Generate a PQC readiness report for security reviews
A PQC readiness assessment scores how exposed your cryptography is to a future quantum adversary and turns that into a migration plan you can prioritize by asset criticality and exposure.
No signup required for the basic TLS scan. We only inspect public metadata.
- Readiness score from 0–100 with Critical/High/Medium/Low labels
- Category breakdown across exposure, certificate, signature, key exchange
- PQ-ready / Hybrid-ready labels when detected
- Exportable as audit evidence
How the score works
The score is a weighted average of readiness categories. It is a readiness indicator, not a guarantee of security.
- External TLS exposure — are deprecated versions disabled and TLS 1.3 available?
- Certificate algorithm risk — quantum posture of the leaf public key
- Signature algorithm risk — quantum posture of the certificate signature
- Key exchange risk — is hybrid key exchange protecting confidentiality?
- Long-lived certificate risk — shorter lifetimes improve crypto-agility
- Inventory completeness — an external scan sees public endpoints only
- Migration readiness — how ready is the endpoint to adopt hybrid/PQ crypto?
From assessment to roadmap
Prioritize migration based on exposure and asset criticality rather than migrating everything at once. The report's recommended steps order the highest-impact, lowest-risk changes first.
Get your PQC readiness score
Run a scan in the PostQ dashboard to generate a 0–100 readiness score with category breakdowns and a prioritized migration roadmap.
Algorithms that need a migration plan
| RSA | Integer factorisation — broken by Shor's algorithm. |
| ECDSA | Elliptic-curve discrete log — broken by Shor's algorithm. |
| DH | Finite-field Diffie-Hellman — quantum-vulnerable key exchange. |
| ECDH | Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange. |
| X25519 | Modern ECDH curve, still classical and quantum-vulnerable. |
| Ed25519 | Modern EdDSA signature, still classical and quantum-vulnerable. |
| RS256 | JWT RSA-SHA256 signature — quantum-vulnerable public-key signature. |
| ES256 | JWT ECDSA-P256 signature — quantum-vulnerable public-key signature. |
NIST-standardised replacements
| ML-KEM (FIPS 203) | Key encapsulation / key exchange (formerly Kyber). |
| ML-DSA (FIPS 204) | Digital signatures (formerly Dilithium). |
| SLH-DSA (FIPS 205) | Stateless hash-based signatures (formerly SPHINCS+). |
PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.
Frequently asked questions
What is a PQC readiness assessment?
It's an evaluation of how prepared your cryptography is for the transition to post-quantum algorithms. PostQ produces a 0–100 score with category breakdowns and a prioritized migration roadmap.
Is the readiness score a compliance certification?
No. The score is a readiness indicator to help you prioritize migration. PostQ does not issue compliance certifications; use the report as supporting evidence within your own program.
How often should I re-assess?
Re-assess whenever you change TLS configuration, rotate certificates, or adopt hybrid key exchange — and on a recurring schedule so you can track improvement over time.
Does the assessment cover internal systems?
The external scan covers public endpoints. To assess internal services, cloud KMS/HSM keys, JWTs, and code-signing, connect the Kubernetes agent and cloud integrations.
Run a free PQC readiness scan
Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup required.
No signup required for the basic TLS scan. We only inspect public metadata.