Module 1: EDR Fundamentals
This module establishes the core technical foundations required for understanding, analyzing, and developing Endpoint Detection and Response systems. Students begin by exploring what EDR solutions are designed to detect, how they are architected, and the role of static, dynamic and heuristic engines. The module breaks down how modern enterprise security products evaluate files, monitor behavior, classify suspicious activity, generate alerts and enforce protection logic.
Students learn the structure of Microsoft Defender for Endpoint (MDE) as a representative enterprise EDR. This includes the components responsible for scanning, behavioral monitoring, real-time analysis, and heuristic correlation, and how the system maps detection events to the MITRE ATT&CK framework. The module also guides students through navigating the MDE portal and understanding alerts, incidents, device views, and execution artifacts.
A significant part of the module introduces students to the Windows internals knowledge required to understand detection logic and telemetry sources. This includes Windows architecture, processes and threads, handles, virtual memory, the registry, services, x64 architecture and assembly, the Windows calling convention, driver fundamentals and Event Tracing for Windows. These building blocks form the base for analyzing EDR behavior, simulating malicious techniques, and later developing custom detections or bypasses.
By the end of this module, students will understand how EDR engines function, what telemetry they use, how detections are structured, and how Windows internals concepts relate to EDR visibility. Students will also configure and explore the MDE console, review scan processes, and write an initial custom detection rule.