Company
Date Published
Author
Will Yu
Word count
3131
Language
-
Hacker News points
None

Summary

The final installment of a series on Mac system extensions for threat detection covers the shift from kernel extensions to Apple's new EndpointSecurity and SystemExtensions frameworks. Announced at WWDC 2019, these frameworks will replace kernel extensions in macOS 10.16, since third-party vendors will no longer be permitted to run code in the kernel. The EndpointSecurity framework offers a userland alternative to the in-kernel Kauth and MAC frameworks, providing detailed system event information and making applications easier to debug. SystemExtensions run in user mode, which mitigates the risks of kernel code development: developers can use modern debugging tools, and faulty code no longer crashes the whole system. Both frameworks are tailored to security applications, exposing event subscription, authorization, and notification handling through userland APIs, which improves development efficiency and system stability.