QSIEVE Request a demo

Cryptography survey · self-hosted appliance

You cannot migrate what you cannot see.

QSieve surveys every TLS endpoint, SSH host, certificate, and private key across your enterprise, classifies each one by quantum risk, and gives you the inventory, the deadlines, and the certificate authority to migrate before the classical era closes.

Runs entirely inside your network. Nothing leaves it.

qsieve · appliance console SCANNING

$ qsieve scan --target 10.0.0.0/22

discovery 214 hosts up · 1,847 services probed

10.0.4.31:443 TLS 1.2

key exchange ECDHE-P256 QUANTUM-VULNERABLE

certificate RSA-2048 · SHA-256 QUANTUM-VULNERABLE

10.0.4.57:22 SSH 2.0

host key ssh-ed25519 QUANTUM-VULNERABLE

kex sntrup761x25519 QUANTUM-SAFE

10.0.6.12:8443 TLS 1.3

key exchange X25519MLKEM768 QUANTUM-SAFE

certificate ML-DSA-65 PQC-READY

10.0.7.240:993 TLS 1.0

cipher 3DES-EDE-CBC BROKEN

1,847 assets classified · 312 findings · CBOM ready

PQC readiness 38%

NIST IR 8547 · CNSA 2.0 — the migration window

  1. 2026 You are here

    Adversaries record encrypted traffic today to decrypt it later. Long-lived secrets under RSA and ECC key exchange are already exposed.

  2. 2030 Key establishment

    RSA and ECDH key establishment deprecated. Every TLS handshake and SSH KEX in your estate must have a quantum-safe path.

  3. 2033 Signatures

    RSA and ECDSA signatures deprecated. Certificate chains, code signing, and host keys move to ML-DSA and SLH-DSA.

  4. 2035 Disallowed

    Classical public-key cryptography disallowed — including legacy interop. The inventory you build now decides how this decade goes.

Discovery

Three sources. One inventory.

Every asset lands in the same dashboard with a source badge, a quantum status, and a finding you can act on.

NETWORK

Active scanning, no agent required

Host discovery and concurrent port scanning, then deep probes: TLS protocol versions and cipher suites, negotiated groups and curves, full X.509 chains, SSH host keys and KEX/cipher/MAC negotiation.

discovery → portscan → TLS/SSH probe → classify

AGENT

At-rest keys on every endpoint

A single static binary walks key directories, parses PEM and DER, and reads the macOS Keychain and Windows certificate stores. Six platforms, zero runtime dependencies, a -dry-run flag before anything is sent.

windows · linux · macos — amd64 & arm64

ISSUED

Certificates you mint yourself

Certificates issued by the built-in CA join the same inventory, tracked through a seven-state lifecycle. When a scan observes one deployed in the wild, it flips to active on its own.

pre_creation → … → active → revoked / expired

Classification

Every algorithm answers to a deadline.

The classification engine is pure and table-driven — each rule maps an algorithm to a quantum status, a severity, and the CNSA 2.0 reference it will be judged against. Here is an excerpt of the actual rules.

DetectedQuantum statusSeverityWhy
RSA-2048 key exchange quantum_vulnerable high Shor breaks it; harvest-now-decrypt-later applies today
ECDSA-P256 signature quantum_vulnerable medium Forgeable once a quantum computer exists — deadline 2033
AES-128-GCM cipher quantum_reduced medium Grover halves effective strength; move to 256-bit keys
RC4 · SSLv3 legacy broken critical Broken classically — fix regardless of the quantum timeline
X25519MLKEM768 key exchange quantum_safe info Hybrid PQC protects confidentiality even against a future attacker
ML-DSA-65 signature quantum_safe info FIPS 204 — recorded as a positive, PQC-ready finding
38%

One number for the board

PQC readiness is the share of quantum-relevant assets that are already safe. It is computed from the live inventory, not a questionnaire — and it climbs as you migrate.

Issuance

Don’t just find quantum-safe certificates. Issue them.

QSieve operates as an internal certificate authority. Create a new root or import your institutional CA, then issue classical and post-quantum certificates from the same console that found the vulnerable ones.

Classical and PQC signatures

RSA-3072/4096, ECDSA, Ed25519 — and ML-DSA-65/87 (FIPS 204) and SLH-DSA-SHA2 (FIPS 205). One-click renewal defaults to ML-DSA-65.

A lifecycle with a memory

Seven states from pre_creation to revoked, with every issuance, renewal, revocation, and download recorded as an audit event.

Revocation that propagates

Revoking a certificate regenerates its CA’s CRL immediately; an OCSP responder answers for classical-keyed CAs.

Warnings before expiry

cert.expiring webhooks fire at 30, 14, and 7 days — alongside issued, renewed, and revoked events for your pipelines.

Export

Hand auditors a CBOM, not a guess.

Export the full inventory as a CycloneDX cryptographic bill of materials or a CSV — per scan or all-time. Everything the dashboard shows is available over the same REST API it uses itself, behind role-based access for admins, analysts, and viewers.

  • GET /api/export/cbom — CycloneDX JSON
  • GET /api/export/csv — flat inventory

Deployment

Your inventory never leaves your network.

QSieve is a self-hosted, single-tenant appliance: a Docker Compose stack with a Go backend, PostgreSQL, and a web dashboard. No SaaS, no call-home, no third party holding the map of your weakest crypto.

$ docker compose up -d
→ dashboard on :8080 · admin seeded · 4 scan workers ready

Begin the survey

The deadline doesn’t move.
Your inventory can.