FACT SHEET

Thorium

A Scalable Platform for Automated File Analysis and Result Aggregation

Thorium is a highly scalable, distributed file analysis and result aggregation platform that enables workflow automation using commercial, open source, and custom tools. The goal of Thorium is to enable cyber defenders to bring automation to their existing analysis workflows through simple tool integration and intuitive event-driven triggers. 

Thorium can be used to support cybersecurity teams across mission functions—from software analysis to digital forensics to incident response.

Why Thorium?

Teams whose workflows require frequent file analysis can use Thorium to bring scalable automation and results indexing into a unified platform. Analysts can use Thorium for: 

  • Easy Tool Integration: Integrate command-line tools as Docker images (free and open source software [FOSS], commercial off-the-shelf [COTS], custom, etc.). With additional configuration, integrate virtual machine (VM) and bare-metal tools.
  • Filtering: Filter tool results using tags and full-text search.
  • Security: Control how submissions, tools, and results are accessible through strict group-based permissions.
  • Scalability: Scale with hardware using the power of Kubernetes and ScyllaDB to meet workload requirements. Out of the box, Thorium is configured to ingest over 10 million files per hour per permission group and schedule over 1,700 jobs per second, while maintaining fast result queries.
  • Pipelining: Define event triggers and tool execution sequences to automate workflows.
  • Workflow Integration: Fully control Thorium via a RESTful API, and get started quickly using either a web browser or a command-line utility.
  • Result Aggregation: Aggregate and index tool outputs for further analysis or ingestion by downstream processes and external platforms.
  • Tool Sharing: Import and export tools for ease of sharing across cyber defense teams.

Example Use Cases

Malware Analysis: Triage files using static and dynamic analysis tools. Aggregate results from multiple tools to trigger further analysis and outputs.

Host Forensics: Automatically process forensic artifact files (emails, memory images, disk images, etc.) and generate intermediate analysis results.

Scaled Tool Testing: Assess tool performance on your benchmark datasets to speed up development and troubleshooting.

Prerequisites and Instructions

Thorium requires a deployed Kubernetes cluster, block store, and object store. Familiarity with Docker containers and compute cluster management is also necessary for successful deployment. 

To get your own copy of Thorium and for more detailed installation instructions, see https://github.com/cisagov/thorium.