before the clock runs out.
PQC Scanner inventories cryptography across endpoints, code and configs; maps gaps to CNSA 2.0 (ML‑KEM‑1024, ML‑DSA‑87, SHA‑384/512, LMS/XMSS); and gives you step‑by‑step playbooks to migrate safely.
Everything you need to get PQC‑ready
Audit TLS endpoints, APIs, VPNs, containers, OS images. Detect OpenSSL 3.x & OQS provider registration. Flag legacy RSA/ECC and weak params automatically.
Align with CNSA 2.0, FIPS 203/204, NIST SP 800‑208. Deadline tags and impact scoring for each finding. Executive report + technical backlog.
Playbooks for TLS, IPsec, boot chain, PKI, code signing. Hybrid guidance where protocols require it. Validated parameter sets and config snippets.
GitHub Actions, GitLab CI, Terraform Cloud. Kubernetes/Helm, ingress controllers, service mesh. SIEM export (JSON), PDF reports, ticketing hooks.
OpenSSL/OQS provider, PQC ciphersuites, key sizes. Firmware/UEFI/TPM presence; LMS/XMSS readiness. IPsec/IKEv2, WireGuard, VPN gateways and clients.
Crypto‑BOM (CBOM) for systems and software. Risk‑prioritized remediation roadmap. Before/after posture snapshots for auditors.
Agent & CLI enumerate crypto use, libraries, protocols, and firmware trust roots.
Findings mapped to CNSA 2.0 with risk, dependency, and timeline annotations.
Apply guided playbooks. Gate builds and infra changes to keep posture green.
New acquisitions CNSA 2.0‑compliant by 2027. Phase‑out non‑CNSA 2.0 by 2030; mandate by 2031. Reporting continues until all components are QR.
Data stolen today can be decrypted once CRQC arrives. Firmware roots of trust are long‑lived—act early. Crypto‑agility now avoids costly retrofits later.