Post-quantum readiness, certified.
A senior cryptographer maps every place asymmetric cryptography lives in your systems, ranks your exposure, and gives you a roadmap — and a certificate you can show investors, customers, and regulators.
Three tiers, one standard of rigour
Every engagement begins with a paid scoping & discovery call. From there, choose the depth that fits.
Crypto-Agility Readiness
For · SMBs, crypto-native startups, consultancies
A focused readiness assessment: self-assessment questionnaire, document review, and a working session to establish your exposure and a crypto-agility baseline.
- Structured readiness questionnaire & review
- Crypto-agility baseline report
- One guided workshop with your engineers
- Readiness badge on completion
Standard Audit
For · Mid-market, fintech, regulated industries
A full crypto inventory and migration roadmap, with staff training. We map every place asymmetric cryptography is used and order the migration against your threat model.
- Complete cryptographic inventory
- Threat-model-ordered migration roadmap
- Hybrid & primitive selection guidance
- Three workshops + staff training
- quantakrypto certificate + annual renewal
Enterprise / Regulated
For · Banks, insurance, telco, government
Everything in the Standard Audit, plus a board-level report and regulatory alignment mapping across ISO 27001, DORA, and NIS2, with quarterly check-ins.
- Everything in Tier II
- Board report & executive briefing
- Regulatory alignment mapping (27001 · DORA · NIS2)
- Quarterly check-ins for the renewal year
- Named senior cryptographer throughout
How an audit runs
Open, repeatable, and ordered against your threat model — not a checklist.
Scoping & discovery
Always first, always a paid engagement. We agree the scope, map your systems at a high level, and deliver a scope document with indicative pricing before any deeper work begins.
Cryptographic inventory
We find every place asymmetric cryptography is used — TLS, PKI, signing pipelines, identity keys, prekeys, backups, multi-device sync. There is no single switch; each location is its own decision.
Exposure analysis
We assess harvest-now-decrypt-later exposure, select primitives and hybrid constructions, evaluate library fitness, and map findings against the regulatory regimes that apply to you.
Migration roadmap
A prioritised, threat-model-ordered plan — including a rollout strategy from dark launch through gradual ramp to default-on and hardening, with explicit rollback paths.
Certification & renewal
A point-in-time quantakrypto certificate you can show investors, customers, and regulators, with an annual renewal that keeps your posture current as the standards and library landscape move.
The bug-class gallery
Recurring post-quantum defects, classified by type — the ones we have found in audits, and the ones we actively watch for but have not yet seen.
15 classes catalogued · 8 found in audits · 23 total observations · 7 watched (findable)
Operational & key-mgmt
Replay-attackable post-quantum prekeys
One-time ML-KEM prekeys served from a pool but never retired after use, so the same encapsulation can be replayed — defeating forward secrecy.
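As an added Python example (not quantakrypto's code or any client's): a directory that hands out one-time prekeys by popping them under a lock, next to the read-only `fetch` the entry describes, and a recipient store that deletes each secret on first use so a replayed ciphertext cannot be decapsulated a second time. The prekeys are constructed random stand-ins rather than ML-KEM keys, and the class and function names are assumptions for the demo.

```python
# Added example, not the page's code. Prekeys are random stand-ins; no ML-KEM
# is performed. The point is the hand-out and first-use semantics only.
import secrets
import threading


class PrekeyDirectory:
    """Server side: holds the PUBLIC halves of one-time prekeys per user."""

    def __init__(self):
        self._lock = threading.Lock()
        self._pub = {}  # user -> list of (prekey_id, public_bytes)

    def upload(self, user, entries):
        with self._lock:
            self._pub.setdefault(user, []).extend(entries)

    def fetch(self, user):
        """BUG shape from the gallery: read without retiring, so the same
        prekey is served to the next caller (or to a replaying one)."""
        with self._lock:
            pool = self._pub.get(user, [])
            return pool[-1] if pool else None

    def consume(self, user):
        """FIX shape: pop under the lock so each prekey is served exactly once;
        returns None when exhausted rather than re-serving anything."""
        with self._lock:
            pool = self._pub.get(user, [])
            return pool.pop() if pool else None


class RecipientPrekeys:
    """Device side: holds the SECRET halves and must retire each on first use."""

    def __init__(self, count):
        self._lock = threading.Lock()
        # Constructed stand-ins: random ids and bytes, not real ML-KEM keys.
        self._secret = {secrets.token_hex(8): secrets.token_bytes(32)
                        for _ in range(count)}

    def public_entries(self):
        # Stand-in "public half": the id tagged as public, enough for the demo.
        return [(pid, b"pub:" + pid.encode()) for pid in self._secret]

    def lookup(self, prekey_id):
        """BUG shape: the secret stays after use, so a replayed ciphertext
        decapsulates to the same shared secret again."""
        with self._lock:
            return self._secret.get(prekey_id)

    def use_once(self, prekey_id):
        """FIX shape: returns the secret on first use and None afterwards."""
        with self._lock:
            return self._secret.pop(prekey_id, None)


def simulate(fixed: bool) -> dict:
    """Two senders ask for Bob's prekey, then the first ciphertext is replayed.
    `fixed` selects consume/use_once (FIX) or fetch/lookup (BUG) on both sides."""
    bob = RecipientPrekeys(count=2)
    directory = PrekeyDirectory()
    directory.upload("bob", bob.public_entries())
    get = directory.consume if fixed else directory.fetch
    decap = bob.use_once if fixed else bob.lookup
    first, second = get("bob"), get("bob")
    shared_first = decap(first[0])   # Bob decapsulates the first ciphertext
    replayed = decap(first[0])       # the same ciphertext arrives again
    return {
        "distinct_prekeys_served": first[0] != second[0],
        "first_decapsulation": shared_first is not None,
        "replay_rejected": replayed is None,
    }
```

The pop has to happen under the same lock as the read; a fetch-then-delete in two round trips to a database leaves the window in which two senders (or one replay) receive the same prekey.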
```
prekey = pool.fetch(user)            // returns the SAME prekey twice
shared = ML_KEM.decapsulate(sk, ct)
// BUG: prekey is never consumed -> attacker replays ct
// FIX: pool.consume(user, prekey)   // atomic, single-use
```

Primitive-level
Variable-time decapsulation (KyberSlash)
A decapsulation path that branches on a secret-dependent comparison, making accept-vs-reject distinguishable by timing.
```
for i in 0..n:
    if poly[i] == bound:             // BUG: secret-dependent branch
        return reject()
// timing distinguishes implicit rejection -> KyberSlash
// FIX: r = ct_select(mask, a, b)    // constant-time, no branch
```

Primitive-level
Weak randomness in key generation
ML-KEM/ML-DSA keygen drawing from a non-cryptographic or unseeded RNG. The scheme is correct; the entropy source is not.
```
seed = prng.bytes(32)                // BUG: non-CSPRNG / unseeded
(pk, sk) = ML_KEM.keygen(seed)
// a working round-trip does NOT prove the RNG is sound
// FIX: seed = csprng.bytes(32)      // OS CSPRNG, freshly seeded
```

Library & dependency
Constant-time, undone by the compiler
Source written to be constant-time but compiled into branchy code by the optimiser. The property must hold in the binary, not the source.
```
mask = -(a == b)                     // intended constant-time
sel = (a & mask) | (b & ~mask)
// BUG: -O2 re-introduces a branch -> timing leak in the binary
// FIX: verify with ctgrind / dudect; pin codegen flags
```

Protocol-integration
Missing encapsulation-key range check
An out-of-range encapsulation key accepted without validation, so two peers can derive different shared secrets from the same key.
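Added example in Python (not quantakrypto's code): the two checks FIPS 203 requires on an encapsulation key before ML-KEM.Encaps may use it, a length check (384k + 32 bytes) and a modulus check that every packed 12-bit coefficient is below q = 3329, written against the standard's ByteEncode12/ByteDecode12 byte layout. The test key is constructed from random in-range coefficients and is well-formed but not a real key; the function names are assumptions.

```python
# Added example, not the page's code. Implements the FIPS 203 input checks on an
# ML-KEM encapsulation key (type/length check and modulus check); the "key" used
# for testing is constructed and has no lattice structure.
import secrets

Q = 3329                                   # ML-KEM modulus
K_FOR_PARAM = {512: 2, 768: 3, 1024: 4}    # polynomials in ek per parameter set


def ek_length(param_set: int) -> int:
    """Expected byte length of an ML-KEM encapsulation key: 384*k + 32 (rho)."""
    return 384 * K_FOR_PARAM[param_set] + 32


def byte_decode_12(chunk: bytes) -> list:
    """Unpack 384 bytes into 256 raw 12-bit values. No reduction mod q, so an
    out-of-range value stays visible to the caller (FIPS 203 ByteDecode12 layout:
    two coefficients per three bytes, little-endian bit order)."""
    assert len(chunk) == 384
    vals = []
    for i in range(0, 384, 3):
        b0, b1, b2 = chunk[i], chunk[i + 1], chunk[i + 2]
        vals.append(b0 | ((b1 & 0x0F) << 8))
        vals.append((b1 >> 4) | (b2 << 4))
    return vals


def byte_encode_12(coeffs) -> bytes:
    """Inverse of byte_decode_12 (FIPS 203 ByteEncode12)."""
    assert len(coeffs) == 256
    out = bytearray()
    for i in range(0, 256, 2):
        a, b = coeffs[i], coeffs[i + 1]
        out += bytes([a & 0xFF, ((a >> 8) & 0x0F) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)


def validate_encapsulation_key(ek: bytes, param_set: int = 768) -> tuple:
    """Return (ok, reason). Call this before any encapsulation is attempted:
    a malformed ek must be rejected, never "repaired" by reducing mod q."""
    expected = ek_length(param_set)
    if len(ek) != expected:
        return False, "length %d != %d" % (len(ek), expected)
    for p in range(K_FOR_PARAM[param_set]):
        poly = ek[384 * p: 384 * (p + 1)]
        for idx, v in enumerate(byte_decode_12(poly)):
            if v >= Q:   # same condition as FIPS 203's re-encode-and-compare check
                return False, "coefficient %d of polynomial %d is %d >= q" % (idx, p, v)
    return True, "ok"


def constructed_ek(param_set: int = 768) -> bytes:
    """Constructed test input: random coefficients below q plus a random 32-byte
    rho. Well-formed for the checks above, but NOT a real key."""
    k = K_FOR_PARAM[param_set]
    polys = [byte_encode_12([secrets.randbelow(Q) for _ in range(256)]) for _ in range(k)]
    return b"".join(polys) + secrets.token_bytes(32)


def with_coefficient(ek: bytes, poly: int, idx: int, value: int) -> bytes:
    """Copy of ek with one 12-bit coefficient overwritten (builds a bad key)."""
    coeffs = byte_decode_12(ek[384 * poly: 384 * (poly + 1)])
    coeffs[idx] = value
    return ek[:384 * poly] + byte_encode_12(coeffs) + ek[384 * (poly + 1):]
```

A library that silently reduces coefficients mod q on decode will accept the bad key and still produce a shared secret, which is exactly how the two peers end up disagreeing: the sender encapsulates to one interpretation of the key, the holder of the matching decapsulation key to another.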
```
ek = recv()                          // BUG: no modulus / length check
ct = ML_KEM.encapsulate(ek)
// malformed ek -> peers disagree on the shared secret
// FIX: assert valid_range(ek); else reject before use
```

Protocol-integration
Post-quantum as a single switch
A system uses asymmetric crypto in ten places — identity keys, prekeys, ratchets, backups, attestation — but 'going PQ' flips one global flag.
```
if config.pq_enabled:                // BUG: one switch for ten call-sites
    handshake.use_pq()
// identity keys, signed prekeys, backups... still classical
// FIX: inventory each site; migrate in threat-model order
```

Protocol-integration
Hybrid KDF without domain separation
A hybrid combiner concatenates the two shared secrets without labels or transcript binding, leaving the construction ambiguous.
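Added example in Python (not quantakrypto's code): a combiner in the shape of the entry's fix, KDF(label || ss_classical || ss_pq || transcript), built from HKDF-SHA256 on the standard library and placed next to the naive concatenation. The secrets are constructed byte strings, not KEM outputs, chosen so that two different (classical, pq) pairs concatenate to the same bytes; the label, transcript strings and function names are assumptions for the demo.

```python
# Added example, not the page's code. Shows why plain concatenation is ambiguous
# and what a labelled, length-prefixed, transcript-bound combiner looks like.
import hashlib
import hmac


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Extract followed by HKDF-Expand, with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def naive_combine(ss_classical: bytes, ss_pq: bytes) -> bytes:
    """BUG shape from the gallery: bare concatenation, no labels, no transcript."""
    return hashlib.sha256(ss_classical + ss_pq).digest()


def length_prefixed(*parts: bytes) -> bytes:
    """Unambiguous encoding: each part preceded by its 2-byte big-endian length."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def hybrid_combine(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                   label: bytes = b"EXAMPLE-HYBRID-KEM-v1") -> bytes:
    """FIX shape: the label is the HKDF salt (domain separation), the secrets are
    tagged and length-prefixed so their boundary and order are fixed, and the
    transcript (public keys, ciphertexts, negotiated groups) goes into the info
    field, so a different negotiation yields a different key."""
    ikm = length_prefixed(b"classical", ss_classical, b"pq", ss_pq)
    return hkdf_sha256(label, ikm, hashlib.sha256(transcript).digest())


# Constructed secrets (not real KEM outputs). Classical ECDH secrets vary in
# length by curve, so the pairs below differ yet concatenate to the same bytes.
SS_C1, SS_PQ1 = b"\x11" * 31, b"\x22" + b"\x33" * 32          # 31 + 33 bytes
SS_C2, SS_PQ2 = b"\x11" * 31 + b"\x22", b"\x33" * 32          # 32 + 32 bytes
TRANSCRIPT_A = b"groups=X25519MLKEM768;ct=ctA;pk=pkA"           # constructed
TRANSCRIPT_B = b"groups=X25519MLKEM768;ct=ctB;pk=pkA"           # constructed


def demo() -> dict:
    """The comparisons an auditor would check on a combiner."""
    return {
        "naive_collides": naive_combine(SS_C1, SS_PQ1) == naive_combine(SS_C2, SS_PQ2),
        "hybrid_separates": hybrid_combine(SS_C1, SS_PQ1, TRANSCRIPT_A)
                            != hybrid_combine(SS_C2, SS_PQ2, TRANSCRIPT_A),
        "transcript_bound": hybrid_combine(SS_C1, SS_PQ1, TRANSCRIPT_A)
                            != hybrid_combine(SS_C1, SS_PQ1, TRANSCRIPT_B),
        "deterministic": hybrid_combine(SS_C1, SS_PQ1, TRANSCRIPT_A)
                         == hybrid_combine(SS_C1, SS_PQ1, TRANSCRIPT_A),
    }
```

The length prefixes matter even when both secrets happen to be 32 bytes today: the combiner outlives the parameter choice, and a later P-384 or ML-KEM-1024 deployment must not quietly change what the bytes mean.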
```
ss = KDF(ss_classical || ss_pq)      // BUG: no labels, order ambiguous
// downgrade / re-ordering can go unnoticed
// FIX: ss = KDF(label || ss_classical || ss_pq || transcript)
```

Library & dependency
Mixing reference and optimised builds
Key generation from the reference implementation paired with decapsulation from an AVX2 build — subtly incompatible code paths.
```
keygen = ref.keygen                  // BUG: two implementations, one keypair
decapsulate = avx2.decapsulate
// edge-case divergence -> interop and correctness failures
// FIX: one audited implementation end-to-end
```

Primitive-level
Fault-injection forgery on ML-DSA
A glitch during rejection sampling can leak secret data or yield a forgeable signature on fault-prone hardware.
```
sig = ML_DSA.sign(sk, m)             // glitch during rejection sampling
// WATCH: faulted signature may leak sk or be forgeable
// FIX: self-verify(sig, pk, m) before releasing the signature
```

Primitive-level
Cache-timing in the NTT
Secret-dependent memory access patterns in the number-theoretic transform expose a cache side-channel.
```
acc = twiddle[secret_index]          // secret-dependent memory access
// WATCH: cache-timing leak of secret coefficients
// FIX: linear sweeps / scatter-gather independent of secrets
```

Primitive-level
Low-entropy hedged signatures
On embedded targets, a weak per-signature RNG undermines the hedged-randomness assumption of ML-DSA.
```
rnd = device_rng()                   // low entropy on embedded
sig = ML_DSA.sign(sk, m, rnd)
// WATCH: predictable rnd weakens hedged signing
// FIX: use deterministic variant or a vetted CSPRNG
```

Protocol-integration
Unauthenticated downgrade to classical
A negotiation that silently falls back to classical key exchange lets an active attacker strip the post-quantum protection.
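Added example in Python (not quantakrypto's code): a toy group negotiation in which the server's key confirmation is an HMAC over the full transcript, including the groups the client offered, so an on-path rewrite of the offer is detected by the client even though the classical group it was steered to is one the client supports. The HMAC under a shared authentication key stands in for the signature a real handshake uses; the group names follow the TLS hybrid naming and everything else is constructed for the demo.

```python
# Added example, not the page's code. A constructed negotiation showing the
# difference between accepting any supported group and checking that the
# server's confirmation covers the offer the client actually sent.
import hashlib
import hmac

HYBRID, CLASSICAL = b"X25519MLKEM768", b"X25519"


def transcript_hash(offered, chosen: bytes) -> bytes:
    """Binds the offered list and the chosen group. Count and lengths are
    encoded explicitly, so a stripped or reordered entry changes the hash."""
    parts = [len(offered).to_bytes(1, "big")]
    for g in offered:
        parts.append(len(g).to_bytes(1, "big") + g)
    parts.append(len(chosen).to_bytes(1, "big") + chosen)
    return hashlib.sha256(b"".join(parts)).digest()


def confirm(auth_key: bytes, offered, chosen: bytes) -> bytes:
    """Key confirmation over the transcript. The shared auth_key stands in for
    the server's signing key in this demo."""
    return hmac.new(auth_key, transcript_hash(offered, chosen), hashlib.sha256).digest()


def server_select(offered) -> bytes:
    """The server prefers the hybrid group when it is offered, else classical."""
    return HYBRID if HYBRID in offered else CLASSICAL


def naive_client_accepts(chosen: bytes, supported) -> bool:
    """WATCH shape from the gallery: accept whatever was chosen as long as the
    client supports it, with no check that the offer arrived intact."""
    return chosen in supported


def run_handshake(auth_key: bytes, client_offer, on_path=None) -> dict:
    """Simulate one exchange. on_path, if given, rewrites the offer in transit
    (the active attacker the entry describes). Returns the group the server
    chose and whether the transcript-checking client accepted it."""
    seen_by_server = on_path(client_offer) if on_path else client_offer
    chosen = server_select(seen_by_server)
    server_mac = confirm(auth_key, seen_by_server, chosen)
    # The client verifies against ITS OWN offer, not the one the server saw;
    # the two agree only if nothing on the path changed the offer.
    client_ok = hmac.compare_digest(server_mac, confirm(auth_key, client_offer, chosen))
    return {"chosen": chosen, "accepted": client_ok}


def strip_pq(offer):
    """Constructed on-path behaviour for the test: drop the hybrid group."""
    return [g for g in offer if g != HYBRID]
```

The defensive property is the negative case: the client that only asks "do I support X25519?" accepts the downgraded session, while the client whose confirmation covers the offered list rejects it before any application data flows.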
```
if !peer.supports_pq: use_classical()   // WATCH: MITM forces the fallback
// FIX: bind the negotiated groups into the authenticated transcript
```

Operational & key-mgmt
Post-quantum in transit, classical at rest
Transport is hybridised but backups and archives stay RSA-wrapped — exactly the long-lived data harvest-now-decrypt-later targets.
```
transport = hybrid_pq()              // good
backup = RSA_wrap(data_key)          // WATCH: HNDL on long-lived data
// FIX: extend PQ to storage, backups and key escrow
```

Protocol-integration
One key for KEM and signature
Reusing a single keypair across a KEM and a signature scheme opens the door to cross-protocol attacks.
```
k = keygen()
use_as_kem(k); use_as_signature(k)   // WATCH: cross-protocol interaction
// FIX: separate keys per purpose, with domain separation
```

Library & dependency
Abandoned / unaudited PQC dependency
Shipping a post-quantum library with no recent maintenance and no published audit — a supply-chain and patch-latency risk.
```
import pqc_lib v0.0.3                // last release 18 months ago, no audit
// WATCH: unpatched defects, no security response process
// FIX: choose on maintenance + audit posture, not feature count
```

Standards & regulation we map against
We assess against the standards as written and align findings to the regime that governs you.
NIST PQC Standards
The finalised ML-KEM, ML-DSA, and SLH-DSA standards. We audit against the standards as written — not earlier round-3 candidates.
NSA Commercial National Security Algorithm Suite
The NSA's algorithm suite and migration timeline for national-security systems and their suppliers.
Digital Operational Resilience Act
Operational resilience obligations for EU financial entities — including the cryptographic posture of critical systems.
Network & Information Security Directive 2
Expanded cybersecurity obligations across essential and important entities, with state-of-the-art cryptography expectations.
Information Security Management
We align findings to the 27001 family so your PQC work slots into an existing certification cycle rather than running beside it.
National guidance (DE · FR)
Germany's BSI and France's ANSSI publish their own migration guidance and timelines; we map exposure to the regime that governs you.
Before you book
Do you certify the company or the product?
The organisation. The quantakrypto certificate attests to your post-quantum readiness posture at a point in time, scoped to the systems we assessed.
Is the discovery call really paid?
Yes. Scoping & discovery is always a separate, paid engagement. It delivers a scope document and indicative pricing so you can decide on the full audit with real information.
What if no PQC standard exists for our exact case?
We assess against the finalised NIST standards and align to the ISO 27001 family, DORA, and NIS2. You get credibility today without waiting for a dedicated PQC accreditation scheme.
Is a certificate a guarantee?
No — and we say so on every certificate. An assessment is point-in-time. The annual renewal keeps your posture current as standards and libraries move.
Find out where you stand.
Book a paid discovery call and leave with a scope and indicative pricing.