Find quantum-vulnerable cryptography before your customers and auditors ask.
PostQ scans your public TLS endpoints, certificates, and key-exchange posture, then generates a shareable post-quantum readiness report with prioritized migration steps for ML-KEM and future PQ signature rollout.
No signup required for the basic TLS scan. We only inspect public metadata.
Free public TLS scan · No signup · No private keys · Public metadata only
The PKI Consortium is an industry group of CAs, vendors, and researchers advancing PKI and post-quantum migration standards.
A report you can actually share
Every scan produces a shareable readiness report: a 0–100 score, prioritized findings, a certificate chain breakdown, an algorithm inventory, and concrete migration steps. Send the link to your security reviewer or export it as a PDF.
- TLS version support, cipher, and negotiated key exchange
- Certificate public-key + signature algorithm posture
- RSA / ECDSA / DH / ECDH exposure called out explicitly
- Hybrid / PQ TLS support detected when present
- Plain-language "what this means" + "how to fix" for every finding
PQC readiness score
example-bank.com
Live now, in preview, and on the roadmap
The free TLS scan works right now. Deeper cryptographic inventory is rolling out through a private preview, and the broader platform is on a public roadmap — so you always know exactly what you’re getting.
- Public TLS endpoint scan
- Certificate chain algorithm analysis
- PQ / hybrid TLS detection
- Shareable readiness report
Free, no signup — only public metadata is inspected.
See a sample report →- Kubernetes crypto inventory
- Cloud KMS / Key Vault inventory
- GitHub / IaC config scanning
- JWT / code-signing workflow scan
Authenticated integrations read key metadata and usage — never private key material.
Request preview access →- Hybrid signing API
- Policy engine
- Transparency log
- Self-hosted deployments
Planned as the platform matures toward general availability.
Start your PQC migration with a cryptographic inventory
Harvest-now, decrypt-later is happening today
Traffic protected by classical key exchange (RSA, ECDH, X25519) can be recorded now and decrypted once a cryptographically relevant quantum computer exists. Long-lived data is exposed first.
Auditors are starting to ask
Cryptographic inventory and migration planning are appearing in security questionnaires, NIST guidance, and government mandates. A readiness report is becoming audit evidence.
You can't migrate what you can't see
Most teams have no inventory of where RSA, ECDSA, and DH live. Discovery and prioritization come before any migration work.
Extend the scan into a full inventory
These deeper inventory scanners are rolling out in private preview — request access to try them on your own environment.
Scan clusters from the inside
An in-cluster agent inventories TLS Secrets, cert-manager Certificates, Issuers, Ingress TLS, embedded PEMs, and Istio / Linkerd mTLS — then reports findings to PostQ.
Kubernetes scanner →See every cloud key
Inventory RSA and EC keys, certificates, expiry, and signing usage across AWS KMS / CloudHSM / ACM and Azure Key Vault — focused on readiness, not replacement.
Cloud key visibility →Find signing workflow risk
Flag quantum-vulnerable JWT algorithms (RS256, ES256, EdDSA) and code-signing certificates across your CI/CD pipelines and release workflows.
JWT risk checker →Works with your existing cloud-native stack
Built to be trusted by security teams
The 0–100 readiness score is fully transparent — see exactly how it’s calculated, and where an external scan stops, in our scoring methodology. More detail on data handling lives on our security & privacy page.
Frequently asked questions
What does the free PostQ scan check?
The free scan runs a real TLS handshake against your public domain and inspects the negotiated TLS versions, cipher, and key exchange, plus the certificate chain's public-key and signature algorithms. It produces a 0–100 PQC readiness score with prioritized findings. No signup or private keys are required.
Is the readiness score a guarantee that I'm secure?
No. The score is a readiness indicator based on externally observable cryptography. It is intended to help you prioritize a post-quantum migration, not to certify the overall security of your systems. A complete inventory also covers internal services, cloud KMS/HSM keys, JWTs, and code-signing.
Which algorithms are considered quantum-vulnerable?
Public-key algorithms based on factoring or discrete logs — RSA, ECDSA, DH, ECDH, X25519, Ed25519, and JWT signatures like RS256 and ES256 — can be broken by Shor's algorithm on a future quantum computer. Symmetric algorithms (AES) and hashes are a different, lower-risk category.
What are the post-quantum target algorithms?
NIST has standardized ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) for signatures, and SLH-DSA (FIPS 205) for hash-based signatures. PostQ reports where vulnerable algorithms are used and which targets apply; we don't claim a target is deployed in your stack unless detection confirms it.
Does PostQ upload my private keys?
No. The external scanner only inspects public metadata exposed during a normal TLS handshake. Private keys are never collected. Authenticated integrations (cloud KMS, Kubernetes) read key metadata and usage, not private key material.
Can I share or export a report?
Yes. Every scan has a shareable report URL, and you can export it as a PDF from the report page. The full report (PDF + internal asset coverage) can also be emailed to you.
Find quantum-vulnerable cryptography before your customers and auditors ask
Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup required.
No signup required for the basic TLS scan. We only inspect public metadata.
Need cloud, Kubernetes, or signing-workflow coverage? Join the private preview →