Product walkthrough
PQC inventory in 10 minutes: what a live scan actually shows
Most enterprises cannot answer three basic questions: which systems still depend on RSA or ECDSA, which third-party libraries embed legacy crypto, and which teams own remediation. A live Qtangl scan answers them in one session.
Three questions enterprises fail
Security teams know post-quantum migration is coming. They struggle to prove what they have. Spreadsheets decay within weeks as new deployments ship, partner APIs change ciphers, and certificate rotations go untracked.
A PQC inventory scan enumerates external TLS endpoints, tags algorithms (RSA, ECDSA, hybrid ML-KEM), and classifies quantum vulnerability — the baseline artifact every migration program needs.
Step 1: Run the scanner
Open the Qtangl PQC demo at /demo/pqc or authorize a live domain scan through Assess. The scanner probes TLS handshakes, certificate chains, and cipher suites — mapping each endpoint to algorithm families and key sizes.
Results appear in minutes: endpoint list, severity-ranked findings, framework crosswalks (NSM-10, CNSA 2.0, NIST IR 8547), and a readiness score combining exposure, coverage, and deadline pressure.
Step 2: Export the CBOM
Export a CycloneDX Crypto Bill of Materials (CBOM) JSON — machine-readable inventory for ServiceNow, Archer, or custom GRC tools. Sample CBOM files are available for download before you run your own scan.
CBOM beats spreadsheets: it captures JWKS endpoints, STARTTLS configurations, and algorithm tags in a format your CMDB can ingest — not a one-time audit snapshot.
Step 3: Signed evidence and verify
Assess tier exports a signed PDF report with an independent verify link at /verify. Auditors check signatures without trusting Qtangl alone — evidence your board can reference, not a attestation claim.
Monitor tier schedules re-scans and diffs each baseline against the prior scan: new findings, resolved items, and readiness score trends. That is how you move from annual panic to operational crypto hygiene.
Continue on the Q-Day hub: CycloneDX CBOM guide
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-03
- What Is Post-Quantum Cryptography?NIST · 2024Official overview of NIST's PQC project, finalized standards, and the harvest-now-decrypt-later threat model.
- FIPS 203 — Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)NIST · 2024-08Standardized post-quantum key encapsulation (formerly Kyber).
- What Is Q-Day? Quantum Computing and Cyber RiskPalo Alto Networks · 2026CRQC definition, HNDL threat model, and migration guidance for enterprise security teams.
See your exposure with evidence
Run a live PQC inventory scan, export a CBOM, and verify signed reports independently.