CISA released Thorium platform to support malware and forensic analysis


Pierluigi Paganini
August 01, 2025

CISA releases Thorium, an open-source tool for malware and forensic analysis, now available to analysts in government, public, and private sectors.

CISA has released Thorium, a new open-source platform designed to support malware and forensic analysis.

The platform was designed in collaboration with Sandia National Laboratories, and the US agency presents it as a scalable, open-source platform for automated file analysis and result aggregation. The tool aims to boost malware analysis, digital forensics, and incident response. Thorium integrates commercial, open-source, and custom tools within a unified system, enabling cybersecurity teams to automate workflows, analyze complex threats, and manage large-scale data efficiently. Users can run tools as Docker images, tag and search results, and enforce access controls with group-based permissions. Thorium lets analysts across sectors streamline and scale their threat assessment operations.

“Today, CISA, in partnership with Sandia National Laboratories, announced the public availability of Thorium, a scalable and distributed platform for automated file analysis and result aggregation.” reads the press release published by the U.S. Cybersecurity and Infrastructure Security Agency. “Designed to scale with hardware using Kubernetes and ScyllaDB, Thorium can ingest over 10 million files per hour per permission group while maintaining rapid query performance.”

Thorium offers full control through a RESTful API and can be accessed via web browser or command-line utility for quick and flexible use. Thorium is built for high scalability, leveraging Kubernetes for orchestration and ScyllaDB for high-performance data handling. Right out of the box, it can ingest over 10 million files per hour per permission group and schedule more than 1,700 jobs per second. This design ensures that even under heavy workloads, Thorium maintains rapid job scheduling and fast result querying, making it suitable for large-scale malware analysis and forensic operations. As needs grow, teams can scale Thorium horizontally with additional hardware to meet increasing demands without performance degradation.
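The two paragraphs above describe a results store in which tool output is attached to submitted files, results carry searchable tags, and every query is scoped by permission group. The following is an added illustration of that design, not Thorium's own code or API: the classes and method names (Store, Result, ingest, attach_result, search) are hypothetical, the sample bytes and tool outputs are constructed, and the point it makes is that the group filter is applied before any tag matching, so a user never learns that a tagged sample exists in a group they do not belong to.

```python
"""Minimal in-memory model of a group-scoped, taggable analysis-result store.

Added illustration only; not Thorium's code or API. All names are hypothetical
and all sample data is constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Result:
    tool: str                       # name of the tool that produced the result
    data: dict                      # parsed tool output (constructed sample data)
    tags: set = field(default_factory=set)


@dataclass
class Sample:
    sha256: str
    group: str                      # permission group that owns this submission
    results: list = field(default_factory=list)


class Store:
    """Samples are partitioned per permission group; users see only their groups."""

    def __init__(self):
        self.samples: dict = {}          # "group:sha256" -> Sample
        self.user_groups: dict = {}      # user -> set of group names

    def add_user(self, user: str, groups: set) -> None:
        self.user_groups[user] = set(groups)

    def ingest(self, user: str, group: str, content: bytes) -> str:
        # A user may only submit into a group they belong to.
        if group not in self.user_groups.get(user, set()):
            raise PermissionError(f"{user} is not in group {group}")
        digest = hashlib.sha256(content).hexdigest()
        # The same file submitted to two groups yields two independent records,
        # which is what "per permission group" partitioning implies.
        self.samples.setdefault(f"{group}:{digest}", Sample(digest, group))
        return digest

    def attach_result(self, group: str, sha256: str, result: Result) -> None:
        self.samples[f"{group}:{sha256}"].results.append(result)

    def search(self, user: str, tag: str) -> list:
        """Return the sha256 digests visible to `user` that carry `tag`."""
        visible = self.user_groups.get(user, set())
        hits = set()
        for sample in self.samples.values():
            if sample.group not in visible:
                continue                 # group filter first, then tag matching
            if any(tag in r.tags for r in sample.results):
                hits.add(sample.sha256)
        return sorted(hits)


def demo():
    """Build a small store with two groups and overlapping membership."""
    store = Store()
    store.add_user("alice", {"ir-team"})
    store.add_user("bob", {"research"})
    store.add_user("carol", {"ir-team", "research"})
    # Constructed bytes standing in for uploaded files.
    h1 = store.ingest("alice", "ir-team", b"MZ\x90\x00 constructed sample 1")
    h2 = store.ingest("bob", "research", b"constructed sample 2")
    # Constructed tool outputs, as if produced by containerised analysis tools.
    store.attach_result("ir-team", h1, Result("strings", {"count": 12}, {"pe", "packed"}))
    store.attach_result("research", h2, Result("yara", {"rules": ["demo"]}, {"packed"}))
    return store, h1, h2


if __name__ == "__main__":
    s, a, b = demo()
    for who in ("alice", "bob", "carol"):
        print(who, "packed ->", s.search(who, "packed"))
```

Running the module shows that alice and bob each see only their own "packed" hit while carol, a member of both groups, sees both; a submission by bob into ir-team is refused with PermissionError.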

Thorium use cases include:

  • Tool Testing: Benchmark and troubleshoot tools at scale.
  • Malware Analysis: Automate static/dynamic analysis and trigger follow-up actions.
  • Host Forensics: Process artifacts like memory or disk images for faster insights.

In April 2024, the Cybersecurity and Infrastructure Security Agency released a malware analysis system, called Malware Next-Gen, which allows any organization to submit malware samples and other suspicious artifacts for analysis.
