This module establishes the core technical foundations required for understanding, analyzing, and developing Endpoint Detection and Response systems. Students begin by exploring what EDR solutions are designed to detect, how they are architected, and the role of static, dynamic and heuristic engines. The module breaks down how modern enterprise security products evaluate files, monitor behavior, classify suspicious activity, generate alerts and enforce protection logic.
Students learn the structure of Microsoft Defender for Endpoint (MDE) as a representative enterprise EDR, including the components responsible for scanning, behavioral monitoring, real-time analysis, and heuristic correlation, and how the system maps detection events to the MITRE ATT&CK framework. The module also guides students through navigating the MDE portal and understanding alerts, incidents, device views, and execution artifacts.
A significant part of the module introduces students to the Windows internals knowledge required to understand detection logic and telemetry sources. This includes Windows architecture, processes and threads, handles, virtual memory, the registry, services, x64 architecture and assembly, the x64 Windows calling convention, driver fundamentals, and Event Tracing for Windows (ETW). These building blocks form the base for analyzing EDR behavior, simulating malicious techniques, and later developing custom detections or bypasses.
By the end of this module, students will understand how EDR engines function, what telemetry they use, how detections are structured, and how Windows internals concepts relate to EDR visibility. Students will also configure and explore the MDE console, review scan processes, and write an initial custom detection rule.
In this module, students will move from conceptual understanding into structured, hands on EDR research. Students will learn how to design and execute EDR research using a repeatable methodology, prepare clean research environments, gather meaningful telemetry, and analyze real EDR implementations. The module combines OpenEDR and Microsoft Defender for Endpoint (MDE) to demonstrate differences in maturity, protection mechanisms, and telemetry pipelines, and introduces foundational EDR component reverse engineering techniques.
Students will learn how the “development side” of an EDR is structured, with emphasis on Windows services and drivers as core building blocks, how they are configured and operated, and what practical engineering guidelines matter when writing user-mode EDR components.
In this module, students will begin hands-on kernel-mode development with a focus on building the foundational knowledge required to understand and implement EDR kernel components. Students will learn core Windows kernel programming concepts, memory management, object handling, driver structure, and communication between kernel-mode drivers and user-mode clients. The module incrementally builds from low-level primitives to a complete, testable driver, emphasizing correctness, stability, and security.
In this module, students will deepen their understanding of I/O Request Packets (IRPs) as the core mechanism used by Windows drivers to receive requests and communicate with user-mode clients. Students will learn how dispatch routines are structured and invoked, how to reason about execution context when handling requests, and how to access user-mode buffers safely from kernel mode. The module then shifts to the most common EDR-style communication path: DeviceIoControl and IOCTL-style requests, including how the buffer method encoded in each control code (buffered, direct, or neither) determines how data moves between user mode and the driver.
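The following is an added example, not course material or code from any EDR product: it encodes and decodes IOCTL control codes in portable C so the CTL_CODE bit layout, and the buffer method it selects, can be studied without the WDK. The constants carry the values the WDK headers define; the device and function numbers in `main` are made up for a hypothetical control device, and `ioctl_buffers` summarizes where a dispatch routine finds the caller's buffers for each transfer type.

```c
/*
 * Added example, not course code: encode and decode Windows IOCTL control
 * codes in portable C so the CTL_CODE layout and the buffer method it selects
 * can be studied without the WDK. Bit layout (public CTL_CODE macro):
 *   bits 31..16 DeviceType, bits 15..14 RequiredAccess,
 *   bits 13..2  Function,   bits  1..0  TransferType (buffer method).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants with the values the WDK headers define. */
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2
#define FILE_DEVICE_UNKNOWN 0x22   /* the usual choice for a software-only device */

struct ioctl_fields { uint32_t device_type, access, function, method; };

/* Same expression as the WDK CTL_CODE macro. */
uint32_t ctl_code(uint32_t device_type, uint32_t function,
                  uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;
    return f;
}

/* Function codes below 0x800 are reserved by Microsoft; vendors use 0x800 and up. */
int is_custom_function(uint32_t code)
{
    return decode_ioctl(code).function >= 0x800;
}

/*
 * Where the driver finds the caller's buffers for each transfer type. Field
 * names are those of the IRP and IO_STACK_LOCATION the dispatch routine sees.
 */
const char *ioctl_buffers(uint32_t method)
{
    switch (method) {
    case METHOD_BUFFERED:
        return "input and output share Irp->AssociatedIrp.SystemBuffer; "
               "the I/O manager copies in before and out after dispatch";
    case METHOD_IN_DIRECT:
        return "input in SystemBuffer; second buffer locked and described by "
               "Irp->MdlAddress, which the driver reads via a system mapping";
    case METHOD_OUT_DIRECT:
        return "input in SystemBuffer; output buffer locked and described by "
               "Irp->MdlAddress, which the driver writes through the MDL mapping";
    case METHOD_NEITHER:
        return "raw user pointers: Parameters.DeviceIoControl.Type3InputBuffer "
               "and Irp->UserBuffer; must ProbeForRead/ProbeForWrite inside "
               "__try and only touch them in the requestor's context";
    default:
        return "invalid";
    }
}

int main(void)
{
    /* Constructed sample codes for a hypothetical EDR control device. */
    uint32_t codes[] = {
        ctl_code(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED,   FILE_ANY_ACCESS),
        ctl_code(FILE_DEVICE_UNKNOWN, 0x801, METHOD_OUT_DIRECT, FILE_READ_ACCESS | FILE_WRITE_ACCESS),
        ctl_code(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER,    FILE_ANY_ACCESS),
    };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%06X: device=0x%X function=0x%X access=%u method=%u custom=%d\n  %s\n",
               codes[i], f.device_type, f.function, f.access, f.method,
               is_custom_function(codes[i]), ioctl_buffers(f.method));
    }
    return 0;
}
```

Decoding codes this way is the first step when an unfamiliar control code shows up in a trace: the low two bits tell you immediately whether the driver is handling raw user pointers (METHOD_NEITHER), which is where the probing and exception-handling discipline taught in this module matters most.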
Students will learn the “core mechanics” of an EDR kernel driver: collecting telemetry via kernel callbacks (process, thread, image load, object, and registry), correlating events with driver-maintained state, and coordinating decisions with user mode when analysis should not live in the kernel. Students will also learn the synchronization primitives needed to build safe, high-performance callback code paths that run system-wide.
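As an added example (not the course's driver code), the block below models in portable C the two pieces of driver-maintained state the paragraph describes: a process table that later image-load events are correlated against, and a bounded queue that hands events to a user-mode agent instead of analyzing them in the callback. In a real driver the two handlers would be registered with PsSetCreateProcessNotifyRoutineEx and PsSetLoadImageNotifyRoutine; here a constructed event stream drives them, and `lock_acquire`/`lock_release` are stand-ins for the spin lock or push lock that would guard the table. The PIDs and paths are made up.

```c
/*
 * Added example, not the course's driver: a portable model of the state an EDR
 * driver keeps to attribute later events, and of the queue it uses to hand events
 * to user mode instead of analyzing them in the callback. In a driver, on_process_notify
 * would be registered via PsSetCreateProcessNotifyRoutineEx and on_image_load via
 * PsSetLoadImageNotifyRoutine; a constructed event stream drives them here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 64
#define PATH_LEN  96
#define QUEUE_LEN 8   /* deliberately small so the overflow path is exercised */
enum { EV_CREATE = 1, EV_EXIT = 2, EV_IMAGE = 3 };
struct proc_entry { bool in_use; uint32_t pid, ppid, image_loads; char image[PATH_LEN]; };
struct event_rec  { uint8_t kind; uint32_t pid, ppid; char path[PATH_LEN]; };

static struct proc_entry g_procs[MAX_PROCS];
static struct event_rec  g_queue[QUEUE_LEN];
static uint32_t g_q_head, g_q_count, g_q_dropped, g_orphan_loads;
static int g_lock_depth;   /* stands in for the KSPIN_LOCK / EX_PUSH_LOCK guarding the table */
static void lock_acquire(void) { g_lock_depth++; }
static void lock_release(void) { g_lock_depth--; }

static struct proc_entry *find_locked(uint32_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (g_procs[i].in_use && g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* A callback must not block: when the queue is full, count the drop and return. */
static void enqueue_locked(uint8_t kind, uint32_t pid, uint32_t ppid, const char *path) {
    if (g_q_count == QUEUE_LEN) { g_q_dropped++; return; }
    struct event_rec *r = &g_queue[(g_q_head + g_q_count++) % QUEUE_LEN];
    r->kind = kind; r->pid = pid; r->ppid = ppid;
    snprintf(r->path, PATH_LEN, "%s", path ? path : "");
}

/* create == true models a non-NULL PPS_CREATE_NOTIFY_INFO; false is process exit. */
void on_process_notify(uint32_t pid, uint32_t ppid, const char *image, bool create) {
    lock_acquire();
    struct proc_entry *e = find_locked(pid);   /* non-NULL on create means PID reuse */
    if (create) {
        for (int i = 0; !e && i < MAX_PROCS; i++)
            if (!g_procs[i].in_use) e = &g_procs[i];
        if (e) {
            e->in_use = true; e->pid = pid; e->ppid = ppid; e->image_loads = 0;
            snprintf(e->image, PATH_LEN, "%s", image ? image : "");
        }
        enqueue_locked(EV_CREATE, pid, ppid, image);
    } else {
        if (e) e->in_use = false;
        enqueue_locked(EV_EXIT, pid, 0, NULL);
    }
    lock_release();
}

/* ProcessId 0 is a driver image: system-wide, not attributable to a process. */
void on_image_load(uint32_t pid, const char *path) {
    if (pid == 0) return;
    lock_acquire();
    struct proc_entry *e = find_locked(pid);
    if (e) e->image_loads++;
    else   g_orphan_loads++;   /* process predates the driver, or has already exited */
    enqueue_locked(EV_IMAGE, pid, e ? e->ppid : 0, path);
    lock_release();
}

/* Drain for the user-mode agent: what the IOCTL handler would copy to its buffer. */
uint32_t dequeue_events(struct event_rec *out, uint32_t max) {
    uint32_t n = 0;
    lock_acquire();
    for (; n < max && g_q_count; g_q_count--, g_q_head = (g_q_head + 1) % QUEUE_LEN)
        out[n++] = g_queue[g_q_head];
    lock_release();
    return n;
}

/* Copy out the tracked entry for pid; false if the driver never saw it or it exited. */
bool lookup_process(uint32_t pid, struct proc_entry *out) {
    lock_acquire();
    struct proc_entry *e = find_locked(pid);
    if (e) *out = *e;
    lock_release();
    return e != NULL;
}
uint32_t orphan_image_loads(void) { return g_orphan_loads; }
uint32_t dropped_events(void)     { return g_q_dropped; }

int main(void) {
    /* Constructed event stream; PIDs and paths are made up. */
    on_process_notify(1234, 4, "\\SystemRoot\\System32\\svchost.exe", true);
    on_image_load(1234, "\\SystemRoot\\System32\\ntdll.dll");
    on_image_load(9999, "\\SystemRoot\\System32\\kernel32.dll");   /* 9999 started before the driver */
    on_process_notify(1234, 0, NULL, false);
    on_process_notify(1234, 5678, "\\Windows\\System32\\cmd.exe", true);   /* PID reuse */
    struct event_rec evs[QUEUE_LEN];
    uint32_t n = dequeue_events(evs, QUEUE_LEN);
    for (uint32_t i = 0; i < n; i++)
        printf("kind=%u pid=%u ppid=%u %s\n", (unsigned)evs[i].kind, evs[i].pid, evs[i].ppid, evs[i].path);
    printf("orphan loads=%u dropped=%u\n", orphan_image_loads(), dropped_events());
    return 0;
}
```

Two edge cases the model handles deliberately: image loads for a PID the driver never saw created (the process predates the driver, or the load arrives after exit) are counted as orphans rather than silently attributed, and PID reuse replaces the stale entry instead of accumulating history on the wrong process. A production driver would also enumerate existing processes at load time to shrink the orphan window.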
In this module, students will learn how file system mini-filters are used as a core visibility and enforcement mechanism in Endpoint Detection and Response systems. Students will understand why mini-filters are essential for monitoring file system activity, how they integrate into the Windows I/O stack, and what types of file operations are observable through them. The module introduces mini-filter architecture, registration and attachment concepts, and demonstrates how mini-filters can be used to collect security-relevant telemetry for detection and response. Students will also learn how file system behavior, such as alternate data streams and file access patterns, can be leveraged by attackers and detected by EDR solutions using mini-filters.
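The block below is an added example, not course material or any product's code. It takes a file name of the form a mini-filter resolves in a pre-create callback (the device-style path that FltGetFileNameInformation returns, whose Stream component FltParseFileNameInformation isolates), splits off the NTFS stream suffix, and classifies the stream so the filter can decide whether the operation deserves telemetry. The parsing is done on a plain string here so it runs outside the kernel; the sample paths are constructed, and the classification rule (treat Zone.Identifier as the benign Mark-of-the-Web stream, flag other named $DATA streams) is one reasonable policy, not a standard.

```c
/*
 * Added example, not course material: split the stream suffix out of a file
 * name as a mini-filter would see it in FLT_FILE_NAME_INFORMATION (the Stream
 * component that FltParseFileNameInformation isolates), then classify the
 * stream so an EDR can decide whether a create/write is worth telemetry.
 * NTFS names a stream as <file>:<stream name>:<stream type>; the unnamed data
 * stream is "::$DATA" and an omitted type means $DATA.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 128

enum stream_class {
    STREAM_DEFAULT,      /* unnamed $DATA stream: ordinary file content */
    STREAM_MOTW,         /* Zone.Identifier: Mark-of-the-Web, written by browsers/mail clients */
    STREAM_NAMED_DATA,   /* other named $DATA stream: classic ADS hiding place */
    STREAM_NON_DATA      /* $INDEX_ALLOCATION, $BITMAP, ...: file-system metadata */
};

struct stream_info {
    char file[NAME_LEN];    /* final path component without the stream suffix */
    char stream[NAME_LEN];  /* stream name, empty for the unnamed stream */
    char type[NAME_LEN];    /* stream type, defaulting to $DATA */
};

/* NTFS stream names are case-insensitive, so compare accordingly. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static void copy_n(char *dst, const char *src, size_t n) {
    if (n >= NAME_LEN) n = NAME_LEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse a device-style path such as \Device\HarddiskVolume3\dir\f.txt:s:$DATA. */
void parse_stream_name(const char *path, struct stream_info *out) {
    const char *final = strrchr(path, '\\');
    final = final ? final + 1 : path;      /* only the final component can carry a stream */
    const char *c1 = strchr(final, ':');
    if (!c1) {                             /* plain name: unnamed $DATA stream */
        copy_n(out->file, final, strlen(final));
        out->stream[0] = '\0';
        strcpy(out->type, "$DATA");
        return;
    }
    copy_n(out->file, final, (size_t)(c1 - final));
    const char *c2 = strchr(c1 + 1, ':');
    if (c2) {
        copy_n(out->stream, c1 + 1, (size_t)(c2 - c1 - 1));
        copy_n(out->type, c2 + 1, strlen(c2 + 1));
    } else {
        copy_n(out->stream, c1 + 1, strlen(c1 + 1));
        strcpy(out->type, "$DATA");
    }
    if (out->type[0] == '\0') strcpy(out->type, "$DATA");
}

enum stream_class classify_stream(const struct stream_info *si) {
    if (!ieq(si->type, "$DATA")) return STREAM_NON_DATA;
    if (si->stream[0] == '\0')   return STREAM_DEFAULT;
    if (ieq(si->stream, "Zone.Identifier")) return STREAM_MOTW;
    return STREAM_NAMED_DATA;
}

int main(void) {
    /* Constructed names of the kind a pre-create callback would resolve. */
    const char *samples[] = {
        "\\Device\\HarddiskVolume3\\Users\\bob\\notes.txt",
        "\\Device\\HarddiskVolume3\\Users\\bob\\notes.txt::$DATA",
        "\\Device\\HarddiskVolume3\\Users\\bob\\setup.exe:Zone.Identifier:$DATA",
        "\\Device\\HarddiskVolume3\\Users\\bob\\invoice.pdf:payload.exe:$DATA",
        "\\Device\\HarddiskVolume3\\Users\\bob\\invoice.pdf:hidden",
        "\\Device\\HarddiskVolume3\\Users\\bob:$I30:$INDEX_ALLOCATION",
    };
    static const char *names[] = { "default", "mark-of-the-web", "named-ads", "non-data" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct stream_info si;
        parse_stream_name(samples[i], &si);
        printf("%-12s stream='%s' type=%s -> %s\n", si.file, si.stream, si.type,
               names[classify_stream(&si)]);
    }
    return 0;
}
```

The point for detection work is that a write to `invoice.pdf:payload.exe` and a write to `invoice.pdf` look identical to a directory listing but are distinguishable in the mini-filter, where the stream name is part of the resolved name; the classifier keeps the very common Zone.Identifier writes from drowning out the rare named streams an analyst actually wants to see.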
In this module, students will deepen their understanding of file system mini-filters by focusing on advanced behavior, real-world usage patterns, and practical considerations relevant to EDR development and research. Students will learn how mini-filters observe and interact with file system operations at different stages, how filter ordering and altitude affect visibility and enforcement, and how common file system techniques are abused by attackers. The module emphasizes how EDR solutions leverage mini-filters to detect malicious activity, handle complex file access scenarios, and balance visibility with performance and stability in production environments.
In this module, students will learn how EDR detection engines operate at a conceptual and practical level. Students will explore how telemetry collected from the operating system is transformed into detection signals, how rule-based logic differs from behavioral and heuristic approaches, and where machine learning may or may not be applicable in real EDR products. The module discusses practical detection challenges, including hooking considerations, tradeoffs between accuracy and performance, and why detection logic must be designed to operate reliably under adversarial conditions. Students will gain a realistic understanding of what modern EDR detection engines actually do, rather than idealized models.
In this module, students will examine the practical limitations of EDRs and the realities of bypass research. Students will learn why many EDR protections are constrained by stability, compatibility, and performance requirements, and how these constraints shape both defensive design and offensive research. The module discusses bypass thinking at a high level, including how attackers probe detection logic, why some protections are intentionally partial, and how research findings should be interpreted responsibly. Students will leave with a grounded perspective on EDR strengths and weaknesses, emphasizing understanding over exploitation.