I was hoping that someone who understands how Auditor works would be able to answer a few questions I have.
The Mobile Verification Toolkit is a pretty cool project that makes it possible to look for Indicators of Compromise for Pegasus and other spyware with STIX data - see the docs.
This technical overview describes how Pegasus works. What I'm wondering is what (if any) features of Pegasus would go unnoticed by Auditor - I understand that Auditor protects against firmware and OS tampering, but are there limitations to the OS tamper-evidence? Knowing these gaps would enable me to use the MVT more effectively to look for what isn't covered by Auditor.