This study plan is organized around milestones, so check how much you can cover within the timeline. The more of these topics you cover, the stronger a candidate you are for roles that require reverse engineering (RE), exploit analysis, or malware analysis skills.
It also assumes you have already worked through, and are comfortable with, the Common Security Skills study plan and the Network Security study plan.
This plan is more advanced than others; treat it as a specialization.
How this connects: This plan is a good next step if you already know Network Security and have some exposure to Blue Team, Detection & Response, or Web Pentest. It helps you explain what the malware and exploits behind the alerts are actually doing.
- Reverse engineering is about understanding how software works from the binary up.
- Malware analysis combines RE with incident response and threat intel.
- You should be comfortable with low-level concepts (processes, memory, file formats).
- You must handle malware safely (isolated lab VMs, never production or personal systems).
- This path takes time; progress slowly and practice a lot.
- Foundations: OS & Architecture - 3-4 weeks
- Static Analysis Basics - 3-4 weeks
- Dynamic Analysis Basics - 3-4 weeks
- Malware Analysis Workflow - 3-4 weeks
- Advanced Topics - 4-6 weeks
- Books
- Videos
- Courses
- Interview Questions
## Foundations: OS & Architecture

Duration: 3-4 weeks
Goal: gain minimal low-level background.
- Operating System Internals (high level): processes, threads, memory, syscalls.
- File Formats: PE (Windows), ELF (Linux) basics.
- Assembly Basics: x86/x64 registers, stack, common instructions.
- Safe Lab Setup: VMs, snapshots, network isolation.
## Static Analysis Basics

Duration: 3-4 weeks
Goal: understand binaries without running them.
- Basic Tools: disassemblers and decompilers (choose one that is free or available to you).
- Reading Simple Programs: follow control flow, identify functions and strings.
- Indicators: imports, section layout, and signs of packing or obfuscation.
- Documentation: always write notes on what you observe.
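The PE basics from the Foundations milestone and the section/packing indicators listed above, as an added example (not code from the original plan): a minimal PE section-table parser that flags the static indicators a first pass would record. The input is a two-section PE32+ image constructed inline, so nothing real is parsed or executed; the 7.0 bits-per-byte entropy threshold is a common heuristic, not a standard, and the UPX section-name check is just one well-known packer signature.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Heuristic (assumption): entropy above this, out of a maximum of 8.0 bits/byte,
# suggests packed or encrypted section contents.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]   # first field of the optional header
    table = coff + 20 + opt_size                           # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr, "raw_size": raw_size,
            "characteristics": chars, "entropy": shannon_entropy(raw),
        })
    return {"machine": machine,
            "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
            "sections": sections}


def triage_indicators(pe: dict) -> list:
    """Static observations worth writing down before any dynamic analysis."""
    findings = []
    for s in pe["sections"]:
        c = s["characteristics"]
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{s['name']}: high entropy ({s['entropy']:.2f}), possibly packed or encrypted")
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: section is both writable and executable")
        if s["name"].upper().startswith("UPX"):
            findings.append(f"{s['name']}: section name used by the UPX packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: no data on disk but {s['virtual_size']} bytes in memory")
    return findings


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed data."""
    out, block = bytearray(), b"constructed-sample"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed test image: a plain .text section plus a UPX-style packed section."""
    opt_size = 240                       # size of a PE32+ optional header
    table = 0x40 + 4 + 20 + opt_size     # section table offset
    data_start = table + 40 * 2          # raw data follows the two section entries
    text = b"\x55\x48\x89\xe5" + b"\x90" * 252   # tiny prologue, then NOP padding (low entropy)
    packed = _pseudo_random(4096)
    hdr = bytearray(data_start)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", hdr, 0x58, 0x20B)                     # optional header magic: PE32+
    struct.pack_into("<8sIIIIIIHHI", hdr, table, b".text", len(text), 0x1000,
                     len(text), data_start, 0, 0, 0, 0, 0x60000020)          # CODE|EXECUTE|READ
    struct.pack_into("<8sIIIIIIHHI", hdr, table + 40, b"UPX1", len(packed), 0x2000,
                     len(packed), data_start + len(text), 0, 0, 0, 0, 0xE0000040)  # DATA|EXEC|READ|WRITE
    return bytes(hdr) + text + packed


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["pe_format"], hex(pe["machine"]))
    for s in pe["sections"]:
        print(f"{s['name']:8s} raw={s['raw_size']:5d} entropy={s['entropy']:.2f} chars={s['characteristics']:#010x}")
    for f in triage_indicators(pe):
        print("!", f)
```

The parser reads only the headers and section table, which is enough to answer the first static questions (format, architecture, which sections hold data and how random that data looks) without touching imports or code; running it on the constructed image reports the `.text` section as clean and the `UPX1` section as high-entropy, writable-and-executable, and packer-named.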
## Dynamic Analysis Basics

Duration: 3-4 weeks
Goal: observe behavior in controlled environments.
- Sandboxing Concepts: safe execution, monitoring.
- Basic Debugging: stepping through code, breakpoints, inspecting registers and memory.
- Behavioral Analysis: file system changes, network connections, registry changes.
- Combining Static + Dynamic: use static findings to guide runtime analysis.
## Malware Analysis Workflow

Duration: 3-4 weeks
Goal: structure your approach to suspicious binaries.
- Triage: hash, AV checks, basic metadata, sandbox run.
- Classification: trojan, ransomware, downloader, etc. (high level).
- Reporting: technical reports for defenders and summaries for stakeholders.
- Link to IR: feeding IOCs back into detection and response.
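The behavioral-analysis step from the Dynamic Analysis milestone and the triage, classification, reporting and IR-feedback steps above, as one added example (not code from the original plan): it hashes a sample, parses a short behavior log, tags high-level behaviors, and emits both a stakeholder summary and flat IOC lines for detection. The log lines, the `time | pid | process | operation | target` layout, the sample bytes, and the 203.0.113.45 / update-check.example.net indicators are all constructed for the example; a real sandbox or monitor would need its own parser.

```python
import hashlib
import re

# Constructed placeholder standing in for the file under analysis (not a real binary).
SAMPLE_BYTES = b"constructed placeholder sample, not a real executable"

# Constructed monitor output in a simple "time | pid | process | operation | target" layout.
# The documentation-range IP and example.net domain are placeholders, not real indicators.
BEHAVIOR_LOG = """\
12:00:01 | 4120 | sample.exe | CreateFile | C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe
12:00:01 | 4120 | sample.exe | WriteFile | C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe
12:00:02 | 4120 | sample.exe | RegSetValue | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
12:00:03 | 4120 | sample.exe | DNSQuery | update-check.example.net
12:00:03 | 4120 | sample.exe | TCPConnect | 203.0.113.45:443
12:00:04 | 4120 | sample.exe | RegQueryValue | HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName
garbled line from a truncated capture
12:00:05 | 4120 | sample.exe | CreateProcess | C:\\Users\\lab\\AppData\\Roaming\\svchost32.exe
"""

LINE_RE = re.compile(r"^(?P<time>\S+) \| (?P<pid>\d+) \| (?P<proc>[^|]+?) \| (?P<op>\w+) \| (?P<target>.+)$")
# Writes under the Run/RunOnce autostart keys are a classic persistence indicator.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _add(bucket: list, value: str) -> None:
    """Append without duplicates while keeping first-seen order."""
    if value not in bucket:
        bucket.append(value)


def triage_behavior(log_text: str, sample_bytes: bytes) -> dict:
    """Hash the sample and bucket observed operations into IOC categories."""
    report = {
        "sha256": hashlib.sha256(sample_bytes).hexdigest(),
        "md5": hashlib.md5(sample_bytes).hexdigest(),
        "files_written": [], "registry_set": [], "persistence": [],
        "network": [], "dns": [], "child_processes": [], "unparsed": 0,
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # keep going, but record that the capture had gaps
            report["unparsed"] += 1
            continue
        op, target = m["op"], m["target"].strip()
        if op == "WriteFile":
            _add(report["files_written"], target)
        elif op == "RegSetValue":
            _add(report["registry_set"], target)
            if RUN_KEY_RE.search(target):
                _add(report["persistence"], target)
        elif op == "TCPConnect":
            _add(report["network"], target)
        elif op == "DNSQuery":
            _add(report["dns"], target)
        elif op == "CreateProcess":
            _add(report["child_processes"], target)
    return report


def behaviors(report: dict) -> list:
    """High-level behavior tags, the level at which the plan's 'Classification' step works."""
    tags = []
    dropped = {p for p in report["files_written"] if p.lower().endswith(".exe")}
    if dropped & set(report["child_processes"]):
        tags.append("drops and executes a file")
    if report["persistence"]:
        tags.append("persistence via Run key")
    if report["network"] or report["dns"]:
        tags.append("outbound network activity")
    return tags


def ioc_lines(report: dict) -> list:
    """Flat 'type,value' lines that defenders can load into blocklists or detection rules."""
    lines = [f"sha256,{report['sha256']}", f"md5,{report['md5']}"]
    lines += [f"file,{p}" for p in report["files_written"]]
    lines += [f"registry,{k}" for k in report["registry_set"]]
    lines += [f"ip,{n.rsplit(':', 1)[0]}" for n in report["network"]]
    lines += [f"domain,{d}" for d in report["dns"]]
    return lines


def stakeholder_summary(report: dict) -> str:
    """One non-technical sentence for the summary audience."""
    tags = behaviors(report)
    return f"Sample {report['sha256'][:12]}: " + ("; ".join(tags) if tags else "no notable behavior observed")


if __name__ == "__main__":
    r = triage_behavior(BEHAVIOR_LOG, SAMPLE_BYTES)
    print(stakeholder_summary(r))
    print("\n".join(ioc_lines(r)))
    print(f"unparsed lines: {r['unparsed']}")
```

The two outputs map onto the two report audiences the plan describes: `stakeholder_summary` is the short non-technical statement, and `ioc_lines` is the machine-readable artifact that feeds back into detection and response. Counting unparsed lines rather than failing keeps a partially garbled capture usable while making the gap visible in the report.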
## Advanced Topics

Duration: 4-6 weeks
Goal: explore deeper areas as you gain confidence.
- Obfuscation & Packing (high level): recognizing and lightly unpacking simple cases.
- Anti-Debugging & Evasion: basic techniques used by malware.
- Exploit Analysis (optional): looking at simple exploits and shellcode.
- Threat Intel Integration: mapping findings to threat groups and techniques.
## Books

- Introductory RE or malware analysis books from reputable authors.
- Books that walk through real-world malware case studies.
## Videos

- Conference talks on RE and malware analysis.
- Walkthroughs of analyzing real malware samples (from trustworthy sources).
- Short videos explaining assembly and OS internals.
## Courses

- Beginner RE/malware analysis courses with controlled labs.
- More advanced RE courses if you decide to go deeper.
- Complementary courses on Windows internals or exploit development.
## Interview Questions

- How would you safely analyze a suspicious binary you received from the SOC?
- What is the difference between static and dynamic analysis and when would you use each?
- How do you communicate your malware analysis findings back to defenders?