CISA Thorium Malware Analysis Tool

CISA’s Thorium is an open-source, automated, and highly scalable platform purpose-built to enhance malware and forensic analysis at scale. It was developed through a collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and Sandia National Laboratories, reflecting a joint effort to provide the cybersecurity community with a powerful and flexible tool for modern threat analysis.

Core Architecture and Scalability

Thorium is architected as a distributed file analysis and result aggregation platform that is designed to handle massive workloads. Key components include:

  • Containerization: Command-line tools (commercial, custom, or open source) are integrated as Docker images. This modular container approach ensures consistent and isolated environments for each analysis tool, improving reliability and simplifying deployment across different infrastructures. With additional configuration, virtual machine (VM) and bare-metal tools can also be integrated.
  • Orchestration: Kubernetes is used to orchestrate these containerized tools across a cluster of hardware resources. This enables horizontal scaling: as demand increases, more compute nodes can be added to raise throughput.
  • Distributed Data Management: Thorium employs ScyllaDB, a high-performance, distributed NoSQL database, to manage enormous volumes of data from file ingestions and analysis outputs. This allows the system to ingest over 10 million files per hour per permission group and schedule over 1,700 analysis jobs per second while maintaining fast query performance.

Automation and Workflow Flexibility

One of Thorium’s standout features is its ability to automate complex analysis workflows using event-driven triggers and tool execution pipelines:

  • Analysts can define event triggers that cause specific tools or sequences of tools to run automatically when particular conditions or input files are detected.
  • This automation removes the need for manual intervention at each step, greatly accelerating malware triage, forensic artifact processing, and large-scale tool testing.
  • Results from multiple tools can be aggregated and indexed, facilitating comprehensive and correlated threat assessments.

Security and Access Control

Thorium incorporates strict group-based permissions to enforce operational security:

  • Access to file submissions, analysis tools, and results is controlled carefully to ensure multi-tenant environments remain isolated and secure.
  • Analysts can filter tool outputs using tag-based systems and perform full-text search across indexed results, enabling efficient navigation through vast datasets.

Usability and Integration

Thorium is designed for ease of use and integration:

  • Users can interact with Thorium via a web browser interface or command-line utilities.
  • Full control is available through a comprehensive RESTful API, allowing seamless integration with existing cybersecurity infrastructure, SIEMs, SOAR platforms, or custom automation scripts.
  • Tools can be imported and exported, making it easy to share analysis methods across teams or organizations.

Use Cases

Thorium supports various mission-critical tasks including:

  • Malware analysis: Static and dynamic malware triaging by combining different analysis tools in automated sequences.
  • Digital forensics: Processing and analyzing forensic artifacts such as emails, memory dumps, and disk images at scale.
  • Incident response and threat hunting: Rapid assessment of suspicious files and automation of forensic workflows.
  • Tool benchmarking: Running large-scale performance and functionality tests of analysis tools using standard datasets.

Deployment Requirements

To deploy Thorium successfully, organizations need:

  • A Kubernetes cluster to manage container orchestration.
  • Access to block and object storage systems.
  • Familiarity with Docker containers and cluster management concepts.

Installation instructions and source code are openly available via CISA’s official GitHub repository, providing free access and community support.
