Malware Instrumentation: Application to Regin Analysis
The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering. An introduction to the Regin development framework is provided along with instrumentation guidelines. Such instrumentation enables experimentation with malware modules, so analysis can directly leverage the malware's own code without the need to program an analysis toolkit. As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally, conclusions from different perspectives are provided: defense, attack and counterintelligence.