Post-quantum cryptography scanner

Scan your stack for post-quantum cryptography risk

PostQ is a developer-first scanner that maps where quantum-vulnerable cryptography is used across TLS, certificates, cloud KMS/HSM keys, Kubernetes, JWTs, and code-signing — then turns it into a prioritized PQC readiness report.

No signup required for the basic TLS scan. We only inspect public metadata.

  • Real TLS handshake analysis, no signup required
  • 0–100 readiness score with severity labels
  • RSA / ECDSA / DH / ECDH exposure called out explicitly
  • Shareable report URL and PDF export

Discovery before migration

You can't migrate cryptography you can't see. PostQ starts with an external TLS scan and extends — via the Kubernetes agent and cloud integrations — into a full cryptographic inventory you can prioritize and track.

What the scanner reports

  • TLS version support and negotiated key exchange
  • Certificate public-key and signature algorithms
  • Hybrid / post-quantum TLS support when detectable
  • An algorithm inventory with suggested PQC targets
  • Recommended migration steps ranked by exposure

Built for audit evidence

Use the readiness report as supporting evidence for cryptographic-inventory and migration-planning expectations in security reviews. PostQ does not assert compliance certification on your behalf.

Quantum-vulnerable

Algorithms that need a migration plan

  • RSA: Integer factorisation — broken by Shor's algorithm.
  • ECDSA: Elliptic-curve discrete log — broken by Shor's algorithm.
  • DH: Finite-field Diffie-Hellman — quantum-vulnerable key exchange.
  • ECDH: Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange.
  • X25519: Modern ECDH curve, still classical and quantum-vulnerable.
  • Ed25519: Modern EdDSA signature, still classical and quantum-vulnerable.
  • RS256: JWT RSA-SHA256 signature — quantum-vulnerable public-key signature.
  • ES256: JWT ECDSA-P256 signature — quantum-vulnerable public-key signature.

PQC targets

NIST-standardised replacements

  • ML-KEM (FIPS 203): Key encapsulation / key exchange (formerly Kyber).
  • ML-DSA (FIPS 204): Digital signatures (formerly Dilithium).
  • SLH-DSA (FIPS 205): Stateless hash-based signatures (formerly SPHINCS+).

PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.

Frequently asked questions

What is a post-quantum cryptography scanner?

It's a tool that discovers where quantum-vulnerable algorithms (RSA, ECDSA, DH, ECDH) are used and reports the post-quantum readiness of those assets. PostQ scans TLS endpoints externally and, with integrations, internal services, cloud KMS, Kubernetes, JWTs, and code-signing.

Do I need to install anything to scan a domain?

No. The external TLS scan runs entirely server-side. Paste a domain and PostQ performs a real TLS handshake and certificate analysis. The Kubernetes agent and cloud integrations are optional and only needed for internal inventory.

Which post-quantum algorithms does PostQ reference?

ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) for signatures, and SLH-DSA (FIPS 205) for hash-based signatures. PostQ reports vulnerable algorithms and applicable targets without claiming a target is deployed unless detection confirms it.

Is the scan safe to run against production?

Yes. It performs a standard TLS handshake and reads public certificate metadata only. It does not send traffic that would affect your application and never collects private keys.

Run a free PQC readiness scan

Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup required.
