Documentation
SecVF wiki
Run malware safely. Capture every packet. Spin up isolated AI agents. Read the architecture, follow the workflows, file an issue if anything bites.
SecVF is a native macOS app built on Apple's Virtualization framework. This wiki covers every feature: installing the app, creating VMs, configuring network modes, capturing traffic with tshark, running the Kali router and FakeNet honeypot, using the AI sandbox, the command line and the terminal UI, the security model, and how to contribute.
New here? Start with Installation, then Your first VM. Twenty minutes from clone to detonating a sample.
What's in the docs
Get started
- Installation — system requirements, getting the source, building, signing.
- Your first VM — create a Linux guest, attach to a network, boot it, take a snapshot.
VM management
- Managing VMs — the VM library, multi-window sessions, ISO cache, macOS guests, lifecycle.
- Network modes — NAT, virtual switch, router VM, FakeNet — when to use which.
- File transfer — every way to move files host↔guest: VirtioFS, vm copy-to, virtual USB, scp, HTTP one-shot.
- USB devices & passthrough — physical USB to guests, virtual USB disks, hardware keys, SDR/JTAG dongles.
Capture & analysis
- Packet analysis — live capture, display filters, protocol breakdown, PCAP export.
- Router VM — Kali Linux as gateway, traffic interception, helper commands.
- Traffic analysis workflows — concrete recipes: DNS exfil hunt, JA3, beacon timing, FakeNet reveals, hidden C2 discovery.
- FakeNet honeypot — DNS sinkhole + fake HTTP/HTTPS responders for offline malware behavior capture.
Detection & SIEM
- SIEM & detection — opt-in detection stack (Loki + Promtail + Grafana + Suricata + YARA) with pre-built dashboards and Sigma-derived alerts.
- Containment breakout — the four isolation boundaries, indicators, response procedures, severity matrix.
Scripts & provisioning
- Scripts reference — every shell script SecVF ships, per-file documentation.
AI sandbox
- AI sandbox — ephemeral macOS guests, APFS CoW session cloning, vsock IPC, DTrace and ESF telemetry.
CLI, TUI & automation
- CLI reference — every secvf-cli command and flag.
- TUI guide — the Textual-based terminal UI for headless work.
- Automation & AI agents — drive SecVF programmatically; JSON CLI, agent loops, MCP integration, safety rails.
Reference
- Architecture — every module, every protocol, every notification.
- Security model — the threat model, isolation guarantees, audit trail.
- Logging & telemetry — every log surface, per-window detail, on-disk schemas, SIEM bridging.
- Troubleshooting — common errors and how to recover.
- FAQ — what people ask before they file an issue.
Project
- Contributing — coding conventions, test pattern, PR checklist.
Conventions used in these docs
| Symbol | Meaning |
|---|---|
| ~/.avf/ | The SecVF data directory. VM bundles, logs, caches. |
| ⌘⇧P | A keyboard shortcut. Mac modifier symbols. |
| // Swift | Swift code in the SecVF macOS app. |
| # bash | Shell command, run on host (or guest where noted). |
| tip | A non-obvious win. |
| caution | Read before you do it. |
| danger | Destructive or hostile-input territory. |