Skip to content
Qtangl logo mark
Qtangl
Q-Day Readiness
PlatformAssessMonitorConvertPricingDocs
Run Q-Day scan
Qtangl logo mark

Qtangl

Assess. Monitor. Convert.

Assess quantum-vulnerable crypto. Monitor drift until Q-Day. Convert with signed evidence your auditors can verify.

charley@qtangl.com

New York City, NY

LinkedInYouTube

Platform

PlatformAssessMonitorConvertPricingDocs

More

Command CenterAssess startAccessJourneyResourcesCompareMini-assessmentQ-Day hubSolutionsPartnersTrustStatusVerifyLearnQuantum crypto curriculumBlogAbout

Legal

PrivacyTermsTrustSecuritySub-processors
© 2026 Qtangl. All rights reserved.PrivacyTermsTrustSecuritySub-processors

Q-Day readiness

Baseline your crypto in one session

Run a sample report in 30 seconds, try a live scan on the Open Quantum Safe test server, or authorize your own domains for a production baseline.

Run sample in 30sSee sample bank report
Try a scenario:

Scenarios autorun with fixture data — methodology

Run scan

  • Run scan
  • Why scan
  • Deliverables
  • Frameworks
  • Why Qtangl
  • FAQ

Honest caveat: Quantum-vulnerable does not mean broken today. Qtangl provides an inventory aid — not a formal audit or attestation. Sources last verified 2026-06-21.

PQ-signed reportsTransparency logOffline verifyMethodologyQ-Day hub

Fixture scenarios, OQS demo scans, and authorized production workspaces run in the scanner below.

Learn before you scan

Understand Q-Day risk in minutes

Harvest-now-decrypt-later exposure is a planning problem, not a broken-crypto alarm. Use Mosca's inequality to see if your data outlives your migration runway — then run a live assessment.

Mosca calculator

If X + Y > Z, harvest-now-decrypt-later exposure requires action now.

10 + 5 = 15 vs Z = 8

Inequality holds — HNDL exposure today.

Syncs moscaX/moscaY/moscaZ URL params for your assessment.

Example Mosca timeline

Illustrative 10-year retention · 5-year migration · 8-year quantum horizon (regional bank scenario).

Mosca inequality: X + Y > Z

X data shelf (10y)
Y migration (5y)
Z to Q-Day (8y)

10-year data retention plus a 5-year migration runway exceeds an 8-year quantum timeline — act now on HNDL exposure.

ROI & evidence

Compare spreadsheet programs and consulting baselines to continuous Monitor — or preview the signed report pack your GRC team receives after every assessment.

ROI calculatorSee a signed reportRun assessment

Your path

Pick a role — we'll open the results tab that matches your workflow after your first scan.

Developer API

Automate baseline scans in CI

Start inventory with POST /pqc/scan, poll GET /pqc/scan/{scanId}, and export signed PDF or CycloneDX CBOM for your GRC pipeline.

Request

{
  "target": "api.example.com",
  "scan_type": "tls_inventory",
  "options": {
    "include_cbom": true,
    "mosca_data_lifetime_years": 10
  }
}
Response

{
  "status": "completed",
  "readiness_score": 62,
  "findings": {
    "quantum_vulnerable": 47,
    "transitional": 12,
    "quantum_safe": 8
  },
  "mosca": {
    "hndl_risk": "elevated",
    "data_lifetime_years": 10,
    "quantum_timeline_years": 8
  },
  "exports": {
    "cbom": "cyclonedx-json",
    "report_url": "/r/sample-token",
    "verify_url": "/verify?token=sample-token"
  },
  "method": "pqc_scanner"
}
PQC API guide →

How it works

Three paths to your baseline

  1. ① Step 1

    Choose your path

    Sample report (no setup), OQS live demo, or authorized workspace for your domain.

    Go to scanner
  2. ② Step 2

    Run baseline

    Fixture scenarios offline, or live TLS/JWKS/SSH discovery on test.openquantumsafe.org or your allowlisted domain.

    Go to scanner
  3. ③ Step 3

    Review findings

    Readiness score, Mosca HNDL timeline, framework mapping, and remediation backlog.

    58.2

    Q-Day readiness (endpoint-scoped)

    Mosca inequality: X + Y > Z

    X data shelf (10y)
    Y migration (5y)
    Z to Q-Day (8y)

    10-year retention plus 5-year migration exceeds an 8-year quantum timeline.

  4. ④ Step 4

    Export evidence

    PDF, CycloneDX CBOM, and public verify link for auditors and the board.

    Preview deliverables

How scoring works

Deliverables

What every assessment exports

Available in your workspace:Lite scan (depth=lite)

Deliverable preview — illustrative

Click a PDF outline item to highlight the matching CBOM field — every assessment exports board-ready PDF, CycloneDX CBOM, and a verify receipt auditors can check independently.

Executive summary

Framework mapping

Remediation backlog

Selected item syncs with the CBOM tab — illustrative sample only.

Why teams choose Qtangl

Evidence, drift, and honest scope

Signed evidence

Every report ships with a content hash and signature — auditors verify at /verify without trusting Qtangl alone.

Continuous drift

Monitor diffs each scan against the last baseline so regressions surface before the next audit cycle.

Honest scope

Inventory aid and prioritization — not a formal attestation. We say what we do and do not claim.

Minutes, not months

Live fixture scan in under ten minutes. Compare that to spreadsheet programs that decay on first deploy.

Live today: Fixture + OQS live demo scans · Signed PDF + CycloneDX CBOM · Public /verify for auditors

What you get

Assessment deliverables

Black and white diagram of TLS handshake inventory across network endpoints.

Live domain scan

TLS handshake inventory with algorithm and key-size classification — the evidence your security team needs for CMMC and PCI audits.

Black and white timeline showing harvest-now-decrypt-later exposure horizon.

Mosca HNDL timeline

Harvest-now-decrypt-later exposure scored against your data retention horizon — board-ready context, not alarmism.

Black and white illustration of a structured document stack representing CBOM export.

Multi-method discovery

No single discovery method covers your full estate. Qtangl combines TLS, JWKS, SSH, and upload paths — illustrative coverage for Assess tier.

Qtangl discovery method coverage
MethodAssess coverage
TLS handshakefull
JWKS / JWTfull
SSH host keysfull
STARTTLSpartial
PEM uploadfull

What Monitor adds

Track drift after your baseline

Assess is a one-session snapshot. Monitor schedules re-scans, detects drift, and alerts when new quantum-vulnerable endpoints appear.

Readiness delta
-4.2 (66 → 61.8)
New Q-vulnerable
2
Certs expiring
3

Two new quantum-vulnerable TLS endpoints and one RSA-2048 certificate downgrade detected since last week's scan.

See Monitor previewDrift charts & alert previews →

Scenarios

Try a regulated scenario

Pre-loaded fixture targets for banking, government, and healthcare readiness workflows — no domain required.

Bank TLS inventoryGov contractor CMMCHealthcare HNDL

Standards & frameworks

Mapped to the mandates your auditors cite

Every assessment maps your quantum-vulnerable findings to the frameworks driving your program — NSM-10, CNSA 2.0, NIST IR 8547, PCI-DSS 4.0, and CMMC — with control themes, deadlines, and a signed report your auditors can verify independently.

  • Federal mandate2035

    NSM-10 compliance guide

    National Security Memorandum on post-quantum cryptography

  • NSA suite2030–2033

    CNSA 2.0 guide

    Commercial National Security Algorithm Suite 2.0

Sample artifact

30-second preview

Try a vertical fixture before you run a scan

Email-gated mini-assessment shows readiness score, coverage confidence, and top findings — no domain required.

Start mini-assessmentBanking previewHealthcare preview

Why Qtangl

Signed evidence, not discovery-only

Many tools inventory TLS endpoints. Qtangl adds framework mapping, Mosca HNDL scoring, and PQ-signed reports your auditors verify at /verify — without claiming formal attestation.

CapabilityQtanglTypical discovery tool
Signed report + public verifyYesRare
Framework mapping (NSM-10, CMMC, PCI)YesPartial
Full vendor comparisonSee positioning matrix →

Next steps

Validate Qtangl on your estate

Run a free Q-Day scan, download the full vendor comparison guide, or talk with our team about your shortlist.

Run a free Q-Day scanGet comparison guide (PDF)Compare with our team

Verify a signed report · Pricing

Assess → Monitor → Convert

Stage 1 — Baseline

You are here: establish your crypto inventory

Assess is a one-session baseline. Monitor tracks drift until Q-Day. Convert plans remediation with signed evidence.

Run baseline scan

What Convert adds

Remediation program with signed proof of fix

After your baseline, Convert tracks remediation waves, what-if score projections, and verify-fix loops — illustrative preview below.

Current score
61.8
Open items
2
In progress
1
See full Convert previewInteractive program simulator →

Case study

Dogfood — we scan ourselves

Qtangl runs daily live PQC scans of qtangl.com, www.qtangl.com, and api.qtangl.com in CI. Signed reports are publicly verifiable — we hold ourselves to the standard we sell.

Live self-scan badge is not yet available. Run your own scan at /assess or verify at /verify.

Full dogfood reportPlatform CBOMVerify spec

FAQ

Common questions

No. Assess is an inventory aid that maps quantum-vulnerable cryptography to frameworks your auditors cite. Export signed PDF and CBOM evidence — auditors verify independently at /verify.

Q-Day readiness

Ready for your own domains?

Self-serve Assess workspace includes 5 scans per month and domain allowlisting. Sales-led pilots cover multi-domain estates and Monitor onboarding.

Start authorized workspaceRequest pilot
Assessment API guide

CycloneDX CBOM

Machine-readable crypto bill of materials for your CMDB and GRC tools — import into ServiceNow, Archer, or your SIEM.

Black and white illustration of a signed report with seal and verify link chain.

Signed executive PDF

Board-ready summary with an independent verify link — auditors confirm signing integrity at /verify.

NIST transition
2030

NIST IR 8547 primer

Transitioning to post-quantum cryptography standards

  • Payments2025–ongoing

    PCI-DSS 4.0 crypto agility

    Cryptographic agility and key management requirements

  • Defense2026–2030

    CMMC crypto inventory

    Federal contractor cryptographic inventory expectations

  • FIPS 203Available 2024

    ML-KEM migration guide

    Module-Lattice-Based Key-Encapsulation Mechanism standard

  • HealthcareRisk analysis ongoing

    HIPAA & harvest-now-decrypt-later

    HIPAA Security Rule and long data shelf-life

  • BankingPCI-DSS 4.0 ongoing

    Banking & harvest-now-decrypt-later

    Financial data shelf-life and crypto agility

  • Defense2035 (NSM-10)

    Gov contractor & harvest-now-decrypt-later

    CMMC inventory and federal HNDL exposure

  • EnterprisePhased enforcement

    EU CRA & post-quantum readiness

    EU Cyber Resilience Act product security

  • Control mappings are an inventory aid to accelerate audit preparation — not a formal attestation. We say what we do and do not claim.

    Run a framework-mapped assessmentQ-Day education hub
    See full maturity model →
    Live product:

    Ops note: Sample scenarios use offline fixtures. Live demos target approved hosts only. Production domains require an authorized workspace at /assess/start. Methodology & rate limits.

    Loading assessment scanner…