Open source · macOS · MIT licensed

One command.
Every Mac.
Locked down.

fort runs 15+ security checks on your Mac and fixes what it safely can: disk encryption, firewall, screen lock, SSH, sharing and more. One binary, no agent, no signup.

zsh — fort
brew install djadmin/tap/fort
Requires Homebrew
View on GitHub Join waitlist for teams →
Audit. Fix. Done.

Three commands, the whole job. No dashboard to learn, no agent to manage, nothing running in the background.

Step 01
$ fort

See what's failing

Audits every security control in under 3 seconds. Score, current state, expected state. No interpretation needed.

Step 02
$ fort --fix

Fix it automatically

Remediates every fixable setting. Use --dry-run first to see exactly what changes before it runs.

Step 03
$ fort --report

Keep a record

Writes a timestamped HTML report with machine identity, per-check results, and the exact command behind each. Print to PDF in one click.

Audit your Mac from a conversation.

Use fort inside Claude Code. Ask “is my Mac secure?” and it runs the audit, explains every finding and why it matters, then fixes only what you approve. Read-only until you say otherwise.

brew install djadmin/tap/fort
/plugin marketplace add djadmin/fort
/plugin install fort@fort
Install the fort binary, then add the plugin. It runs fort on your Mac, no extra service, nothing uploaded.
15+ controls. Zero guesswork.

Every check uses stable, documented macOS APIs. No private frameworks. Works on macOS 12 Monterey through the latest release.

🔐
Password manager CC6.1
Detects 1Password, Bitwarden, LastPass, and 9 other managers in /Applications.
💾
Disk encryption (FileVault) CC6.1
Verified via fdesetup status. High confidence, no guessing.
🔒
Screen lock CC6.1 ⚡ auto-fix
Password required on sleep, delay set to immediate. Fixable without sudo.
🛡️
Antivirus / EDR CC6.8
Detects CrowdStrike Falcon, SentinelOne, Malwarebytes, and 14 others by app and process.
🔥
Application firewall CC6.6 ⚡ auto-fix
macOS built-in application-layer firewall via socketfilterfw.
🚪
Gatekeeper CC6.8 ⚡ auto-fix
Blocks unsigned and unnotarized apps from running on the system.
🌐
Remote login (SSH) CC6.6 ⚡ auto-fix
Inbound SSH should be off on employee laptops. Detected via launchctl without sudo.
🔄
Automatic OS updates CC6.8 ⚡ auto-fix
Ensures security patches are automatically checked. Required for most compliance frameworks.
🛡
System integrity (SIP) CC6.8
Prevents root-level system file modification. Required for Gatekeeper and XProtect to function.
👤
Local admin rights CC6.3
Verifies the current user is not running as a local administrator. Most commonly cited audit finding.
🚫
Guest account CC6.1 ⚡ auto-fix
Verifies the guest account is disabled. Guest access bypasses all logical access controls.
🔑
Automatic login CC6.1 ⚡ auto-fix
Verifies auto-login is disabled. Physical access to an auto-login Mac bypasses all authentication.
📡
Sharing services CC6.6
Checks file sharing, screen sharing, remote management, and internet sharing are all off.
📶
AirDrop CC6.6 ⚡ auto-fix
Verifies AirDrop is set to Contacts Only or Off. "Everyone" is a data exfiltration risk.
📦
OS patch status CC6.8
Checks pending update count from cached Software Update prefs, no network call needed.
👆
Touch ID for sudo CC6.1 ⚡ auto-fix
Detects whether PAM accepts Touch ID for sudo. fort enables it via /etc/pam.d/sudo_local, password still works as fallback.
A record you can keep.

Run fort --report for a self-contained HTML snapshot of your Mac's security posture. No portal, no upload, no account. View sample report →

Verbatim command output

Every check captures the exact command run and its raw output. Expand any finding to see the full terminal transcript. Never a black box.

📄

Print to PDF in one click

Self-contained HTML file with machine identity, serial number, and timestamp. Open in any browser, hit Cmd+P.

🗺️

Maps to security frameworks

Each check references the relevant controls in SOC 2, ISO 27001, NIST CSF, and CIS. Handy context if your team tracks them.

fort
Endpoint Security Assessment
16/16
16 pass · 0 fail · 0 warn
alice-mbp
15.5
C02XF2K...
May 21, 2026
CheckStatusFound
Password managerpass1Password
Disk encryptionpasson
Screen lockpassimmediate
Antivirus / EDRwarnXProtect only
Application firewallpasson
Who it's for.
🧑‍💻

Developers & power users

Lock down your own machine in seconds. Read every check before you run it. It's one MIT-licensed Go binary, no magic.

🔐

The privacy-conscious

No account, no telemetry, no background process. fort reads local state, shows its work, and exits. Run it whenever you want.

🛠️

Small teams & consultants

A fast, repeatable way to check and harden Macs without enrolling them in MDM. One command per machine, no IT department needed.

Team dashboard.

Fleet view, drift alerts, and policy files, across every Mac in your org. Join the waitlist and we'll reach out first.

✓ You're on the list. We'll be in touch.

No spam. Unsubscribe anytime. The CLI is always free.

Common questions
How do I check my Mac's security settings?

Install fort with brew install djadmin/tap/fort and run fort. It audits 15+ security settings — disk encryption, firewall, screen lock, SSH, Gatekeeper, Touch ID for sudo, automatic updates and more — in about 3 seconds and explains each result in plain English.

Is fort free and open source?

Yes. fort is free and released under the MIT license. The full source, including every check, is on GitHub.

Does fort send my data anywhere?

No. The audit makes zero network calls. fort reads local system state and exits — no account, no telemetry, nothing uploaded. Every check prints the exact command it ran, so you can verify it instead of trusting it.

Can fort help with SOC 2 or ISO 27001 compliance?

Yes. Every check maps to controls in SOC 2, ISO 27001, NIST CSF and CIS v8, and fort --report writes a self-contained, auditor-ready HTML evidence report with machine identity, per-check results, and the exact commands run.