PostQ — Post-Quantum Cryptography Readiness Scanner — PostQ
PQC readiness scanning & cryptographic inventoryFind quantum-vulnerable cryptography before your customers and auditors ask.<br>PostQ scans your public TLS endpoints, certificates, and key-exchange posture, then generates a shareable post-quantum readiness report with prioritized migration steps for ML-KEM and future PQ signature rollout.
Scan DomainNo signup required for the basic TLS scan. We only inspect public metadata.
View a sample report →Join the private preview →<br>Free public TLS scan · No signup · No private keys · Public metadata only
PQC readiness score<br>example-bank.com
High risk<br>52/ 100
Readiness indicator, not a security guarantee<br>Higher score = more PQC-ready<br>Based on TLS, certificate & key-exchange posture
Sample readiness score · see the full report
Member ofPKI ConsortiumThe PKI Consortium is an industry group of CAs, vendors, and researchers advancing PKI and post-quantum migration standards.
Scanner-firstA report you can actually share<br>Every scan produces a shareable readiness report: a 0–100 score, prioritized findings, a certificate chain breakdown, an algorithm inventory, and concrete migration steps. Send the link to your security reviewer or export it as a PDF.<br>TLS version support, cipher, and negotiated key exchange<br>Certificate public-key + signature algorithm posture<br>RSA / ECDSA / DH / ECDH exposure called out explicitly<br>Hybrid / PQ TLS support detected when present<br>Plain-language "what this means" + "how to fix" for every finding<br>View Sample ReportHow TLS scanning works
PQC readiness score<br>example-bank.com
High risk<br>52/ 100
Classical key exchange negotiated (X25519)HIGH<br>Certificate public key uses RSA-2048HIGH<br>Certificate signed with sha256WithRSAEncryptionMEDIUM
What PostQ can scan todayLive now, in preview, and on the roadmap<br>The free TLS scan works right now. Deeper cryptographic inventory is rolling out through a private preview, and the broader platform is on a public roadmap — so you always know exactly what you’re getting.
Available nowPublic TLS endpoint scan<br>Certificate chain algorithm analysis<br>PQ / hybrid TLS detection<br>Shareable readiness report<br>Free, no signup — only public metadata is inspected.<br>See a sample report →<br>Private previewKubernetes crypto inventory<br>Cloud KMS / Key Vault inventory<br>GitHub / IaC config scanning<br>JWT / code-signing workflow scan<br>Authenticated integrations read key metadata and usage — never private key material.<br>Request preview access →<br>RoadmapHybrid signing API<br>Policy engine<br>Transparency log<br>Self-hosted deployments<br>Planned as the platform matures toward general availability.
Why PQC readiness mattersStart your PQC migration with a cryptographic inventory
Harvest-now, decrypt-later is happening today<br>Traffic protected by classical key exchange (RSA, ECDH, X25519) can be recorded now and decrypted once a cryptographically relevant quantum computer exists. Long-lived data is exposed first.
Auditors are starting to ask<br>Cryptographic inventory and migration planning are appearing in security questionnaires, NIST guidance, and government mandates. A readiness report is becoming audit evidence.
You can't migrate what you can't see<br>Most teams have no inventory of where RSA, ECDSA, and DH live. Discovery and prioritization come before any migration work.
Built for cloud-native security teamsExtend the scan into a full inventory<br>These deeper inventory scanners are rolling out in private preview — request access to try them on your own environment.
Private previewKubernetes agentScan clusters from the inside<br>An in-cluster agent inventories TLS Secrets, cert-manager Certificates, Issuers, Ingress TLS, embedded PEMs, and Istio / Linkerd mTLS — then reports findings to PostQ.<br>Kubernetes scanner →<br>Private previewCloud KMS / HSM inventorySee every cloud key<br>Inventory RSA and EC keys, certificates, expiry, and signing usage across AWS KMS / CloudHSM / ACM and Azure Key Vault — focused on readiness, not replacement.<br>Cloud key visibility →<br>Private previewCode-signing & JWT riskFind signing workflow risk<br>Flag quantum-vulnerable JWT algorithms (RS256, ES256, EdDSA) and code-signing certificates across your CI/CD pipelines and release workflows.<br>JWT risk checker →
Works with your existing cloud-native stack<br>KubernetesAWSAzureGCPHashiCorp VaultGitHubDocker
How we handle your dataBuilt to be trusted by security teams
No private keys are ever collected.<br>External scans use standard TLS handshakes only.<br>Authenticated integrations collect metadata only.<br>Reports are readiness indicators, not security certifications.
The 0–100 readiness score is fully transparent — see exactly how it’s calculated, and where an external scan stops, in our scoring methodology. More detail on data handling lives on our security & privacy page.
Frequently asked questions<br>What does the free PostQ scan check?The free scan runs a real TLS handshake against your public domain and inspects the negotiated TLS versions,...