// Comparison
Evading EDR vs Windows Security Internals: Which Should You Read?
Two cybersecurity books on Offensive, compared honestly: who each is for, what each does best, and which to read first.
A component-by-component teardown of how modern EDR sensors actually collect telemetry, and where each data source can be starved, blinded, or bypassed.
A Deep Dive into Windows Authentication, Authorization, and Auditing
James Forshaw
Forshaw takes apart the Windows security model from the SRM and access tokens up through Kerberos, with live PowerShell you can run against your own machine. The most authoritative single source on how Windows actually decides who can do what.
Read this if
Skip this if
Key takeaways
- EDR is a collection of telemetry sources, not a monolith; evasion means knowing which source sees what.
- Most durable bypasses attack the sensor's data collection, not its detection logic.
- Vendor-agnostic understanding outlives any specific bypass, which vendors patch fast.
- Windows authorization is one coherent system once you see the SRM, tokens, and security descriptors as a single pipeline.
- The author's NtObjectManager PowerShell toolkit turns abstract security theory into something you can poke at interactively.
- Most Windows privilege-escalation bugs come from misunderstanding this model, not from exotic memory corruption.
How they compare
We rate Windows Security Internals higher (5/5 against 4/5 for Evading EDR). For most readers, that means Windows Security Internals is the primary pick and Evading EDR is a useful follow-up.
Both books target advanced-level readers, so the choice is about topic, not difficulty.
Evading EDR and Windows Security Internals both cover Offensive, so reading them in sequence reinforces the same material from different angles.