In mid‑April 2025, staff across the Cybersecurity and Infrastructure Security Agency (CISA) received unexpected news: two of their core cyber threat‑hunting tools were being phased out. An internal notification, dated April 16, explained that CISA’s threat hunting division would retire Google’s VirusTotal on April 20 and had already stopped using the Censys intelligence platform the previous month. With more than 500 dedicated threat hunters affected, the announcement underscored the broader challenges CISA faces as it navigates budget cuts, shifting leadership priorities, and political scrutiny. This article breaks down what these tool retirements mean for CISA’s operations, explores the capabilities and alternatives of VirusTotal and Censys, examines the wider agency workforce reductions, and considers CISA’s path forward in safeguarding federal networks.
Background on CISA and Its Mission
Since its creation in November 2018, CISA has served as the U.S. Department of Homeland Security’s lead component for defending federal networks, critical infrastructure, and the nation’s cyber ecosystem. Born out of the reorganization of DHS’s National Protection and Programs Directorate, CISA’s mandate spans threat detection, incident response, information sharing, and infrastructure resilience. Under its first director, Chris Krebs, the agency earned praise for securing the 2020 election, with Krebs famously declaring the vote “the most secure in American history.” However, the subsequent shift in political winds led to his removal and precipitated CISA’s deeper entanglement in debates over online disinformation, censorship, and the proper scope of its authority.
As cyber threats have grown more sophisticated—from state‑sponsored espionage to ransomware assaults on hospitals—CISA has expanded its use of automated scanning, open‑source intelligence, and third‑party platforms to detect malicious activity. Central to these efforts is the “threat hunting” division, which combines human analysts with specialized tools to proactively search for indicators of compromise (IOCs) that automated defenses might miss. VirusTotal and Censys have long featured in this toolkit, providing rapid malware analysis and global device‑scan data. Therefore, the decision to retire these services raises essential questions about CISA’s continued ability to spot and disrupt threats before they breach federal systems.
Recent Tool Retirements: VirusTotal and Censys
On April 16, an internal email, confirmed by multiple sources familiar with the matter, told CISA’s cyber threat hunters that Google’s VirusTotal would cease to be supported as of April 20. The message also noted that the agency had already halted using Censys in late March. Although the notice assured staff that “we are actively exploring alternative tools to ensure minimal disruption,” the sudden timing left many analysts scrambling to adjust workflows and validate new threat intelligence sources.
What Is VirusTotal?
VirusTotal, acquired by Google in 2012, aggregates malware‑scanning engines from dozens of antivirus vendors and sandboxing tools into a single, web‑based interface. Users can submit suspicious files, URLs, or domains to receive a comprehensive report on whether any scanners flag the sample as malicious. Beyond simple detection, VirusTotal provides detailed behavioral analyses observing how files execute in virtual machines and uncovering embedded callbacks, dropped payloads, or evasive techniques. For threat hunters, this centralized visibility accelerates the initial triage of potential threats, enabling rapid prioritization of incidents and informed decision‑making during an unfolding intrusion.
Key strengths of VirusTotal include its extensive vendor coverage, ease of integration via public APIs, and robust community features (such as crowdsourced tagging of IOCs). Analysts often use it to verify whether a suspicious binary has been previously observed in the wild, cross‑reference benign‑versus‑malicious classifications, and export IOC lists for automated blocking. Losing access to VirusTotal’s unified platform thus represents more than removing convenience—it eliminates a primary source of real‑time malware intelligence that underpins many detection pipelines.
What Is Censys?
Censys, developed by University of Michigan researchers and later spun out as a commercial service, continuously scans the IPv4 Internet to catalog exposed devices, open services, SSL/TLS certificates, and their associated metadata. By querying Censys’s richly indexed database, threat hunters can identify public‑facing assets that match vulnerable configurations, track the deployment of malicious web shells, or trace connections between attacker command‑and‑control domains and targeted hosts. Unlike traditional port‑scan tools, Censys maintains historical records of how Internet assets evolve. This lets analysts observe shifts in hosting providers, certificate changes, or sudden spikes in unusual service banners.
For CISA, Censys has been instrumental in mapping out the attack surface of federal agencies, critical infrastructure operators, and essential supply‑chain partners. This visibility allows proactive outreach to network owners when outdated protocols or exposed management interfaces are detected. The loss of Censys, therefore, creates an immediate gap in CISA’s external perimeter monitoring and complicates the task of rapid asset discovery during incident investigations.
Impacts on CISA Operations
The retirement of the VirusTotal and Censys tools directly affects how CISA’s threat hunters identify, analyze, and prioritize cyber risks. While the agency assured staff that alternative solutions are under review, any transition introduces potential slowdowns in detection, increased manual validation, and temporary blind spots.
Role of Threat Hunting in Cybersecurity
Threat hunting combines proactive human inquiry with automated data‑gathering to locate sophisticated adversaries that evade standard defenses. Unlike reactive security measures such as firewall logs or intrusion‑detection alerts, threat hunting focuses on anomaly detection, hypothesis‑driven investigations, and behavior analysis. Hunters sift through network telemetry, endpoint traces, and third‑party intelligence feeds to correlate seemingly innocuous events. This approach is critical for identifying advanced persistent threats (APTs), lateral movement within networks, and malware variants engineered to slip past antivirus signatures.
Without premier tools like VirusTotal and Censys, threat hunters lose vital accelerators for hypothesis testing and IOC enrichment. Analysts may need to cobble together multiple, less integrated services, increasing the time required to build a coherent picture of an attacker’s infrastructure.
Potential Disruptions and Mitigation Efforts
In the short term, CISA must ensure continuity by licensing or developing replacements that match or exceed the capabilities of the retired platforms. Potential mitigation strategies include:
- Commercial intelligence platforms, such as Recorded Future or Palo Alto Networks’ AutoFocus, which offer broad malware databases and active threat feeds.
- Open‑source scanners such as Hybrid Analysis or Maltrieu, combined with self‑hosted sandbox environments (e.g., Cuckoo Sandbox), which can replicate VirusTotal’s file‑analysis functions.
- Alternative Internet census services, including Shodan or Zoomeye, which provide device scanning and service‑discovery data comparable to Censys.
- Cross‑agency partnerships that leverage shared platforms managed by other federal entities (e.g., the National Security Agency’s Cybersecurity Directorate) to minimize duplication of effort.
Each substitute requires thorough validation to confirm data accuracy, API stability, and compatibility with existing security orchestration workflows. CISA’s internal teams must dedicate resources to integration, tuning, and training efforts that could temporarily divert attention from active threat responses.
Broader Workforce Reductions and Contractor Cuts
The tool retirements coincide with wider personnel and contract reductions across CISA. According to insider accounts, contractors from firms such as Nightwing Solutions and Peraton were instructed to surrender government‑issued devices on Thursday, marking the end of their assignments. Earlier, Axios reported imminent cuts to these vendors, which have supplied skilled cybersecurity professionals on government projects.
Nightwing and Peraton Contractor Reductions
Nightwing Solutions, a boutique cybersecurity services provider, and Peraton, a significant defense contractor, supported CISA’s specialized cyber hunting and incident response teams. With staff being asked to relinquish phones, agency leaders signal a rapid contraction of contractor‑based operations. For contractors, this abrupt separation underscores the uncertain environment within which CISA now operates, potentially hampering institutional knowledge transfer and continuity in long‑term investigations.
Effects on Capacity and Morale
Mass contractor departures risk degrading CISA’s ability to maintain around‑the‑clock monitoring and rapid response. Contractual staff often fill critical roles in log analysis, threat intelligence correlation, and vulnerability assessments. Their removal reduces head count and can erode morale among remaining federal employees, who may face heavier workloads and increased pressure to cover gaps. Additionally, the departure of specialized contractors complicates knowledge retention as unique insights into threat actor methodologies leave the organization.
Political and Leadership Context
Underlying the operational shake‑up is a political narrative shaped by the Trump administration and Secretary Kristi Noem’s determination to “resize” CISA. The agency’s public efforts to flag online misinformation, especially content deemed to target conservative audiences, drew sharp rebukes from partisan actors who accused CISA of censorship and ideological bias.
Disinformation Oversight and Free Speech Concerns
During the COVID‑19 pandemic and the contentious 2020 election, CISA worked closely with social media platforms to identify and label misleading content, attributing specific campaigns to foreign or domestic threat actors. However, a July 2023 lawsuit alleged that such actions amounted to government overreach and violated First Amendment protections. In response to these legal and political pressures, CISA scaled back its public disinformation efforts and redirected staff resources. Even before her confirmation, Secretary Noem called for a comprehensive review of CISA’s budget and scope, arguing that the agency should focus narrowly on its core cybersecurity mission rather than content moderation.
Congressional Oversight and CISA’s Mission Focus
Last week, a senior House lawmaker cautioned Noem’s office to preserve CISA’s essential functions, emphasizing the agency’s duty to “oversee our critical infrastructure and make sure the bad guys aren’t getting in.” This statement reflects a bipartisan consensus that while concerns about censorship warrant review, any restructuring must protect CISA’s capacity to detect and defend against network intrusions, ransomware, and supply‑chain threats. Balancing these competing priorities—operational readiness versus fiscal restraint—remains a central challenge for CISA’s leadership.
Other Recent Controversies: The CVE Program Memo
Amid the tool retirements, the cybersecurity community was briefly rattled by a leaked MITRE memo suggesting CISA would end support for its flagship Common Vulnerabilities and Exposures (CVE) Program. The CVE list, maintained in partnership with MITRE since 1999, provides a universal catalog of publicly known software and hardware vulnerabilities, forming the backbone for patch management, risk assessments, and vulnerability scanning tools worldwide.
Significance of the CVE Program
CVE identifiers allow security teams to unambiguously reference specific flaws (for example, CVE‑2024‑12345) when prioritizing patches or sharing threat intelligence. The program’s global adoption ensures vendors, defenders, and researchers use a common language when discussing vulnerabilities. Losing CISA’s sponsorship of the CVE Program would have sent shockwaves through the software industry, potentially fracturing the unified approach to tracking and mitigating cybersecurity risks.
Agency Reversal and Temporary Stability
Just hours after the leak spread on social media, CISA issued a statement reversing course and extending its CVE contract by 11 months. The swift backtrack demonstrated the agency’s responsiveness to community concerns and the fragility of stakeholder trust. It also illustrated how unverified internal communications can have significant ripple effects across the cybersecurity ecosystem.
Future Outlook and Alternative Tools
With VirusTotal and Censys no longer available, CISA’s priority is ensuring that threat hunters remain equipped to spot and disrupt sophisticated adversaries. The agency’s leadership has pledged to identify and deploy alternative platforms “soon,” but the path ahead requires strategic planning, contracting agility, and robust vendor evaluation.
Open‑Source and Commercial Alternatives
Potential replacements for the retired services include:
- Malicious‑file analysis: Self‑hosted Cuckoo Sandbox clusters, Hybrid Analysis, Joe Sandbox, or commercial offerings like ReversingLabs. Each provides dynamic execution reports and static unpacking for complex binaries.
- Internet asset discovery: Shodan, Zoomeye, GreyNoise, or Rapid7’s Project Sonar—platforms that scan public networks to reveal exposed services and unusual device banners.
- Integrated threat intelligence: Solutions such as Recorded Future, Anomali, and ThreatConnect aggregate threat feeds, malware indicators, and adversary profiles into cohesive dashboards.
Selecting among these requires evaluating data freshness, API limits, licensing costs, and compatibility with CISA’s Security Information and Event Management (SIEM) tools, such as Splunk or Elastic Stack.
Integration Strategies and Training
Beyond procurement, CISA must integrate new tools into its existing security orchestration workflows. This includes:
- API development to automate IOC ingestion and enrichment.
- Standard operating procedures (SOPs) that outline how analysts verify, escalate, and remediate threats using the new platforms.
- Training programs to ensure staff can make full use of advanced features, such as custom query languages or automated playbooks, thereby avoiding steep learning curves.
CISA can mitigate transitional disruptions and maintain its threat‑hunting edge by embedding these capabilities into routine operations.
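As an added illustration of the "API development to automate IOC ingestion and enrichment" item above and of the earlier point that hunters must now combine several less integrated services (example code written for this article, not CISA's own tooling and not any vendor's real API): a small vendor‑neutral enrichment layer in which every provider is an adapter that maps into one normalized verdict, a retired provider fails loudly instead of silently, and the merged result carries a gap flag so analysts know when coverage has dropped and manual validation is needed. All provider names, the sample hash and the detection counts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Verdict:
    """Vendor-neutral enrichment result; every adapter must map into this."""
    ioc: str
    provider: str
    malicious: Optional[bool]   # None means the provider had no opinion
    detections: int = 0         # engines/feeds that flagged the IOC

class ProviderUnavailable(Exception):
    """Raised by an adapter whose service is retired or unreachable."""

Adapter = Callable[[str], Verdict]

def retired_adapter(name: str) -> Adapter:
    """Models a provider that has been switched off (hypothetical)."""
    def lookup(ioc: str) -> Verdict:
        raise ProviderUnavailable(f"{name} is no longer licensed")
    return lookup

def table_adapter(name: str, table: Dict[str, int]) -> Adapter:
    """Constructed stand-in for a scanner/census API: hash -> detection count."""
    def lookup(ioc: str) -> Verdict:
        hits = table.get(ioc)
        if hits is None:
            return Verdict(ioc, name, None)
        return Verdict(ioc, name, hits > 0, hits)
    return lookup

def enrich(ioc: str, adapters: Dict[str, Adapter]) -> dict:
    """Query every adapter, tolerate outages, and report the coverage achieved."""
    verdicts: List[Verdict] = []
    unavailable: List[str] = []
    for name, adapter in adapters.items():
        try:
            verdicts.append(adapter(ioc))
        except ProviderUnavailable:
            unavailable.append(name)
    answered = [v for v in verdicts if v.malicious is not None]
    return {
        "ioc": ioc,
        "malicious": any(v.malicious for v in answered) if answered else None,
        "detections": sum(v.detections for v in answered),
        "sources": [v.provider for v in answered],
        "unavailable": unavailable,
        # Gap flag: route to manual review rather than silently trusting thinner coverage.
        "needs_manual_review": not answered or bool(unavailable),
    }

# Constructed sample data (not a real indicator): a fake 64-hex hash and a local cache of past verdicts.
SAMPLE_HASH = "deadbeef" * 8
ADAPTERS = {
    "retired-multiscanner": retired_adapter("retired-multiscanner"),
    "local-cache": table_adapter("local-cache", {SAMPLE_HASH: 12}),
    "sandbox-b": table_adapter("sandbox-b", {}),
}
```

Swapping a retired service for a replacement then means writing one new adapter; the SIEM or SOAR side keeps consuming the same normalized record.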
Conclusion
CISA’s decision to retire VirusTotal and Censys marks a significant inflection point for the agency’s cyber threat‑hunting capacity. While the retirements reflect broader organizational downsizing, they also underscore the importance of agile tool acquisition and vendor diversification in an era of constrained budgets and intense political scrutiny. As CISA evaluates replacements—balancing open‑source innovation with commercial robustness—the agency’s future effectiveness will hinge on rapid integration, analyst training, and a steadfast commitment to its core mission: protecting federal networks and critical infrastructure from ever‑evolving cyber threats. In the months ahead, CISA’s ability to adapt its toolkit while preserving institutional knowledge will determine whether it can continue to outpace sophisticated adversaries and safeguard the nation’s digital resilience.
Sources: NextGov