature matching and heuristic YARA rules — catches known malware and novel variants.
Ransomware Shield
Canary files planted across your home folder trigger immediate alerts. Entropy detection and behavioral monitoring catch encryption loops before damage spreads.
Network Monitor
Every active TCP/UDP connection mapped to its owning process in real time. Anomaly detection flags reverse shells, SSH tunnels, and unexpected listeners.
Privacy Guard
TCC database monitoring for camera, microphone, and contacts. Any unauthorised permission change or unexpected access triggers an instant alert.
Email Guard
Attachment scanning for Mail and Outlook. Suspicious files are analysed with YARA rules and entropy scoring before they can execute.
Performance
Disk cleanup with 33 scan categories powered by the Junkyard engine — caches, logs, Xcode simulators, and more, all sent to Trash first.
Smart Scan
One-tap security audit that checks every detection layer simultaneously and surfaces actionable Fix buttons for each finding.
Process Inspector
Attack chain visualisation — maps parent-child process relationships, flags LOLBin abuse, and traces the full execution path of suspicious behaviour.
Everything macOS built-ins miss.
Nick combines detection, protection, and performance tools in one native Mac security suite.
System Integrity Audit
Continuously verifies your Mac’s security posture: SIP, FileVault, Gatekeeper, Application Firewall, XProtect definition freshness, TCC database integrity, and sudo configuration — with actionable fix recommendations.
Persistence Monitor
FSEvents watcher on every known macOS persistence location — LaunchAgents, LaunchDaemons, Login Items, cron, periodic scripts, and browser extensions. Parses each plist, validates code signatures, and diffs against a first-run baseline.
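The parse-and-diff step described above, as an added Python example; it is not Nick's code and leaves out the FSEvents watcher and code-signature validation. The sample paths, labels and the suspicious-path heuristic are assumptions.

```python
import plistlib

def summarize(raw):
    """Reduce a launchd plist to the fields that decide what runs; None if invalid."""
    try:
        job = plistlib.loads(raw)
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        return {"label": job.get("Label", ""),
                "argv": tuple(str(a) for a in args),
                "run_at_load": bool(job.get("RunAtLoad", False))}
    except Exception:          # malformed XML/binary plist or a non-dict root
        return None

def diff_against_baseline(baseline, current):
    """Compare {path: plist bytes} snapshots; return sorted (kind, path, note)."""
    findings = []
    for path, raw in current.items():
        now = summarize(raw)
        if now is None:
            findings.append(("unparseable", path, ""))
            continue
        cmd = " ".join(now["argv"])
        if path not in baseline:
            findings.append(("added", path, cmd))
        elif summarize(baseline[path]) != now:
            findings.append(("modified", path, cmd))
        exe = now["argv"][0]
        # Assumed heuristic: job binary in a temp or dot-prefixed directory.
        if exe.startswith(("/tmp/", "/private/tmp/")) or "/." in exe:
            findings.append(("suspicious-path", path, exe))
    findings += [("removed", p, "") for p in baseline if p not in current]
    return sorted(findings)

def make_plist(label, argv):
    """Build a constructed sample LaunchAgent plist (not a real job)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": argv,
                           "RunAtLoad": True})

AGENTS = "/Users/demo/Library/LaunchAgents/"   # constructed sample paths
BASELINE = {AGENTS + "com.example.updater.plist": make_plist(
    "com.example.updater", ["/Applications/Example.app/Contents/MacOS/updater"])}
CURRENT = dict(BASELINE)
CURRENT[AGENTS + "com.example.helper.plist"] = make_plist(
    "com.example.helper", ["/tmp/.cache/helper", "--daemon"])

if __name__ == "__main__":
    for finding in diff_against_baseline(BASELINE, CURRENT):
        print(finding)
```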
Network Watchdog
Maps every active connection to its owning process. Detects reverse shells (shell process with outbound TCP), SSH tunnels via argument inspection, unexpected listening ports, and connections to known malicious domains.
Process Auditor
Polls running processes via sysctl every 5 seconds. Flags unsigned or ad-hoc signed binaries, execution from /tmp or hidden directories, LOLBin abuse patterns (curl | bash, obfuscated osascript), and suspicious parent-child chains.
YARA Scanner
Embedded libyara engine with curated macOS-specific rules. Supports quick, full, targeted, and real-time scan modes. Heuristic analysis includes entropy scoring, Mach-O header inspection, and embedded URL/IP extraction.
Camera & Mic Sentinel
Detects unauthorised activation of CoreMediaIO video devices and CoreAudio input devices in real time. Attributes each activation to the responsible process and escalates to high severity when an unsigned binary is found accessing media hardware.
Endpoint Security (New in v3.0)
Apple’s Endpoint Security API gives Nick real-time kernel-level visibility into every process fork, file open, and network flow — events arrive before execution completes. This enables true blocking (not just detection): Nick can quarantine a file mid-write and prevent a malicious process from launching.
Ransomware Shield & Quarantine (New in v3.0)
Canary files planted across your home folder, Downloads, and Desktop trigger an immediate alert if any process touches them. Files from flagged processes are automatically moved to quarantine. Tamper protection prevents unauthorized termination of Nick itself — so ransomware can’t disable your security tool before encrypting your disk.
Performance Engine (New in v3.0)
Powered by the Junkyard disk-cleanup engine — 33 scan categories including Xcode derived data, iOS simulators, system caches, app logs, and duplicate files. Results always go to Trash first; nothing is deleted without your approval. Sparkle keeps Nick’s threat signatures and YARA rules current automatically — no manual re-download required.
How Nick Compares
One open-source app that replaces six security tools.
Nick combines behavioral AI, virus and YARA scanning, ransomware protection, persistence monitoring, process inspection, network monitoring, Privacy Guard, email attachment scanning, performance cleanup, and Smart Scan — all in one native Mac app.
| Feature | Nick (this) | Objective-See (6 apps) | Built-in (macOS only) | Intego ($40–70/yr) | Norton ($59/yr) | Avast (Free–$35/yr) |
|---|---|---|---|---|---|---|
| Behavioral AI scoring | ||||||
| Correlated threat detection | ||||||
| Endpoint Security API | ||||||
| Virus / YARA scanning | ||||||
| Ransomware Shield | ||||||
| Persistence monitor | ||||||
| Process Inspector | ||||||
| Network Monitor | ||||||
| Privacy Guard (TCC) | ||||||
| Email Guard | ||||||
| Performance cleanup | ||||||
| Smart Scan | ||||||
| System hardening audit | ||||||
| Single app | ||||||
| Open source | ||||||
| No cloud dependency | ||||||
| Free |
The Differentiator
AI Behavioral Scoring
Individual signals are noisy. A new process in /tmp could be a developer build. An unsigned binary could be your own tool. A new outbound connection could be a software update.
Correlated signals are actionable. Nick’s ThreatCorrelator aggregates signals across all six monitors within a 30-second sliding window, then feeds a ~40-feature vector to a CoreML behavioral model. The output: a 0.0–1.0 threat probability.
On macOS 26, alert explanations are generated on-device via Foundation Models — plain English, no cloud call.
Alert Thresholds
No data ever leaves your Mac.
Dropper Sequence Example
curl downloads binary to /tmp (MEDIUM)
Unsigned binary executes 2 seconds later (HIGH)
Outbound connection to raw IP on :443 (CRITICAL)
Nick Lab · Interactive Demo
Try the scoring engine
Toggle threat signals or pick a real-world scenario to watch the ThreatCorrelator calculate a live risk score — the same correlation logic Nick runs on your Mac.
This is a simplified front-end approximation of Nick's ThreatCorrelator logic for demonstration purposes.
Improve the real model on GitHub →
Open Source
Nick is community-powered
Security tools ask for deep trust. Full Disk Access. Network monitoring. Camera and microphone access. For Nick, you can read every line that runs with those permissions. And you can improve it.
Questions
Frequently asked questions
Does Nick replace an antivirus?
Yes — as of v3.0, Nick is a full antivirus. The Apple Endpoint Security system extension provides real-time kernel-level interception of file writes and process execution, and Nick ships with a live SHA-256 signature database that updates automatically via Sparkle. On top of that, behavioral correlation and YARA scanning catch threats that signature databases miss.
Will Nick slow down my Mac?
The v3.0 target is under 1% CPU and under 50 MB RAM in steady state. The Endpoint Security extension receives kernel events asynchronously — there is no polling loop. Other monitors use event-driven APIs (FSEvents, NWPathMonitor) wherever possible.
What macOS versions does Nick support?
Nick v3.0 runs on macOS 13 Ventura and later — Apple Silicon and Intel. Foundation Models–powered natural-language alert explanations require macOS 26; on earlier versions Nick shows plain-text alerts instead.
Is Nick on the App Store?
No. Full Disk Access and the Endpoint Security system extension are incompatible with App Store sandboxing. Nick is distributed as a notarized DMG from 3nsofts.com/nick and GitHub Releases. Sparkle handles automatic updates so you never need to re-download manually.
What does AGPL-3.0 mean for me?
You can freely use, modify, and distribute Nick. If you run a modified version as a network service, you must publish your source code. This keeps the detection logic open to the security community permanently.
How does the AI scoring work?
Nick's ThreatCorrelator collects signals from all monitors within a 30-second sliding window and feeds a ~40-feature vector to a CoreML behavioral model. The model outputs a 0.0–1.0 threat probability. Scores above 0.8 trigger a high-priority notification with a Foundation Models–generated plain-English explanation.
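The 30-second sliding-window correlation described in this answer, as an added Python example; it is not Nick's ThreatCorrelator code. The monitor names and the count-based severity ladder are assumptions standing in for the CoreML model, and the sample signals are constructed from the dropper sequence on this page.

```python
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 30.0   # window length stated on the page
# Assumed stand-in for the model: severity by the number of distinct
# monitors that raised a signal inside the window; 3 or more is CRITICAL.
LADDER = {0: "NONE", 1: "MEDIUM", 2: "HIGH"}

@dataclass(frozen=True)
class Signal:
    ts: float       # seconds since an arbitrary start
    monitor: str    # hypothetical monitor name
    detail: str

class SlidingCorrelator:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.recent = deque()

    def observe(self, sig):
        """Add a signal, evict expired ones, return the current severity."""
        self.recent.append(sig)
        while sig.ts - self.recent[0].ts > self.window:
            self.recent.popleft()
        monitors = {s.monitor for s in self.recent}
        return LADDER.get(len(monitors), "CRITICAL")

def replay(signals):
    """Feed signals in timestamp order; return the severity after each one."""
    corr = SlidingCorrelator()
    return [corr.observe(s) for s in sorted(signals, key=lambda s: s.ts)]

# Constructed sample input: the dropper sequence, seconds apart.
DROPPER = [
    Signal(0.0, "file", "curl downloads binary to /tmp"),
    Signal(2.0, "process", "unsigned binary executes"),
    Signal(5.0, "network", "outbound connection to raw IP on :443"),
]
# Constructed sample input: the same signals spread over minutes.
SPREAD = [Signal(s.ts * 60, s.monitor, s.detail) for s in DROPPER]

if __name__ == "__main__":
    print(replay(DROPPER))
    print(replay(SPREAD))
```

Spread over minutes, the same three signals never share a window, so each is scored alone.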
Free · Open Source · macOS 13+
Download Nick v3.0
Free. Open source. No cloud. Full antivirus with Endpoint Security, nine detection layers, and on-device AI behavioral scoring — all in one native macOS app.
Requires macOS 13+ · Apple Silicon or Intel · AGPL-3.0
Updates automatically via Sparkle — no re-download needed for future versions.








