Malware Analysis & Reverse Engineering
Static/dynamic analysis, sandbox analysis, assembly/disassembly, packer analysis, YARA rules, malware family classification.
What is Malware Analysis & Reverse Engineering?
Malware analysis and reverse engineering is the discipline of understanding the adversary's weapons at the code level. When a new malware sample is discovered — whether through incident response, threat hunting, or sandbox detonation — analysts dissect it to understand its capabilities, extract indicators of compromise, map it to ATT&CK techniques, and build defenses.
Static analysis examines the malware without executing it — inspecting PE headers, import tables, embedded strings, and entropy patterns. Dynamic analysis runs the malware in a controlled sandbox environment, monitoring API calls, file system changes, registry modifications, and network communications. Advanced analysis involves disassembly and debugging to understand the malware's logic at the assembly level.
The field requires deep technical skills — reading x86/x64 assembly, understanding Windows internals, recognizing packer and obfuscation techniques, and writing YARA rules for detection. Tools like IDA Pro, Ghidra, x64dbg, and Volatility are the analyst's essential toolkit.
Why it matters
Every detection rule, threat intelligence report, and incident response action is ultimately informed by someone who analyzed the malware. Reverse engineering is the foundation that powers threat intelligence, detection engineering, and defensive tool development.
Malware analysis feeds directly into threat intelligence (extracting IOCs and TTPs), detection engineering (writing YARA/SIGMA rules), and incident response (understanding what the attacker's tools do). It's the technical foundation beneath multiple security disciplines.
Curated resources
Authoritative sources we ground Malware Analysis & Reverse Engineering questions in — frameworks, research, guides, and tools.
NSA Ghidra
NSA's open-source software reverse-engineering framework. Disassembler, decompiler, scripting. The free standard for malware analysis training and most public reversing work.
YARA — The Pattern-Matching Swiss Army Knife
Rule language for identifying malware families by binary patterns and metadata. Foundational for both detection engineering and malware classification.
Mandiant FLARE Open-Source
Mandiant's FLARE team publishes capa, FLOSS, and other widely used reversing tools alongside in-depth malware analysis blog posts. The reference for vendor-published reversing primitives.
Practical Malware Analysis (Sikorski & Honig, No Starch Press)
The standard textbook used in most university and SANS courses. Covers static, dynamic, and behavioral analysis with hands-on labs. Cite for any "how do you analyze X" pedagogical question.
REMnux — Linux Toolkit for Malware Analysis
Curated Linux distribution preloaded with hundreds of reverse-engineering and malware-analysis tools. Maintained by Lenny Zeltser. The default sandbox VM in most malware-analysis training courses.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. "Core" means centrally covered; "also touched" means present in the blueprint but not the primary focus.
Core coverage
EC-Council Computer Hacking Forensics Investigator
Zero Point Security Red Team Operator II
GIAC Certified Forensic Analyst
Advanced host forensics, memory analysis, timeline reconstruction.
GIAC Reverse Engineering Malware
Static + dynamic malware analysis, unpacking, custom RE tooling.
GIAC Exploit Researcher and Advanced Penetration Tester
Offensive Security Certified Expert 3
Offensive Security Exploit Developer
Offensive Security Exploitation Expert
Offensive Security macOS Researcher
Also touched
GIAC Certified Incident Handler
Incident handling methodology and lifecycle.
GIAC Cyber Threat Intelligence
Structured threat intel production, ATT&CK, analytic tradecraft.
Offensive Security Certified Professional
Hands-on penetration testing — exploitation, privilege escalation, AD attacks.