This hands-on workshop is designed to give cybersecurity professionals, malware researchers, and detection engineers a rare opportunity to explore how modern Endpoint Detection and Response (EDR) solutions truly work and how to both research and build them from the ground up.
Over the course of 40 hours, students will gain practical skills and a deep understanding of EDR internals, common detection methodologies, and real-world evasion techniques. Instructors Pavel Yosifovich and Uriel Kosayev will each bring their unique expertise, from low-level Windows internals and kernel development to advanced EDR evasion and reverse engineering.
40 hours
on-demand video
Assignments
In class assignments
135
Articles & lessons
10+
downloadable resources
Cross-device
Access on mobile & TV
Certification
Certificate of completion
This hands-on workshop is designed to give cybersecurity professionals, malware researchers, and detection engineers a rare opportunity to explore how modern Endpoint Detection and Response (EDR) solutions truly work and how to both research and build them from the ground up.
The purpose of this training is not just to expose students to EDR theory but to empower them with the ability to think like an EDR developer and attacker. You’ll learn how static, dynamic, and heuristic engines operate, and then reverse engineer actual EDR components to analyze their logic and protection mechanisms. You’ll also learn how attackers craft evasive techniques to bypass such detection, and then build the components needed to detect or prevent these techniques yourself.
Whether you start by diving into how EDR drivers hook Syscalls or by exploring process injection and memory bombing, each section includes live demos, guided exercises, and lab environments to reinforce the concepts in real-time. The course also provides an OVA-based research lab you can use to safely test EDR behavior and bypass strategies, even after the course ends.
Instructors Pavel Yosifovich and Uriel Kosayev will each bring their unique expertise, from low-level Windows internals and kernel development to advanced EDR evasion and reverse engineering.
25+ years as Software developer, trainer, consultant, author, and speaker. Co-author of “Windows Internals”. Author of “Windows Kernel Programming”, “Windows 10 System Programming, as well as System and kernel programming courses on PentesterAcademy, and “Windows Internals” series of courses on PluralSight.
Cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques”, “Malware Analysis On Steroids” books, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response.
Endpoint Detection and Response (EDR) solutions are a core layer of defense in modern enterprise environments. As cyber threats continue to evolve, understanding how EDR systems operate and how adversaries bypass them has become essential for both red and blue team professionals. This course offers a comprehensive path into the world of EDR internals, providing the technical depth required to dissect, analyze, and build detection capabilities at both user-mode and kernel-mode levels.
From unpacking the inner workings of commercial EDR engines to building your own detection logic against advanced threats, this training empowers students to think critically and creatively about endpoint defense. The content bridges the gap between malware reverse engineering, low-level Windows internals, and kernel driver development all delivered through practical, real-world labs and research-focused exercises.
Whether you’re defending infrastructure, researching detection bypasses, or engineering the next generation of security tools, this course provides the essential skills to navigate and master the world of EDR.
This module establishes the core technical foundations required for understanding, analyzing, and developing Endpoint Detection and Response systems. Students begin by exploring what EDR solutions are designed to detect, how they are architected, and the role of static, dynamic and heuristic engines. The module breaks down how modern enterprise security products evaluate files, monitor behavior, classify suspicious activity, generate alerts and enforce protection logic.
Students learn the structure of Microsoft Defender for Endpoint as a representative enterprise EDR. This includes the components responsible for scanning, behavioral monitoring, real time analysis, heuristic correlation, and how the system maps detection events to the MITRE ATT&CK framework. The module also guides students through navigating the MDE portal, understanding alerts, incidents, device views and execution artifacts.
A significant part of the module introduces students to the Windows internals knowledge required to understand detection logic and telemetry sources. This includes Windows architecture, processes and threads, handles, virtual memory, the registry, services, x64 architecture and assembly, the Windows calling convention, driver fundamentals and Event Tracing for Windows. These building blocks form the base for analyzing EDR behavior, simulating malicious techniques, and later developing custom detections or bypasses.
By the end of this module, students will understand how EDR engines function, what telemetry they use, how detections are structured, and how Windows internals concepts relate to EDR visibility. Students will also configure and explore the MDE console, review scan processes, and write an initial custom detection rule.
In this module, students will move from conceptual understanding into structured, hands on EDR research. Students will learn how to design and execute EDR research using a repeatable methodology, prepare clean research environments, gather meaningful telemetry, and analyze real EDR implementations. The module combines OpenEDR and Microsoft Defender for Endpoint (MDE) to demonstrate differences in maturity, protection mechanisms, and telemetry pipelines, and introduces foundational EDR component reverse engineering techniques.
Students will learn how the “development side” of an EDR is structured, with emphasis on Windows services and drivers as core building blocks, how they are configured and operated, and what practical engineering guidelines matter when writing user-mode EDR components.
In this module, students will begin hands-on kernel-mode development with a focus on building the foundational knowledge required to understand and implement EDR kernel components. Students will learn core Windows kernel programming concepts, memory management, object handling, driver structure, and communication between kernel-mode drivers and user-mode clients. The module incrementally builds from low-level primitives to a complete, testable driver, emphasizing correctness, stability, and security.
In this module, students will deepen their understanding of I/O Request Packets (IRPs) as the core mechanism used by Windows drivers to receive requests and communicate with user-mode clients. Students will learn how dispatch routines are structured and invoked, how to reason about execution context when handling requests, and how to access user-mode buffers safely from kernel mode. The module then shifts to the most common EDR-style communication path: DeviceIoControl and IOCTL-style requests, including how different buffer management methods influence data flow between user mode and the driver.
Students will learn the “core mechanics” of an EDR kernel driver: collecting telemetry via kernel callbacks (process, thread, image load, object, and registry), correlating events with driver-maintained state, and coordinating decisions with user mode when analysis should not live in the kernel. Students will also learn the synchronization primitives needed to build safe, high-performance callback code paths that run system-wide.
In this module, students will learn how file system mini-filters are used as a core visibility and enforcement mechanism in Endpoint Detection and Response systems. Students will understand why mini-filters are essential for monitoring file system activity, how they integrate into the Windows I/O stack, and what types of file operations are observable through them. The module introduces mini-filter architecture, registration and attachment concepts, and demonstrates how mini-filters can be used to collect security-relevant telemetry for detection and response. Students will also learn how file system behavior, such as alternate data streams and file access patterns, can be leveraged by attackers and detected by EDR solutions using mini-filters.
This module covers real-world EDR bypass and evasion techniques through practical demonstrations and technical analysis. Students learn how modern attackers evade detection across memory, kernel, and user-mode boundaries, and how EDR solutions attempt to detect and respond to these behaviors.The module includes advanced techniques such as memory bombing, direct system calls, APC injection, and Active Directory credential dumping via the NTDS database, along with additional evasion patterns observed in active attacks. Each technique is examined to explain why it works, where detection commonly fails, and how effective EDR visibility is achieved in practice.
Students gain a clear understanding of modern evasion tradeoffs, detection limitations, and what realistic, production-grade EDR detection looks like in real environments.
In this module, students will learn how EDR detection engines operate at a conceptual and practical level. Students will explore how telemetry collected from the operating system is transformed into detection signals, how rule-based logic differs from behavioral and heuristic approaches, and where machine learning may or may not be applicable in real EDR products. The module discusses practical detection challenges, including hooking considerations, tradeoffs between accuracy and performance, and why detection logic must be designed to operate reliably under adversarial conditions. Students will gain a realistic understanding of what modern EDR detection engines actually do, rather than idealized models.
In this module, students will examine the practical limitations of EDRs and the realities of bypass research. Students will learn why many EDR protections are constrained by stability, compatibility, and performance requirements, and how these constraints shape both defensive design and offensive research. The module discusses bypass thinking at a high level, including how attackers probe detection logic, why some protections are intentionally partial, and how research findings should be interpreted responsibly. Students will leave with a grounded perspective on EDR strengths and weaknesses, emphasizing understanding over exploitation.
EDR Internals – Research & Development course with 40+ hours of hands-on training on how modern EDRs detect and defend and how to analyze, bypass, and outsmart them. Learn more inside.
Course Provider: Organization
Course Provider Name: TrainSec
Course Provider URL: https://trainsec.net/
Course Mode: Online
Course Workload: PT40H
Duration: PT40H
Course Type: Paid
Course Currency: USD
Course Price: 2100
