Quantum-Safe Assurance

Measure your TLS crypto posture and PQC readiness

On-premises scanner that produces auditable evidence packs. Detect configuration drift. Quantify post-quantum coverage. No data leaves your network.

  • Discover cipher suite, key exchange, and protocol posture across your TLS endpoints
  • Detect PQC-capable handshakes and quantify your coverage gap
  • Generate repeatable evidence packs and diffs to track configuration drift

Crypto posture is invisible until you measure it

NIST has set 2035 as the deadline to disallow classical key exchange (IR 8547, November 2024). NSA CNSA 2.0 requires PQC in network protocols by 2030. Before you plan a migration, you need to know where you stand.

Inventories are incomplete

Endpoints sprawl across cloud, on-prem, and partner connections. Most teams cannot produce a current list of what cipher suites and key exchange methods are actually negotiated in production.

Configurations drift

Certificate rotations, vendor updates, and infrastructure changes silently reintroduce weak defaults. A configuration that was strong last quarter may not be strong today.

Audit evidence is manual

Point-in-time checks with browser tools or ad-hoc scripts produce results that are hard to compare, hard to version, and hard to defend in a review.

What QSA does — and does not do

QSA focuses on TLS perimeter assessment. The scope is deliberately narrow to keep results actionable.

In scope

  • Scan host:port targets from your environment
  • Capture negotiated TLS parameters: protocol version, cipher suite, key exchange group (including PQC hybrid signals)
  • Classify crypto hygiene and PQC readiness; produce machine-readable JSON output and an HTML report
  • Diff successive scans: improved, degraded, or neutral — with reasons per endpoint

Not in scope

  • Not a TLS proxy, VPN, or WAF — QSA is not inline with traffic
  • Not a PQC migration service — QSA measures readiness; it does not deploy PQC algorithms
  • Not SaaS — runs on your infrastructure with no telemetry

What happens when you don't measure

You can't prioritize

Without a baseline scan, remediation planning and PQC roadmaps rely on assumptions. QSA gives you the inventory to make those calls with evidence.

Drift goes unnoticed

Configuration changes silently downgrade your posture. Periodic scans with drift diffs make regressions visible before they become audit findings.

Audits are expensive

Manual checks are slow, subjective, and hard to compare across time. Repeatable scans with hash-chain integrity turn posture assessment into a routine operation.

How QSA is built

On-prem by design

Static Go binary (~10 MB) or Docker container. Runs on your network. No data leaves your environment. Suited for air-gapped and sensitive infrastructure.

Vendor-neutral posture

Scans any TLS endpoint regardless of the underlying stack. Mixed environments get a single consistent assessment with the same scoring methodology.

Evidence-first reporting

JSON output with SHA-256 hash-chain integrity. Each evidence pack is reproducible, verifiable, and structured for auditor consumption.

PQC detection enabled

Drift diffs

Compare scans to track what changed, in which direction, and why it matters. Built for change advisory boards and continuous posture monitoring.
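
The improved / degraded / neutral classification with per-endpoint reasons described above, sketched in Go as an added example (not QSA's code). The Endpoint fields, the rankings and the rule that any regression outweighs an improvement are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Endpoint is one scanned host:port; field names are hypothetical, not QSA's schema.
type Endpoint struct{ Version, Cipher, Group string }

// Assumed rankings (higher is stronger); unknown values rank 0, AEAD cipher suites rank 1.
var versionRank = map[string]int{"TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3, "TLS1.3": 4}
var groupRank = map[string]int{"secp256r1": 1, "X25519": 1, "X25519MLKEM768": 2}

func cipherRank(c string) int {
	if strings.Contains(c, "GCM") || strings.Contains(c, "CHACHA20") {
		return 1
	}
	return 0
}

// Drift classifies an endpoint as improved, degraded or neutral and lists every
// changed parameter. A regression in any parameter wins over an upgrade elsewhere.
func Drift(old, cur Endpoint) (string, []string) {
	var reasons []string
	better, worse := false, false
	check := func(field, o, c string, ro, rc int) {
		if o != c {
			reasons = append(reasons, fmt.Sprintf("%s: %s -> %s", field, o, c))
			better = better || rc > ro
			worse = worse || rc < ro
		}
	}
	check("protocol", old.Version, cur.Version, versionRank[old.Version], versionRank[cur.Version])
	check("cipher suite", old.Cipher, cur.Cipher, cipherRank(old.Cipher), cipherRank(cur.Cipher))
	check("key exchange", old.Group, cur.Group, groupRank[old.Group], groupRank[cur.Group])
	switch {
	case worse:
		return "degraded", reasons
	case better:
		return "improved", reasons
	}
	return "neutral", reasons
}

func main() {
	// Constructed sample: the hybrid key exchange group disappears between two scans.
	fmt.Println(Drift(Endpoint{"TLS1.3", "TLS_AES_128_GCM_SHA256", "X25519MLKEM768"}, Endpoint{"TLS1.3", "TLS_AES_128_GCM_SHA256", "X25519"}))
}
```
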

Three commands cover the workflow

qsa — terminal
# 1. Scan endpoints from a target list
$ qsa scan --targets endpoints.txt --output ./results

# 2. Compare scans to track drift
$ qsa diff baseline.json current.json

# 3. Verify evidence pack integrity
$ qsa verify evidence-pack.json

Each scan produces two scores and an evidence pack:

  • Crypto Hygiene: 79 (scale 0 – 100)
  • PQC Readiness: 40 (scale 0 – 100)

Scores from a scan of 5 public endpoints, February 2026. Hygiene reflects cipher suite and protocol health. PQC Readiness reflects the share of endpoints negotiating post-quantum key exchange.

Output includes a self-contained HTML report with endpoint inventory, per-endpoint findings, scoring rationale, and classification details. The JSON evidence pack preserves hash-chain integrity for audit trails.

Two-week engagement, no cost

Baseline scan plus one follow-up diff. Passive scanning only. All data stays on your infrastructure.

What you provide

  • A list of TLS endpoints to scan (host:port)
  • A Docker-capable host on your network (or we provide a static binary)
  • ~30 minutes with your security or GRC team for kickoff and results review

What you receive

  • Baseline scan with evidence pack (JSON + HTML report)
  • Follow-up scan with drift comparison
  • Prioritized findings and posture scorecards
  • All data stays on your infrastructure

Passive scanning only. QSA performs standard TLS handshakes (ClientHello + ServerHello analysis). No traffic interception, no exploitation, no active probing beyond TLS negotiation.

Request a pilot

Find out where your TLS infrastructure stands on crypto hygiene and PQC readiness. No cost, no commitment, no data leaves your network.

Contact us: jcano@cainmani.com