Patent Pending · U.S. Application #63/999,796

Know your
quantum risk
before it knows you.

PQCAT scans your infrastructure for quantum-vulnerable cryptography, scores your compliance against CNSA 2.0, NIST SP 800-131A, and 11 regulatory frameworks — then proves it with evidence your auditors will accept.

Linux curl -sSL https://install.pqcat.io | sh
Windows irm https://install.pqcat.io/windows | iex
Download View Source
10
Scanner Modules
11
Frameworks
0
Dependencies*
0
Outbound Calls†
Capabilities

Ten scanner modules. Four domains.

Every scan produces a normalized 0–100 compliance score, CBOM inventory, and actionable remediation plan.

Map every cryptographic
asset on your perimeter

Deep protocol analysis across TLS, SSH, and DNS endpoints. Full cipher suite enumeration, certificate chain validation, and quantum-risk classification — covering every exposed service in your network.

TLS Deep Scan

SSL Labs-grade assessment: cipher enumeration, protocol probing (TLS 1.0–1.3), certificate chain analysis, ML-KEM detection, DNSSEC/DANE validation — 90× faster.

SSH Key Audit

Inventories authorized_keys, server host keys, and key exchange algorithms. Flags DSA, RSA-1024, and ECDSA keys for rotation.

Network & CIDR Discovery

Scans entire subnets. Discovers SSH, TLS, IPsec, and DNS endpoints. Maps every cryptographic asset on your network perimeter.

Find vulnerable crypto
in your code before it ships

Static analysis across 40+ languages, dependency scanning against 183 known-vulnerable libraries, and container image inspection — catching quantum-vulnerable patterns from source to deployment.

Source Code Analysis

Regex + AST scanning across 40+ languages. Finds hardcoded keys, weak algorithms, and deprecated crypto patterns in your repos.

SBOM & Supply Chain

Parses CycloneDX and SPDX BOMs. Cross-references 183 library signatures against known quantum-vulnerable dependencies.

Container Image Scanner

Scans Docker and OCI container images for embedded cryptographic libraries, certificates, and key material with quantum-vulnerability classification.

Audit your infrastructure
configuration end-to-end

Analyze server configurations, certificate stores, Java keystores, and SCAP benchmark results — ensuring every infrastructure component aligns with quantum-readiness requirements.

Config Analysis

Scans nginx, Apache, OpenSSL, and SSH configuration files for weak cipher selections, deprecated protocols, and non-compliant crypto settings.

PKI & X.509 Estate

Crawls certificate stores, Java keystores, and PEM directories. Full chain validation with quantum-risk classification per asset.

SCAP Compliance

Ingests SCAP/XCCDF benchmark results and cross-references crypto policy findings against quantum readiness requirements.

Assess your cloud crypto
posture before Q-Day

Discover and classify every cryptographic asset across AWS cloud services — then quantify the risk of "harvest now, decrypt later" attacks with the patent-pending HNDL Risk Engine.

Cloud CSP Scanner

AWS KMS, ACM, ELB, S3, Route 53, and IAM scanning. Auto-detect credentials via IAM roles. Zero write permissions required.

HNDL Risk Engine

Patent-pending per-asset exposure scoring. Calculates "harvest now, decrypt later" risk based on data sensitivity, retention period, and regulatory quantum timeline.

Regulatory Coverage

Eleven frameworks. One normalized score.

Every scan maps findings to your regulatory obligations. One command, one score, one report your auditor signs off on.

CNSA 2.0 NIST SP 800-131A NSM-10 FISMA FedRAMP PCI DSS 4.0 SOX HIPAA NYDFS 500 SWIFT CSP CMMC
Editions

Three editions. Zero compromises.

Single static binaries. No Docker, no Java, no Python runtime, no shared libraries. Copy it, run it.

Enclave
Air-Gapped Scanner
For SCIFs, classified networks, and any environment where zero outbound traffic is mandatory.
  • All 10 scanner modules
  • PDF, HTML, JSON, CBOM reports
  • Compliance scoring (all 11 frameworks)
  • TUI dashboard (terminal-based)
  • Q-Day risk simulation
  • Zero CGO — pure static binary
  • Zero outbound network code compiled in
Free & open source / Apache 2.0
Download Latest Release
Pro
Team Compliance Platform
REST API, web dashboard, multi-user RBAC, SIEM forwarding, and executive reporting for SOC teams.
  • Everything in Enclave, plus:
  • Web dashboard with 4 persona views
  • REST API (22 endpoints)
  • Multi-user RBAC (admin / auditor / viewer)
  • SIEM integration (Splunk, Sentinel, syslog)
  • Continuous drift monitoring with webhooks
  • Executive briefing PDF with cover page
  • Scan comparison and trend analysis
  • Prometheus /metrics endpoint
  • Section 508 / WCAG 2.1 AA accessible
Licensed / ML-DSA-65 signed
View Pricing & Purchase
New
Cloud
GovCloud & CSP Scanner
Scan AWS cloud-native cryptographic assets — KMS keys, ACM certificates, ALB/ELB TLS policies, S3 encryption, and IAM signing certificates.
  • Everything in Pro, plus:
  • AWS KMS, ACM, ELB, S3, Route 53, IAM scanning
  • Azure Key Vault, App Gateway, Front Door (roadmap)
  • Auto-detect CSP via IAM roles / env credentials
  • Cloud-native quantum risk classification
  • HNDL exposure per cloud resource
  • AWS Marketplace AMI deployment
  • ReadOnlyAccess — zero write permissions required
Licensed / ML-DSA-65 signed
View Pricing & Purchase