AI-Assisted Reverse Engineering for Threat Intelligence: What Actually Works.
BLUF: AI genuinely speeds up malware reverse engineering, but only in the right half of the job. Point an agent like Claude at a decompiler through an MCP server and it will deobfuscate scripts, decrypt and extract configuration and indicators, summarise unfamiliar functions, and draft a first-pass report faster than an analyst working by hand. Where it still fails is the second half: unpacking multi-stage native code, reading adversarially poisoned code correctly, and attribution. This is useful for a threat intelligence team not because “the AI reverse engineers the malware for you,” but because the mechanical work compresses from an afternoon to minutes, so an analyst can turn a sample into intelligence, indicators, mapped techniques, and a lead on the actor behind it, while keeping the judgement where it belongs. This guide covers where AI fits in your pipeline, where you want it to stay away, and how to run it without getting misled.
The state of AI-assisted reverse engineering in 2026
Two years ago, using a language model on a malware sample meant pasting a decompiled function into a chat window and hoping. That is not where the field is now. The pattern that took over in 2025 and 2026 is the same one behind wiring a threat intelligence platform into an agent: an MCP server sits in front of the reverse engineering tool and exposes its operations to an agent, so the model can decompile a function, follow cross-references, rename what it works out, and write comments back, in a loop, driving the disassembler the way an analyst drives it.
The tooling has matured quickly. GhidraMCP, the most widely used community server for the open-source Ghidra platform, connects Claude to a live Ghidra instance and has become the reference setup for the free stack. IDA Pro has its own equivalent in ida-pro-mcp, now moving towards a headless variant for automation. Ghidra's own project, run by the NSA, and Hex-Rays, which makes IDA, have both deliberately chosen not to ship their own AI assistant, and are instead building cleaner APIs for external agents to drive. Binary Ninja went the other way and shipped an official AI assistant, Sidekick, notable for offering a fully on-premises deployment for binaries that cannot leave the network, which is exactly the constraint a lot of malware work runs into.
The marketing around “AI decompilers” can be confusing: the language model is not replacing the decompiler. Research models that decompile binaries directly exist, and they are improving, but their headline benchmarks measure whether the output runs, not whether it faithfully reconstructs the original types, structures, and names, which is the part that's actually hard to do. In practice the 2026 workflow is still Ghidra or IDA producing the pseudocode, with an agent working on top of it to explain, name, navigate, and extract. That division is important to understand.

Where AI fits in reverse engineering: the fast, unglamorous 80 per cent
The strongest, best-evidenced use of AI in malware analysis is the repetitive work that eats an analyst's day. In a published case study in November 2025, Check Point researchers pointed a frontier model, driving IDA Pro and a debugger through MCP, at the XLoader malware family. The model identified the routines that decrypt XLoader's stored strings, wrote working IDAPython scripts to run the decryption itself, and recovered command-and-control domains and 175 encrypted strings in under an hour. What this means for a CTI team doing their own reverse engineering: faster turnaround means fresher indicators and quicker detection updates.
That pattern generalises: LLMs are reliably good at a cluster of jobs that are roughly the same every time: the answer is checkable, and the work is tedious: deobfuscating a PowerShell or JavaScript dropper, decrypting and pulling out a configuration block, extracting indicators from a mess of strings, writing a short summary of what an unfamiliar function does, or drafting a detection rule or mapping observed behaviour to MITRE ATT&CK techniques. A May 2026 benchmark that ran eight models across a set of triage binaries found that the serious ones classified the samples and produced useful reports for a reasonable amount of time and money.
The scale of what this unlocks is real: in one run in October 2025, VirusTotal turned its Gemini-powered Code Insight loose on 9,981 first-seen macOS binaries and surfaced close to a hundred malicious files that every traditional engine had missed entirely, including a multi-stage dropper and a credential stealer sitting at zero detections. The same pass also flagged thirty files as false positives from Microsoft's engine, which were subsequently fixed. None of that replaces an analyst, but hands them a shortlist and a head start. Where AI helps and where it stops is a pattern that runs across security work, not just reverse engineering, and we take the broader view in our guide to where LLMs help in cybersecurity.
The analysis-to-intelligence pipeline
For a threat intelligence team, extracting indicators is the beginning, not the end. A C2 domain and a config block are raw material. Intelligence is what you get when that material is turned into something a defender can act on and a decision-maker can trust. This is where AI-assisted reverse engineering becomes a capability that empowers the rest of the workflow, because the same agent session that decompiled the sample can carry it several steps further.
Take a single unknown binary through the chain. The agent unpacks the surface layer, decompiles the interesting functions, and deobfuscates the strings, that is the mechanical work from the previous section. From there it extracts the indicators and writes them into a structured form. It maps the behaviours it found, the persistence mechanism, the injection technique, the C2 protocol, onto ATT&CK, so the sample becomes a set of techniques. It drafts candidate detections from what it saw. And then the step that most coverage skips entirely: it checks the extracted infrastructure and the technique profile against what you already know, so a fresh sample is read against your existing picture of an actor rather than in isolation, and a match to a tracked group's tradecraft or infrastructure becomes a lead.
That last movement is the integration, tradecraft, and self-maintaining knowledge part of a real AI deployment, and it is where the intelligence value concentrates. Anyone can get a summary out of a chatbot. Turning a binary into ATT&CK-mapped techniques, indicators, detections, and a correlated actor lead, with the sourcing attached, is a different thing, and it is what Liberty91's agent stack is built around. The reverse engineering agent is one specialist in that chain, handing its output to the next.
If you want to run the mechanical end of this yourself, it is relatively easy to get started. The free stack is GhidraMCP connecting Claude to a local Ghidra instance: install the plugin, run the bridge, point your client at it, open a sample, and start asking the agent what functions do. Our own open-source CTI skills cover the tradecraft and production steps that come after, and our guide to Claude Code for threat intelligence walks through the wider workstation this fits into.

Where AI doesn't work: the hard 20 per cent
The failures are as consistent as the wins, and they are more dangerous because the output looks just as confident either way.

The first is hallucinated meaning in decompiled code. A model reading pseudocode can produce a fluent, plausible, and wrong account of what a function does, and nothing in the output signals which one you have. The most striking evidence sits in how the serious labs have responded. When SentinelOne built a multi-agent system for malware analysis in early 2026, running Claude models across radare2, Ghidra, Binary Ninja, and IDA, the entire design existed to catch this. Every finding has to carry an explicit agree-or-disagree consensus field, and the whole analysis is re-run so the agents cross-check each other. In their write-up, that scaffolding is what caught one agent misreading a C2 endpoint that another agent had transcribed correctly, and stopped a decompiler artefact from being reported as a finding. It isn't that the models are bad, but rather that a single unverified pass cannot be trusted.
The second is that the hard native-code work still belongs to humans. Multi-stage packers, unusual obfuscation, and scattered key-derivation routines regularly defeat the models. Microsoft's Project Ire, an autonomous malware reverse engineering agent and one of the most capable systems published to date, scored well on straightforward samples but managed a recall of only 0.26 on a set of genuinely hard real-world files. It convicted accurately when it convicted, but it missed close to three-quarters of the actual malware. This is very important to be aware of, before you let anyone tell you AI reverse engineers malware unattended.
The third is specific to adversarial code, and it is the one analysts most need to internalise. A study published in April 2026 showed that attacker-planted, misleading identifier names survive language-model deobfuscation: if a malware author names a function to mislead, the model tends to carry the lie forward rather than see through it. Which means the thing the model is often best at, giving readable names to unnamed code, is exactly the thing an adversary can poison. On code written specifically to be analysed, treat recovered names as a hypothesis, not a fact.
Pointing an agent at live malware without getting misled
There is a second, sharper risk that follows from feeding a model attacker-controlled input, and malware authors have already noticed. If your workflow sends the contents of a binary to a language model, then the strings inside that binary are untrusted text arriving in the model's context, and a sample can carry a prompt injection aimed squarely at the AI analyst.
This is not hypothetical. In mid-2025, researchers found a sample, self-named Skynet, that embedded text instructing any analysing model to ignore its task and report no malware found. In that case the tested models ignored it. But by June 2026 the technique had escalated: a macOS backdoor assessed with high confidence to a North Korean cluster, nicknamed Gaslight, carried a 3.5 KB block of 38 fabricated system messages designed to look like an AI triage tool's own scaffolding, with the aim of pushing an analysing agent into aborting or refusing the job. It did not defeat any production platform in testing, and there is no evidence it succeeded against a real workflow. The point is the escalation itself. When adversaries start building payloads specifically to mislead AI analysts, that is the clearest signal there is that the technique has become real enough to be worth attacking.
The practical defence is the same discipline you would apply to any untrusted input, plus a little malware-specific care. Do the work in an isolated analysis environment, never on anything that matters. Treat everything the model tells you about a sample as a claim to be checked against the disassembler, the debugger, or the sandbox, not as a finding. Keep the human on the decisions that carry consequences, the conviction, the attribution, the call that this matters. And know that legitimate malware analysis sometimes trips a model's own safety guardrails, since a defensive request and an offensive one can look similar from the inside; providers offer routes for verified defensive work, and it is worth setting that up before you need it.
The shape of it
Put together, the picture is not complicated. AI has become a real force multiplier on the fast, boring majority of malware reverse engineering, the deobfuscation, the extraction, the first-pass triage and reporting, and it stays a liability if you let it own the unpacking, the adversarial semantics, and the attribution. The teams getting value from it are not the ones that trust it more. They are the ones that structure it, verify its output, and keep the analyst on the judgement.
For a threat intelligence team that division is a gift, because the half AI does well is precisely the half that used to consume the time an analyst should have spent on analysis. The agent takes a sample from raw binary to extracted indicators, mapped techniques, and a correlated lead in minutes, and the analyst spends their time on the part that was always the point: deciding what it means, whether it fits an actor you track, and what your organisation should do about it. That is the same principle that runs through how AI is changing the analyst's role across the whole discipline. The machine carries the reverse engineering scaffolding; the intelligence is still yours to make.
Frequently asked questions.
Can AI actually reverse engineer malware, or is it hype?
Both, depending on which part of the job you mean. AI is genuinely strong at the mechanical majority of malware analysis: deobfuscating scripts, decrypting and extracting configuration and indicators, summarising unfamiliar functions, and drafting detections and ATT&CK mappings. Published work in 2025 and 2026 shows frontier models recovering a malware family's command-and-control config in under an hour and surfacing malicious files that traditional engines missed at scale. It remains weak at the hard part: unpacking multi-stage native code, reading deliberately misleading code correctly, and attribution. One of the most capable published autonomous systems missed close to three-quarters of genuinely hard real-world malware. So AI accelerates reverse engineering substantially, but it does not do it unattended, and treating a confident summary as a verified finding is the main way teams go wrong.
How do I connect Claude to Ghidra for reverse engineering?
The common free setup is GhidraMCP, a community MCP server that bridges Claude to a running Ghidra instance. You install the plugin into Ghidra, run the Python bridge it ships with, and register that bridge in your MCP client, such as Claude Desktop or Claude Code. Once connected, you open a sample in Ghidra and ask the agent questions in plain language; it decompiles functions, follows cross-references, proposes renames, and writes comments back into your database. IDA Pro users have an equivalent in ida-pro-mcp, and there are servers for Binary Ninja and radare2 as well. Ghidra 12 users who want a setup built for long analysis sessions can also look at ReVA, which is designed with many small tools to reduce hallucination.
How do I turn AI malware analysis into ATT&CK techniques and detections?
Treat the reverse engineering output as the input to an intelligence step rather than the end of the task. Once the agent has decompiled the sample and extracted its behaviours, have it map each observed behaviour, the persistence mechanism, the injection method, the C2 protocol, onto MITRE ATT&CK, then draft candidate detections from what it found. The important discipline is verification: an analyst confirms the mapped techniques and tests the detections against real telemetry before either is trusted, because a plausible-but-wrong mapping is easy for a model to produce. Structured CTI skills can standardise this step so every sample is processed the same way.
Is it safe to point an AI agent at a live malicious binary?
Only with the same care you would apply to detonating one. Two risks stack up. The obvious one is the malware itself, so all of this belongs in an isolated analysis environment, never on a production or sensitive machine. The subtler one is that the strings inside a binary are attacker-controlled text, and if your workflow feeds them to a model, a sample can carry a prompt injection aimed at the AI analyst; documented samples in 2025 and 2026 have embedded instructions designed to make an analysing model abort or under-report. Keep the model's role to producing claims you then verify in the disassembler, debugger, or sandbox, and keep a human on any decision that carries weight.
Which model is best for reverse engineering?
There is no single answer, and it moves month to month, so treat any ranking as perishable. What matters more than the specific model is the setup around it: a capable frontier model driving a real decompiler through MCP, with a verification step that checks its output rather than trusting it. Published systems have used models from several vendors successfully; a notable multi-agent malware-analysis system built in early 2026 ran on Claude models specifically because the workflow needed both a strong orchestrator and cheaper subagents. Pick a current, capable model, wire it to your tools properly, and put the effort into the verification scaffolding rather than the model choice. The same reasoning applies to security work more broadly, which we cover in our guide to where LLMs help in cybersecurity.
Can I run AI-assisted reverse engineering offline or on-premises?
Yes, and for a lot of malware work you should. Sensitive samples, customer data, and classified material often cannot leave the network, which rules out a cloud API. There are two routes. Locally run models, including some fine-tuned specifically on decompiler output, can drive the open tooling entirely offline, at some cost in capability compared with a frontier model. Alternatively, Binary Ninja's official Sidekick assistant offers a fully on-premises deployment for exactly this constraint. The trade-off is the usual one: a local model keeps everything in your control but is generally less capable than the best cloud model, so match the choice to how sensitive the sample is.
How does AI-assisted reverse engineering feed threat actor tracking?
This is where it pays off for an intelligence team. The indicators and technique profile the agent extracts from a sample only become intelligence when they are correlated against what you already know: does the C2 infrastructure overlap with a campaign you track, does the tradecraft match a group's known techniques, is this a new tool in a familiar actor's kit. An agent that reads each new sample against a maintained knowledge base of actors and campaigns turns isolated reverse engineering into a running picture, so a fresh binary becomes a datapoint in an ongoing investigation rather than a one-off. That correlation and the self-maintaining knowledge behind it is the part that is hard to do by hand and the reason a reverse engineering agent is most valuable as one specialist inside a larger agentic CTI workflow.


