Reverse Engineering & Malware Analysis Study Plan

This page is adapted from jassics/security-study-plan/reverse-engineering-malware-security-study-plan. It is more advanced than the other plans, so treat it as a specialization.

Also, I assume you have already worked through, and are comfortable with, the Common Security Skills study plan and the Network Security study plan.

How this connects: This is a good next step if you already know Network Security and have some exposure to Blue Team, Detection & Response, or Web Security Testing. It helps you explain how the malware and exploits behind the alerts actually work.

In Short

  1. Reverse engineering is about understanding how software works from the binary up.
  2. Malware analysis combines RE with incident response and threat intelligence.
  3. Be comfortable with low-level concepts (processes, memory, file formats).
  4. Handle malware safely: isolated lab VMs only, never real systems.
  5. This path takes time; progress steadily and practice a lot.

ToC

  1. Foundations: OS & Architecture - 3-4 weeks
  2. Static Analysis Basics - 3-4 weeks
  3. Dynamic Analysis Basics - 3-4 weeks
  4. Malware Analysis Workflow - 3-4 weeks
  5. Advanced Topics - 4-6 weeks
  6. Books, Videos, Courses
  7. Interview Questions

Foundations: OS & Architecture

Duration: 3-4 weeks

Goal: gain the minimum low-level background the later sections build on.

Weeks 1-4: Core Concepts

  1. OS Internals (high level) - processes, threads, memory, syscalls
  2. File Formats - PE (Windows), ELF (Linux) basics
  3. Assembly Basics - x86/x64 registers, stack, common instructions
  4. Safe Lab Setup - VMs, snapshots, network isolation

Static Analysis Basics

Duration: 3-4 weeks

Goal: understand binaries without running them.

Weeks 5-8: Static RE

  1. Basic Tools - disassemblers and decompilers (pick one that is free or available to you)
  2. Reading Simple Programs - follow control flow, identify functions and strings
  3. Static Indicators - imports, section layout, and signs of packing or obfuscation
  4. Documentation - always write notes on what you observe

Dynamic Analysis Basics

Duration: 3-4 weeks

Goal: observe behavior in controlled environments.

Weeks 9-12: Dynamic RE

  1. Sandboxing Concepts - safe execution, monitoring
  2. Basic Debugging - stepping through code, breakpoints, inspecting registers/memory
  3. Behavioral Analysis - file system changes, network connections, registry changes
  4. Combining Static + Dynamic - use static findings to guide runtime analysis

Malware Analysis Workflow

Duration: 3-4 weeks

Goal: structure your approach to suspicious binaries.

Weeks 13-16: Structured Analysis

  1. Triage - compute hashes, check AV/reputation, collect basic metadata, run in a sandbox
  2. Classification - trojan, ransomware, downloader, etc. (high level)
  3. Reporting - technical reports for defenders, summaries for stakeholders
  4. Link to IR - feed IOCs back into detection and response
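The static-indicator and triage steps above, as an added example that is not part of the original study plan: a small Python script that hashes a PE image, reads its COFF header and section table, and uses per-section Shannon entropy as a packing/obfuscation indicator. The PE bytes, the section name UPX1, and the 7.0 bits/byte threshold are constructed assumptions for the demo; real samples belong only in an isolated lab VM.

```python
import hashlib
import math
import struct
from collections import Counter

HIGH_ENTROPY = 7.0  # assumed threshold: compressed/encrypted data approaches 8 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_pe(blob: bytes) -> dict:
    """Hashes, COFF metadata and per-section entropy of an in-memory PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]      # offset of the PE signature
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    sec_table = coff + 20 + opt_size                          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sec_table + i * 40)
        ent = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "entropy": round(ent, 2)})
    return {"sha256": hashlib.sha256(blob).hexdigest(), "machine": hex(machine), "sections": sections,
            "likely_packed": [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY]}

def build_sample_pe() -> bytes:
    """Constructed two-section PE (no optional header): repetitive .text plus a high-entropy UPX1 blob."""
    text = b"\x90" * 255 + b"\xc3"                            # NOP sled + RET: low entropy
    packed = bytes((i * 131 + 7) % 256 for i in range(512))   # every byte value twice: 8.0 bits/byte
    e_lfanew, nsec = 64, 2
    text_off = e_lfanew + 4 + 20 + nsec * 40
    packed_off = text_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, 0, 0x22)
    def hdr(name, off, size):  # IMAGE_SECTION_HEADER with code/exec/read characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, off, 0, 0, 0, 0, 0x60000020)
    return dos + coff + hdr(b".text", text_off, len(text)) + hdr(b"UPX1", packed_off, len(packed)) + text + packed

if __name__ == "__main__":
    print(triage_pe(build_sample_pe()))   # expect likely_packed == ['UPX1']
```

Entropy alone is a hint, not proof: legitimate binaries embed compressed resources too, so the result should be recorded in your notes alongside imports and section names rather than treated as a verdict.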

Advanced Topics

Duration: 4-6 weeks

Goal: explore deeper areas as you gain confidence.

Weeks 17-22: Deeper RE

  1. Obfuscation & Packing (high level) - recognizing packed code and manually unpacking simple cases
  2. Anti-Debugging & Evasion - basic techniques malware uses to resist analysis
  3. Exploit Analysis (optional) - reading simple exploits and shellcode
  4. Threat Intel Integration - mapping findings to threat groups and techniques

Books, Videos, Courses

  • Introductory RE or malware analysis books from reputable authors, plus books walking through real-world malware case studies
  • Conference talks on RE/malware analysis; walkthroughs of analyzing real malware samples from trustworthy sources; short videos on assembly and OS internals
  • Beginner RE/malware analysis courses with controlled labs; more advanced RE courses if you go deeper; complementary courses on Windows internals or exploit development

Interview Questions

  1. How would you safely analyze a suspicious binary you received from the SOC?
  2. What is the difference between static and dynamic analysis, and when would you use each?
  3. How do you communicate your malware analysis findings back to defenders?

Practice next: jassics/security-interview-questions for broader question sets (no dedicated RE/malware page exists there yet), and jassics/security-study-plan for the latest updates to this plan.