6 Patents Filed · Built by a Halborn-Audited Team

Quantum-ready compliance starts with visibility.

PQCAT scans your infrastructure for quantum-vulnerable cryptography, scores your compliance against CNSA 2.0, NIST SP 800-131A, and 11 regulatory frameworks — then proves it with evidence your auditors will accept.

Linux: curl -sSL https://install.pqcat.io | sh
Windows: irm https://install.pqcat.io/windows | iex
10 Scanner Modules · 11 Frameworks · 0 Dependencies* · AMI FedRAMP Ready

Ten scanner modules. Four domains.

Every scan produces a normalized 0–100 compliance score, CBOM inventory, and actionable remediation plan.

Map every cryptographic asset on your perimeter

Deep protocol analysis across TLS, SSH, and DNS endpoints. Full cipher suite enumeration, certificate chain validation, and quantum-risk classification — covering every exposed service in your network.

TLS Deep Scan

SSL Labs-grade assessment: cipher enumeration, protocol probing (TLS 1.0–1.3), certificate chain analysis, ML-KEM detection, DNSSEC/DANE validation — 90× faster.

SSH Key Audit

Inventories authorized_keys, server host keys, and key exchange algorithms. Flags DSA, RSA-1024, and ECDSA keys for rotation.

Network & CIDR Discovery

Scans entire subnets. Discovers SSH, TLS, IPsec, and DNS endpoints. Maps every cryptographic asset on your network perimeter.

Find vulnerable crypto in your code before it ships

Static analysis across 40+ languages, dependency scanning against 183 known-vulnerable libraries, and container image inspection — catching quantum-vulnerable patterns from source to deployment.

Source Code Analysis

Regex + AST scanning across 40+ languages. Finds hardcoded keys, weak algorithms, and deprecated crypto patterns in your repos.

SBOM & Supply Chain

Parses CycloneDX and SPDX BOMs. Cross-references 183 library signatures against known quantum-vulnerable dependencies.

Container Image Scanner

Scans Docker and OCI container images for embedded cryptographic libraries, certificates, and key material with quantum-vulnerability classification.

Audit your infrastructure configuration end-to-end

Analyze server configurations, certificate stores, Java keystores, and SCAP benchmark results — ensuring every infrastructure component aligns with quantum-readiness requirements.

Config Analysis

Scans nginx, Apache, OpenSSL, and SSH configuration files for weak cipher selections, deprecated protocols, and non-compliant crypto settings.

PKI & X.509 Estate

Crawls certificate stores, Java keystores, and PEM directories. Full chain validation with quantum-risk classification per asset.

SCAP Compliance

Ingests SCAP/XCCDF benchmark results and cross-references crypto policy findings against quantum readiness requirements.

Assess your cloud crypto posture before Q-Day

Discover and classify every cryptographic asset across AWS cloud services — then quantify the risk of "harvest now, decrypt later" attacks with the patent-pending HNDL Risk Engine.

Cloud CSP Scanner

AWS KMS, ACM, ELB, S3, Route 53, and IAM scanning. Auto-detect credentials via IAM roles. Zero write permissions required.

HNDL Risk Engine

Patent-pending per-asset exposure scoring. Calculates "harvest now, decrypt later" risk based on data sensitivity, retention period, and regulatory quantum timeline.

Eleven frameworks. One normalized score.

Every scan maps findings to your regulatory obligations. One command, one score, one report your auditor signs off on.

CNSA 2.0 NIST SP 800-131A NSM-10 FISMA FedRAMP PCI DSS 4.0 SOX HIPAA NYDFS 500 SWIFT CSP CMMC

Prove compliance without revealing your infrastructure.

The Confidential Compliance Engine produces cryptographic attestations that regulators verify — without ever seeing your asset inventory, hostnames, or topology. Run pqcat scan --confidential and the report proves readiness without exposing a single hostname.

The dilemma

A CISO at a financial institution has 50,000 cryptographic assets. She must prove to regulators that 94% are quantum-ready — but the detailed scan report is itself a roadmap for attackers.

How do you prove compliance without proving how you're compliant?

01 Asset Anonymization

BLAKE2b-salted asset IDs. Regulators see cryptographic hashes — never hostnames, IPs, or network topology.

02 Aggregate-Only Reporting

Reports contain only statistical summaries — pass rates, framework scores, drift deltas. Zero individual asset details leave the building.

03 zk-STARK Proof of Compliance

A zero-knowledge proof that the scan was complete, the scoring algorithm was applied correctly, and the result is authentic — mathematically verifiable without seeing any input data.

HNDL Risk Engine (patent pending)

Not all vulnerabilities are equal. A banking system processing data with 25-year retention has exponentially more "harvest now, decrypt later" exposure than a marketing website. The HNDL multiplier weights each asset's quantum risk by data sensitivity, retention period, and regulatory timeline — so your score reflects actual exposure, not just algorithm counts.

Standard Report

TARGET   trading-engine-prod:443
ALGO     ECDSA-P256  ▮ PQ VULNERABLE
CERT     CN=*.acmebank.com
ISSUER   DigiCert Global G2
EXPIRES  2027-03-15
HNDL     3.2× (25yr retention)

Confidential Report

TARGET   a7f3e2…d1c8  (BLAKE2b)
ALGO     ECDSA-P256  ▮ PQ VULNERABLE
CERT     b891ca…0f3a  (BLAKE2b)
ISSUER   4e72d1…8b9c  (BLAKE2b)
EXPIRES  2027-03-15
HNDL     3.2× (25yr retention)
SCOPE    50,000 assets · 3 zones
PROOF    zk-STARK:0xb94a…f7e2 ✓ valid
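
An added example, not PQCAT's code and not from the original page: one way salted BLAKE2b asset IDs and an aggregate-only summary could be produced with Python's hashlib. The field names, the sample findings and the use of a secret key as the salt are assumptions; `recoverable` shows why an absent or public salt leaves guessable hostnames matchable by anyone holding the report.

```python
import hashlib
from collections import Counter

# Constructed sample findings (hypothetical hosts, not from a real scan).
FINDINGS = [
    {"target": "trading-engine-prod:443", "algo": "ECDSA-P256", "pq_safe": False},
    {"target": "vault-01.internal:443", "algo": "ML-KEM-768", "pq_safe": True},
    {"target": "Trading-Engine-Prod:443 ", "algo": "ECDSA-P256", "pq_safe": False},
]

def asset_id(value: str, field: str, key: bytes = b"") -> str:
    """BLAKE2b pseudonym for one field; `key` is the secret per-report salt."""
    norm = value.strip().lower().encode()            # same asset -> same ID
    h = hashlib.blake2b(norm, digest_size=16, key=key,
                        person=field.encode()[:16])  # separate target/cert/issuer IDs
    return h.hexdigest()

def redact(finding: dict, key: bytes) -> dict:
    """Replace the identifying field, keep the crypto classification."""
    return {"target": asset_id(finding["target"], "target", key),
            "algo": finding["algo"], "pq_safe": finding["pq_safe"]}

def aggregate(findings: list, key: bytes) -> dict:
    """Aggregate-only view: counts over distinct assets, no identifiers."""
    distinct = {asset_id(f["target"], "target", key): f for f in findings}
    ready = sum(f["pq_safe"] for f in distinct.values())
    return {"assets": len(distinct),
            "pq_ready_pct": round(100 * ready / len(distinct), 1),
            "by_algo": dict(Counter(f["algo"] for f in distinct.values()))}

def recoverable(digest: str, guesses: list, key: bytes = b"") -> list:
    """Guessed names that hash to `digest`; models a reader without the key."""
    return [g for g in guesses if asset_id(g, "target", key) == digest]

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)   # kept by the scanned organization only
    print(redact(FINDINGS[0], key))
    print(aggregate(FINDINGS, key))
```

The key has to stay with the scanned organization and be stable across scans if drift deltas are to line up by asset ID.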

Three editions. Zero compromises.

Single static binaries. No Docker, no Java, no Python runtime, no shared libraries. Copy it, run it.

Enclave Free & Open Source
Air-Gapped Scanner · Apache 2.0

For SCIFs, classified networks, and any environment where zero outbound traffic is mandatory.

Scanning
All 10 scanner modules (TLS, SSH, PKI, SBOM, Code, Config, HSM, SCAP, Image, CIDR)
Q-Day risk simulation

Reporting
PDF, HTML, JSON, CBOM outputs
Compliance scoring — all 11 frameworks
TUI dashboard (terminal-based)

Architecture
Zero CGO — pure static binary
Zero outbound network code compiled in
Linux, macOS, Windows — amd64 + arm64

Pro Licensed · ML-DSA-65 Signed
Team Compliance Platform

REST API, web dashboard, multi-user RBAC, SIEM forwarding, and executive reporting for SOC teams.

[Screenshot: Dashboard Overview. PQCAT Pro Dashboard — risk overview, compliance scoring, and drift monitoring]
[Screenshot: Scan Interface. PQCAT Pro Scanner — grouped scan type selector with TLS/SSL selected]
[Screenshot: Scan History. PQCAT Pro Scan History — timestamped results with score trends]

Everything in Enclave, plus:

Dashboard & API
Web dashboard with 4 persona views
REST API — 22 endpoints
Multi-user RBAC (admin / auditor / viewer)
Prometheus /metrics endpoint

Enterprise Integration
SIEM forwarding (Splunk, Sentinel, syslog)
Continuous drift monitoring with webhooks
Scan comparison and trend analysis

Reporting
Executive briefing PDF with cover page
Section 508 / WCAG 2.1 AA accessible

Cloud New
GovCloud & CSP Scanner

Scan AWS cloud-native cryptographic assets — KMS keys, ACM certificates, ALB/ELB TLS policies, S3 encryption, and IAM signing certificates.

FedRAMP-Ready AWS AMI: Deploy PQCAT directly into AWS GovCloud via a pre-built Marketplace AMI. Zero-configuration, zero-write-permission scanning.

Everything in Pro, plus:

Cloud Scanning
AWS KMS, ACM, ELB, S3, Route 53, IAM
Azure Key Vault, App Gateway, Front Door (roadmap)
Auto-detect CSP via IAM roles / env credentials
ReadOnlyAccess — zero write permissions required

Risk Analysis
Cloud-native quantum risk classification
HNDL exposure scoring per cloud resource