they usually work in kernel extensions or use https://developer.apple.com/documentation/endpointsecurity - which gives them pretty good coverage of all the processes running, and arguments etc