Module 9: Detection Techniques

In this module, students will learn how EDR detection engines operate at both a conceptual and a practical level. Students will explore how telemetry collected from the operating system is transformed into detection signals, how rule-based logic differs from behavioral and heuristic approaches, and where machine learning is and is not applicable in real EDR products. The module discusses practical detection challenges, including hooking considerations, the tradeoffs between accuracy and performance, and why detection logic must be designed to operate reliably under adversarial conditions, where the activity being observed is produced by an attacker actively trying to evade it. Students will gain a realistic understanding of what modern EDR detection engines actually do, rather than an idealized model.