Leanpub Header

Skip to main content

The Anatomy of Modern Endpoint Detection and Response

From Kernel Hooks to Zero Trust — A Security Professional's Guide

This book is 100% completeLast updated on 2026-07-03

Endpoint Detection and Response is at the core of modern cybersecurity. This book explores the technologies behind EDR, from kernel-level telemetry to threat hunting and zero-trust architectures, providing practical guidance for deploying and operating EDR at scale.

Minimum price

$19.00

$29.00

You pay

Author earns

$

Also available for 1 book credit with a Reader Membership

PDF
EPUB
About

About

About the Book

Endpoint Detection and Response has evolved from a niche category into the backbone of modern cybersecurity operations. This book dissects EDR systems from the inside out, covering kernel-level instrumentation on Windows and Linux, behavioral telemetry engineering, machine learning detection models, threat hunting methodologies, and integration with zero-trust architectures. Whether you are a SOC analyst tuning your first EDR deployment, a security architect designing an enterprise detection strategy, or a CISO evaluating platforms, this book provides the technical depth and practical guidance needed to operate EDR at scale in today's threat landscape.

Share this book

Bundle

Bundles that include this book

Author

About the Author

Steve T. Publications

Steve T. is a cybersecurity leader, researcher, and engineer with more than 20 years of experience across application security, infrastructure security, vulnerability management, software development, and secure engineering practices. Having built his career alongside the growth of the modern internet, he has worked through multiple generations of technology, evolving security threats, and changing development methodologies.

He is currently part of the advanced research organization at a leading cybersecurity company, where he focuses on emerging threats, security innovation, and the practical application of research. His work involves investigating new attack techniques, evaluating emerging technologies, conducting deep technical analysis, and helping organizations better understand and manage complex security risks.

In addition to his research responsibilities, Steve leads a team of senior engineers and subject matter experts who create technical books, training programs, and educational resources for security professionals. Through this work, he helps engineers, developers, architects, and security practitioners strengthen their skills and build more secure systems.

Steve's technical expertise spans software development, reverse engineering, web application security, penetration testing, security architecture, incident response, vulnerability research, operating system internals, and secure software development. His ability to analyze systems at both the source code and binary levels enables him to bridge the worlds of software engineering, security research, and practical defense.

Over the course of his career, Steve has worked with organizations across a wide range of industries, helping them identify, assess, and remediate security weaknesses in critical applications and infrastructure. He is recognized for combining deep technical expertise with a pragmatic approach to security, focusing on solutions that are effective, sustainable, and aligned with business goals.

Through his work in research, engineering, leadership, and education, Steve continues to contribute to the advancement of cybersecurity and the development of secure, resilient technology systems.

Contents

Table of Contents

From Kernel Hooks to Zero Trust — A Security Professional’s Guide

Introduction: Why Endpoints Matter More Than Ever

  1. What You Will Learn
  2. Who This Book Is For
  3. How to Read This Book
  4. A Note on Scope and Limitations

Chapter 1: The Endpoint Awakening

  1. The Signature Era and Its Limits
  2. When Antivirus Failed — Key Breaches That Changed Everything
  3. The Birth of EDR as a Category
  4. Why Endpoints Became the New Battleground

Chapter 2: The Modern Threat Landscape

  1. Living-off-the-Land Techniques
  2. Fileless Malware and Memory-Only Attacks
  3. Supply Chain and Initial Access Brokers
  4. The MITRE ATT&CK Framework as a Lens
  5. Ransomware Economics and Endpoint Targeting

Chapter 3: EDR Architecture Fundamentals

  1. The EDR Agent — Design and Deployment
  2. Data Collection Pipeline Architecture
  3. Cloud vs On-Premises Backend Models
  4. Performance Overhead and Resource Management
  5. Multi-Tenant and Enterprise Scale Considerations

Chapter 4: Kernel-Level Hooks and System Instrumentation

  1. Windows ETW and Sysmon — The Telemetry Backbone
  2. Linux Audit Subsystem and eBPF
  3. Kernel Callbacks and SSDT Hooking
  4. Process Injection Detection Mechanisms
  5. File System Filter Drivers

Chapter 5: Behavioral Telemetry and Signal Engineering

  1. Process and Execution Telemetry
  2. Network Connection and DNS Signals
  3. File System and Registry Activity
  4. User and Authentication Events
  5. Signal-to-Noise Ratio — The Core Challenge

Chapter 6: Rule-Based Detection and Signature Engineering

  1. YARA Rules for Endpoint Detection
  2. Sigma Rules and Normalized Detection
  3. Heuristic Analysis Engines
  4. Detection as Code Practices
  5. Tuning and Reducing False Positives

Chapter 7: Machine Learning in Endpoint Security

  1. Supervised Learning for Malware Classification
  2. Unsupervised Anomaly Detection at Scale
  3. Behavioral Scoring and Risk Models
  4. Model Training Data and Feature Engineering
  5. A Walkthrough — Building a Behavioral Anomaly Detection Model
  6. Adversarial ML — Attacking the Detector

Chapter 8: Threat Hunting Methodologies

  1. Hypothesis-Driven Threat Hunting
  2. Intelligence-Led Hunting from Indicators
  3. Data-Driven Anomaly Investigation
  4. Building a Threat Hunting Program
  5. Real-World Hunt Case Studies

Chapter 9: Incident Response and Automated Playbooks

  1. Containment Strategies — Isolate, Block, Kill
  2. Automated Response Playbooks
  3. Forensic Data Collection at the Endpoint
  4. Memory Dumping and Artifact Preservation
  5. Integration with SOAR Platforms

Chapter 10: Integration with Zero Trust Architecture

  1. Zero Trust Principles and Endpoint Posture
  2. Device Health Attestation and Conditional Access
  3. Identity-Aware Endpoint Security
  4. Microsegmentation and Lateral Movement Prevention
  5. Continuous Verification in Practice
  6. A Walkthrough — Implementing EDR-Based Conditional Access at Scale
  7. Continuous Verification in Practice (Revisited)

Chapter 11: The XDR Evolution and Beyond

  1. From EDR to XDR — Data Convergence
  2. Cloud-Native Endpoint Protection
  3. AI-Assisted Analysis and Auto-Investigation
  4. The Role of Open Source and OSSEC Modern Successors
  5. Future Trends and Emerging Capabilities

Chapter 12: Building and Operating an EDR Program

  1. Vendor Selection and Evaluation Criteria
  2. Deployment Strategies — Phased Rollout
  3. A Walkthrough — Deploying EDR at a 10,000-Endpoint Organization
  4. Tuning for Your Environment
  5. Building the SOC Team Around EDR
  6. Measuring ROI and Program Maturity

Conclusion: The Endpoint as Security Foundation

References

Get the free sample chapters

Click the buttons to get the free sample in PDF or EPUB, or read the sample online here

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $15 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub