Mac security · built from a real infection

I build with AI tools all day. An infostealer wiped me out anyway.

It lived on my Mac for three months while my antivirus said it was clean. Here’s the free checklist I rebuilt with — and the developer’s playbook that does the parts a checklist can’t.

Free checklist and a free scanner, no signup. The playbook is in progress — early access below.

The hit

The dashboard was green. The backdoor was still running.

I was technical enough to be targeted, not immune.

It came in through a trusted install on a Mac where I ran as admin.

For about three months, an AMOS/Poseidon-class infostealer ran as me, masquerading as Apple processes. One process wrote my login password to a hidden file; another kept running after antivirus said the machine was clean.

That meant every password, API key, SSH key, cloud token, and browser session that machine had touched had to be treated as already stolen.


The painful part was not only finding malware. It was realizing how much access sat within reach of anything running under my user account. Once trust was gone, the only sane path was wipe, reinstall, rotate credentials, rebuild the machine, and rethink what should have been reachable in the first place.

AMOS/Poseidon-class behavior documented by: Objective-See · Apple Platform Security · CISA

Why it matters

The obvious advice did not match the actual problem.

The useful guidance was scattered. The recovery sequence was the missing piece.

  • Admin-by-default risk: daily work had too much reach when one bad install ran as me.
  • False confidence: antivirus reported clean while a disguised process remained loaded.
  • Credential sprawl: browser sessions, keys, and tokens created a larger blast radius.
  • No clear runbook: the hardest part was knowing what to rotate, wipe, check, and rebuild first.

Start here — free

The recovery & hardening checklist. Ungated, no signup.

The full sequence I used while rotating credentials and rebuilding — what to do in the first hours if you’re hit, then how to rebuild clean and close the gaps. Read it whether you ever buy anything or not.

1. If you’re hit right now: rotate from a clean device, preserve evidence, audit persistence, decide wipe vs. clean.
2. Rebuild clean: erase, reinstall, and set up standard-user + time-boxed admin so one prompt isn’t game over.
3. Harden so it can’t recur silently: outbound firewall, persistence alerts, secrets off disk, hardware 2FA, supply-chain hygiene, restore data only.

It’s deliberately complete. The free checklist is the map — what to do, in what order. That’s what earns the right to sell you anything at all.
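The "audit persistence" step above is the one most people skip because they do not know what a suspicious launchd item looks like. Below is an added example, written for this page and not code from the playbook or the checklist, that reads LaunchAgent/LaunchDaemon plists and flags the traits the incident describes: an Apple-looking label that runs a binary from somewhere Apple never installs to, a program hidden in a dot-directory or temp path, and the RunAtLoad + KeepAlive pair that makes an agent relaunch itself after you kill it. The set of "Apple-owned" path prefixes, the sample plists, and the paths in them are constructed assumptions for the demonstration; on a real Mac you would call `sweep_launchd_dirs()` and read every finding by hand rather than trust the script's verdict.

```python
"""Audit macOS launchd persistence items (LaunchAgents/LaunchDaemons) for the
traits a post-infection persistence audit looks for: an Apple-style label that
points at a non-Apple binary, a hidden or temp program path, and a
RunAtLoad + KeepAlive relaunch loop. Added example; not the playbook's code."""
import plistlib
from pathlib import Path

# Assumption for this example: Apple's own launchd items run from these
# prefixes; a com.apple.* label that runs from anywhere else deserves a look.
APPLE_PATH_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/Library/Apple/")

# Directories launchd loads per-user and system items from.
LAUNCHD_DIRS = (
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
)


def program_path(item):
    """Return the executable a launchd item runs, or None if it names none."""
    prog = item.get("Program")
    if prog:
        return prog
    args = item.get("ProgramArguments") or []
    return args[0] if args else None


def audit_item(source, item):
    """Return a list of (source, reason) findings for one parsed plist dict."""
    findings = []
    label = item.get("Label", "")
    prog = program_path(item)
    if prog is None:
        return [(source, "no Program/ProgramArguments; malformed or unusual item")]
    parts = Path(prog).parts
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PATH_PREFIXES):
        findings.append((source, f"Apple-style label {label!r} runs non-Apple path {prog}"))
    # parts[1:] skips the leading "/" so only real path components are checked.
    if any(p.startswith(".") for p in parts[1:]):
        findings.append((source, f"program lives in a hidden directory: {prog}"))
    if prog.startswith(("/tmp/", "/private/tmp/", "/var/tmp/")):
        findings.append((source, f"program runs from a temp directory: {prog}"))
    # KeepAlive may be a bool or a dict of conditions; anything but absent/False
    # combined with RunAtLoad means launchd restarts the process when it dies.
    if item.get("RunAtLoad") and item.get("KeepAlive") not in (None, False):
        findings.append((source, "RunAtLoad + KeepAlive: relaunches whenever it is killed"))
    return findings


def audit_plists(blobs):
    """blobs: {source_name: raw plist bytes}. Returns all findings in input order."""
    findings = []
    for source, raw in blobs.items():
        try:
            item = plistlib.loads(raw)
        except plistlib.InvalidFileException:
            findings.append((source, "unparseable plist"))
            continue
        findings.extend(audit_item(source, item))
    return findings


def sweep_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Read every .plist in the real launchd directories and audit it."""
    blobs = {str(p): p.read_bytes() for d in dirs if d.is_dir() for p in d.glob("*.plist")}
    return audit_plists(blobs)


# Constructed sample items (not from any real machine): a benign third-party
# updater, and one shaped like the disguised, self-relaunching agent the
# incident describes. Paths and labels are invented for the demonstration.
SAMPLE_ITEMS = {
    "~/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 3600,
    }),
    "~/Library/LaunchAgents/com.apple.softwareupdated.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdated",
        "ProgramArguments": ["/Users/me/Library/.cache/softwareupdated"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}

if __name__ == "__main__":
    for source, reason in audit_plists(SAMPLE_ITEMS):
        print(f"{source}: {reason}")
```

Run it as-is to see the three findings on the constructed sample; replace the last loop with `sweep_launchd_dirs()` to audit a live machine. A clean-looking result is not a clean machine (the incident on this page survived a green dashboard), so the script's job is to surface items for you to read, not to clear them.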

Free vs the playbook

The checklist tells you what to do. The playbook does it, decides it, and proves it.

If the paid version were just a longer checklist, it wouldn’t be worth your money — so it isn’t. Here’s the actual line.

Free · the map

The checklist

Everything you need to understand the threat and work the recovery yourself.

  • The full first-hours triage sequence
  • The clean-rebuild order of operations
  • The hardening gaps to close, explained
  • Generic commands and official tool links
Free, ungated, yours to keep. For many people, this is enough — and that’s fine.

What early access gets you

Concrete artifacts, not a wall of theory.

The point of the playbook is that you have something to run today — not just something else to read.

  • Audit & rotation scripts: persistence sweep and a credential-rotation tracker so nothing slips through the cracks during a rebuild.
  • Prebuilt firewall & egress rules: an outbound ruleset and the full agent network allowlist + sandbox config, so your tools work and exfil doesn’t.
  • Triage decision trees: the forks the checklist can’t make for you — malicious-or-not, wipe-or-clean, what’s truly exposed.
  • The decoded real incident: the actual annotated case, the disguised persistence, the relaunch loop, and why a green dashboard lied.
  • Living updates: the stealer families evolve. You get the current version and the changelog, not a stale download.
  • Developer threat model: containing agents, keeping keys off disk across an MCP fleet, supply-chain gates — the always-on case.

Straight answers

The questions a skeptical developer would actually ask.

Isn’t the free checklist enough?

For a lot of people, yes — and I mean that. The checklist is the complete map and I’m not holding it hostage. The playbook is for when you’d rather run a script than type the commands, want the exact firewall and agent-sandbox rules prebuilt, need the judgment calls the checklist can’t make for you, or want it to stay current as the threat moves. Different job, not a longer version of the same thing.

Is this just antivirus, or a tool I install?

Neither. It’s a hardening-and-recovery playbook plus the scripts and configs to apply it. Every security tool it references (Little Snitch, LuLu, the Objective-See suite, 1Password, and so on) links to the original maintainer — nothing is bundled or redistributed. You install from the source and stay in control.

Will the scripts break my machine?

They’re built to be read before they’re run, reversible where it matters, and they touch your configuration — not your data. The honest framing throughout is that no tool or playbook makes a Mac “unhackable.” The goal is to reduce attack surface, raise the bar, and recover faster.

Who are you, and why trust this?

Someone who builds with AI tooling all day, got hit by an AMOS/Poseidon-class infostealer anyway, and rebuilt from scratch. This is written from that — not from a vendor brochure. The free checklist is the proof: read it, and decide whether the person who wrote it is worth paying.

This is an experience-based educational resource from someone who lived through an infection and rebuild — not professional security advice, and not a guarantee. No tool or playbook can make any machine “unhackable.” The goal is to raise the bar and help you recover faster. You remain responsible for your own systems.