diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png new file mode 100644 index 0000000000..cea5e255f5 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/next-gen-behavior-blocking.md b/windows/security/threat-protection/windows-defender-antivirus/next-gen-behavior-blocking.md index 7d81d7587a..f67c916bc7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/next-gen-behavior-blocking.md +++ b/windows/security/threat-protection/windows-defender-antivirus/next-gen-behavior-blocking.md 
@@ -22,9 +22,23 @@ ms.collection: - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -## section 1 +## What is behavioral blocking? -Behavioral blocking and containment capabilities in Microsoft Defender ATP use machine learning to identify threats through behavioral patterns. When threats are detected, Windows Defender Antivirus works together with your cloud protection. Suspicious artifacts and behaviors are monitored, processed, and sent to your cloud protection. +Behavioral blocking and containment capabilities in Microsoft Defender ATP use machine learning to identify threats through behavioral patterns. When threats are detected, Windows Defender Antivirus works together with your Microsoft cloud protection. Suspicious artifacts and behaviors are monitored, processed, and sent to your cloud protection for real-time classification by machine learning. If artifacts or behaviors are determined to be malicious, these threats are blocked and contained almost instantly. + +Behavioral blocking is a post-execution protection, as shown in the following diagram: + + + +Behavioral blocking consists of the following components: + +- Behavior-based machine learning +- Rapid-protection feedback loop +- [Shadow protection](shadow-protection.md) +- Client-side behavioral blocking +- Containment during automated investigation and remediation + + ## section 2
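Review bot: The added sentence "Behavioral blocking is a post-execution protection, as shown in the following diagram:" is followed only by blank added lines in this hunk, so no image reference is visible even though the same change adds images/pre-execution-and-post-execution-detection-engines.png. Please confirm the image is actually embedded right after that sentence, with alt text that says which engines are pre-execution and which are post-execution, so the claim can be read without the picture. Two smaller points in the same hunk: the first paragraph says "your Microsoft cloud protection" and then "your cloud protection", and should settle on one term; and the trailing context still carries the placeholder heading "## section 2", which should get a real title or be removed before publishing. In the component list only Shadow protection is linked; a one-line description for each of the other four items would tell readers what each component does.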