Description

Agentic reverse engineering blends interactive reversing with autonomous agent workflows. Building on last year’s RECON workshop on MCP‑based Ghidra integration, this session introduces Agent Skills - structured bundles of instructions, scripts, and resources that coding agents can discover and execute. Skills introduce workflow capture and progressive disclosure, enabling agents to perform complex RE tasks with far less context overhead.

Participants will learn how coding agents operate through iterative loops (generate → execute → inspect → refine) and how Skills plug directly into these loops to automate analysis. The workshop emphasizes practical application: attendees will build a multi‑platform driver‑analysis Skill that supports IOCTL enumeration, platform‑specific dispatch‑flow analysis (Windows IRPs, Linux file operations, macOS IOKit user‑client methods), code‑flow analysis, and reproducible workflow capture.

Learning Objectives

By the end of this workshop, participants will be able to:

• Understand the Agent Skills framework and how it extends MCP concepts
• Build custom reverse‑engineering Skills using coding agents
• Create interactive, agent‑driven workflows for multi‑platform driver analysis
• Implement progressive disclosure to reduce context size and improve agent performance
• Capture expert RE heuristics and encode them into reusable Skills
• Integrate Skills with existing RE tools and workflows

Outline

1. Foundations of Agentic Reverse Engineering

• Skills framework vs. MCP
• Coding agent capabilities (Claude Code, OpenCode, Mistral Vibe)
• Environment setup
• Workflow capture and progressive disclosure
• How Skills integrate into agent loops

2. Skill Building: Architecture, Workflows, and Iteration

• Designing RE Skill architecture and folder structure
• Implementing analysis workflows
• Adding domain knowledge, heuristics, and resources
• Designing structured output schemas
• Testing and validating Skills
• Improving agent performance and reducing unnecessary context

3. Hands‑On Build: Driver Analysis Skill

• Multi‑platform driver analysis: Windows .sys, macOS .kext, Linux modules
• IOCTL enumeration and mapping
• Dispatch‑flow analysis (IRPs, file ops, IOKit)
• Code‑flow analysis using callgraphs and xrefs
• Applying workflow capture in a real Skill
• Scaffolding and integrating Skill components

4. Interactive RE with Agent Automation

• Combining manual reversing with agentic automation
• Offloading repetitive tasks and validating hypotheses

5. Extending and Iterating Skills

• Adding workflows, tests, and examples
• Integrating tutorials, blog posts, and prior research
• Strategies for long‑term Skill evolution

6. Wrap‑Up

• Review of completed Skill
• Next steps for building agentic RE automation

Requirements

Participants must bring a laptop capable of running at least one of:

• OpenCode: https://opencode.ai/docs/
• Mistral Vibe: https://github.com/mistralai/mistral-vibe
• Claude Code: https://code.claude.com/docs/en/overview

Additional requirements:

• Ability to git clone workshop materials
• Basic familiarity with reverse engineering concepts

Prior Work / References

• Offensive Security Tool Development with Ghidra & MCP (RECON 2025) - https://www.clearseclabs.com/blog/offensive-security-tool-development-with-ghidra-recon-2025

• Supercharging Ghidra: Build Your Own Private Local LLM RE Stack (Ringzer0 2025) - https://www.clearseclabs.com/blog/supercharging-ghidra-re-llms-ringzer0-countermeasure-2025

• Agent Skills specification
  https://agentskills.io/home

Target Audience

This workshop is designed for:
- Reverse engineers looking to automate their workflows
- Security researchers interested in AI-assisted analysis
- Tool developers wanting to understand agentic AI capabilities
- Anyone who attended last year's MCP workshop and wants to explore the next evolution