FAQ
Questions people actually ask. Answered honestly.
General
Is SecVF free?
Yes. The direct download from GitHub releases is MIT-licensed and free forever. There's also a paid Mac App Store build at $6.99 — same code, sandbox-adjusted, packaged for auto-updates. The App Store price is a "support the developer" tier; it doesn't unlock features.
What's the difference between the free and App Store versions?
Same MIT-licensed code base. The App Store build is sandboxed (Apple's requirement), which moves VM bundles to a sandbox container and swaps the tshark shell-out for in-process libpcap. Functionally identical for nearly all workflows. See Security model for details.
Why MIT and not GPL?
App Store distribution is incompatible with GPL (Apple's EULA imposes restrictions that conflict with GPL §6). MIT lets us dual-distribute. See docs/LICENSE-REVIEW.md for the full reasoning.
Will it work on Intel Macs?
Partially. Linux guests run on Intel; macOS guests require Apple Silicon (this is an Apple framework restriction, not ours). The AI sandbox needs macOS guests, so it's Apple-Silicon-only. Everything else works on Intel Macs that meet the macOS 14+ requirement.
Why macOS only? No Linux / Windows host?
SecVF is built on Apple's Virtualization framework — a macOS-only API. Porting to other hosts would mean rewriting the hypervisor layer from scratch (Linux + KVM, Windows + Hyper-V) and we'd lose the "native, no kext" property. For now it's macOS-native by design.
Isolation & safety
How does isolation compare to Docker or other VM apps?
Stronger than Docker (containers share the host kernel; SecVF gives each guest its own kernel behind the hypervisor). Comparable to VMware Fusion / Parallels (same hypervisor primitive). Different from kata-containers or gVisor (those add a sandboxed kernel but inside a container; SecVF skips the container layer entirely). See the vs. matrix on the AI sandbox page.
Can malware escape from a SecVF VM?
Only via a hypervisor exploit. Apple's Virtualization framework is the trust boundary; an escape requires a 0-day in that, not in a Linux/macOS kernel. Such bugs exist but are rare and patched aggressively. See Security model for the full threat statement.
Is it safe to run real malware in this?
For analysis purposes — yes, with the right network mode (use Router VM or FakeNet, never plain NAT). Hardware boundaries are real. That said: don't run nation-state-targeted samples on your daily-driver Mac. For high-stakes analysis, use a dedicated analysis machine.
Will my host get infected if a guest gets compromised?
The guest can't directly touch the host filesystem (no shared folders by default), can't touch host memory (hardware-enforced), and can't escape its kernel without a hypervisor bug. Network is the only path out, and you control which mode that is.
What about the AI agent in the sandbox writing malicious files to my workspace?
That's the whole point of the workspace share — the agent can write to that one directory by design. The point of isolation is that the agent can't write outside that directory. If you mount a sensitive directory as the workspace, the agent can damage its contents. Don't do that. Use a scratch directory for agent workspaces.
Features
Does it support snapshots?
Yes — bundle-level. Stop the VM, right-click → Duplicate. On APFS volumes the clone is instant (copy-on-write); only divergent blocks consume disk. Live snapshots (running-VM state) aren't supported by Apple's framework yet.
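The same bundle-level snapshot as a script, useful for keeping a pristine baseline before detonating a sample and restoring from it afterwards. This is an added example, not SecVF's own tooling; it assumes the VM bundle is a plain directory (the .vm name below is constructed), that the VM has already been stopped in SecVF, and that cp -c is available on macOS for clonefile(2); off APFS it degrades to a full copy.

```shell
#!/bin/sh
# Added example (not SecVF's code): clone a STOPPED SecVF VM bundle as a
# snapshot. On APFS, cp -c uses clonefile(2): instant, copy-on-write, only
# divergent blocks consume disk. Elsewhere it falls back to a full copy.
# Assumption: the bundle is a plain directory and the VM is not running.

snapshot_bundle() {
    src="$1"
    dst="$2"

    # Refuse anything that is not an existing bundle directory.
    [ -d "$src" ] || { echo "no such bundle: $src" >&2; return 1; }
    # Never clobber an existing snapshot: a baseline must stay pristine.
    [ ! -e "$dst" ] || { echo "refusing to overwrite: $dst" >&2; return 1; }

    # Heuristic stopped-VM check (assumption, not a SecVF interface): if lsof
    # exists and some process still holds a file open inside the bundle, the
    # disk image may be mid-write and the clone would be inconsistent.
    if command -v lsof >/dev/null 2>&1 && lsof +D "$src" >/dev/null 2>&1; then
        echo "bundle is in use; stop the VM first: $src" >&2
        return 1
    fi

    if [ "$(uname -s)" = "Darwin" ]; then
        # -c asks cp for clonefile(2): instant on APFS, shares unchanged blocks.
        cp -R -c "$src" "$dst"
    else
        cp -R "$src" "$dst"   # no APFS here: full copy, same result, slower
    fi
}

# Byte-for-byte comparison of source and clone (a sanity check, not an
# integrity guarantee; returns 0 when identical).
snapshot_matches() {
    diff -r "$1" "$2" >/dev/null 2>&1
}
```

Restoring is the reverse: stop the VM, move the dirty bundle aside, and clone the baseline back under the original name.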
Can I run Windows in a guest?
Yes — Windows for Apple Silicon via the Insider Preview ARM64 builds. SecVF doesn't ship a one-click Windows installer (Apple's framework requires a manual install), but it boots Windows ISOs fine. UTM's documentation has a good Windows-on-Apple-Silicon walkthrough that translates to SecVF.
Does it support GPU acceleration?
Linux guests get the framework's standard virtio-gpu — fine for desktop work, not for ML or 3D graphics. macOS guests get Apple's accelerated display device. There's no GPU passthrough; the framework doesn't expose Metal devices to guests yet.
Can I share clipboard between host and guest?
Not yet. The framework's clipboard sharing is macOS-guest-only and requires guest configuration; we haven't wired it up. On the roadmap.
How do I get files into a VM?
Three options:
- Scripts USB — for shipping a directory of scripts (used by the router setup). VM Library → right-click → Mount Scripts USB.
- scp — once the guest is running and has an IP, regular scp works.
- VirtioFS share — opt-in directory share. Off by default for isolation; enable per-VM in Edit configuration.
Performance
How fast is a VM compared to native?
Apple's framework reports ~95–98% of native CPU performance. Disk I/O is close to native on APFS-backed disk images. Network through the virtual switch is ~1.2 Gbps single-core (not your wire speed, but plenty for analysis). The AI sandbox boot is ~5–8 s; session clone is sub-millisecond.
How much RAM should I give a VM?
Linux desktop: 4 GB. Linux headless analysis VM: 2 GB. macOS guest: 8 GB minimum. The framework doesn't oversubscribe — RAM allocated is RAM reserved.
Why does my macOS guest feel slow?
macOS guests are heavy. 4 GB and 2 cores is a bare minimum; 8 GB and 4 cores is more comfortable. The framework's graphics acceleration is good but not native.
Tools & integration
Do I need to install Wireshark?
You need tshark (which ships with Wireshark) for the packet analysis features in the direct-download build. brew install wireshark is the easy path. The App Store build uses in-process libpcap and doesn't need tshark.
Can I use Wireshark itself?
Yes — export captures as pcapng and open in Wireshark. The display filters we use are Wireshark's, so anything you learn there works in SecVF.
What's the Scripts USB?
A virtual USB disk SecVF creates on demand to ship a directory of scripts into a guest (mostly used for the router VM setup). It's a regular HFS+ image attached as a USB device. The guest mounts and reads it like any USB stick.
Does it work with Vagrant / Packer / Terraform?
Not directly. The CLI (secvf-cli) is a reasonable target for shell-out integrations though — secvf vm create and secvf vm start are scriptable. A Packer plugin would be welcomed as a contribution.
Project
Who builds SecVF?
The project is maintained by DaxxSec. Background: DFIR. Open source contributions welcome.
How can I contribute?
See Contributing. Quickest win: pick an open issue, write a test, send a PR. We also welcome wiki improvements, distro additions to distros.json, and translation if you're feeling generous.
Why is the App Store version a separate fork?
Sandbox adjustments are non-trivial — VM bundle path changes, libpcap instead of tshark, no arbitrary subprocess exec. Keeping them in a downstream fork keeps the main repo clean and full-featured. The fork pulls from main regularly. See LICENSE-REVIEW.md.
Will there be an iOS version?
Apple's Virtualization framework is macOS-only. iPadOS got it briefly then lost it. So no, not without Apple changing course.
What's your roadmap?
Open items live as GitHub issues. Big themes:
- Live snapshots once the framework supports them
- Better Windows-on-Apple-Silicon setup wizard
- More display filters / Wireshark-grade decode for offline mode
- Plugin API for custom packet dissectors
- Clipboard sharing (host ↔ guest)
How do I report a security issue?
Not in a public issue. See Security model § reporting. GitHub Security Advisories or security@daxxsec.tech.