Module 6: Kernel Notifications and Callbacks

Students will learn the “core mechanics” of an EDR kernel driver: collecting telemetry via kernel callbacks (process, thread, image load, object, and registry), correlating events with driver-maintained state, and coordinating decisions with user mode when analysis should not live in the kernel. Students will also learn the synchronization primitives needed to build safe, high-performance callback code paths that run system-wide.
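As an added illustration of the "collect, correlate, hand off" loop this module describes (this is an example written for this page, not course material and not Windows kernel code), the following portable C models an EDR driver's process and image-load callbacks as plain functions. The event shapes mirror the Windows `PsSetCreateProcessNotifyRoutineEx` and `PsSetLoadImageNotifyRoutine` callbacks, but everything here (`on_process_notify`, `on_image_load`, `drain_pending`, the table sizes, the trusted-directory list and the constructed PIDs and paths) is hypothetical and runs in user mode so it can be compiled anywhere. The driver-side state is a PID-keyed table that is retired on process exit so a reused PID cannot inherit stale counters; loads that the kernel side cannot judge (an image outside the trusted roots) are queued for a user-mode service instead of being decided in the callback, and a full queue is counted rather than silently dropped.

```c
/* Hypothetical user-mode model of an EDR driver's callback state machine.
 * Constructed example: portable C, not WDK code. In a real driver every
 * access to g_procs and g_pending would be under a lock (spin lock at
 * DISPATCH_LEVEL or a push lock at PASSIVE_LEVEL); single-threaded here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS   64
#define MAX_PENDING 16

typedef struct {
    bool     active;
    uint32_t pid;
    uint32_t parent_pid;
    char     image[128];
    unsigned image_loads;
} proc_entry;

/* Work item handed to user mode; the kernel side never blocks on the answer. */
typedef struct {
    uint32_t pid;
    char     module[128];
} verdict_request;

static proc_entry      g_procs[MAX_PROCS];        /* driver-maintained process table */
static verdict_request g_pending[MAX_PENDING];    /* kernel -> user work queue */
static size_t          g_pending_len;
static unsigned        g_dropped;                 /* queue full: counted, never silently lost */
static verdict_request g_user_buf[MAX_PENDING];   /* receive buffer on the user-mode side */

static proc_entry *find_proc(uint32_t pid) {
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (g_procs[i].active && g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* Mirrors the Ex process callback: image != NULL on create, NULL on exit. */
void on_process_notify(uint32_t pid, uint32_t parent_pid, const char *image) {
    proc_entry *e = find_proc(pid);
    if (image == NULL) {                 /* exit: retire the entry so the PID can be reused safely */
        if (e) e->active = false;
        return;
    }
    if (e == NULL) {
        for (size_t i = 0; i < MAX_PROCS && e == NULL; i++)
            if (!g_procs[i].active) e = &g_procs[i];
        if (e == NULL) return;           /* table full: degrade to not tracking, never crash */
    }
    e->active = true; e->pid = pid; e->parent_pid = parent_pid; e->image_loads = 0;
    snprintf(e->image, sizeof e->image, "%s", image);
}

/* Constructed trust roots. NT paths are case-insensitive; a real driver would
 * compare with RtlPrefixUnicodeString(..., TRUE) rather than strncmp. */
static bool is_trusted_dir(const char *path) {
    static const char *const roots[] = { "C:\\Windows\\", "C:\\Program Files\\" };
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++)
        if (strncmp(path, roots[i], strlen(roots[i])) == 0) return true;
    return false;
}

/* Mirrors the image-load callback. Returns true if the load was queued for user-mode review. */
bool on_image_load(uint32_t pid, const char *module_path) {
    proc_entry *e = find_proc(pid);
    if (e == NULL) return false;         /* no create seen (driver loaded late): cannot correlate */
    e->image_loads++;
    if (is_trusted_dir(module_path)) return false;
    if (g_pending_len == MAX_PENDING) { g_dropped++; return false; }
    verdict_request *r = &g_pending[g_pending_len++];
    r->pid = pid;
    snprintf(r->module, sizeof r->module, "%s", module_path);
    return true;
}

/* User-mode service side: pull everything pending into its own buffer. */
size_t drain_pending(verdict_request *out, size_t cap) {
    size_t n = g_pending_len < cap ? g_pending_len : cap;
    memcpy(out, g_pending, n * sizeof *out);
    memmove(g_pending, g_pending + n, (g_pending_len - n) * sizeof *out);
    g_pending_len -= n;
    return n;
}

unsigned image_loads_for(uint32_t pid) { proc_entry *e = find_proc(pid); return e ? e->image_loads : 0; }
unsigned dropped_requests(void) { return g_dropped; }
```

The shape worth copying is the split of responsibilities: the callback only updates state and enqueues, the policy question ("is this module acceptable?") is answered by the user-mode side that drains the queue, and every resource-exhaustion path (table full, queue full) is an explicit, counted degradation rather than an assumption that it cannot happen.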