Teaching malware analysis where it matters most
We believe effective incident response starts with fundamentals, especially when time is limited and pressure is high. That’s why we’re proud to shine a spotlight on some of the great work being done by Lauren Pearce, our Global Head of Digital Forensics and Incident Response (DFIR).
In her ongoing role as a malware analysis instructor at Cyber Fire, a hands-on incident response training program hosted by the U.S. Department of Energy (DOE), Lauren is helping equip the next generation of critical infrastructure defenders with practical, real-world malware analysis skills.
Cyber Fire brings together practitioners from across the DOE National Laboratory system to deliver lab-driven, investigation-focused training to government employees and critical infrastructure defenders. The program emphasizes fundamentals, creativity, and problem-solving under pressure, the same skills required during real-world incidents.
Making malware analysis accessible (not easy)
Lauren teaches the Malware Analysis track, a course designed to make deeply technical material accessible to professionals from a wide range of backgrounds, giving them the confidence to analyze malicious code in an incident response context.
The class is roughly half lecture and half hands-on lab, covering topics like:
- Windows Internals
- Common malware techniques
- x86/x64 assembly fundamentals
- Debugging and reversing binaries
Concepts are demonstrated using real malware samples, while student labs focus on a safe, instructor-written binary designed to teach reversing techniques without risk. The emphasis is not on academic perfection, but on extracting actionable intelligence quickly, an essential skill in incident response.
Lauren originally built this curriculum in 2015 while working as a malware analyst on the incident response team at Los Alamos National Laboratory. She managed and evolved the course there until she left in 2021 and has continued returning twice a year as an instructor. The content has since undergone a major refresh, keeping pace with modern threats and tooling. Cyber Fire has been a part of her career for a decade and remains a highlight each year.
The hard part (yes, it’s assembly)
Without question, the most challenging part of the course is the assembly lecture on Day 2.
Assembly language is not glamorous, and there’s no shortcut around it when learning to reverse engineer binaries. While the instructor team has experimented with countless approaches over the years, it remains a necessarily dry, but foundational, skill.
Many participants arrive convinced they’re ‘not technical enough’ for malware analysis. Day 1 frequently includes reassurance and encouragement not to switch tracks before Day 2. For those who stay, the payoff is real. By the end of the week, students are extracting indicators of compromise, analyzing malware behavior, and stepping through binaries in a debugger, tasks they initially believed were far beyond their reach.
One of the most rewarding moments is watching a student solve their first ‘crackme’: methodically debugging through a binary and pulling out a secret key.
Another hallmark of the course is the high number of repeat students. Some participants come back two or even three times. The course is designed with the understanding that students absorb what they’re ready for. As their experience grows, the same material continues to deliver deeper value.
Why this work matters
Cyber Fire brings together cybersecurity professionals from across the country, from large federal agencies to small rural utilities, all focused on defending systems critical to national security and public safety.
The adversaries targeting U.S. critical infrastructure are sophisticated and persistent. High-quality, practitioner-led training remains one of the most effective ways to stay ahead.
We value hands-on experience grounded in real incident response, and we’re proud to share our expertise to support work that strengthens the broader defender community.
Join us at Cyber Fire Foundry 2026-1
Registration is open for Cyber Fire Foundry 2026-1, which takes place April 20–24, 2026, in La Jolla, California.
Cyber Fire is a U.S. Department of Energy–sponsored, no-cost cybersecurity training program for U.S. federal, state, local, tribal, and territorial employees and contractors, as well as those working in critical infrastructure (as defined by DHS).
Tracks include:
- Network Archaeology
- Host Forensics
- Malware Analysis
- Incident Coordination
- Entry Point
- Operational Technology
🔗 More information and registration: