CISA And Sandia Open-Source Thorium For Malware And Forensic Analysis

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Sandia National Laboratories released Thorium as an open‑source forensic analysis platform on July 31, 2025. The platform supports government, critical infrastructure, and private‑sector teams.

According to officials, Thorium automates malware and forensic analysis at scale. Analysts can incorporate commercial, open‑source, and custom tools into unified workflows via Docker containers.

Thorium handles over 10 million files per hour per permission group and can schedule more than 1,700 jobs per second, all while maintaining fast search and access performance.

CISA Associate Director for Threat Hunting Jermaine Roebuck emphasized that Thorium enhances teams' capabilities by automating workflows that previously required manual coordination, enabling faster threat detection and response.

Thorium offers analysts powerful capabilities:

  • Easy integration of preferred command‑line tools packaged as Docker images, whether open‑source, commercial, or custom software, plus VMs or bare metal when configured.
  • Filtering of results through full‑text search and tag‑based metadata.
  • Controlled access using strict group‑based permissions.
  • Scalability via industry‑standard infrastructure like Kubernetes and ScyllaDB.
  • Export/import of tools for easy sharing across cyber defense teams.
  • Workflow automation using event triggers and defined sequencing.
  • API‑based control (RESTful interfaces) for scripting and browser or CLI access.
  • Aggregation and indexing of tool outputs for downstream analysis or integration.

Sandia National Laboratories has built and refined Thorium through years of research dating back to 2017. Originally part of the Threat‑Focused Reverse Engineering (TFRE) initiative, the platform is the central nervous system for hundreds of malware analysis tools.

Sandia's lead developer, Michael Carson, described Thorium as "almost infinitely scalable," capable of automated customization at massive scale. The platform builds on Sandia's long‑running FARM database, which currently holds nearly 300 million malware samples and uses Thorium to process them.

By releasing Thorium as open‑source software on GitHub, CISA and Sandia aim to standardize malware analysis infrastructure, reduce integration friction, and foster collaboration across organizations. They encourage cybersecurity teams to adopt the platform and contribute improvements.

Thorium's Development

Sandia engineers, collaborating with federal partners for nearly a decade, developed a cybersecurity suite centering on Thorium, which went into active deployment in 2023. The platform automates the most time‑consuming aspects of cyberattack investigations, freeing expert analysts to focus on advanced persistent threats, according to Sandia.

Sandia recognized in 2017 that malware volume and complexity were rapidly growing. The Threat‑Focused Reverse Engineering project addressed that by automating malware reverse‑engineering tasks traditionally done by hand. According to project lead Evan Roncevich, automation became essential because adversaries now develop highly sophisticated malware in much greater volume and at speed. Analysts must understand how malware works, what artifacts it leaves, and how best to block it, and they must do so quickly.

Sandia and its partners designed Thorium to streamline triage and prioritization by supporting workflows that analyze binaries, memory dumps, disk images, and forensic artifacts across tools and datasets. Analysts can focus on interpretation rather than manually handling tool coordination.

These tools aim to combat advanced persistent threats, state‑sponsored or well‑resourced actors whose malware often targets government networks, infrastructure providers, or critical services. As one example, Sandia analysts had to dissect the SolarWinds supply chain attack that breached over 16,000 systems globally.

Thorium does come with several caveats that are important to consider, and CISA's official Thorium fact sheet is where they are spelled out. The fact sheet describes the platform as a scalable, distributed file analysis and result aggregation tool for cybersecurity workflows, covering software analysis, digital forensics, incident response, and more.

It explains how Thorium integrates tools, filters outputs, secures access, scales hardware, and automates pipelines. Analysts can control the entire platform via RESTful APIs and choose between browser or command‑line interaction.

The fact sheet highlights use cases such as:

  • Malware analysis: triaging files with static and dynamic tools, aggregating results, and triggering follow‑on action.
  • Host forensics: automating artifact extraction from emails, memory, and disk images.
  • Tool benchmarking: running tools across datasets to assess performance and reliability.

The resource further clarifies certain prerequisites, namely, that users need to be familiar with Kubernetes, block and object storage, and Docker containers, and need cluster management skills. The fact sheet links to detailed installation instructions on GitHub for those interested in using Thorium.

Thorium addresses the current reality faced by IT infrastructure defenders and cybersecurity teams, whether in government, private firms, or critical infrastructure, who must manage growing volumes of malware and forensic data. Traditional manual workflows, which juggle many separate analysis tools, struggle to keep up.

Thorium solves this conundrum by combining automation, scalability, and tool integration into one platform. It allows analysts to run high volumes of analysis jobs, ingest millions of files per hour, search results quickly, and share tools across teams. At the same time, strict permissions and infrastructure standards keep operations secure.

Sandia Labs built Thorium through years of research and large‑scale malware database work. CISA partnered on the project to make the platform widely available for free. The open‑source release enables broader adoption and collaboration.

In summary, Thorium can empower cybersecurity teams in several ways:

  • It dramatically speeds up malware and forensic analysis.
  • Analysts gain more time to focus on complex threat hunting and decision‑making.
  • Organizations can standardize workflows and share tools easily.
  • The community can contribute improvements, so the platform keeps evolving.

Thorium represents a major shift in how cybersecurity teams, whether in government or the private sphere, handle ever‑escalating threats. They move from manual, tool‑specific processes to an automated, flexible, and shareable system that delivers rapid insights at scale.

Karolis Liucveikis