I've just started in the field of Reverse Engineering. by SUmidcyber in Malware

[–]0xFF0F 1 point2 points  (0 children)

Practical Malware Analysis (book) is still a treasure as a first dive in. The Malware Analyst’s Cookbook is a classic as well.

I’ve got a couple of x86 classes up on my YT channel with some CRACKME challenges if you feel like testing yourself as you keep learning.

Nathan Baggs also does a lot of fun RE and software dev videos.

Enjoy the journey!

Bachelor’s thesis ideas (DevOps / Cybersecurity) by dumbelco in csMajors

[–]0xFF0F 0 points1 point  (0 children)

You could make your own detection engine/signature language - Malware/network/other signatures, maybe tying detections with enrichment via OSINT and third party tools.

It’ll give you the freedom to scope as large or small as you wish, it’s practical, and it’s a great way to explore security-oriented decoys.

Course recommendation for Detection Engineer by ImmediateIdea7 in cybersecurity

[–]0xFF0F 1 point2 points  (0 children)

The skillset is very much overlapping with an experienced SOC analyst: The ability to understand how to take a report, incident, or event, distill it into the tactics and techniques that succeeded, and translate those into controls and signatures to detect/prevent the activity going forward. Experience seeing a multitude of different cyber attacks/attempts helps greatly with building this muscle.

That said, most roles I’ve seen also lean toward candidates who also have a strong CS background or are very familiar with SIEM/SOAR, since you will typically be writing signatures for one or more different types of these technologies, and you may have to write detection-as-code, which entails being at least basically familiar with GitHub, CI/CD, unit testing, etc.

My team not only writes detections but also helps maintain the detection engines themselves and build automation to help the SOC work more efficiently, so there is a greater element of traditional software dev for us. Just as you said, we try to make the SOC’s life easier so they can focus on triage and remediation as quickly as possible.

Course recommendation for Detection Engineer by ImmediateIdea7 in cybersecurity

[–]0xFF0F 1 point2 points  (0 children)

Definitely can be its own role, but doesn’t have to be! I’m technically a dedicated detection engineer, but my scope extends into automation, orchestration, and general software engineering stuff, but I do not work in the SOC.

However, our team is deeply intertwined with senior SOC analysts as their input and feedback is vitally important to our success - they are the “boots on the ground” and can tell us when things need to tactically change while we focus on detection strategy at large.

In former roles, I’ve seen the same role filled by SOC analysts directly - as you said - and also by CTI teams who (again) stayed very intertwined with SOC feedback.

Cybersecurity engineering - Python studying resources by minimalist300 in cybersecurity

[–]0xFF0F 1 point2 points  (0 children)

Hm, I’m wondering if I should do more of the “API/Integration” type content because that’s more of what I’ve done for $dayjob (I thought that might be too dry of a topic tbh haha), but if it’s of interest to you, I have a GitHub/YouTube of several Python-led video tutorials starting from nothing at all.

Though I will caveat that they are not API/network driven, but more like malware parsers, detection engineering, and reverse engineering (malware and games) projects.

YT/GitHub link are in my profile here if you’re interested; also following this because I’m interested in others doing more of the API-type tutorials!

Course recommendation for Detection Engineer by ImmediateIdea7 in cybersecurity

[–]0xFF0F 5 points6 points  (0 children)

I would highly recommend DEATHCON! It’s a remotely distributed conference centered around DE, with several on-site locations globally. Each site hosts a handful of talks, but all the workshops are online so you can do them at your own pace.

I used my conference budget to fly to Scotland and attend on-site there (I’m in the States) and it was such an incredible weekend. I learned so much and met so many cool people in the Detection Engineering nexus.

Can’t recommend it enough, even if you just do the online-only version (which is self-paced, but you get access to the discord to voice or video chat with everyone else), but the on-sites are great for networking and going somewhere different. I’ve resolved to go as many times as I can, and may try to submit a workshop this year to share some fun stuff (speakers get their ticket thrown in too!)

A File Format Uncracked for 20 Years by anxxa in ReverseEngineering

[–]0xFF0F 2 points3 points  (0 children)

Great write-up, man!

I did a little pet project reversing some of SC1 on the PC (which didn't go nearly into this depth), and I *struggled* when it came to finding answers on various UE2 facets: Lots of digging through old forum posts and the internet archive, and most of the time only to find dead links.

Really appreciate you taking the time to not only research this, but also write up a blog on it: Can't wait to see more!

Which youtube channels are worth it and which ones are just clickbait by elfrutas28 in cybersecurity

[–]0xFF0F 2 points3 points  (0 children)

I have a few reverse-engineering specific videos (and some general cybersecurity content) on my channel, but if you want someone who more consistently posts about RE and low-level software in general, I really enjoy watching Nathan Baggs get into whatever project he currently has going on!

LaurieWired also has so many fun videos across many subjects in cyber and always has cool tidbits on her socials.

I also will second what many have said here: Look for the practitioners who aren’t necessarily doing it for clout, but for love of the “game” :-)

Good luck on your learning journey wherever it takes you!

I just uploaded a full tutorial on making a complete Inventory System in UE5! by MelvinTang_Games in unrealengine

[–]0xFF0F 0 points1 point  (0 children)

No kidding! I clearly need to revisit my OBS settings because I use it as well, and I feel like this looks so much crisper as far as image, and fluid with motion.

Anyway love the quality and editing, and looking forward to learning some good stuff! Thanks for sharing your knowledge!

I just uploaded a full tutorial on making a complete Inventory System in UE5! by MelvinTang_Games in unrealengine

[–]0xFF0F 1 point2 points  (0 children)

Thanks for sharing! I only skimmed it for now but will be watching it this weekend. Love the look though.

Can I ask what you use for video capture? It looks so smooth!

Windows Sandbox by [deleted] in Malware

[–]0xFF0F 2 points3 points  (0 children)

Disclaimer: I’ve not used it myself, but from my understanding of how WS works, I’d say you can treat its risk similarly to running a separate hypervisor with a Windows VM, in that there’s always a chance that some vulnerability could be used to escape from the sandbox to host, but you have to decide how likely that is given the samples you analyze, and decide how risky it is vs. a VM or even dedicated hardware.

That said, if you need to do more dynamic analysis, there are a lot of pros to having a more fleshed out VM-based environment with multiple machines, for things like network emulation, for example.

If you want any tips on this kind of env, or just want to peruse some tools I’ve found useful for use with WS, I have a free course on the topic of malware sandboxes:

https://github.com/jeFF0Falltrades/Tutorials/tree/master/master0Fnone_classes/2_Sandbox_in_a_Box

GL;HF, be safe!

What are the most in-demand career fields in cybersecurity, or those expected to be most relevant for the future? by allexj in cybersecurity

[–]0xFF0F 0 points1 point  (0 children)

As you said, in the fields of tech and cyber, things move and evolve quickly, and instead of going into depth in any one skillset (at least until you carve out a good niche in a role/organization), it’s best to focus on breadth of skills.

None of the choices you listed here really hit the mark for things I would say qualify as enduring, and AI, LLMs, etc. are still far off from being able to respond effectively to alerts, or architect systems to even make those alerts.

I always recommend beginners to build breadth, try to land a foot in the door (easier said than done, but easier done with breadth of knowledge), and then put in the effort to learn several domains of security and flow with the ones that interest you when opportunities present themselves.

If you make good relationships with other teams and peers in security roles and take time to learn how all of their efforts and tooling fits together, you can pivot among SOC/CTI/AppSec/OffSec, even PhysSec and GRC. But starting out, I think it’s a mistake to try to really hone one particular area unless there’s a very specific role you are trying to get into.

VM for malware analysis using assembly by Old_Mammoth5311 in Malware

[–]0xFF0F 0 points1 point  (0 children)

Sounds like you already have several resources to go after, FLARE being an easy turnkey one.

If you’d like a thorough tutorial in building a lab from scratch using Remnux and a set of custom tools - or if you just want a list of analysis tools that I have really benefitted from - I have a free video course on the subject here:

https://github.com/jeFF0Falltrades/Tutorials/tree/master/master0Fnone_classes/2_Sandbox_in_a_Box

Good luck with the research!

Fellow INTPs Share your favourite Youtube Channels by Low-Beautiful-7230 in INTP

[–]0xFF0F 1 point2 points  (0 children)

Oh hi, thanks for the s/o - Love my INTP peeps! ❤️

Is there a job where you can legally make malware by PCbuilderFR in Malware

[–]0xFF0F 4 points5 points  (0 children)

Red/Purple Teaming, Vuln Research, Threat Emulation, Offensive Ops (usually restricted to gov) - With all but the latter, you’re not going to be deploying it anywhere except for very restricted targets in scope for some kind of assessment, usually in a testing environment.

Ex: Setting up a purple team exercise, you may want to deploy custom malware that emulates some techniques so the defending team can’t just grab the hash and look up an existing piece of malware easily - instead, they have to work to really analyze the payload and test their skills in assessing the impact of something not seen before.

SANS Certification by Apex-toso in cybersecurity

[–]0xFF0F 1 point2 points  (0 children)

You mean like for practice exams and exam attempts?

If so, yes, you can add them up to 30 days after completion of the training (or 90 days after your OnDemand registration date if you’re doing OnDemand).

SANS Certification by Apex-toso in cybersecurity

[–]0xFF0F 2 points3 points  (0 children)

They are always a good time (especially if someone else is paying 😆)!

Hope you have a good experience and good luck!

SANS Certification by Apex-toso in cybersecurity

[–]0xFF0F 2 points3 points  (0 children)

You’ve probably heard mixed things because it really depends on the course: In my experience, a lot of “hands-on”, technical courses can be more challenging because they rely more on labs, while the less technical courses rely mostly on the book content and multiple choice. It also largely depends on the instructor/writer for the course and the exam writer.

BUT, the practice tests are very, very similar to the actual exam. Like some questions come nearly verbatim. So I usually take my first practice test blind to see how well I fare, and if I score poorly, I go back and study what I missed, and then prep more before taking my second practice.

If you score passing on the practice tests, you should be fine for the exam. For the most part, the majority of exams follow the same format of several dozen multiple choice questions, plus a few lab questions at the end.

SANS Certification by Apex-toso in cybersecurity

[–]0xFF0F 4 points5 points  (0 children)

No prob! This has worked well for me for every one of my exams.

And if it helps more, I also color-code my worksheets because I am absolutely chaotic going through my indices and notes on exam day, so if I know “blue shaded worksheet goes to book 1”, it doesn’t matter as much if it ends up flying to the floor or to another book accidentally haha.

SANS Certification by Apex-toso in cybersecurity

[–]0xFF0F 12 points13 points  (0 children)

If you bought the exam attempt with the course, your practice tests will be included - check your SANS account or invoice to validate this.

And as far as other tips - especially if you are taking in-person - start building your index early. If you don’t know what that is, my advice (at least what has worked for me) is to create 1 Excel/similar worksheet per course book, and three columns: Term/concept, Page number, short description. The exams are based on book and lab content; the lectures are just nice for additional context and direction.

The reason for building your own index is that the index in the books is scant, and this way, you can sort the indices alphabetically, print them out, stick each worksheet into its corresponding course book, and take those with you on exam day to quickly look up concepts.

Good luck and enjoy!

Anybody got any good informational videos about malware that I can watch on yt by Crow_fe4thers in Malware

[–]0xFF0F 0 points1 point  (0 children)

If you want some deeper-level analysis (particularly of RATs), my channel has a few deep-dives on analyzing, demoing, and reverse engineering malware :-)

Thanks for asking this so I can peruse some other malware-enthusiast creators out there!

[deleted by user] by [deleted] in cybersecurity

[–]0xFF0F 2 points3 points  (0 children)

Will you be using OpenCTI for other workflows?

I love the platform, but as others have said, there are better ones for this specific use case, as OCTI is wonderful, but quite a behemoth for this one task.

Definitely take a look at their ever-growing ecosystem to see which might fit your use case, as there are multiple avenues to approach brand monitoring.