Cryptographic posture, end-to-end
Discover every key, cert, and signing identity in your stack. Migrate to safer primitives — hybrid PQ today, AI-resistant tomorrow — without rewriting the apps that depend on them.
How PostQ fits into your stack
PostQ sits between your applications and key management systems, intercepting cryptographic operations and layering in safer primitives — hybrid PQ, agile rotation, AI-resistant defaults — transparently.
Quantum Risk Scanner
PostQ scans your entire cloud environment to build a comprehensive map of cryptographic algorithm usage. It identifies every instance of RSA, ECC, and other quantum-vulnerable algorithms, then calculates a risk score and generates a prioritized migration plan.
- TLS certificate inventory across all endpoints
- Signing key algorithm analysis
- Encrypted storage cipher detection
- "Harvest now, decrypt later" risk assessment
- Prioritized remediation roadmap
72% of cryptographic operations use quantum-vulnerable algorithms
// Verify a hybrid signature
// `sig` is the result of an earlier signing call (not shown here)
const result = await fetch("https://api.postq.dev/v1/verify", {
  method: "POST",
  headers: {
    "Authorization": "Bearer pq_live_...",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    payload: "SGVsbG8gUXVhbnR1bSBXb3JsZA==",
    signature: sig.combined,
    key_id: "vault://signing/production"
  })
});
const { valid, classical_valid, pq_valid } = await result.json();
// → valid: true (both components verified)

Classical + post-quantum, combined
PostQ’s hybrid signing layer combines classical algorithms (Ed25519, ECDSA) with post-quantum algorithms (Dilithium, Falcon) in a single composite signature. If either algorithm is compromised, the other still protects your data.
PostQ Ledger
Every key creation, signature, rotation, and policy change is hash-chained into a per-org append-only log. Periodically the log is sealed into an RFC 6962 Merkle tree head and signed with your own hybrid ML-DSA + Ed25519 key. Verify any historical entry offline with a single Go binary.
- Hash-chained, tamper-evident audit log per organization
- Hybrid-signed Merkle tree heads (RFC 6962)
- O(log n) inclusion proofs for any historical entry
- Add custom events from the dashboard or POST /v1/ledger/entries
- One-shot offline verifier: postq ledger verify bundle.json
# Anyone can verify your audit log offline
curl -H "Authorization: Bearer $POSTQ_API_KEY" \
  https://api.postq.dev/v1/ledger/bundle | jq .data > bundle.json
postq ledger verify bundle.json
# ✓ hash chain intact (1842 entries)
# ✓ all 17 checkpoints' merkle roots match the entry chain

Policy as code for cryptography
Define cryptographic policies in YAML and apply them across your entire infrastructure. Enforce rules like “no classical-only signatures in production” and get alerts when services deviate.
- Declarative YAML-based policy definitions
- Enforce, warn, or audit modes per rule
- Per-environment and per-service granularity
- Integration with Slack, PagerDuty, and webhooks
- Compliance reports for NIST SP 800-208
# postq-policy.yaml
apiVersion: postq.dev/v1
kind: CryptoPolicy
metadata:
  name: production-enforcement
spec:
  environments:
    - production
    - staging
  rules:
    - name: require-hybrid-signing
      action: enforce
      match:
        operation: sign
      require:
        algorithm_class: hybrid
    - name: block-rsa-1024
      action: deny
      match:
        algorithm: "RSA-1024"
    - name: warn-classical-only
      action: warn
      match:
        algorithm_class: classical
      notify:
        channel: "#security-alerts"

Full visibility into your cryptographic posture
Track PQ adoption, monitor algorithm usage, and detect insecure patterns in real time across all your systems.
Ready to get started?
Run your first quantum risk scan and see exactly where your infrastructure is vulnerable.