Intro and plan for the Sanctum EDR

Project plan for the Sanctum EDR build in Rust.


The project can be found here on my GitHub.

Sanctum cover art

Sanctum is going to be an EDR, build in Rust, designed to perform the job of both an antivirus (AV) and Endpoint Detection and Response (EDR). It is no small feat building an EDR, and I am somewhat anxious about the path ahead; but you have to start somewhere and I’m starting with a blog post. If nothing else, this series will help me convey my own development and learning, as well as keep me motivated to keep working on this - all too often with personal projects I start something and then jump to the next shiny thing I think of. If you are here to learn something, hopefully I can impart some knowledge through this process.

There are a lot of challenges here, none of which are comparable to developing the kernel mode driver for my EDR in Rust. There’s shockingly little in the space of blog posts or tutorials for driver development in Rust for Windows, so I’ll be reliant mostly upon the documentation from the Microsoft Windows Drivers (Rust) GitHub repo. This was published September 2023, so only 10 months ago from the time of writing!

I plan to build this EDR also around offensive techniques I’m demonstrating for this blog, hopefully to show how certain attacks could be stopped or detected - or it may be I can’t figure out a way to stop the attack! Either way, it will be fun!

Project Plan

The features I want to implement in this project as as below; I am hoping that this serves roughly as a guide for my milestones, I will be adding to this list no doubt as I go through my journey. If you are reading this and can think of any suggestions, please get in touch with me via Twitter, GitHub, Email ( or YouTube!

Kernel driver


Telemetry service

This could also serve as a user mode AV potentially. For now, I’ll build the plan as if that is what it is doing

Not sure where to put them

Sources of inspiration

Collating a list of resources as I do my research for the project, these can be thought of as bookmarks to come back to later to help me find implementation inspiration for the feature list of Sanctum EDR.

Final thoughts

This is about it for the first post in the series. I’ll post whenever I feel like I have done something worth talking about, or made progress in something new I have learned. As I said, this is more about me documenting my growth and learning, rather than being a tutorial per-se. I hope you enjoy this series and take something positive away from it!

Until next time, ciao!