Skip to content
Infrastructure

Your 2019 backups are the breach of 2033.

qScan now reads the platform around your code — CI/CD signing, secrets at rest, Kubernetes PKI, message brokers, databases, IaC, and token encryption. Same CLI, same GitHub Action, same MCP server. No new install.

Harvest now, decrypt later

The exposure you cannot patch in hindsight

A source-code fix moves you forward from today. It does nothing for the encrypted secret already sitting in your git history, or the broker traffic an adversary recorded last quarter. Harvest-now-decrypt-later means the ciphertext is captured today and opened the day a cryptographically-relevant quantum computer exists — so the backup you took in 2019 is a breach waiting on a date. qScan ranks these retroactive, un-fixable surfaces first, because they are the ones a code review will never catch.

Infrastructure surfaces

Where classical crypto hides in your platform

Seven surfaces, one scan. Each detector is tuned to a real place infrastructure pins itself to pre-quantum cryptography — with harvest-now-decrypt-later exposure ranked ahead of forgeability and weak configuration.

Secrets at rest

GitOps secrets

Harvest now, decrypt later

Ciphertext committed to git is un-fixable in hindsight. Rotate the key all you like — the encrypted blob already in your history was captured the moment it was pushed, and it decrypts the day a quantum computer arrives.

Detects

  • SOPS + age X25519 recipients
  • PGP-encrypted secret files in the tree
  • Sealed Secrets RSA controller keys
  • age identities checked into history

Message brokers

Event streaming

Harvest now, decrypt later

Broker traffic is long-lived and trivial to tap. A classical ECDHE handshake protecting a Kafka or MQTT stream is a harvestable session key — recorded now, opened later.

Detects

  • Kafka listener TLS version & cipher floors
  • MQTT broker legacy TLS configuration
  • Classical-only ECDHE cipher suites
  • Inter-broker mTLS key algorithms

Databases

Data layer

Harvest now, decrypt later

Public-key encryption inside the database, and weak transport to reach it, are both quantum-exposed — and the rows they protect carry the longest confidentiality lifetime you own.

Detects

  • pgcrypto pgp_pub_encrypt public-key usage
  • libpq sslmode below verify-full
  • Classical-only TLS to the database endpoint
  • Column-encryption key algorithms

JOSE / JWE key management

Token encryption

Harvest now, decrypt laterShipped

Encrypted tokens pin their security to the key-management algorithm in the header. A captured JWE — or a JWK with a classical curve — is decryptable later if that algorithm is classical.

Detects

  • JWE alg RSA-OAEP / RSA1_5
  • ECDH-ES key agreement
  • JSON Web Keys with classical kty / crv
  • Static key-wrap for long-lived tokens

CI/CD signing

Supply chain

Forgeable at Q-day

A signature is only as future-proof as its algorithm. Every classical signature you ship today becomes forgeable the day a quantum computer exists — and a forged release signature is a supply-chain compromise.

Detects

  • cosign / Sigstore ECDSA & RSA keys
  • GPG / PGP release signing keys
  • jarsigner & Android signing algorithms
  • codesign / minisign key algorithms

Kubernetes PKI

Kubernetes

Weak key · legacy TLS floor

cert-manager mints the certificates that hold your mesh together. If the issuer's key algorithm is classical, so is every leaf it signs — and the mesh negotiates down to match.

Detects

  • cert-manager Certificate / Issuer key algorithms
  • Istio PeerAuthentication legacy TLS floors
  • mTLS negotiating classical-only groups
  • ACME account key algorithms

Terraform / OpenTofu IaC

Infrastructure as code

Weak key · legacy TLS floorShipped

The keys your infrastructure code generates, and the KMS aliases it wires up, decide the crypto posture of everything downstream — provisioned before a single workload runs.

Detects

  • tls_private_key RSA / ECDSA resources
  • KMS key spec & signing algorithms
  • Provisioned SSH & TLS key algorithms
  • State-embedded key material
Browse the monorepo

One zero-dependency repo · Apache-2.0 · npm @quantakrypto/*

No new install

Surfaced by the tools you already run

The infrastructure detectors ship inside the same qscan CLI, GitHub Action, and MCP server. Nothing new to add to your toolchain — point it at a repository and it reads code and infrastructure together.

Scan a repository

$ npx @quantakrypto/qscan ./

Gate every pull request

$ uses: quantakrypto/pqc-tools/packages/action@v1

Inside your AI coding agent

$ claude mcp add quantakrypto npx @quantakrypto/mcp

qprobe

Active probe · opt-inOwnership-gated · read-only

qprobe — active probe

Confirm what your live endpoints actually negotiate

Static scanners read configuration. qprobe reads reality — a separate, opt-in package that handshakes the TLS and SSH endpoints you own and reports whether they negotiate a post-quantum hybrid key exchange.

Opt-in install

$ npx @quantakrypto/qprobe --attest-owner example.com

Detects

  • TLS 1.3 hybrid group X25519MLKEM768
  • SSH KEX offers (sntrup761x25519)
  • Hybrid vs classical-only endpoints
  • Silent downgrade to classical groups

Ownership-gated · read-only

qprobe is a separate, opt-in install — never bundled with qscan. It runs only against endpoints you explicitly attest you own, sends nothing beyond a key-exchange handshake, and never modifies a target. No attestation, no probe.

Infrastructure

Find the crypto your infrastructure forgot.

Run the scan across your platform, then book a discovery call for a senior read on what to migrate first.