Santamon is a detection sidecar for the Santa application that evaluates macOS Endpoint Security telemetry using CEL rules. It processes detection signals locally and sends only relevant alerts to a backend server, keeping raw telemetry on the endpoint. Ideal for home labs and small fleets, it's still in an experimental stage.