// Comparison

Evading EDR vs The Art of Memory Forensics: Which Should You Read?

Two cybersecurity books on Malware, compared honestly: who each is for, what each does best, and which to read first.

Advanced

4/52024

The Definitive Guide to Defeating Endpoint Detection Systems

Matt Hand

A component-by-component teardown of how modern EDR sensors actually collect telemetry, and where each data source can be starved, blinded, or bypassed.

Advanced

5/52014

The Art of Memory Forensics

Detecting Malware and Threats in Windows, Linux, and Mac Memory

Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters

Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.

Read this if

Red teamers and detection engineers who want to reason about EDR from the sensor up rather than copy-pasting the bypass of the week.

Incident responders, threat hunters, and malware analysts moving past disk forensics into the place where modern attackers actually live: in memory, in transit, and unbacked by files on disk. Also the textbook for the GCFA-and-beyond DFIR career path.

Skip this if

Anyone wanting a turnkey list of working bypasses. Skip this if you don't run Windows or won't sit through the internals.

Beginners with no OS-internals background; the book assumes you know what a process, a handle, and a kernel object are. Also dated on Volatility 3 — written for 2.x — though the conceptual material translates cleanly.

Key takeaways

EDR is a collection of telemetry sources, not a monolith; evasion means knowing which source sees what.
Most durable bypasses attack the sensor's data collection, not its detection logic.
Vendor-agnostic understanding outlives any specific bypass, which vendors patch fast.

Memory is the only place where modern post-exploitation tools are guaranteed to be honest; the book makes that argument by showing what you can recover that disk cannot.
Volatility plugins are an investigative grammar — once you know the verbs, you can construct the questions; the book is the dictionary for the grammar.
Cross-OS memory forensics is one workflow with three dialects; the unified Windows/Linux/macOS coverage is the book's underrated structural choice.

How they compare

We rate The Art of Memory Forensics higher (5/5 against 4/5 for Evading EDR). For most readers, that means The Art of Memory Forensics is the primary pick and Evading EDR is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Evading EDR and The Art of Memory Forensics both cover Malware, so reading them in sequence reinforces the same material from different angles.

Keep reading

Evading EDR

→ Alternatives to Evading EDR → What to read after Evading EDR