Chapter Abstract:
This chapter presents effective steps that readers can use to identify and understand malware in support of incident response. There are many online services that offer free analysis of malware samples and provide automated reports regarding the behavior of the sample. They also maintain databases compiled from thousands of other samples analyzed, threat intelligence and reputation feeds, antivirus signatures, and other sources of data to provide context around the behaviors and indicators observed in the sample. If the sample is considered too sensitive to use third‐party systems, people can perform their own analysis internally. The chapter explains the primary methods to do so: static analysis, dynamic analysis, and reverse engineering. Building and using automated sandboxes and malware analysis platforms will enable people to understand the malware they encounter and take appropriate investigative and preventive actions.
Page(s): 277 - 309
Copyright Year: 2020
Edition: 1
ISBN Information: