CISA releases Thorium, an open-source, scalable platform for malware analysis

The US Cybersecurity and Infrastructure Security Agency (CISA) has released Thorium, a high-throughput open-source platform for automated malware and forensic file analysis. Developed in partnership with Sandia National Laboratories, Thorium is built to support software analysts, digital forensics teams, and incident responders. 

According to CISA, the platform lets cyber defenders integrate commercial, open-source, and custom tools into a unified system for orchestrating large-scale, automated analysis workflows.

Teams that frequently perform file analysis can use Thorium to bring scalable automation and results indexing into a single platform. Command-line tools packaged as Docker images can be integrated directly, whether they are open-source, commercial off-the-shelf, or custom-built. With additional configuration, more complex tools that run on virtual machines or bare-metal environments can be incorporated as well, CISA said.

Engineered for modern cyber workflows

Thorium is designed to let analysts filter tool outputs using tags and full-text search. It also enforces strict group-based permission controls, so that submissions, tools, and results are visible only to the groups authorized to see them. Users can define automated workflows through event triggers and tool execution sequences. Thorium exposes full control through a RESTful API and can be operated from a web browser or a command-line tool, CISA claimed.

Thorium runs on Kubernetes and ScyllaDB and is designed to scale with the underlying infrastructure: CISA says it can ingest over 10 million files per hour per permission group and schedule more than 1,700 jobs per second while maintaining fast query performance.

“Thorium shifts the decision axis from feature accumulation to stack control. Its open plugin model lets CISOs tailor analysis flows for different threat profiles, integrating open-source tools, custom scripts, or commercial modules as needed. This flexibility is valuable in regulated sectors where forensic compliance or localisation is non-negotiable,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.

Rethinking malware analysis at scale

Enterprise-grade malware analysis tools and platforms have been widely used in the security community. But many of them require paid licenses, lack orchestration at scale, or are difficult to integrate with enterprise workflows. Experts view Thorium as a significant democratization of advanced malware analysis technology.

“It is a big deal as it democratizes access to a robust, scalable analysis framework previously reserved for national security use. Thorium is a major advance for the cybersecurity community. Its ability to automate and orchestrate complex analysis workflows gives cyber defenders across public and private sectors access to capabilities that were previously only available in expensive or proprietary commercial solutions,” said Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting. 

Jain added that it offers CIOs and CSOs centralized, automated workflows that unify tools and reduce complexity. It enables scalable, data-driven incident response — shifting from manual, team-based processes to faster, organization-wide analysis previously limited to large SOCs.

Gogia added that Thorium challenges the cost structure and control trade-offs of commercial malware analysis platforms. By providing high-throughput analysis, open plugin architecture, and local data retention, it enables organisations to regain visibility without forfeiting budget or sovereignty.

Although the platform can be downloaded from CISA’s official GitHub repository, deploying Thorium requires a pre-configured Kubernetes cluster, along with access to a block store and object store. A working knowledge of Docker containers and cluster management is also essential for successful setup.

Jain noted that Thorium’s release may accelerate the adoption of open, modular cybersecurity architectures as organizations look to avoid vendor lock-in, reduce costs, and tap into the power of community-driven innovation. However, he also cautioned that enterprises may face barriers such as limited DevOps skills, integration challenges with legacy systems, and the need for strong governance frameworks to address security, privacy, and compliance risks in open-source deployments.