We’re releasing Vigil, a native macOS system monitor that watches your processes and file activity, learns what “normal” looks like, and flags anything unusual. It’s a behavioral antivirus — it doesn’t block, it observes and reports.

The gap it fills

Activity Monitor tells you CPU percentage and memory usage. But it can’t tell you that a process is doing ten times its normal disk I/O, that an unknown process appeared with no executable path, or that an AI coding tool just touched files outside its expected scope. Vigil fills that gap with behavioral baselines and heuristic analysis.

What it does

Vigil has six monitoring views:

  • Overview — a system health score (0-100) with top concerns and process breakdown
  • Processes — detailed process list backed by a knowledge database of ~572 known macOS processes
  • File Activity — real-time stream of file system events (creates, modifications, deletes, renames)
  • AI Activity — dedicated monitoring of AI tools (Claude Code, Copilot, Cursor, Ollama) showing what files they touch and what permissions they’ve been granted
  • File Sharing — cloud sync, backup, and file transfer activity in one view
  • History — behavioral trends comparing process I/O across 7-day, 30-day, 90-day, and 365-day windows

Six automated heuristics run against live process data: unknown processes with high I/O, missing essential system processes, lifetime violations, I/O anomalies against learned baselines, high energy consumers, and phantom processes with no verifiable executable path.

Vigil stores daily I/O statistics per process in a local SQLite database and computes baselines using Welford’s online algorithm — so it gets smarter the longer it runs.

Why behavioral monitoring

Traditional antivirus checks files against a signature database. That misses anything the database doesn’t know about. Vigil takes a different approach — it doesn’t need to know what “bad” looks like if it knows what “normal” looks like. Anything that deviates from the baseline gets surfaced.

This is the same observe-first philosophy behind Tapped, Survey, and Harden. Vigil extends it from network traffic and wireless signals to process behavior and file activity. Together, they give you visibility across your Mac’s full attack surface.