
Jacob Gajek
Principal Security Researcher
eSentire
About
Jacob Gajek is Principal Security Researcher at eSentire with 25 years of experience spanning software development, network engineering, advanced security research, malware analysis, and incident response. His current work focuses on endpoint defense, kernel-level reverse engineering, and AI-driven security automation.
Sessions
Reverse Engineering EDR Kernel Drivers with AI
What you will learn:
Production EDR kernel drivers represent the ultimate endpoint security boundary, yet their complexity—often exceeding 5 MB of opaque code—renders systematic manual reverse engineering impractical. This talk introduces an agentic AI workflow that fundamentally shifts the economics of kernel analysis by leveraging Cursor IDE and the Model Context Protocol (MCP) to automate the mechanical burden of IDA Pro-based reverse engineering. We will demonstrate a repeatable, phase-based methodology—covering PE triage, IOCTL surface enumeration, and automated documentation—that has successfully mapped thousands of functions across multiple production EDR stacks. Attendees will gain a transferable framework for rapidly identifying BYOVD-relevant attack surfaces and validating security trust boundaries, moving beyond vendor marketing claims to empirical, AI-assisted analysis of the security tools they rely on daily.