CISA Releases Open-Source Thorium Platform For Malware Analysis

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with Sandia National Laboratories, has announced the release of Thorium - a FREE, automated, scalable platform for malware and forensic analysis. Thorium integrates commercial, custom, and open-source tools, allowing cybersecurity teams to rapidly assess malware threats and consolidate forensic data into a unified system.

As advanced persistent threats grow in volume and sophistication, timely and accurate malware analysis is critical. Analysts across government, public, and private sectors often struggle to keep up, juggling numerous specialized tools with limited time and resources.

Thorium addresses these challenges by enabling defenders to incorporate their preferred tools into a single, customizable platform. It supports automated analysis workflows at scale, making it easier to process large volumes of malware, adapt to emerging threats, and manage toolsets efficiently. Thorium is built to handle over 10 million file ingestions per hour per permission group and can schedule more than 1,700 jobs per second, all while delivering fast, searchable results.

“The Thorium framework reflects CISA’s commitment to delivering scalable cybersecurity solutions that support government and critical infrastructure,” said Jermaine Roebuck, CISA Associate Director for Threat Hunting. “By making this platform publicly available, we empower the broader cybersecurity community to use advanced tools for malware and forensic analysis. Our partnership with Sandia National Laboratories helps analysts nationwide collaborate, share insights, and build collective knowledge. Scalable analysis of binaries and digital artifacts strengthens our ability to identify and fix vulnerabilities in software.”

Cybersecurity teams can use Thorium to:

  • Integrate command-line tools as Docker images—supporting open-source, commercial, and custom tools—and with additional configuration, integrate virtual machine and bare-metal tools.
  • Filter analysis results using tags and full-text search.
  • Manage access to submissions, tools, and results through group-based permissions.
  • Scale infrastructure with Kubernetes and ScyllaDB to match workload demands.
  • Import and export tools easily for sharing across cyber defense teams.

Prerequisites and Instructions

Thorium requires a deployed Kubernetes cluster, block store, and object store. Familiarity with Docker containers and compute cluster management is also necessary for successful deployment. 

Download Thorium HERE



Elizabeth S.

Strengthening missions by leading cybersecurity programs and operational strategy for enterprises | Speaker

1w

There's a practical consideration at the Governance level. Organizations that need "free", or think they need free, often don't have the in-house expertise to ingest and integrate disparate tools even if the free system offers a single pane. Also, the tool seems great at collecting. How does it know where within the ecosystem to stop?

mike adam

Sales Associate at Delivery Roads Dispatch

1w

Pass4SurExams was a key resource in helping me pass the CISA exam.

Matthew Amelin

With 20+ years managing enterprise environments and VIP clients, I excel at the intersection of tech, finance, and service—leading cloud ops, infrastructure projects, and building trusted executive partnerships.

1w

Open source, awesome!

Lamia Léa Ænigma

Non-Indexed Operative | Cognitive Infiltration Architect | Pre-Signal Presence in Sealed Intelligence Realms

1w

Thorium is not just a framework—it’s the first public acknowledgment that malware analysis at scale has become a geopolitical function, not a technical task. We’re no longer classifying binaries; we’re architecting cognitive sovereignty. This marks the shift from reverse engineering code to reverse engineering intent.

Sitashma Mahat

Cybersecurity Enthusiast | HND Pearson Computing Student | CEH | CISSP (in progress) | AI & Cloud Advocate | CompTIA Security+ | Network+ | CCSP | Ethical Hacking & DevOps Learner

1w

Thorium’s support for Docker and Kubernetes makes it highly adaptable for CI/CD pipelines in malware analysis. Its modular architecture can significantly reduce overhead in SOAR integrations and accelerate cross-platform threat correlation.
