CISA Launches New Open-Source Thorium Tool to Streamline Malware Analysis

Thorium aims to simplify and accelerate malware analysis through automation, scalability, and unified tooling.


Key Takeaways:

  • CISA has launched an open-source platform, Thorium, to modernize malware analysis.
  • It integrates diverse tools into one scalable system for faster, more efficient threat response.
  • Thorium supports automation, advanced filtering, and secure team collaboration.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched Thorium, a new open-source malware analysis platform. Thorium is designed to streamline threat investigations by unifying a wide array of analysis tools into one customizable, scalable system, so that security teams can analyze malware faster and with less manual effort.

The problem with traditional malware analysis

Security teams often work with a fragmented set of tools that must be coordinated by hand, which slows down malware analysis and forensic investigations. Traditional workflows are also time-consuming and do not scale, which makes it difficult to process large volumes of samples efficiently. Searching through results is tedious without advanced filtering, and managing access across teams adds further complexity.

How does Thorium streamline cyber threat investigations?

CISA collaborated with the Department of Energy’s Sandia National Laboratories to develop Thorium as an open-source malware analysis and forensics platform. It integrates a wide range of tools (commercial, open-source, and custom) into a unified system by packaging them as Docker containers, which lets security teams run complex, multi-tool workflows without coordinating each step manually. According to CISA, the platform can ingest millions of files per hour and schedule well over a thousand jobs per second, which makes it suitable for large-scale environments.

Thorium allows security teams to respond to threats faster and more effectively. Its event-driven automation, advanced filtering, and group-based permissions suit it to the demands of modern security operations.

“Designed to scale with hardware using Kubernetes and ScyllaDB, Thorium can ingest over 10 million files per hour per permission group while maintaining rapid query performance. It also allows users to define event triggers and tool execution sequences, control the platform via RESTful API, and aggregate outputs for further analysis or integration with downstream processes,” CISA explained.

According to CISA, Thorium supports importing and exporting tool definitions so they can be shared across defensive teams, and it allows advanced filtering of results using tags and full-text search. Access control is managed through group-based permissions, so that teams can collaborate on analysis without exposing each other’s data. Because it scales horizontally on Kubernetes and ScyllaDB, the platform can handle high-volume workloads and grow with operational demand.

How do you get started with Thorium?

Security teams can obtain Thorium directly from CISA’s official GitHub repository. Before deploying it, an organization needs a Kubernetes cluster plus both block storage and object storage, which Thorium’s scalable architecture relies on for its database and sample storage respectively.

CISA has also recently released the Eviction Strategies tool to help cybersecurity teams during the containment and eviction phases of incident response. It consists of two main components (Playbook-NG and COUN7ER) that let security teams quickly generate customized eviction plans for removing threat actors from compromised environments.