Key Takeaways:
- CISA has publicly released Thorium, an open-source malware analysis and digital forensics platform developed with Sandia National Laboratories.
- Thorium supports over 10 million file ingestions per hour per permission group and more than 1,700 analysis jobs per second.
- The platform centralizes disparate analysis tools and scales workflows using Kubernetes, ScyllaDB, and a modular plugin model.
- Security teams can integrate commercial, open-source, and custom tools, use full-text search, and apply strict group-level access controls.
- CISA is inviting the cybersecurity community to contribute to Thorium’s GitHub repository and extend its capabilities.
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with Sandia National Laboratories, has released Thorium, a new open-source platform that aims to redefine how organizations conduct malware analysis and digital forensics at scale. Built to support high-throughput analysis in modern security environments, Thorium integrates seamlessly with both existing and custom tools to automate malware detection, analysis, and remediation.
The platform is now available on GitHub, making it accessible to security teams in government, private industry, academia, and research communities. CISA’s move to open-source the system reflects a growing emphasis on collaborative defense and tooling transparency in national cybersecurity strategy.
Designed for Modern Malware Volume
The threat landscape has evolved. Malware variants number in the millions, and their distribution tactics—from phishing attachments to cloud-resident payloads—require response teams to process massive volumes of suspicious files daily. Traditional malware analysis workflows often buckle under this volume, relying on a mix of siloed tools, manual scripting, and inconsistent documentation.
Thorium aims to change that. It supports automated workflows that can analyze over 10 million files per hour per group and execute more than 1,700 analysis jobs per second. The system is architected to ingest these files, push them through user-defined analysis pipelines, and return normalized, searchable results within minutes.
This shift from manual triage to automated orchestration is critical for national CERTs, enterprise SOCs, incident response providers, and cyber threat intelligence teams who need consistent scale and speed.
Plug-and-Play Tool Integration
One of Thorium’s most valuable design elements is its flexibility. Security teams can deploy workflows using Docker containers, virtual machines, or bare-metal executables. This means teams do not need to abandon their preferred tools—instead, they can containerize them and plug them into Thorium’s processing pipeline.
Users can define a series of modular steps—such as static file analysis, dynamic sandboxing, hash verification, unpacking, or signature detection—and apply them across batches of samples. Each step in the workflow can be monitored, scaled independently, and customized for different security contexts.
The system includes role-based access controls and group-level workspaces, enabling organizations to isolate workflows by department, clearance level, or investigative focus. Analysts can tag data, search past results using full-text or metadata queries, and export results to downstream systems.
Built for Scale with Kubernetes and ScyllaDB
Under the hood, Thorium runs on Kubernetes for orchestrating containerized jobs and leverages ScyllaDB as a high-performance, scalable NoSQL database. This infrastructure allows the platform to support elastic scaling across commodity or cloud hardware, adapting to high-volume needs during incident surges or red team exercises.
A RESTful API enables integration with SIEMs, case management tools, and orchestration platforms. As a result, Thorium doesn’t just offer a standalone capability—it can become a modular engine in a broader security operations architecture.
Use Cases Across Sectors
While initially developed for use by government agencies and national labs, Thorium has broader applications across industries:
- Enterprises can automate malware triage and correlate results across business units.
- Incident responders can scale forensics operations in ransomware or data breach scenarios.
- Academia and research groups can test hypotheses about malware evolution or build new analysis modules.
- National security organizations can deploy it internally or share standardized workflows across trusted partners.
Jermaine Roebuck, Associate Director at CISA, emphasized the platform’s role in enabling collective defense. “Thorium is more than a tool—it’s a community-driven platform for shared malware analysis and threat discovery. We’re encouraging teams to contribute and make this stronger together.”
Encouraging Contributions from the Community
Thorium’s release marks a shift in how federal tools are being shared with the public. Rather than providing compiled binaries or closed-access systems, CISA is inviting the community to fork, modify, and extend the platform. The goal is to allow defenders at every level to tailor the system to their unique needs, while contributing improvements back to a shared resource pool.
Documentation and sample workflows are included in the GitHub repository, and future updates will include training modules and integration blueprints. CISA’s long-term vision includes using Thorium to drive new standards for automated analysis while strengthening collaboration between public and private sectors.
Strategic Implications
As the cybersecurity threat environment becomes more automated, scalable, and AI-driven, defenders need tools that can match adversary speed without sacrificing visibility. Thorium delivers on that need by:
- Removing the friction of managing dozens of siloed tools.
- Enabling consistent workflows that scale horizontally.
- Centralizing malware analysis into a search-friendly, API-accessible environment.
- Supporting modular deployments that suit any environment—from air-gapped labs to cloud-native SOCs.
While its open-source nature provides transparency, the platform’s extensibility is what will likely make it a mainstay for advanced security teams over time.
Learn how AI Agents can supercharge your company’s profits and productivity at TMC’s AI Agent Event, Sept 29-30, 2025 in DC.
If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 10-12, 2026 Fort Lauderdale, Florida.
Don’t forget the collocated MSP Expo – just for managed service providers!
Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.
The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing






