CISA Threat Hunting Staff Censys & VirusTotal

Hundreds of Cybersecurity and Infrastructure Security Agency (CISA) staff were notified this week that the organization is discontinuing critical cybersecurity tools used for threat hunting operations.

Amid broader reductions across the cyber defense agency, CISA’s threat hunting division plans to cease use of Google-owned VirusTotal on April 20. The division already halted use of Censys, a cyber threat intelligence service, in late March.

“We understand the importance of these tools in our operations and are actively exploring alternative tools to ensure minimal disruption,” said the April 16-dated notification sent to more than 500 CISA cyber threat hunters. “We are confident that we will find suitable alternatives soon.”


Loss of Key Threat Hunting Capabilities

VirusTotal, a crucial malware analysis platform, aggregates findings from dozens of antivirus engines to identify malicious files and URLs. 

Threat hunters rely on its API to automate malware lookups, opening a client with code such as with virustotal_python.Virustotal("<API_KEY>") as vtotal: so that suspicious binaries can be checked against the aggregated engine verdicts in seconds.

Meanwhile, Censys continuously scans the IPv4 internet to catalog exposed devices and services, giving visibility into vulnerable configurations across federal networks through its Python SDK, with calls such as c = censys.ipv4.CensysIPv4().
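The triage step the article describes, turning many engines' verdicts into a hunt priority, as an added example that is not CISA's or VirusTotal's code: it hashes a sample locally and scores a hand-written report shaped like a VirusTotal v3 file report (the bytes, engine names and counts are constructed, and the thresholds are illustrative assumptions).

```python
"""Offline triage helper modelled on the VirusTotal v3 file-report shape.
Everything below is constructed for illustration; no network access is made.
"""
import hashlib
from typing import Any

# Constructed stand-in for a suspicious binary collected during a hunt (not malware).
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-not-real-malware"

# Constructed report in the shape of data.attributes from VT v3 /files/{hash}.
# Engine names are placeholders; the category vocabulary follows VT's.
CONSTRUCTED_REPORT = {
    "last_analysis_stats": {"malicious": 3, "suspicious": 1, "undetected": 60,
                            "harmless": 0, "timeout": 2},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineC": {"category": "malicious", "result": "HEUR:Suspicious"},
        "EngineD": {"category": "suspicious", "result": "PUA"},
    },
}

def sha256_hex(data: bytes) -> str:
    """Hash the sample locally; the hash, not the file, is what gets looked up."""
    return hashlib.sha256(data).hexdigest()

def triage(report: dict[str, Any], min_engines: int = 5) -> dict[str, Any]:
    """Turn aggregated engine verdicts into a hunt priority.
    Only engines that returned a verdict count (timeouts are excluded), so a
    sample seen by few engines is never mistaken for a clean one."""
    stats = report["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    flagged = malicious + stats.get("suspicious", 0)
    answered = sum(v for k, v in stats.items() if k != "timeout")
    ratio = flagged / answered if answered else 0.0
    if answered < min_engines:
        priority = "insufficient-coverage"   # too few verdicts to trust either way
    elif malicious >= 10 or ratio >= 0.25:
        priority = "high"
    elif flagged >= 1:
        priority = "review"                  # low-count hits are often false positives
    else:
        priority = "low"
    # A family name agreed on by two or more engines is the most useful pivot.
    names = [r["result"] for r in report["last_analysis_results"].values() if r.get("result")]
    consensus = sorted({n for n in names if names.count(n) >= 2})
    return {"flagged": flagged, "answered": answered, "ratio": ratio,
            "priority": priority, "consensus_names": consensus}

if __name__ == "__main__":
    print(sha256_hex(SAMPLE_BYTES))
    print(triage(CONSTRUCTED_REPORT))
```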

Nextgov/FCW reports that the disruption extends beyond software tools. Nightwing and Peraton contractors had to surrender their phones on Thursday. 

These contractors supported CISA’s threat hunting operations, which proactively search for indicators of compromise (IOCs) across civilian federal networks.

Industry experts worry these cuts will significantly impair CISA’s cyber defense capabilities. For threat hunters, these centralized tools accelerate the initial triage of potential threats, enabling rapid prioritization of incidents.

This comes after another controversy where CISA briefly indicated it would no longer support the CVE Program for tracking cybersecurity vulnerabilities, before reversing course and extending the contract.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.