We built a Rust EDR. macOS notarization tried to kill it

davidobi0231 pts0 comments

Nemesis Labs — Endpoint defense, autonomous pentest.<br>sign indownload →

NEMESIS LABS / 2026Two tools / one team<br>Tooling for attack<br>and defense.<br>Two shipping products. Free at the edge for individuals; per-seat for teams; licensed for operators.

BREACH LOOKUPCheck an email or domain against public breach recordslook up →<br>[ BLUE ]endpoint defenseCatches ransomware on-device in under a second. Free for individuals.free[ RED ]autonomous pentest290 Kali tools through one closed-loop LLM. 24.4× more findings than fixed-script scanners.Free · Pro $99/mo

We build the tools we wish<br>existed when nobody was looking.<br>In July 2024, a single kernel-driver update bricked 8.5 million machines[1] in a morning. The fix was a manual safe-mode visit per machine. The product was the biggest name in endpoint security.<br>That's the failure mode we're built against. Not the threat. The tool we use against the threat. An EDR you can't turn off and can't silently crash. A pentest tool that scoreboard-verifies what it claims.<br>Written in Rust, signed end to end. No “AI-powered” copy where it doesn't belong.

The product line.<br>Each one solves a real problem and ships under its own brand. Don't need both? Don't buy both.

Nemesis Blue· endpoint defense<br>An EDR that catches ransomware in under a second, and can't brick your fleet on a bad update.<br>The big-name kernel drivers BSOD-looped 8.5 million machines last year[1]. Blue runs on EndpointSecurity (macOS) and eBPF (Linux). Kernel-authorized APIs that can't panic the kernel. Behavioral detection on a kernel-sourced event stream, not signature matching.<br>download →trust center →

availablemacOS · Linux · Windows<br>latencylocal verdict in · neutralized in<br>recoveryautomatic file rollback from APFS / Btrfs snapshots<br>pricefree for individuals · 1 device, strictly local . No cloud telemetry, ever. Business + MSSP tiers per-seat with cloud console + AI threat intelligence.<br>read the architecture →

Nemesis Red· autonomous pentest<br>290 Kali tools. One reasoning loop. 24.4× more findings than your scanner. Verified.<br>Red plans, executes, and replans across the full Kali arsenal through a single closed-loop LLM. Recon to report, every tool's output feeding the next decision. In a controlled study against fixed-script automation it surfaced 24.4×more findings (p[2] and autonomously surfaced three CVSS 9.8 CVEs without human steering.<br>start free →pricing + how it works →

two modesAuto runs the engagement end-to-end · Co-Pilot hands the operator the next three commands with the target pre-filled<br>tool depth290 Kali tools across 17 offensive categories · LLM picks the right one per phase per target<br>CVEs foundCVE-2024-38476 · CVE-2024-38474 · CVE-2023-25690 . All CVSS 9.8, all surfaced autonomously during the controlled study<br>deploymentself-hosted, on-prem · BYOK to any frontier LLM (Anthropic / OpenAI / Gemini) or fully local via Ollama (Qwen, Llama, your fine-tune) · no data ever leaves your network · hash-chained audit log<br>air-gaplocal-inference mode runs on a single workstation GPU. No cloud LLM dependency. Cleared for environments where external API calls aren't an option.<br>pricingstart free · Pro $99/mo · Business $599/mo · Enterprise custom · self-serve, no setup fee<br>availableDocker image · Kali UTM VM<br>read the architecture →

One stack. Two coordinates.<br>Each product is shippable on its own. Together they cover both sides of an engagement. Finding the holes, then stopping what comes through them. A customer never has to glue separate vendors together to answer one question.

┌──────────────┐ ┌──────────────┐<br>│ NEMESIS RED │ │ NEMESIS BLUE │<br>│ │ │ │<br>│ finds the │ │ stops the │<br>│ weakness │ │ payload │<br>│ first │ │ on-device │<br>└──────┬───────┘ └──────┬───────┘<br>│ │<br>▼ ▼<br>scoreboard proof sub-second kill<br>of exploitation + file rollback

Why Blue, when Falcon exists?<br>The honest answer: because Blue is architected for five constraints the big-name EDRs took shortcuts on. Each row below is a concrete capability, not a marketing claim. Every ✓ on the Blue column is something we'd defend in a technical interview.

capability<br>Nemesis Blue<br>CrowdStrike · SentinelOne<br>Norton · McAfee · AV

Cannot brick your fleet on a bad update<br>anti-Channel-File-291

no third-party kext / driver<br>8.5M machines, July 2024 [1]<br>low kernel surface anyway

Sub-50ms verdict, fully on-device<br>no cloud round-trip required

behavioral + ML, both local<br>some cloud-dependent rules<br>signature-only, fast but shallow

Automatic file rollback after detection<br>from APFS / Btrfs / VSS snapshots

built in · no upsell<br>sold separately (backup product)<br>not in scope

Tamper-as-alarm. Silence is the loudest signal.<br>agent killed → out-of-band alert

watchdog + heartbeat-gap detection<br>self-reported; fails open if killed<br>fails open silently

Free tier with the full detection engine<br>not a paywalled demo

audit-mode free · enforce-mode Pro<br>$50–100 per endpoint / yr minimum<br>free version cripples real-time

Published threat model with honest residual risk<br>we tell you...

free blue nemesis kernel endpoint tools

Related Articles