AI Binary Analysis: Agentic Reverse Engineering, Decompilation, and Malware Triage
Quick Answer
AI binary analysis covers the use of LLMs and LLM agents to recover the behavior, structure, and intent of compiled software. This topic gathers the richards.ai cluster on the subject — the survey paper, explainers on assistive and agentic modes, glossary entries for the core vocabulary, an operational hardening checklist, an executive brief, and a working tool. The page offers reading paths for researchers, practitioners, and security leaders.
AI binary analysis covers the shift from LLM-assisted decompiler summarization to tool-grounded agents that plan, call tools, observe results, and revise their hypotheses. This cluster gathers the richards.ai material on the subject, anchored by the state-of-the-art survey of architecture, benchmarks, and failure modes. Some operational detail in linked artifacts is held back under yellow-level redaction.
What this topic covers
Both modes of AI-driven reverse engineering belong here: assistive LLM use (decompiler summarization, function naming, hypothesis generation) and agentic systems that close a reasoning–action–observation loop over disassemblers, debuggers, sandboxes, and symbolic tools. In-scope material includes agent architecture, decompilation models, benchmarks (BinMetric, AgentRE-Bench, CREBench, FORGE), failure modes, and platform hardening. Out-of-scope: general malware tradecraft, exploit development, and vendor product comparisons.
How to read this page
The survey paper gives the landscape. The two explainers split the practice in half — read the agentic explainer for tool-using systems, and the LLM-assisted companion for the simpler one-pass mode. The glossary entries define the working vocabulary (agentic RE, feedback-driven execution, chain of evidence) and are useful as citations from adjacent work. Platform owners deploying these systems should pair the explainers with the hardening checklist; CISOs scoping the capability should read the executive brief; engineers wanting a worked example should look at Project Lupine.
Where this topic sits
This is a sibling cluster to agentic AI security. Agentic RE inherits the general agentic-AI failure surface — prompt injection from attacker-controlled binary strings, tool hijacking, excessive agency — and adds binary-specific failure modes around obfuscation, anti-analysis, and dynamic-analysis brittleness. Readers tracking the broader research program can browse the rest of the topics index for adjacent clusters on agent architecture, evaluation, and defense.
Papers
1 member
Learn
2 members
What Is Agentic Binary Reverse Engineering? Architecture, State of the Art, and Failure Modes
Agentic binary reverse engineering is an execution architecture, not a model. An LLM-driven loop plans, calls reverse-engineering tools…
Note: Primary explainer for the agentic shift — tool use, feedback loops, evidence preservation. Start here if you are new to agent-based RE.
LLM-Assisted Malware Reverse Engineering: What Works and Where the Risks Are
LLM-assisted malware reverse engineering uses a language model as a copilot inside Ghidra or IDA to translate decompiled code into…
Note: Companion explainer for the assistive (non-agentic) mode. Read alongside the agentic explainer to see both sides of the practice.
Glossary
3 members
Agentic Binary Reverse Engineering
Agentic binary reverse engineering is the practice of using an LLM-driven system that plans, invokes reverse-engineering tools (Ghidra,…
Note: Canonical one-paragraph definition of the practice. Cite this when introducing the term in adjacent work.
Feedback-Driven Execution
Feedback-driven execution is an agent-architecture pattern in which an LLM iteratively reasons about partial evidence, calls a tool,…
Note: The reasoning–action–observation loop (per FORGE) that distinguishes agentic RE from one-pass LLM analysis.
Chain of Evidence
In agentic binary reverse engineering, a chain of evidence is a structured, machine-readable record that binds every claim an RE agent…
Note: The evidence-preservation pattern (per Project Ire) that makes agent reports auditable rather than plausible-sounding.