CISA Unleashes Thorium: A Powerful New Platform for Automated Malware & Forensic Analysis at Scale
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced the public release of Thorium—a powerful analytical platform tailored for experts in digital forensics and malware analysis.
Developed in collaboration with the Los Alamos and Sandia National Laboratories, the platform is aimed at analysts across government agencies, private enterprises, and academic institutions who need a fast, scalable tool to automate cyberattack investigations.
Thorium's architecture can execute over 1,700 tasks per second and process up to 10 million files per hour per authorized group. With built-in Kubernetes orchestration and a distributed ScyllaDB backend, the platform scales to demanding workloads, including large-scale analysis of suspicious artifacts.
Designed around the realities of incident response, Thorium can integrate virtually any analysis tool, from open-source solutions and proprietary CLI utilities to custom Dockerized scripts. Built-in tagging and full-text search allow rapid filtering of results, while a group-based access control model keeps each group's data isolated from the others.
Special emphasis was placed on collaborative tool sharing: Thorium supports the import and export of even complex processing pipelines, streamlining the dissemination of effective practices across teams and institutions. The platform accommodates automated workflows for binary analysis, incident response, and forensic investigations.
According to Jermaine Roebuck, CISA’s Deputy Director of Threat Hunting, the open release of Thorium equips professionals with a powerful instrument for deep automation of digital artifact analysis, including potentially malicious software. This, in turn, enhances the detection of hidden vulnerabilities in seemingly secure applications.
Coinciding with this announcement, CISA also introduced the Eviction Strategies Tool—a utility designed to facilitate coordinated removal of adversaries from compromised networks and systems. It offers strategic guidance during incident response, assisting teams in containing and eradicating threats while minimizing the risk of re-intrusion.
Last year, the agency unveiled Malware Next-Gen, a system for submitting malware samples for advanced analysis. Before that, CISA launched a free vulnerability scanning program for critical infrastructure, strengthening protection of the nation’s most sensitive digital assets.
Thorium now stands as a natural extension of these initiatives, offering the cybersecurity community a versatile framework for unifying and automating defense tools across all operational tiers.