Prelude Security Runtime Memory Protection is a Windows endpoint agent written in Rust that operates exclusively in user mode to detect malicious in-memory code execution. It focuses on identifying "out-of-context execution" — instances where an attacker coerces an application to run unintended code paths — covering techniques such as local and remote process injection, exploitation resulting in dynamic code execution, and fileless malware. Unlike traditional EDR architectures that rely on synchronous, kernel-mode drivers and opportunistic memory scanning, this agent operates asynchronously, consuming telemetry out-of-band without inline hooking or blocking. It leverages hardware-level telemetry sources including Intel Processor Trace (IPT), Last Branch Record (LBR), and Context Switches, as well as OS-level sources such as Event Tracing for Windows (ETW), to continuously monitor thread execution across the entire system. The agent models all memory allocations and the full-system context around every executing thread to evaluate whether a given control flow is legitimate. It processes approximately 700 million events per day per endpoint entirely at the edge, avoiding cloud-based data lake dependencies, with a reported CPU utilization under 2%. Detection decisions are made in real-time by anchoring on the CPU instruction pointer (RIP on x64) as a ground truth source. By running in user mode rather than kernel mode, the agent avoids the risk of system crashes (BSODs) associated with kernel-mode drivers. The product is described as a research preview and targets detection of in-memory attacks that bypass traditional file-based and behavioral detection methods.