Reverse Engineering & Malware Analysis Study Plan
This page is updated based on jassics/security-study-plan/reverse-engineering-malware-security-study-plan. It's more advanced than the others - treat it as a specialization.
I also assume you have already worked through, and are comfortable with, the Common Security Skills study plan and the Network Security study plan.
How this connects: This is a good next step if you already know Network Security and have some exposure to Blue Team, Detection & Response or Web Security Testing. It helps you explain how malware and exploits work behind the alerts.
In Short
- Reverse engineering is about understanding how software works from the binary up.
- Malware analysis combines RE with incident response and threat intel.
- Be comfortable with low-level concepts (processes, memory, file formats).
- Treat malware safely - isolated labs, no real systems.
- This path takes time; progress slowly and practice a lot.
ToC
- Foundations: OS & Architecture - 3-4 weeks
- Static Analysis Basics - 3-4 weeks
- Dynamic Analysis Basics - 3-4 weeks
- Malware Analysis Workflow - 3-4 weeks
- Advanced Topics - 4-6 weeks
- Books, Videos, Courses
- Interview Questions
Foundations: OS & Architecture
Duration: 3-4 weeks
Goal: gain minimal low-level background.
Week 1-4: Core Concepts
- OS Internals (high level) - processes, threads, memory, syscalls
- File Formats - PE (Windows), ELF (Linux) basics
- Assembly Basics - x86/x64 registers, stack, common instructions
- Safe Lab Setup - VMs, snapshots, network isolation
Static Analysis Basics
Duration: 3-4 weeks
Goal: understand binaries without running them.
Week 5-8: Static RE
- Basic Tools - disassemblers and decompilers (pick one that is free or available to you)
- Reading Simple Programs - follow control flow, identify functions and strings
- Indicators - imports, section table, signs of packing or obfuscation
- Documentation - always write notes on what you observe
Dynamic Analysis Basics
Duration: 3-4 weeks
Goal: observe behavior in controlled environments.
Week 9-12: Dynamic RE
- Sandboxing Concepts - safe execution, monitoring
- Basic Debugging - stepping through code, breakpoints, inspecting registers/memory
- Behavioral Analysis - file system changes, network connections, registry changes
- Combining Static + Dynamic - use static findings to guide runtime analysis
Malware Analysis Workflow
Duration: 3-4 weeks
Goal: structure your approach to suspicious binaries.
Week 13-16: Structured Analysis
- Triage - hash, AV checks, basic metadata, sandbox run
- Classification - trojan, ransomware, downloader, etc. (high level)
- Reporting - technical reports for defenders, summaries for stakeholders
- Link to IR - feeding IOCs back into detection and response
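As an added example (not part of the original study plan), this Python script covers the Indicators step of Static Analysis Basics together with the Triage step above: it hashes a binary, walks the PE section table, and flags sections that look packed (high entropy, writable+executable, raw size far below virtual size). The PE blob is constructed inside the script and is not a real program; the 7.0-bit entropy threshold and the 2x size ratio are assumed heuristics, not fixed rules.

```python
import hashlib
import math
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code is usually ~5-6.5, compressed/encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def parse_sections(blob: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    table = pe + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode(errors="replace"), "vsize": vsize,
                    "raw": blob[rptr:rptr + rsize], "chars": chars})
    return out

def triage(blob: bytes) -> dict:
    """Hashes plus per-section packer indicators (thresholds are assumed heuristics)."""
    findings = []
    for s in parse_sections(blob):
        ent = shannon_entropy(s["raw"])
        wx = bool(s["chars"] & IMAGE_SCN_MEM_WRITE) and bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        checks = (("high-entropy", ent > 7.0), ("writable+executable", wx),
                  ("raw<<virtual", s["vsize"] > 2 * max(len(s["raw"]), 1)))
        findings.append({"section": s["name"], "entropy": round(ent, 2), "flags": [f for f, hit in checks if hit]})
    return {"sha256": hashlib.sha256(blob).hexdigest(), "md5": hashlib.md5(blob).hexdigest(),
            "sections": findings, "likely_packed": any(f["flags"] for f in findings)}

def build_sample_pe(sections) -> bytes:
    """Constructed minimal x64 PE (zeroed optional header, no imports): sections = [(name, data, vsize, chars)]."""
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    table, body, ptr = b"", b"", 0x40 + 4 + 20 + 240 + 40 * len(sections)
    for name, data, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000, len(data), ptr, 0, 0, 0, 0, chars)
        body, ptr = body + data, ptr + len(data)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(240) + table + body

# Constructed sample: a plain code section beside a UPX-style section of pseudo-random bytes.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
SAMPLE = build_sample_pe([(b".text", b"\x90" * 2048 + b"\xC3" * 2048, 4096, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                          (b"UPX1", HIGH_ENTROPY, 0x20000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ)])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The same three checks are the ones a reviewer would look for first in a real sample's section table before deciding whether unpacking is needed; the hashes go straight into the triage notes.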
Advanced Topics
Duration: 4-6 weeks
Goal: explore deeper areas as you gain confidence.
Week 17-22: Deeper RE
- Obfuscation & Packing (high level) - recognizing and lightly unpacking simple cases
- Anti-Debugging & Evasion - basic techniques used by malware
- Exploit Analysis (optional) - looking at simple exploits and shellcode
- Threat Intel Integration - mapping findings to threat groups and techniques
Books, Videos, Courses
- Introductory RE or malware analysis books from reputable authors, plus books walking through real-world malware case studies
- Conference talks on RE/malware analysis; walkthroughs of analyzing real malware samples from trustworthy sources; short videos on assembly and OS internals
- Beginner RE/malware analysis courses with controlled labs; more advanced RE courses if you go deeper; complementary courses on Windows internals or exploit development
Interview Questions
- How would you safely analyze a suspicious binary you received from the SOC?
- What is the difference between static and dynamic analysis, and when would you use each?
- How do you communicate your malware analysis findings back to defenders?
Practice next: jassics/security-interview-questions for broader question sets (no dedicated RE/malware page exists there yet), and jassics/security-study-plan for the latest updates to this plan.