Malware Analyst.

A specialist who reverse-engineers malicious binaries — static and dynamic — to extract indicators, characterize capabilities, attribute to threat groups, and produce detection content for SIEM/EDR coverage. It belongs to the Roles & Careers category of cybersecurity.

A specialist who reverse-engineers malicious binaries — static and dynamic — to extract indicators, characterize capabilities, attribute to threat groups, and produce detection content for SIEM/EDR coverage.

A malware analyst (also called reverse engineer or threat analyst, depending on the org) is the practitioner who takes a captured binary, document, or implant and tears it apart to answer: what does it do, who wrote it, how do we detect and stop it, and what does the broader campaign look like. Workflow typically begins with safe acquisition, then triage in a sandbox (ANY.RUN, Joe Sandbox, Cuckoo/Cape, MalwareBazaar) for behavioural signatures, followed by static analysis with IDA Pro, Ghidra, Binary Ninja, or Cutter for x86/ARM, jadx/dex2jar for Android, Hopper or Ghidra for macOS, dnSpy for .NET, and Hindsight/MSI tooling for installers. Dynamic analysis pairs a debugger (x64dbg, WinDbg, lldb, gdb) with sandboxed live execution. Outputs include YARA rules, Sigma rules, IOCs, attribution clues (PDB strings, language, code reuse), capability matrices, and written reports for CTI consumers. Many malware analysts also operate as 'threat intelligence' or 'threat research' staff, feeding the broader defender community through blog posts, conference talks, and vendor research feeds. Certifications often associated: GIAC GREM, SANS FOR-610, eLearnSecurity eCRE, plus Offensive Security and TCM Security RE courses.

Defences for Malware Analyst typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Reverse engineer, Threat research analyst.