diff --git a/.gitignore b/.gitignore
index 66fd13c..ec8081a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,6 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
-
+out/
 # Dependency directories (remove the comment below to include it)
 # vendor/
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..23cdef9
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,18 @@
+out/odk-detection.sql:
+ mkdir -p out
+ osqtool pack detection/ > out/odk-detection.conf
+
+out/odk-policy.sql:
+ mkdir -p out
+ osqtool pack policy/ > out/odk-policy.conf
+
+out/odk-incident_response.sql:
+ mkdir -p out
+ osqtool pack incident_response/ > out/odk-incident_response.conf
+
+packs: out/odk-detection.sql out/odk-policy.sql out/odk-incident_response.sql
+
+out/odk-packs.zip: packs
+ cd out && zip odk-packs.zip *.conf
+
+all: out/odk-packs.zip
\ No newline at end of file
diff --git a/detection/README.md b/README.md
similarity index 95%
rename from detection/README.md
rename to README.md
index 25f7922..cfb4f77 100644
--- a/detection/README.md
+++ b/README.md
@@ -2,6 +2,8 @@
 Real-world queries for using osquery as part of your detection & response pipeline.
+![osquery-defense-kit](images/logo-small.png?raw=true "osquery-defense-kit logo")
+
 ## Organization
 * `detection/` - Threat detection queries suitable for alerting.
@@ -67,3 +69,7 @@ Here is a partial list of what stages would have been detected by particular que
 * `c2/unexpected-talkers-macos.sql`
 * `execution/exotic-command-events.sql`
 * `execution/unexpected-executable-directory-macos.sql`
+
+## Local pack generation
+
+Run `make packs`
diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql
index b5d73c8..1810f99 100644
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
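Review bot: The three pack targets in the Makefile hunk, `out/odk-detection.sql:` and its two siblings, name a file their recipes never create — each writes `out/odk-*.conf` — so make never finds the target up to date, re-runs osqtool on every `make packs`, and `zip odk-packs.zip *.conf` then adds to whatever zip is already there. Naming the targets after the `.conf` files they actually produce and declaring the aggregate targets `.PHONY` fixes both. The recipe lines must stay tab-indented, which the collapsed text here cannot show.
```makefile
out/odk-detection.conf:
	mkdir -p out
	osqtool pack detection/ > out/odk-detection.conf
# … unchanged shape for out/odk-policy.conf and out/odk-incident_response.conf, targets renamed the same way …
packs: out/odk-detection.conf out/odk-policy.conf out/odk-incident_response.conf
.PHONY: packs all
```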
@@ -3,7 +3,7 @@
 -- references:
 -- * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
 --
--- platform: linux
+-- platform: darwin
 SELECT
 pof.pid,
 pof.path AS device,
diff --git a/images/logo-small.png b/images/logo-small.png
new file mode 100644
index 0000000..72a6933
Binary files /dev/null and b/images/logo-small.png differ
diff --git a/images/logo.png b/images/logo.png
new file mode 100644
index 0000000..58e8ad8
Binary files /dev/null and b/images/logo.png differ
diff --git a/incident_response/alf.sql b/incident_response/alf.sql
new file mode 100644
index 0000000..b9765f3
--- /dev/null
+++ b/incident_response/alf.sql
@@ -0,0 +1,8 @@
+-- Retrieves the configuration values for the Application Layer Firewall for OSX.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+-- version: 1.4.5
+
+select * from alf;
diff --git a/incident_response/alf_exceptions.sql b/incident_response/alf_exceptions.sql
new file mode 100644
index 0000000..bf5d06e
--- /dev/null
+++ b/incident_response/alf_exceptions.sql
@@ -0,0 +1,8 @@
+-- Retrieves the exceptions for the Application Layer Firewall in OSX.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+-- version: 1.4.5
+
+select * from alf_exceptions;
diff --git a/incident_response/alf_explicit_auths.sql b/incident_response/alf_explicit_auths.sql
new file mode 100644
index 0000000..caabd04
--- /dev/null
+++ b/incident_response/alf_explicit_auths.sql
@@ -0,0 +1,8 @@
+-- Retrieves the list of processes with explicit authorization for the Application Layer Firewall.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+-- version: 1.4.5
+
+select * from alf_explicit_auths;
diff --git a/incident_response/alf_services.sql b/incident_response/alf_services.sql
new file mode 100644
index 0000000..462ecf2
--- /dev/null
+++ b/incident_response/alf_services.sql
@@ -0,0 +1,8 @@
+-- Retrieves the services for the Application Layer Firewall in OSX.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+-- version: 1.4.5
+
+select * from alf_services;
diff --git a/incident_response/app_schemes.sql b/incident_response/app_schemes.sql
new file mode 100644
index 0000000..49afaf4
--- /dev/null
+++ b/incident_response/app_schemes.sql
@@ -0,0 +1,8 @@
+-- Retrieves the list of application scheme/protocol-based IPC handlers.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Post-priori hijack detection, detect potential sensitive information leakage.
+-- version: 1.4.7
+
+select * from app_schemes;
diff --git a/incident_response/arp_cache.sql b/incident_response/arp_cache.sql
new file mode 100644
index 0000000..21010a2
--- /dev/null
+++ b/incident_response/arp_cache.sql
@@ -0,0 +1,7 @@
+-- Retrieves the ARP cache values in the target system.
+--
+-- interval: 3600
+-- value: Determine if MITM in progress.
+-- version: 1.4.5
+
+select * from arp_cache;
diff --git a/incident_response/crontab.sql b/incident_response/crontab.sql
new file mode 100644
index 0000000..72d8e6c
--- /dev/null
+++ b/incident_response/crontab.sql
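Review bot: arp_cache.sql is the only new query in this set without a `-- platform:` line; every sibling declares one. If osqtool treats a missing platform as "all platforms" that is presumably intended, since the table exists on every osquery platform, but a one-line comment saying so, e.g. `-- platform: (all)`-style text in the description, would stop a reader from assuming the line was simply forgotten; otherwise add the `platform:` line explicitly.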
@@ -0,0 +1,8 @@
+-- Retrieves all the jobs scheduled in crontab in the target system.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Identify malware that uses this persistence mechanism to launch at a given interval
+-- version: 1.4.5
+
+select * from crontab;
diff --git a/incident_response/disk_encryption.sql b/incident_response/disk_encryption.sql
new file mode 100644
index 0000000..c39e931
--- /dev/null
+++ b/incident_response/disk_encryption.sql
@@ -0,0 +1,8 @@
+-- Retrieves the current disk encryption status for the target system.
+--
+-- interval: 86400
+-- platform: posix
+-- value: Identifies a system potentially vulnerable to disk cloning.
+-- version: 1.4.5
+
+select * from disk_encryption;
diff --git a/incident_response/etc_hosts.sql b/incident_response/etc_hosts.sql
new file mode 100644
index 0000000..c3970c8
--- /dev/null
+++ b/incident_response/etc_hosts.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the entries in the target system /etc/hosts file.
+--
+-- interval: 86400
+-- platform: posix
+-- value: Identify network communications that are being redirected. Example: identify if security logging has been disabled
+-- version: 1.4.5
+
+select * from etc_hosts;
diff --git a/response/execution/process_events.sql b/incident_response/execution/process_events.sql
similarity index 100%
rename from response/execution/process_events.sql
rename to incident_response/execution/process_events.sql
diff --git a/incident_response/installed_applications.sql b/incident_response/installed_applications.sql
new file mode 100644
index 0000000..33a34c0
--- /dev/null
+++ b/incident_response/installed_applications.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the currently installed applications in the target OSX system.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Identify malware, adware, or vulnerable packages that are installed as an application.
+-- version: 1.4.5
+
+select * from apps;
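Review bot: `incident_response/crontab.sql` is added in the same commit that renames `response/persistence/crontab.sql` to `incident_response/persistence/crontab.sql`, and `launchd.sql` gets the same treatment, so the pack directory now holds two files with the same basename in each case. If osqtool derives the query name from the file name, one of the pair silently overwrites the other in `out/odk-incident_response.conf`; confirm the naming rule, or keep only the `persistence/` copy and drop the flat one. The `value:` line here (`launch at a given interval`) is the accurate one for cron, so if the flat copy stays, make sure the two do not drift apart.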
diff --git a/incident_response/ip_forwarding.sql b/incident_response/ip_forwarding.sql
new file mode 100644
index 0000000..2c70d8e
--- /dev/null
+++ b/incident_response/ip_forwarding.sql
@@ -0,0 +1,8 @@
+-- Retrieves the current status of IP/IPv6 forwarding.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Identify if a machine is being used as relay.
+-- version: 1.4.5
+
+select * from system_controls where oid = '4.30.41.1' union select * from system_controls where oid = '4.2.0.1';
diff --git a/incident_response/iptables.sql b/incident_response/iptables.sql
new file mode 100644
index 0000000..309a46f
--- /dev/null
+++ b/incident_response/iptables.sql
@@ -0,0 +1,8 @@
+-- Retrieves the current filters and chains per filter in the target system.
+--
+-- interval: 3600
+-- platform: linux
+-- value: Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans
+-- version: 1.4.5
+
+select * from iptables;
diff --git a/incident_response/kernel_modules.sql b/incident_response/kernel_modules.sql
new file mode 100644
index 0000000..9a136d0
--- /dev/null
+++ b/incident_response/kernel_modules.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the information for the current kernel modules in the target Linux system.
+--
+-- interval: 3600
+-- platform: linux
+-- value: Identify malware that has a kernel module component.
+-- version: 1.4.5
+
+select * from kernel_modules;
diff --git a/incident_response/kextstat.sql b/incident_response/kextstat.sql
new file mode 100644
index 0000000..061f746
--- /dev/null
+++ b/incident_response/kextstat.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the information about the current kernel extensions for the target OSX system.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Identify malware that has a kernel extension component.
+-- version: 1.4.5
+
+select * from kernel_extensions;
diff --git a/incident_response/last.sql b/incident_response/last.sql
new file mode 100644
index 0000000..c661fb3
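Review bot: The `union` in ip_forwarding.sql forces a sort-and-dedup over two rows that can never collide; `union all`, or simply one predicate, `select * from system_controls where oid in ('4.30.41.1', '4.2.0.1');`, says what is meant. Numeric sysctl OIDs are a BSD/darwin concept while the file is tagged `platform: posix`, so whether the `oid` column is populated on Linux is worth confirming; filtering on `name` (`net.inet.ip.forwarding` on darwin, `net.ipv4.ip_forward` on Linux) would be portable across both. The description promises IP and IPv6 status but nothing says which OID is which, so a comment above the query naming the sysctl behind each value would help the next reader.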
--- /dev/null
+++ b/incident_response/last.sql
@@ -0,0 +1,8 @@
+-- Retrieves the list of the latest logins with PID, username and timestamp.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
+-- version: 1.4.5
+
+select * from last;
diff --git a/incident_response/launchd.sql b/incident_response/launchd.sql
new file mode 100644
index 0000000..01cc02b
--- /dev/null
+++ b/incident_response/launchd.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the daemons that will run in the start of the target OSX system.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Identify malware that uses this persistence mechanism to launch at system boot
+-- version: 1.4.5
+
+select * from launchd;
diff --git a/incident_response/listening_ports.sql b/incident_response/listening_ports.sql
new file mode 100644
index 0000000..9f12913
--- /dev/null
+++ b/incident_response/listening_ports.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the listening ports in the target system.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Detect if a listening port iis not mapped to a known process. Find backdoors.
+-- version: 1.4.5
+
+select * from listening_ports;
diff --git a/incident_response/logged_in_users.sql b/incident_response/logged_in_users.sql
new file mode 100644
index 0000000..2a392d5
--- /dev/null
+++ b/incident_response/logged_in_users.sql
@@ -0,0 +1,8 @@
+-- Retrieves the list of all the currently logged in users in the target system.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Useful for intrusion detection and incident response. Verify assumptions of what accounts should be accessing what systems and identify machines accessed during a compromise.
+-- version: 1.4.5
+
+select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;
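Review bot: The `value:` line of listening_ports.sql reads `a listening port iis not mapped`; it should be `-- value: Detect if a listening port is not mapped to a known process. Find backdoors.`. Since osqtool presumably copies this text into the generated pack's value field, the typo would otherwise surface in `out/odk-incident_response.conf` and in whatever consumes it.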
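Review bot: logged_in_users.sql joins with a comma join, `from logged_in_users liu, processes p where liu.pid = p.pid`, which is an inner join: any session whose pid has no row in `processes` — a pid of 0, or a session whose process has already exited — drops out of the result, and those are precisely the rows an incident responder wants to see. An explicit outer join keeps every session and leaves the process columns NULL when there is no match: `select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu left join processes p on p.pid = liu.pid;`. A one-line comment stating that the process columns are best-effort enrichment would then document the NULLs.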
diff --git a/incident_response/loginwindow1.sql b/incident_response/loginwindow1.sql
new file mode 100644
index 0000000..932b6ab
--- /dev/null
+++ b/incident_response/loginwindow1.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the values for the loginwindow process in the target OSX system.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Identify malware that uses this persistence mechanism to launch at system boot
+-- version: 1.4.5
+
+select key, subkey, value from plist where path = '/Library/Preferences/com.apple.loginwindow.plist';
diff --git a/incident_response/loginwindow2.sql b/incident_response/loginwindow2.sql
new file mode 100644
index 0000000..490d8cc
--- /dev/null
+++ b/incident_response/loginwindow2.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the values for the loginwindow process in the target OSX system.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Identify malware that uses this persistence mechanism to launch at system boot
+-- version: 1.4.5
+
+select key, subkey, value from plist where path = '/Library/Preferences/loginwindow.plist';
diff --git a/incident_response/loginwindow3.sql b/incident_response/loginwindow3.sql
new file mode 100644
index 0000000..50b63dc
--- /dev/null
+++ b/incident_response/loginwindow3.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the values for the loginwindow process in the target OSX system.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Identify malware that uses this persistence mechanism to launch at system boot
+-- version: 1.4.5
+
+select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';
diff --git a/incident_response/loginwindow4.sql b/incident_response/loginwindow4.sql
new file mode 100644
index 0000000..a080aa1
--- /dev/null
+++ b/incident_response/loginwindow4.sql
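Review bot: loginwindow3.sql joins `plist` to a derived `users` table with a comma join, so the join predicate sits in the `where` clause and the `select *` inside the subquery pulls every `users` column only to use `directory`; loginwindow4.sql and recent_items.sql have the same shape. An explicit join with the path built in `ON` reads as what it is: `select u.username, p.key, p.subkey, p.value from users u join plist p on p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist' where u.directory like '/Users/%';`. The four loginwindow*.sql files differ only in the plist path and share one description, so if the plist table accepts a `path in (...)` list a single query would be easier to keep consistent; at minimum each file's first comment line should name the specific plist it reads.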
@@ -0,0 +1,8 @@
+-- Retrieves all the values for the loginwindow process in the target OSX system.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Identify malware that uses this persistence mechanism to launch at system boot
+-- version: 1.4.5
+
+select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';
diff --git a/incident_response/mounts.sql b/incident_response/mounts.sql
new file mode 100644
index 0000000..438b19c
--- /dev/null
+++ b/incident_response/mounts.sql
@@ -0,0 +1,8 @@
+-- Retrieves the current list of mounted drives in the target system.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
+-- version: 1.4.5
+
+select * from mounts;
diff --git a/incident_response/nfs_shares.sql b/incident_response/nfs_shares.sql
new file mode 100644
index 0000000..44f1f20
--- /dev/null
+++ b/incident_response/nfs_shares.sql
@@ -0,0 +1,8 @@
+-- Retrieves the current list of Network File System mounted shares.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Scope for lateral movement. Potential exfiltration locations. Potential dormant backdoors.
+-- version: 1.4.5
+
+select * from nfs_shares;
diff --git a/incident_response/open_files.sql b/incident_response/open_files.sql
new file mode 100644
index 0000000..fbe7fd0
--- /dev/null
+++ b/incident_response/open_files.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the open files per process in the target system.
+--
+-- interval: 86400
+-- platform: posix
+-- value: Identify processes accessing sensitive files they shouldn't
+-- version: 1.4.5
+
+select distinct pid, path from process_open_files where path not like '/private/var/folders%' and path not like '/System/Library/%' and path not in ('/dev/null', '/dev/urandom', '/dev/random');
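Review bot: The exclusions in open_files.sql (`/private/var/folders%`, `/System/Library/%`) are macOS paths while the file is tagged `platform: posix`, so on Linux hosts they filter nothing and the query ships every open file of every process once a day. Either narrow the platform to `darwin` or add Linux-side exclusions, and put a short comment above the `where` saying why those two trees are dropped (noise from per-user temp and system frameworks, presumably) so the list can be maintained without guessing.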
diff --git a/incident_response/open_sockets.sql b/incident_response/open_sockets.sql
new file mode 100644
index 0000000..ecfbce4
--- /dev/null
+++ b/incident_response/open_sockets.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the open sockets per process in the target system.
+--
+-- interval: 86400
+-- platform: posix
+-- value: Identify malware via connections to known bad IP addresses as well as odd local or remote port bindings
+-- version: 1.4.5
+
+select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';
diff --git a/response/persistence/crontab.sql b/incident_response/persistence/crontab.sql
similarity index 100%
rename from response/persistence/crontab.sql
rename to incident_response/persistence/crontab.sql
diff --git a/response/persistence/launchd.sql b/incident_response/persistence/launchd.sql
similarity index 100%
rename from response/persistence/launchd.sql
rename to incident_response/persistence/launchd.sql
diff --git a/incident_response/process_env.sql b/incident_response/process_env.sql
new file mode 100644
index 0000000..029808a
--- /dev/null
+++ b/incident_response/process_env.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the environment variables per process in the target system.
+--
+-- interval: 86400
+-- platform: posix
+-- value: Insight into the process data: Where was it started from, was it preloaded...
+-- version: 1.4.5
+
+select * from process_envs;
diff --git a/incident_response/process_memory.sql b/incident_response/process_memory.sql
new file mode 100644
index 0000000..55d4e66
--- /dev/null
+++ b/incident_response/process_memory.sql
@@ -0,0 +1,8 @@
+-- Retrieves the memory map per process in the target Linux system.
+--
+-- interval: 86400
+-- platform: linux
+-- value: Ability to compare with known good. Identify mapped regions corresponding with or containing injected code.
+-- version: 1.4.5
+
+select * from process_memory_map;
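Review bot: process_env.sql collects every environment variable of every process with `select * from process_envs`, and process environments routinely carry credentials (cloud keys, tokens, passwords handed over through the environment), so as written the pack forwards all of them to the logging pipeline once a day. The `value:` line asks only for provenance — where a process was started from and whether it was preloaded — which an allow-list answers without the secrets: `select pid, key, value from process_envs where key in ('PATH', 'LD_PRELOAD', 'DYLD_INSERT_LIBRARIES');`, extended with whatever else the team relies on. If the full capture is intentional, the comment block should say the output is sensitive so operators can route and retain it accordingly.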
diff --git a/incident_response/ramdisk.sql b/incident_response/ramdisk.sql
new file mode 100644
index 0000000..db573da
--- /dev/null
+++ b/incident_response/ramdisk.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the ramdisk currently mounted in the target system.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Identify if an attacker is using temporary, memory storage to avoid touching disk for anti-forensics purposes
+-- version: 1.4.5
+
+select * from block_devices where type = 'Virtual Interface';
diff --git a/incident_response/recent_items.sql b/incident_response/recent_items.sql
new file mode 100644
index 0000000..f50c6ab
--- /dev/null
+++ b/incident_response/recent_items.sql
@@ -0,0 +1,8 @@
+-- Retrieves the list of recent items opened in OSX by parsing the plist per user.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Identify recently accessed items. Useful for compromised hosts.
+-- version: 1.4.5
+
+select username, key, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';
diff --git a/incident_response/sandboxes.sql b/incident_response/sandboxes.sql
new file mode 100644
index 0000000..a03d208
--- /dev/null
+++ b/incident_response/sandboxes.sql
@@ -0,0 +1,8 @@
+-- Lists the application bundle that owns a sandbox label.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Post-priori hijack detection, detect potential sensitive information leakage.
+-- version: 1.4.7
+
+select * from sandboxes;
diff --git a/incident_response/shell_history.sql b/incident_response/shell_history.sql
new file mode 100644
index 0000000..489f93e
--- /dev/null
+++ b/incident_response/shell_history.sql
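Review bot: ramdisk.sql filters `block_devices` on `type = 'Virtual Interface'`, a label that looks like what the darwin implementation of that table reports, while the file is tagged `platform: posix`; on Linux the query then most likely returns nothing and the promise in the `value:` line goes unfulfilled. Confirm what `type` holds on Linux for tmpfs/ramfs-backed devices or narrow the platform to `darwin`, and add a comment above the query naming where the `'Virtual Interface'` string comes from so the filter can be maintained when the table changes.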
@@ -0,0 +1,8 @@
+-- Retrieves the command history, per user, by parsing the shell history files.
+--
+-- interval: 86400
+-- platform: posix
+-- value: Identify actions taken. Useful for compromised hosts.
+-- version: 1.4.5
+
+select * from users join shell_history using (uid);
diff --git a/incident_response/startup_items.sql b/incident_response/startup_items.sql
new file mode 100644
index 0000000..ddf56cd
--- /dev/null
+++ b/incident_response/startup_items.sql
@@ -0,0 +1,8 @@
+-- Retrieve all the items that will load when the target OSX system starts.
+--
+-- interval: 86400
+-- platform: darwin
+-- value: Identify malware that uses this persistence mechanism to launch at a given interval
+-- version: 1.4.5
+
+select * from startup_items;
diff --git a/incident_response/suid_bin.sql b/incident_response/suid_bin.sql
new file mode 100644
index 0000000..06a9049
--- /dev/null
+++ b/incident_response/suid_bin.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the files in the target system that are setuid enabled.
+--
+-- interval: 3600
+-- platform: posix
+-- value: Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.
+-- version: 1.4.5
+
+select * from suid_bin;
diff --git a/incident_response/wireless_networks.sql b/incident_response/wireless_networks.sql
new file mode 100644
index 0000000..1497c77
--- /dev/null
+++ b/incident_response/wireless_networks.sql
@@ -0,0 +1,8 @@
+-- Retrieves all the remembered wireless network that the target machine has connected to.
+--
+-- interval: 3600
+-- platform: darwin
+-- value: Identifies connections to rogue access points.
+-- version: 1.6.0
+
+select ssid, network_name, security_type, last_connected, captive_portal, possibly_hidden, roaming, roaming_profile from wifi_networks;
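Review bot: `select * from users join shell_history using (uid)` in shell_history.sql returns every `users` column for every history line, so each command is shipped together with the account's shell, home directory, gid and description; `select u.username, s.history_file, s.time, s.command from users u join shell_history s using (uid);` keeps what the `value:` line needs and nothing more. The output also contains whatever was typed at a prompt, including passwords and tokens passed as command arguments, which the comment block should state so that operators can decide how this query's results are routed and retained.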
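Review bot: The `value:` line of startup_items.sql says the mechanism launches `at a given interval`, which is the crontab wording pasted into a file about items that load when the system starts. It should read `-- value: Identify malware that uses this persistence mechanism to launch at system boot`, matching launchd.sql, so the generated pack describes the query correctly.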