PostQ Blog

Notes from the trenches on post-quantum cryptography, migration strategies, and the tools we’re building along the way.

Launch · 8 min read

Hybrid TLS Rollover is live: turn an Azure scan finding into a hybrid-bound leaf cert in one click

PostQ now mints a real ECDSA-P256 leaf cert with a detached ML-DSA-65 sidecar signature, embedded as a non-critical X.509 extension, and walks Azure App Service through a four-stage rollover (planned → observation → cutover → completed). Bundled with az CLI scripts, Bicep, and a rollback path. PostQ never touches your subscription — you run the generated bundle yourself.

PostQ Team

Launch · 6 min read

SDKs + CLI v0.5: Policies, Vault, and Ledger everywhere

v0.5 of @postq/sdk, postq-sdk, PostQ.Sdk, and the postq Go CLI ships full clients for the new Policies, Vault settings, and Ledger endpoints — plus rotate / audit on every hybrid key, BYOK fields on key creation, and three new ECDSA-P256 hybrid algorithms. Same surface in every language, one version bump.

PostQ Team

Launch · 9 min read

PostQ Ledger is live: a per-org, hybrid-signed Merkle audit log for every key, signature, and policy event

Ledger turns the PostQ Vault audit trail into a tamper-evident transparency log: every key creation, signature, rotation, and policy change is hash-chained, snapshotted into RFC 6962 Merkle checkpoints, and signed by your own ML-DSA + Ed25519 hybrid key. Verify any historical entry offline with a 1.4 MB Go binary — `postq ledger verify bundle.json`.

PostQ Team

Launch · 8 min read

PostQ Vault is live: hybrid signing as a product, with BYOK to AWS KMS and Azure Key Vault

Vault wraps the PostQ hybrid signer in a real product surface — a dashboard, an audit log, key rotation, revocation — and ships pluggable KMS providers so you can keep the master key in your own AWS or Azure account. Three integration tiers, one consistent signing API.

PostQ Team

Launch · 10 min read

We turned PostQ into a real scanner this week

Seven days, fourteen commits, four repos. PostQ stopped being a PQ-only TLS checker and became a unified cryptographic + AppSec scanner: gitleaks-style secrets, 25+ OWASP code patterns, OSV-backed SCA across 7 ecosystems, CycloneDX 1.6 CBOM export, server-side URL scans, TLS hygiene + cert lifecycle, full SDK + CLI parity, bulk target lists. Same scanner, same dashboard, same five-line CI gate.

PostQ Team

Launch · 5 min read

AWS + Azure customer-installable scanners are live

Push-mode is now end-to-end. Real Azure Key Vault scanner, rewired AWS Lambda, ARM + Bicep + CloudFormation templates, a /settings/clouds install dashboard, a new `postq scan cloud azure` CLI, and GitHub Actions to build the Azure container image automatically.

PostQ Team

Launch · 6 min read

Push-mode cloud scanning is live: POST /v1/ingest/cloud

PostQ now accepts cloud crypto inventory from a scanner you deploy in your own AWS account or Azure subscription. No cross-account IAM role, no service principal trust extended to PostQ. The keystone endpoint is live; the AWS Lambda template, Azure Container Apps Job, and dashboard install UX land in the next four PRs.

PostQ Team

Launch · 9 min read

Shipping the PostQ Hybrid Signer: ML-DSA + Ed25519 in three SDK calls

Hybrid signing is now live on the PostQ API. Mint a managed key, sign with one call, verify with another. Every signature is a NIST FIPS 204 ML-DSA signature AND a classical Ed25519 signature, combined under an AND verifier so a future break in either alone cannot forge.

PostQ Team

Launch · 7 min read

Shipping the PostQ Kubernetes agent: TLS Secrets, Ingress, cert-manager, and mesh mTLS in one Helm install

v0.2.0 of the PostQ agent is live on GHCR as both a multi-arch image and an OCI Helm chart. One install gives you continuous, in-cluster discovery of every quantum-vulnerable algorithm hiding in your TLS Secrets, Ingresses, ConfigMaps, cert-manager Certificates, and Istio / Linkerd mTLS posture — reported back to your PostQ dashboard on a CronJob.

PostQ Team

Perspective · 14 min read

When the model finds the bug: Mythos, cryptographic exposure, and what PostQ does about it

Anthropic's Claude Mythos Preview is finding zero-days in cryptography libraries, kernels, and browsers at industrial scale. An honest look at what that means for the cryptography in your stack — and how PostQ's scanner, hybrid signing, and policy engine are built for exactly this moment.

PostQ Team

Launch · 5 min read

Shipping the PostQ SDKs: JavaScript, Python, and .NET

We just published v0.2 of the official PostQ SDKs to npm, PyPI, and NuGet. Same surface, idiomatic in each language, with provenance attestations and a five-line CI gate. Here's what's in v0.2 and what comes next.

PostQ Team

Launch · 6 min read

Introducing the PostQ CLI: quantum-risk scanning for your terminal

We shipped a single-binary Go CLI that does real TLS handshakes against any host on the internet and tells you, in under a second, exactly which crypto a quantum computer is going to break. Here's why we built it, what's in v0.1, and what's next.

PostQ Team

More posts coming soon — PQC migration playbooks, real-world scan findings, and updates from the standards bodies.