EDR Internals - Research and development

This hands-on workshop is designed to give cybersecurity professionals, malware researchers, and detection engineers a rare opportunity to explore how modern Endpoint Detection and Response (EDR) solutions truly work, and how to both research and build them from the ground up.

Price: Individuals & Companies

Individual participant: $1,850 USD ($1,450 USD early bird price)

Organization-sponsored employee: $2,550 USD ($2,150 USD early bird price)

Register now to get early access

Trusted by 7,348 students and companies

Logos shown: SentinelOne, Microsoft, Google, Mandiant, Intel, Cisco, Citibank, Alfa Bank, Malwarebytes, Proofpoint, EPAM

40+ hours: live training sessions

Assignments: in-class assignments

Certification: certificate of completion

EDR Internals: Research & Development course

Over the course of 40+ hours, participants will gain practical skills and a deep understanding of EDR internals, common detection methodologies, and real-world evasion techniques. The workshop is structured to offer flexibility in content flow, allowing us to adapt the delivery based on participants’ learning pace and priorities. 

The purpose of this training is not just to expose students to EDR theory but to empower them with the ability to think like an EDR developer and attacker. You’ll learn how static, dynamic, and heuristic engines operate, and then reverse engineer actual EDR components to analyze their logic and protection mechanisms. You’ll also learn how attackers craft evasive techniques to bypass such detection, and then build the components needed to detect or prevent these techniques yourself. 

Whether you start by diving into how EDRs hook APIs and syscalls, or by exploring process injection and memory bombing, each section includes live demos, guided exercises, and lab environments to reinforce the concepts in real time. The course also provides an OVA-based research lab you can use to safely test EDR behavior and bypass strategies, even after the course ends.

EDR Internals Instructors

Instructors Pavel Yosifovich and Uriel Kosayev will each bring their unique expertise — from low-level Windows internals and kernel development to advanced EDR evasion and reverse engineering.

Pavel Yosifovich

Developer, trainer, author and (sometimes) speaker. Founder of TrainSec academy.

25+ years as a software developer, trainer, consultant, author, and speaker. Co-author of “Windows Internals”. Author of “Windows Kernel Programming” and “Windows 10 System Programming”, as well as system and kernel programming courses on PentesterAcademy and the “Windows Internals” series of courses on Pluralsight.

Uriel Kosayev

Security Researcher, Trainer & Speaker | Author of the Antivirus Bypass Techniques book & founder of TrainSec

Cybersecurity researcher and red teamer who works on both the offensive and defensive fronts. Author of the books “Antivirus Bypass Techniques” and “Malware Analysis On Steroids”; expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response.

What you will learn

Prerequisites:

  • A solid understanding of Windows OS internals (processes, threads, memory, and DLLs)
  • Familiarity with x86/x64 assembly language and low-level system concepts
  • Basic experience with reverse engineering (e.g., using tools like IDA, x64dbg, or Ghidra)
  • Knowledge of malware analysis techniques and common attacker behaviors
  • Comfort working with command-line tools and scripting (e.g., PowerShell, Python, or C/C++)
  • Prior exposure to kernel-mode development or driver analysis is recommended (but not mandatory)
  • A strong desire to learn offensive and defensive security concepts at a low level

EDR Internals: Research & Development course contents

Endpoint Detection and Response (EDR) solutions are a core layer of defense in modern enterprise environments. As cyber threats continue to evolve, understanding how EDR systems operate — and how adversaries bypass them — has become essential for both red and blue team professionals. This course offers a comprehensive path into the world of EDR internals, providing the technical depth required to dissect, analyze, and build detection capabilities at both user-mode and kernel-mode levels.

From unpacking the inner workings of commercial EDR engines to building your own detection logic against advanced threats, this training empowers participants to think critically and creatively about endpoint defense. The content bridges the gap between malware reverse engineering, low-level Windows internals, and kernel driver development — all delivered through practical, real-world labs and research-focused exercises.

Whether you’re defending infrastructure, researching detection bypasses, or engineering the next generation of security tools, this course provides the essential skills to navigate and master the world of EDR.

EDR Foundations & Architectural Principles

  • EDR vs. EPP / Antivirus
  • EDR Architecture
  • EDR Detection Techniques
  • Static Engine
  • Dynamic Engine
  • Heuristic Engine

Reverse-Engineering the Defenses: Hands-On EDR Research Lab

  • Research Methodology & Tips
  • Deploying an EDR Research Lab (Provided OVA)
  • Lead Gathering
  • Checking the Exclusions List
  • Testing EDR Self-Protection Mechanisms
  • Process Tokens & File Permissions
  • EDR Persistence Mechanisms
  • Reverse Engineering an EDR Component

Offensive Tradecraft: Modern EDR Bypass & Evasion Techniques

  • FUD Malware vs. Targeted EDR Bypass
  • Rename Obfuscation
  • Control-Flow Obfuscation
  • IAT & API Hashing
  • String Encryption
  • Process Injection
  • Timestomping
  • Memory Bombing

Designing the Core: Building User- and Kernel-Mode EDR Components

  • EDR Component Design
  • API and Syscall Hooking
  • Leveraging ETW (Event Tracing for Windows)
  • User & Kernel Mode Components

Kernel Driver Engineering for Endpoint Visibility & Control

  • Process and Thread Callbacks
  • Registry Callbacks
  • Other Callback Mechanisms
  • File System Minifilters
  • Additional Techniques
  • User-Kernel Communication

Detection Engineering: Implementing High-Fidelity Threat Analytics

  • Remote Thread Injection Detection
  • Ransomware Detection
  • Real-World Detection Implementation Lab
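To make the first of these analytics concrete, here is an added example that is not part of the course or its lab material. It replays thread-creation events of the kind a kernel thread-creation callback (such as one registered with PsSetCreateThreadNotifyRoutine) sees: that callback runs in the context of the creating thread, so the creator process is simply the current process and the target process is the notification argument. The analytic flags cross-process thread creation, exempts the two benign cases a naive check would trip over (the parent creating a new child's first thread, and threads originating from the System process), and raises severity when the start address is not backed by any mapped image. The event field names, the image-map format and all PIDs and addresses are constructed for this example and are not from the page.

```python
"""Toy remote-thread-injection analytic over constructed thread-creation events.

Added example, not course material. Field names, image layout and sample
PIDs/addresses are assumptions made up for this demonstration.
"""
from dataclasses import dataclass, field

SYSTEM_PID = 4  # Windows "System" process; its threads are treated as trusted here


@dataclass(frozen=True)
class ThreadEvent:
    creator_pid: int     # process in whose context the callback ran
    target_pid: int      # process that received the new thread
    tid: int
    start_address: int
    create: bool = True  # False would be a thread-exit notification


@dataclass
class ProcessState:
    pid: int
    images: list = field(default_factory=list)  # (base, size, name) of mapped images
    thread_count: int = 0


def start_in_image(state, address):
    """Return the name of the mapped image containing address, or None."""
    for base, size, name in state.images:
        if base <= address < base + size:
            return name
    return None


def analyze(events, processes):
    """Replay events in order and return a list of alert dicts.

    Thread counts are tracked per process so the first thread of a freshly
    created process (created by its parent) is not mistaken for injection.
    """
    alerts = []
    for ev in events:
        target = processes.get(ev.target_pid)
        if target is None or not ev.create:
            continue
        is_first_thread = target.thread_count == 0
        target.thread_count += 1
        if ev.creator_pid == ev.target_pid:
            continue  # thread created locally: normal behaviour
        if ev.creator_pid == SYSTEM_PID:
            continue  # kernel-originated thread, trusted in this toy model
        if is_first_thread:
            continue  # parent creating the initial thread of its child: benign
        image = start_in_image(target, ev.start_address)
        alerts.append({
            "tid": ev.tid,
            "creator_pid": ev.creator_pid,
            "target_pid": ev.target_pid,
            "start_address": ev.start_address,
            "start_image": image,
            # no backing image (e.g. private RWX memory) is the stronger signal
            "severity": "high" if image is None else "medium",
        })
    return alerts


def run_sample():
    """Constructed scenario: explorer launches notepad, then an injector targets it."""
    notepad = ProcessState(5678, images=[
        (0x7FF6_0000_0000, 0x40000, "notepad.exe"),
        (0x7FF8_1000_0000, 0x200000, "ntdll.dll"),
        (0x7FF8_0C00_0000, 0xC0000, "kernel32.dll"),
    ])
    processes = {1234: ProcessState(1234), 9999: ProcessState(9999), 5678: notepad}
    events = [
        ThreadEvent(1234, 5678, 100, 0x7FF6_0000_1A00),  # parent creates first thread
        ThreadEvent(5678, 5678, 101, 0x7FF6_0000_2B00),  # local worker thread
        ThreadEvent(9999, 5678, 102, 0x0000_0000_001F_0000),  # start in private memory
        ThreadEvent(9999, 5678, 103, 0x7FF8_0C02_0000),  # start at kernel32 export
        ThreadEvent(SYSTEM_PID, 5678, 104, 0x7FF8_1001_0000),  # kernel-originated
    ]
    return analyze(events, processes)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample yields two alerts for the injector (PID 9999): a high-severity one for the thread starting in unbacked memory and a medium-severity one for the thread starting inside kernel32.dll, the pattern of a classic CreateRemoteThread-plus-LoadLibrary injection. A production analytic would additionally consult the memory protection and allocation type of the start page and the identity of the creator, but the exemption logic above is the part that most often separates a usable detector from one that fires on every process launch.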

Not ready to enroll yet?

Gain insider knowledge for free: subscribe to updates from the TrainSec Knowledge Library. Immerse yourself in cutting-edge cybersecurity knowledge from industry insiders, with access to reliable research insights, a practice-driven learning hub, and updates on the latest cybersecurity trends.