Anwer Gertani

Build malware RE teams and AI-augmented analysis capabilities

Stand up dedicated malware RE functions from scratch — building analysis pipelines and integrating ML-based detection that catches the custom packers and novel implants your stack misses.

The scale of the malware problem is difficult to internalise. AV-TEST logs over 450,000 new malware samples every day — totalling more than 1.56 billion known samples as of 2025. No team manually reverses more than a fraction of that. But the samples that matter most are precisely the ones that do not look like anything in the catalogue: the custom implants built for a specific target, the novel packers engineered to defeat your detection stack, and the malware-free attacks that use valid credentials and trusted tools to move laterally without ever dropping a file for a signature to match. CrowdStrike’s 2026 Global Threat Report found that 82 percent of detections in 2025 involved no malware at all — a statistic that illustrates exactly why detection built on signatures alone is structurally losing ground.

[Figure: Malware analysis, manual vs AI-assisted. Source: Google Cloud, CrowdStrike 2025–26]

The speed argument for AI-augmented malware analysis is documented and significant. Google Cloud demonstrated that Gemini-assisted malware analysis completed in approximately 30 minutes what previously took a human analyst close to a month — a 1,440x improvement. A Booz Allen deployment found AI tooling labelling 120-plus functions in 2.5 minutes during automated decompilation. These are not marginal efficiency gains; they change what is operationally possible when an unknown sample appears in your environment.

Building a malware RE function that benefits from AI augmentation requires the right foundation: analysts who understand what the AI is doing, can identify when it is wrong, and can investigate the cases it cannot resolve. AI does not eliminate the need for human reverse engineering expertise — it amplifies it, handling the routine so that human attention can go to the novel. The 1 percent of samples that require deep expert analysis, as Kaspersky’s research illustrates, are the ones that matter most. That is where the function’s value lies.

Organisations that build this capability gain something that cannot be purchased from a vendor: current, first-hand knowledge of how adversaries targeting their sector actually operate. That knowledge feeds detection logic, IR playbooks, and architectural decisions in ways that secondary intelligence consumption cannot match.