Endpoint Drift: Why EDR coverage breaks down at scale [+ Take the quiz to see where you stand]
Iru Team

7 min read

Your dashboard says every endpoint is covered. Patches show as deployed. Policies look locked down.

Educational
Inside SStar Agent, a cross-platform RAT with an unfinished macOS toolkit
Calvin So

19 min read

Threat Intelligence
Enroll Windows devices automatically through Autopilot
Lance Crandall

2 min read

Product News

NVD's shift to risk-based prioritization: how Iru Vulnerability Management stays ahead of the limitations
Shwena Kak

6 min read

NIST formally transitioned the National Vulnerability Database to a risk-based enrichment model in April 2026, meaning only CVEs that meet specific criteria, like those in CISA's KEV catalog or affecting federal software, will be prioritized for enrichment. Everything else gets deferred. This leaves a significant gap for security teams that depend on NVD data for vulnerability management. Iru VM was built to operate independently of NVD's limitations, drawing from multiple sources and providing its own human-in-the-loop enrichment. To date, Iru's Security Research team has enriched close to 2,000 CVEs and corrected around 170 inaccurate NVD records, with 66% of all vulnerability detections across customer endpoints driven by Iru-enriched data. The CVE program has long been a vital part of vulnerability intelligence and protecting critical infrastructure. For the past couple of decades, the National Vulnerability Database (NVD), run by NIST, has served as a foundational reference for vulnerability intelligence, providing severity scores, product metadata, and structured enrichment that security teams and tooling depend on every day.

Threat Intelligence
How to build a tech stack that runs itself
Iru Team

5 min read

Gorilla's IT lead shares the playbook he uses to automate onboarding, offboarding, and compliance with Iru so routine work runs itself and the team can focus on higher-value projects. IT teams are being asked to do more than ever. Device management, security, compliance, AI enablement, and often all of it with a team of one. The difference between keeping up and falling behind often comes down to how much of the routine work can run without you.

Educational
Introducing Iru MCP: IT is moving from operators to builders
Lance Crandall

5 min read

Iru MCP lets IT teams query, manage, and automate endpoint workflows from AI tools like Claude Code and Cursor. One prompt can replace multi-tool, multi-step processes while keeping humans in control of every irreversible action. Endpoints just joined your IT team's AI build environment.

Product News
Zero-Trust Endpoint Security: How To Defend Your Largest Attack Surface
Iru Team

15 min read

In January 2026, the Dutch Data Protection Authority (the agency responsible for protecting citizens' personal data) had its own employee's work-related data accessed and stolen. Attackers exploited critical zero-day vulnerabilities in Ivanti's endpoint mobile management software before patches were even available. That same day, bad actors attacked the European Commission, and Finland's government IT provider lost data on up to 50,000 employees. All three incidents traced back to a single point of failure: endpoint management tools that granted access based on device identity alone, without verifying whether those devices were actually secure.

Educational
Iru Quarterly Threat Report: May 2026
Adam Kohler

6 min read

Welcome to the Iru Threat Intelligence Report, our quarterly summary of emerging threats in the macOS ecosystem and how Iru is responding in real time. In each edition, we break down key threat discoveries and the protections we've deployed to keep customer devices secure.

Threat Intelligence
Apple's Managed Migration Assistant: Bring IT control to macOS device refreshes
Mike Boylan

4 min read

For the first time, IT has declarative MDM control over what transfers when a user migrates from an old Mac to a new one.

Product News
Understanding ADE: Enrollment, configuration, and where the gap lives
Adam Henry

5 min read

A guide to how Automated Device Enrollment works, where it stops, and how to close the window between enrolled and ready.

Product News
Securing Windows: Vulnerability management, auto patching, and OS updates
Iru Team

6 min read

Unpatched software is behind roughly 60% of breaches. And with AI models getting better at finding exploitable vulnerabilities faster than most teams can remediate them, the window between disclosure and exploitation is shrinking fast.

Educational
Local admin accounts on Mac: should IT teams create them?
Iru Team

6 min read

Updated May 2026. For IT teams deploying Mac computers, the question is: should you create local IT admin accounts on those computers or not? What are Mac admin and standard user accounts? To be clear on what we’re talking about: a local IT admin account is a user account with admin privileges, created on a Mac in addition to the primary user account. There are several reasons IT teams might want to distribute such accounts—but there are also good reasons why they might not. There are also several ways to do so, as well as a couple of alternatives that could obviate the need to deploy such accounts altogether. Let’s walk through each of those decisions.

Educational
12 IT and security voices shaping the conversation in 2026
Iru Team

9 min read

Finding good information in IT and security has never been the hard part. Finding the people who are genuinely advancing the conversation — the ones with fresh perspectives who are helping shape where the industry is heading — takes more effort.

Thought Leadership
MiniRAT: A Go-based macOS RAT delivered via malicious npm package
Calvin So

13 min read

MiniRAT is a Go-based macOS RAT dropped onto developer machines via a malicious npm package. It evades VMs, persists via a LaunchAgent disguised as an Apple component, and beacons over HTTPS using an AES-encrypted C2 config. Operators can run shell commands, exfiltrate files, and stage secondary payloads. A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to SafeDep, the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.

Threat Intelligence
Apple is about to enforce stricter TLS standards for MDM. Are you ready?
Arek Dreyer

7 min read

Apple announced that starting as early as iOS 27, iPadOS 27, macOS 27, watchOS 27, tvOS 27, and visionOS 27, its operating systems will enforce stricter TLS requirements for system processes, including MDM, DDM, Automated Device Enrollment, and app distribution. Servers that don't support TLS 1.2 or later (TLS 1.3 recommended), ATS-compliant ciphersuites, and valid certificates may have their connections refused. SCEP servers and content caching servers are currently exempt. IT admins should audit their infrastructure now using Apple's Network Diagnostics Logging Profile to identify non-compliant servers before fall 2026. Starting as early as the next major OS release, Apple devices will refuse to connect to any device management service, Mobile Device Management (MDM) server, enrollment endpoint, or app distribution infrastructure that does not meet tightened TLS standards. Non-compliant servers will simply stop working for enrollment, device management, app delivery, and software updates.

Educational