Author: Will Yu
Word count: 1568
Language: -
Hacker News points: None

Summary

Kernel extensions (kexts) in macOS let third-party developers extend the XNU kernel by dynamically loading binaries into kernel space, which gives security tools visibility into security-relevant events such as file system, process, and network activity. Since macOS 10.14, loading a kext requires a special kernel extension certificate from Apple as well as the user's consent. Once loaded, a kext can use the Kernel Authorization (KAuth), Mandatory Access Control (MAC), and IP/Socket filter frameworks to monitor and control system events. Starting with macOS 10.15, however, Apple is moving to new frameworks, namely SystemExtension, EndpointSecurity, and NetworkExtension, which will become the foundation for endpoint security tools. The existing kernel frameworks remain powerful, but developers must work around certain limitations and changes, notably the deprecation of some features, such as the MAC framework, in newer SDKs. The article notes that later parts of the series will cover the legacy frameworks' nuances in more detail and examine the newer frameworks' features and their implications for security development on macOS.