Cryptographic posture, end-to-end
Discover every key, cert, and signing identity in your stack. Migrate to safer primitives — hybrid PQ today, AI-resistant tomorrow — without rewriting the apps that depend on them.
How PostQ fits into your stack
PostQ sits between your applications and key management systems, intercepting cryptographic operations and layering in safer primitives — hybrid PQ, agile rotation, AI-resistant defaults — transparently.
Quantum Risk Scanner
PostQ scans your entire cloud environment to build a comprehensive map of cryptographic algorithm usage. It identifies every instance of RSA, ECC, and other quantum-vulnerable algorithms, then calculates a risk score and generates a prioritized migration plan.
- TLS certificate inventory across all endpoints
- Signing key algorithm analysis
- Encrypted storage cipher detection
- "Harvest now, decrypt later" risk assessment
- Prioritized remediation roadmap
72% of cryptographic operations use quantum-vulnerable algorithms
// Verify a hybrid signature
const result = await fetch("https://api.postq.dev/v1/verify", {
method: "POST",
headers: {
"Authorization": "Bearer pq_live_...",
"Content-Type": "application/json"
},
body: JSON.stringify({
payload: "SGVsbG8gUXVhbnR1bSBXb3JsZA==",
signature: sig.combined,
key_id: "vault://signing/production"
})
});
const { valid, classical_valid, pq_valid } = await result.json();
// → valid: true (both components verified)Classical + post-quantum, combined
PostQ’s hybrid signing layer combines classical algorithms (Ed25519, ECDSA) with post-quantum algorithms (Dilithium, Falcon) in a single composite signature. If either algorithm is compromised, the other still protects your data.
PostQ Ledger
Every key creation, signature, rotation, and policy change is hash-chained into a per-org append-only log. Periodically the log is sealed into an RFC 6962 Merkle tree head and signed with your own hybrid ML-DSA + Ed25519 key. Verify any historical entry offline with a single Go binary.
- Hash-chained, tamper-evident audit log per organization
- Hybrid-signed Merkle tree heads (RFC 6962)
- O(log n) inclusion proofs for any historical entry
- Add custom events from the dashboard or POST /v1/ledger/entries
- One-shot offline verifier: postq ledger verify bundle.json
# Anyone can verify your audit log offline
curl -H "Authorization: Bearer $POSTQ_API_KEY" \
https://api.postq.dev/v1/ledger/bundle | jq .data > bundle.json
postq ledger verify bundle.json
# ✓ hash chain intact (1842 entries)
# ✓ all 17 checkpoints' merkle roots match the entry chainPolicy as code for cryptography
Define cryptographic policies in YAML and apply them across your entire infrastructure. Enforce rules like “no classical-only signatures in production” and get alerts when services deviate.
- Declarative YAML-based policy definitions
- Enforce, warn, or audit modes per rule
- Per-environment and per-service granularity
- Integration with Slack, PagerDuty, and webhooks
- Compliance reports for NIST SP 800-208
# postq-policy.yaml
apiVersion: postq.dev/v1
kind: CryptoPolicy
metadata:
name: production-enforcement
spec:
environments:
- production
- staging
rules:
- name: require-hybrid-signing
action: enforce
match:
operation: sign
require:
algorithm_class: hybrid
- name: block-rsa-1024
action: deny
match:
algorithm: "RSA-1024"
- name: warn-classical-only
action: warn
match:
algorithm_class: classical
notify:
channel: "#security-alerts"Full visibility into your cryptographic posture
Every scan, signature, key rotation, policy decision, and attestation outcome lands in the same per-org audit ledger — hash-chained, hybrid-signed, and exportable for offline forensic review.
Audit ledger
RFC 6962-style Merkle log of every key, signature, policy, and attestation event in your org. Verify any historical entry offline with the postq CLI.
Cryptographic asset inventory
Continuous scans of TLS endpoints, source repos, AWS KMS, Azure Key Vault, and live Kubernetes clusters — results stream into a single dashboard view.
Per-key audit trails
Every hybrid key has its own timeline of creates, rotations, signs, revocations, and policy violations. Filterable, exportable, and surface in the dashboard.
Attestation verdicts
When a key is bound to an attestation policy, every sign call records the enclave image hash, monotonic counter, and verifier verdict alongside the signature.
Ready to get started?
Run your first quantum risk scan and see exactly where your infrastructure is vulnerable.