CISA has open-sourced a new cybersecurity tool called Thorium – capable of ingesting thousands of files per second for malware analysis.
Thorium is a file analysis and data platform for cyber incident response, triage, and file analysis in sandboxed environments. Users can upload potentially malicious files and run analysis on them via Web UI or CLI.
“Designed to scale with hardware using Kubernetes and ScyllaDB, Thorium can ingest over 10 million files per hour per permission group while maintaining rapid query performance. It also allows users to define event triggers and tool execution sequences, control the platform via RESTful API, and aggregate outputs for further analysis or integration with downstream processes,” CISA said in its July 31 announcement.
Users can upload files in many formats, including binary executables (PEs, ELFs, etc.), library files (DLLs), archives (zips), documents (PDFs, office files) and many more, as well as Git repositories, Thorium’s documentation shows.
For those curious, it uses a range of databases for different functions.
| Database | Use Case | Example Resources |
|---|---|---|
| Redis | Low latency/high consistency data | reactions and scheduling streams |
| Scylla | Highly scalable/medium latency data | file metadata, reaction logs |
| Elastic | Full text search | tool results < 1 MiB |
| S3 | Object storage | all files, tool results > 1 MiB |
| Jaeger | Tracing | API request logs |
Thorium was developed with National Technology & Engineering Solutions of Sandia (NTESS), the Honeywell subsidiary that manages and operates Sandia National Laboratories, CISA said.
“Security teams can deploy workflows using Docker containers, virtual machines, or bare-metal executables. This means teams do not need to abandon their preferred tools—instead, they can containerize them and plug them into Thorium’s processing pipeline,” commented Rich Terani.
The technology commentator added: “Users can define a series of modular steps—such as static file analysis, dynamic sandboxing, hash verification, unpacking, or signature detection—and apply them across batches of samples. Each step in the workflow can be monitored, scaled independently, and customized for different security contexts…”
CISA has a page for the project here.