Explain how EDRs hook user-mode API calls - Describe direct system call techniques - Explain syscall proxying (indirect syscalls) - Discuss the detection arms race