
CISA Halts Use of Censys and VirusTotal for Threat Hunting Operations

The Cybersecurity and Infrastructure Security Agency (CISA) has instructed its threat hunting staff to cease using two of its core cyber threat intelligence platforms: Censys and VirusTotal.

The move, confirmed by internal communications, is part of a broader wave of reductions and restructuring within the agency.

According to Nextgov/FCW, on April 16 a notification was sent to over 500 CISA cyber threat hunters. The division stopped using Censys, a service for mapping exposed devices and services, in late March, and will retire the use of Google-owned VirusTotal, a widely used malware analysis platform, effective April 20, 2025.

“We understand the importance of these tools in our operations and are actively exploring alternative tools to ensure minimal disruption,” the agency stated in its internal email, emphasizing efforts to find suitable replacements soon.

The decision follows significant staff reductions, including contractors from Nightwing and Peraton, raising concerns about CISA’s operational capacity to proactively defend federal networks and critical infrastructure.

Impact on Threat Hunting Capabilities and Potential Alternatives

The retirement of VirusTotal and Censys marks a significant operational challenge for CISA’s threat hunters.

VirusTotal has long enabled analysts to scan suspicious files and URLs using multiple antivirus engines and sandbox tools, while Censys provided continuous internet-wide scanning to identify exposed assets and vulnerabilities.

The loss of these platforms could slow detection and response times, potentially creating temporary blind spots as staff adjust to new workflows and tools.

CISA has assured staff that it is evaluating alternative platforms to fill the gap. Potential substitutes include:

  • Hybrid Analysis and Joe Sandbox for malware analysis, replicating some of VirusTotal’s capabilities.
  • Shodan and ZoomEye for internet asset discovery, similar to Censys.
  • Recorded Future and Anomali for integrated threat intelligence feeds.

However, integrating these alternatives will require development work, workflow adjustments, and retraining for analysts.

The agency faces the challenge of maintaining robust threat-hunting operations while managing reduced resources and political scrutiny over its mission and scope.

Comparison Table: Retired Tools vs. Potential Alternatives

| Functionality | Retired Tool | Potential Alternatives |
|---|---|---|
| Malware Analysis | VirusTotal | Hybrid Analysis, Joe Sandbox |
| Internet Asset Discovery | Censys | Shodan, ZoomEye |
| Threat Intelligence Feeds | VirusTotal | Recorded Future, Anomali |

As CISA navigates this transition, its ability to quickly deploy effective replacements and maintain its threat-hunting edge will be crucial for safeguarding federal networks against increasingly sophisticated cyber threats.


The post CISA Halts Use of Censys and VirusTotal for Threat Hunting Operations appeared first on Cyber Security News.
