The job market for malware analysts is booming. The US Bureau of Labor Statistics says these roles will grow 33% by 2030, which is significantly more than the 8% average median growth rate for other industries. Finding the right talent is tough — it’s a highly competitive market.
Here at ANY.RUN sandbox, our hiring approach results from the lessons we learned when building our own team. In this article, we’ll share some of our methods to help you with your own talent hunting.
What do malware analysts do in a company?
Malware analysts play a specialized role that intersects with various functions within a cybersecurity team. Their day-to-day responsibilities range from dissecting malware to identifying threat vectors. They work closely with incident responders, threat hunters, and even compliance officers.
The day-to-day tasks of a malware analyst may include:
- Malware reverse engineering: They dissect malicious software to understand its behavior, functionality, and origin.
- IOC extraction: Identify Indicators of Compromise (IOCs) to update threat feeds and fortify defenses.
- Threat intelligence sharing: Coordinate with internal and external teams to share crucial information about emerging threats.
- Incident response: Contribute key data to help the incident response team act more effectively during a security event.
- Compliance reporting: Assist in fulfilling regulatory requirements by providing data and insights on malware threats.
As you can see, malware analysts juggle a range of tasks that touch various parts of the cybersecurity framework. Their work is integral to threat identification, response coordination, and even regulatory compliance.
Why are good malware analysts hard to find?
To effectively handle the responsibilities listed above, malware analysts must possess a broad set of skills, including but not limited to:
- Technical proficiency: Mastery of disassemblers and debuggers like IDA Pro or OllyDbg.
- Analytical thinking: Skill in evaluating both static and dynamic malware analysis results.
- Cybersecurity fundamentals: Strong understanding of how malware affects operating systems and network protocols.
- Reverse engineering: Ability to reverse-engineer malware binaries to understand their operation and intent.
- Scripting: Proficiency in scripting languages such as Python for automation of analysis tasks.
- Soft skills: Teamwork and communication are essential when coordinating with other departments or external agencies.
Each skill on this list is a specialized field in itself. Scripting, for example, is a full-fledged profession that takes years to master. The same goes for reverse engineering and networking. That’s why finding an analyst who excels in all these areas is a tall order.
5 steps to hiring the right malware analyst
With over 7 years of experience in cybersecurity talent hunting at ANY.RUN, we now have a process that gives a consistently high interview success rate and analyst retention. Here’s how we approach hiring:
1. Creating an employee profile
Building an employee profile helps us zero in on exactly what kind of specialist we are looking for. We start by listing hard skills — this helps us to make it clear what’s non-negotiable for the role.
Creating a list of hard skills: These could be skills like “reverse engineering” or “Python scripting,” depending on the role’s needs. For instance, if a vacancy requires reversers more than researchers, the list should reflect that. We prioritize candidates who match most of these skills during the selection process.
Soft skills: After identifying the hard skills, we’ll have a picture of an ideal, albeit robotic, analyst. To find a human fit, we add traits like teamwork or communication to the list — this helps us visualize the candidate not just as a worker but as a person who would fit on the team.
We’ve compiled this table of hard and soft skills for malware analysts. Feel free to draw inspiration from it when crafting your own employee profile:
|Hard Skills||Soft Skills|
|Python scripting||Ability to work in a team|
|Data pattern recognition||Problem-solving|
|Dynamic analysis||Curiosity and desire to learn|
|Windows operating systems|
|Linux operating systems|
|Writing YARA and Sigma rules|
|Intrusion detection with Suricata|
|Python, Bash, and PowerShell scripting|
What should you do if a candidate looks promising but their skills don’t align with current company needs? We recommend closely matching skills with existing job tags for startups in a growth phase. Enterprises, however, are a different story. For companies with robust HR resources and room for lateral moves, it may be more beneficial to consider all applications. You can always train for missing hard or soft skills later, especially if the candidate may switch roles within the cybersecurity department.
2. Candidate shortlisting
After creating the list of hard skills, we use it to screen the initial pool of candidates. At this stage, we focus on how closely their skill set matches the hard skills we’ve listed. We leave the evaluation of soft skills for later.
During the initial screening process, we watch out for several red flags:
- Significant gaps in employment: If the CV shows large gaps without work, it can be a concern.
- Many unfinished projects: For example, it’s worth noting if education is started but not completed.
- Limited educational background: Be wary if all education comes from short courses lacking practical application.
Mind you, red flags don’t automatically disqualify a candidate. Everyone’s circumstances are different. Nevertheless, they should be a reason to push candidates toward the bottom of the list — this filtering method helps us focus on likely hires first and work through interviews efficiently.
All selected candidates are invited to attend an in-person or an online interview — depending on their location.
- Some companies prefer to clearly separate interviews into general and technical ones.
- In others, the division is not so formal, and the stages are mixed.
We find that both approaches are valid — the choice may depend on the style of each hiring manager and existing HR processes.
Preparation is key
Before the interview, we review the CV to spot gaps or inconsistencies. We also reevaluate the company policies and tech stack to ensure that there’s no ambiguity on what we can discuss under NDA. We formulate a list of questions that pinpoint essential software skills and plan if there will be technical tests or other milestones.
Every interview is different, and we design the steps based on individual CVs. For example, if a candidate seems to lack experience, we might include more stages involving a practical challenge.
During the interview, we focus on:
- Gauging interest: We might ask progressively deepening technical questions to understand If the candidate is genuinely interested in malware analysis. Look out not only for their level of knowledge but also their reaction — are they excited about the topic or answering robotically?
- Technical skills: For example, if they’ve only worked with one framework or technology, like the MITRE matrix, but not alternatives, it’s a red flag — it shows a lack of curiosity and watchfulness.
- Adaptability: We like it when a candidate shows a desire to automate and improve workflows. This trait is especially valuable in dynamic settings like startups, where we always search for ways to optimize processes. However, for more static work environments, it can be a con.
4. Post-interview evaluation
After the interview, we tend to consolidate our thoughts quickly while details of the conversation are still fresh in the mind. Our experience shows that it is important to trust your gut feeling about the candidate — if the conversation is awkward or tense, chances are the working relationship will be too.
Being a good human helps to be a good hiring manager. Technical glitches like a broken camera shouldn’t be an immediate deal-breaker. If we have reservations about their technical skills, we administer a follow-up test. Also, we always provide feedback and communicate clearly about the next steps to keep the process transparent and respectful — and it doesn’t matter whether they’ve passed the screening process or not.
Similarly, if the candidate lacks in some areas but excels in interpersonal skills during the interview, we always consider giving them a chance to grow. Skills can be taught, but cultural fit is hard to change.
5. The final stage: onboarding
Once you’ve hired your malware analyst, the onboarding process becomes the next critical step. A well-executed onboarding plan accelerates productivity and fosters a positive work environment.
Encourage your new hire to ask questions. The more they ask, the quicker they’ll become a valuable asset to your team. Make it your mission to arm them with all necessary information, access, and tools right from the start.
Where to find malware analysts
We prefer not just to source talent from listing sites. In our experience, proactive analysts often attend professional events and are active in the community. Successful hires can come from:
- Universities: Educational institutions run regular internship programs, producing capable junior-level candidates.
- CTFs and conferences: We participate in these events ourselves and sometimes scout individuals who excel at exercises.
- Online forums and communities: Platforms like Reddit’s r/cybersecurity and Stack Exchange’s Information Security are good places to augment your search.
- Industry networking events: Local cybersecurity meetups attract professionals actively involved in the cybersecurity landscape.
How to budget for malware analyst’s salaries
When budgeting for a malware analyst role, it’s important to consider salary variances across different regions.
For example, median salaries in the US are typically higher than those in Europe, and if you have an international team, you might consider tapping into those global talent pools.
Here’s how much you can expect to pay for a middle-grade analyst across different regions, according to Glassdoor:
Finding a successful hire depends on the right approach to interview strategy, managing expectations of potential candidates, and knowing when and where they job-hunt.
Hiring malware analysts can be difficult due to role complexity: Malware analysts tackle various tasks, from malware reverse engineering to incident response. They need a broad skill set, including mastery of specific tools, scripting languages, and a variety of soft skills.
You can increase your success rate with the right screening and interview strategy: Watch out for inconsistencies or gaps in CVs. Interviews should probe not just technical aptitude but also a candidate’s engagement with the subject and company fit.
Look beyond job boards and listings: You can have a higher success rate by sourcing talent from communities, CTFs, and local meetups — places that bring together highly involved and proactive professionals.
A few words about us
ANY.RUN is a cloud malware sandbox that helps malware researchers, SOC, and DFIR teams better understand the behavior of malicious and suspicious objects. Our goal is to make dynamic analysis more engaging and approachable while providing faster access to research findings. Every day, 300,000 professionals use our platform for malware research, incident investigation, and digital forensics.
Request a demo today and enjoy 14 days of free access to our Enterprise plan.