PQC readiness scanning & cryptographic inventory

Find quantum-vulnerable cryptography before your customers and auditors ask.

PostQ scans your public TLS endpoints, certificates, and key-exchange posture, then generates a shareable post-quantum readiness report with prioritized migration steps for ML-KEM and future PQ signature rollout.

No signup required for the basic TLS scan. We only inspect public metadata.

Free public TLS scan · No signup · No private keys · Public metadata only

Member ofPKI Consortium

The PKI Consortium is an industry group of CAs, vendors, and researchers advancing PKI and post-quantum migration standards.

Scanner-first

A report you can actually share

Every scan produces a shareable readiness report: a 0–100 score, prioritized findings, a certificate chain breakdown, an algorithm inventory, and concrete migration steps. Send the link to your security reviewer or export it as a PDF.

  • TLS version support, cipher, and negotiated key exchange
  • Certificate public-key + signature algorithm posture
  • RSA / ECDSA / DH / ECDH exposure called out explicitly
  • Hybrid / PQ TLS support detected when present
  • Plain-language "what this means" + "how to fix" for every finding

PQC readiness score

example-bank.com

High risk
52/ 100
Classical key exchange negotiated (X25519)HIGH
Certificate public key uses RSA-2048HIGH
Certificate signed with sha256WithRSAEncryptionMEDIUM
What PostQ can scan today

Live now, in preview, and on the roadmap

The free TLS scan works right now. Deeper cryptographic inventory is rolling out through a private preview, and the broader platform is on a public roadmap — so you always know exactly what you’re getting.

Available now
  • Public TLS endpoint scan
  • Certificate chain algorithm analysis
  • PQ / hybrid TLS detection
  • Shareable readiness report

Free, no signup — only public metadata is inspected.

See a sample report
Private preview
  • Kubernetes crypto inventory
  • Cloud KMS / Key Vault inventory
  • GitHub / IaC config scanning
  • JWT / code-signing workflow scan

Authenticated integrations read key metadata and usage — never private key material.

Request preview access
Roadmap
  • Hybrid signing API
  • Policy engine
  • Transparency log
  • Self-hosted deployments

Planned as the platform matures toward general availability.

Why PQC readiness matters

Start your PQC migration with a cryptographic inventory

Harvest-now, decrypt-later is happening today

Traffic protected by classical key exchange (RSA, ECDH, X25519) can be recorded now and decrypted once a cryptographically relevant quantum computer exists. Long-lived data is exposed first.

Auditors are starting to ask

Cryptographic inventory and migration planning are appearing in security questionnaires, NIST guidance, and government mandates. A readiness report is becoming audit evidence.

You can't migrate what you can't see

Most teams have no inventory of where RSA, ECDSA, and DH live. Discovery and prioritization come before any migration work.

Built for cloud-native security teams

Extend the scan into a full inventory

These deeper inventory scanners are rolling out in private preview — request access to try them on your own environment.

Private previewKubernetes agent

Scan clusters from the inside

An in-cluster agent inventories TLS Secrets, cert-manager Certificates, Issuers, Ingress TLS, embedded PEMs, and Istio / Linkerd mTLS — then reports findings to PostQ.

Kubernetes scanner
Private previewCloud KMS / HSM inventory

See every cloud key

Inventory RSA and EC keys, certificates, expiry, and signing usage across AWS KMS / CloudHSM / ACM and Azure Key Vault — focused on readiness, not replacement.

Cloud key visibility
Private previewCode-signing & JWT risk

Find signing workflow risk

Flag quantum-vulnerable JWT algorithms (RS256, ES256, EdDSA) and code-signing certificates across your CI/CD pipelines and release workflows.

JWT risk checker

Works with your existing cloud-native stack

KubernetesAWSAzureGCPHashiCorp VaultGitHubDocker
How we handle your data

Built to be trusted by security teams

No private keys are ever collected.
External scans use standard TLS handshakes only.
Authenticated integrations collect metadata only.
Reports are readiness indicators, not security certifications.

The 0–100 readiness score is fully transparent — see exactly how it’s calculated, and where an external scan stops, in our scoring methodology. More detail on data handling lives on our security & privacy page.

Frequently asked questions

What does the free PostQ scan check?

The free scan runs a real TLS handshake against your public domain and inspects the negotiated TLS versions, cipher, and key exchange, plus the certificate chain's public-key and signature algorithms. It produces a 0–100 PQC readiness score with prioritized findings. No signup or private keys are required.

Is the readiness score a guarantee that I'm secure?

No. The score is a readiness indicator based on externally observable cryptography. It is intended to help you prioritize a post-quantum migration, not to certify the overall security of your systems. A complete inventory also covers internal services, cloud KMS/HSM keys, JWTs, and code-signing.

Which algorithms are considered quantum-vulnerable?

Public-key algorithms based on factoring or discrete logs — RSA, ECDSA, DH, ECDH, X25519, Ed25519, and JWT signatures like RS256 and ES256 — can be broken by Shor's algorithm on a future quantum computer. Symmetric algorithms (AES) and hashes are a different, lower-risk category.

What are the post-quantum target algorithms?

NIST has standardized ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) for signatures, and SLH-DSA (FIPS 205) for hash-based signatures. PostQ reports where vulnerable algorithms are used and which targets apply; we don't claim a target is deployed in your stack unless detection confirms it.

Does PostQ upload my private keys?

No. The external scanner only inspects public metadata exposed during a normal TLS handshake. Private keys are never collected. Authenticated integrations (cloud KMS, Kubernetes) read key metadata and usage, not private key material.

Can I share or export a report?

Yes. Every scan has a shareable report URL, and you can export it as a PDF from the report page. The full report (PDF + internal asset coverage) can also be emailed to you.

Find quantum-vulnerable cryptography before your customers and auditors ask

Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup required.

No signup required for the basic TLS scan. We only inspect public metadata.

Need cloud, Kubernetes, or signing-workflow coverage? Join the private preview →