Loupe: audit-grade local log RCA for macOS
When something breaks at 2am, you have logs from 3 sources that don't agree on what happened. The web app says one thing. The database says another. The load balancer was already mad about something else. Centralizing them to a SIEM is overkill for a one-off investigation, sends data off your laptop, and costs $20–100k/year. Tailing each one in a terminal and comparing manually is the alternative everybody actually uses.
Loupe is for when you need a real RCA writeup at the end — and the audience for that writeup is going to verify your evidence.
What Loupe does
Drag your log files in. Loupe parses 8 formats out of the box (syslog RFC 3164/5424, nginx access, mac unified log, pcap, email, JSON, CSV, plaintext) and groups events into incident clusters. Apple Intelligence runs on-device to narrate what happened — one summary sentence, an archetype classification (cascade propagation, infrastructure failure, capacity exhaustion, external attack...), a hypothesis, and citations.
Every citation chip resolves to raw bytes you can tap and inspect. Three tiers, color-coded: the snippet captured at brief-build time, the live bytes from the source file, or the parsed message — whichever is available, the popover tells you which.
When you're done, hit Export. You get a folder with RCA.md, RCA.html, RCA.pdf, IODEF.xml, supporting CSVs, the per-thread investigation chain, and audit-log.json — a hash-chained record of every action in the case. An auditor on the receiving end can replay the chain and verify nothing was tampered with after export.
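How replaying a hash chain exposes tampering, as an added example that is not Loupe's code. The page does not document the audit-log.json format, so the field names (seq, action, detail, prev_hash, hash), the all-zero genesis value and the SHA-256-over-canonical-JSON scheme are assumptions, and the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's prev_hash

def entry_hash(prev_hash, seq, action, detail):
    # Canonical JSON (sorted keys, fixed separators) keeps the digest reproducible.
    body = json.dumps({"seq": seq, "action": action, "detail": detail},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, action, detail):
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "action": action, "detail": detail,
                  "prev_hash": prev, "hash": entry_hash(prev, seq, action, detail)})

def verify(chain, pinned_head=None):
    """Replay the chain from the genesis value. Returns (ok, reason)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            return False, f"entry {i}: sequence gap or reorder"
        if e["prev_hash"] != prev:
            return False, f"entry {i}: broken link to previous entry"
        if e["hash"] != entry_hash(prev, e["seq"], e["action"], e["detail"]):
            return False, f"entry {i}: content does not match its hash"
        prev = e["hash"]
    # Dropping entries from the tail leaves a valid shorter chain; only a head
    # hash recorded outside the log (a pinned value) catches that.
    if pinned_head is not None and prev != pinned_head:
        return False, "head hash differs from pinned value"
    return True, "ok"

def build_sample():
    # Constructed sample actions, not real Loupe output.
    chain = []
    append(chain, "import", "nginx-access.log")
    append(chain, "cluster", "incident cluster 1")
    append(chain, "narrate", "prompt logged")
    append(chain, "export", "RCA.md")
    return chain

if __name__ == "__main__":
    chain = build_sample()
    head = chain[-1]["hash"]
    print(verify(chain, head))             # intact chain
    chain[2]["detail"] = "prompt edited"   # edit after the fact
    print(verify(chain, head))
    print(verify(build_sample()[:3]), verify(build_sample()[:3], head))
```

The last line shows why a pinned head hash matters: a chain with its final entry removed still replays cleanly on its own and fails only against the pinned value.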
What Loupe is NOT
Loupe is not a SOC tool. It's not for L1/L2 analysts triaging 10k alerts a day — those people need automation and a SIEM. Loupe is for technical PMs running incident reviews, EMs leading postmortems, senior ICs doing root-cause analysis, and consultants delivering audit-grade writeups. People who need to reach a defensible conclusion and hand it to someone who's going to cross-examine it.
Why on-device
The Determinism Doctrine page on useloupe.tools says it plainly: every claim must resolve to bytes the reader can verify, and verifiability dies the moment your evidence touches a server you don't control. Loupe makes zero network calls. Apple Intelligence runs on the chip. Every export is hash-pinned. The narrator's prompt is logged in the audit chain.
Running codesign -d --entitlements - on the binary verifies it. No telemetry. No PCC opt-in flag. Every claim on the security page ships with a one-line shell command you can run yourself.
Why $79
Forensic-grade software. Nothing on the shelf compares at this price point: every other tool in the space is either enterprise-priced (Splunk, Datadog) or DIY (a folder of grep scripts). Pay once, every feature, free updates within v1.x. v1 → v2 upgrade pricing is published up front: $39, no surprises.
There's a 14-day free trial if you want to drag your own logs in before you decide.
Download Loupe · macOS 26+ · signed + notarized direct DMG · security recipes