Is this a formal attestation or audit?

No. Assess is an inventory aid that maps quantum-vulnerable cryptography to frameworks your auditors cite. Export signed PDF and CBOM evidence — auditors verify independently at /verify.

What domains can I scan?

Fixture scenarios run without outbound network access. Live scans require your authorization and target domains you own or have written permission to test.

How is evidence verified?

Every report is signed (PQ-capable). Share the verify link or use the offline qtangl-verify CLI. Transparency log receipts are listed on /trust.

What is the difference between Assess and Monitor?

Assess is a one-session baseline. Monitor schedules re-scans, detects drift, and tracks remediation until Q-Day.

Assess

Baseline your crypto in one session

Scan external-facing TLS, map algorithms to NSM-10 and NIST IR 8547, and export evidence your board can review.

Start assessment Request pilot

Live in product — run a baseline below or connect your tenant key on Dashboard.

PQ-signed reports Transparency log Offline verify Methodology

Loading assessment scanner…

How it works

Baseline in four steps

Step 1
Pick scenario
Bank, government CMMC, or healthcare HNDL fixture.
Step 2
Set target
Use scenario domain or authorize a live external scan.
Step 3
Run baseline
External TLS, JWKS, SSH, and email discovery.
Step 4
Export evidence
PDF, CycloneDX CBOM, and public verify link.

How scoring works

What you get

Assessment deliverables

Live domain scan

TLS handshake inventory with algorithm and key-size classification.

Mosca HNDL timeline

Harvest-now-decrypt-later exposure scored against your data retention horizon.

CycloneDX CBOM

Machine-readable crypto bill of materials for your CMDB and GRC tools.

Signed executive PDF

Board-ready summary with an independent verify link.

Scenarios

Try a regulated scenario

Pre-loaded targets for banking, government, and healthcare readiness workflows.

Bank TLS inventory Gov contractor CMMC Healthcare HNDL

Standards & frameworks

Mapped to the mandates your auditors cite

Every assessment maps your quantum-vulnerable findings to the frameworks driving your program — NSM-10, CNSA 2.0, NIST IR 8547, PCI-DSS 4.0, and CMMC — with control themes, deadlines, and a signed report your auditors can verify independently.

Sample artifact

Download a sample CycloneDX CBOM from a banking TLS scenario, verify a signed report, or run a live scan above to export your own.

Download sample CBOM See a signed report Free mini-assessment CBOM guide

Case study

Dogfood — we scan ourselves

Qtangl is enabling live self-scans of our own domains in production CI. Until live dogfood is configured, verify any scan at /verify or run your own assessment at /assess.

Loading latest self-scan…

Verify spec

FAQ

Common questions

Is this a formal attestation or audit?: No. Assess is an inventory aid that maps quantum-vulnerable cryptography to frameworks your auditors cite. Export signed PDF and CBOM evidence — auditors verify independently at /verify.
What domains can I scan?: Fixture scenarios run without outbound network access. Live scans require your authorization and target domains you own or have written permission to test.
How is evidence verified?: Every report is signed (PQ-capable). Share the verify link or use the offline qtangl-verify CLI. Transparency log receipts are listed on /trust.
What is the difference between Assess and Monitor?: Assess is a one-session baseline. Monitor schedules re-scans, detects drift, and tracks remediation until Q-Day.

Start with a live scan

No account required for the public scanner. Request pilot access for production domains.

Run Q-Day scan Request pilot