Your 2019 backups are the breach of 2033.
qScan now reads the platform around your code — CI/CD signing, secrets at rest, Kubernetes PKI, message brokers, databases, IaC, and token encryption. Same CLI, same GitHub Action, same MCP server. No new install.
The exposure you cannot patch in hindsight
A source-code fix moves you forward from today. It does nothing for the encrypted secret already sitting in your git history, or the broker traffic an adversary recorded last quarter. Harvest-now-decrypt-later means the ciphertext is captured today and opened the day a cryptographically-relevant quantum computer exists — so the backup you took in 2019 is a breach waiting on a date. qScan ranks these retroactive, un-fixable surfaces first, because they are the ones a code review will never catch.
Where classical crypto hides in your platform
Seven surfaces, one scan. Each detector is tuned to a real place infrastructure pins itself to pre-quantum cryptography — with harvest-now-decrypt-later exposure ranked ahead of forgeability and weak configuration.
Secrets at rest
GitOps secrets
Ciphertext committed to git is un-fixable in hindsight. Rotate the key all you like — the encrypted blob already in your history was captured the moment it was pushed, and it decrypts the day a quantum computer arrives.
Detects
- SOPS + age X25519 recipients
- PGP-encrypted secret files in the tree
- Sealed Secrets RSA controller keys
- age identities checked into history
Message brokers
Event streaming
Broker traffic is long-lived and trivial to tap. A classical ECDHE handshake protecting a Kafka or MQTT stream is a harvestable session key — recorded now, opened later.
Detects
- Kafka listener TLS version & cipher floors
- MQTT broker legacy TLS configuration
- Classical-only ECDHE cipher suites
- Inter-broker mTLS key algorithms
Databases
Data layer
Public-key encryption inside the database, and weak transport to reach it, are both quantum-exposed — and the rows they protect carry the longest confidentiality lifetime you own.
Detects
- pgcrypto pgp_pub_encrypt public-key usage
- libpq sslmode below verify-full
- Classical-only TLS to the database endpoint
- Column-encryption key algorithms
JOSE / JWE key management
Token encryption
Encrypted tokens pin their security to the key-management algorithm in the header. A captured JWE — or a JWK with a classical curve — is decryptable later if that algorithm is classical.
Detects
- JWE alg RSA-OAEP / RSA1_5
- ECDH-ES key agreement
- JSON Web Keys with classical kty / crv
- Static key-wrap for long-lived tokens
CI/CD signing
Supply chain
A signature is only as future-proof as its algorithm. Every classical signature you ship today becomes forgeable the day a quantum computer exists — and a forged release signature is a supply-chain compromise.
Detects
- cosign / Sigstore ECDSA & RSA keys
- GPG / PGP release signing keys
- jarsigner & Android signing algorithms
- codesign / minisign key algorithms
Kubernetes PKI
Kubernetes
cert-manager mints the certificates that hold your mesh together. If the issuer's key algorithm is classical, so is every leaf it signs — and the mesh negotiates down to match.
Detects
- cert-manager Certificate / Issuer key algorithms
- Istio PeerAuthentication legacy TLS floors
- mTLS negotiating classical-only groups
- ACME account key algorithms
Terraform / OpenTofu IaC
Infrastructure as code
The keys your infrastructure code generates, and the KMS aliases it wires up, decide the crypto posture of everything downstream — provisioned before a single workload runs.
Detects
- tls_private_key RSA / ECDSA resources
- KMS key spec & signing algorithms
- Provisioned SSH & TLS key algorithms
- State-embedded key material
One zero-dependency repo · Apache-2.0 · npm @quantakrypto/*
Surfaced by the tools you already run
The infrastructure detectors ship inside the same qscan CLI, GitHub Action, and MCP server. Nothing new to add to your toolchain — point it at a repository and it reads code and infrastructure together.
Scan a repository
$ npx @quantakrypto/qscan ./Gate every pull request
$ uses: quantakrypto/pqc-tools/packages/action@v1Inside your AI coding agent
$ claude mcp add quantakrypto npx @quantakrypto/mcpqprobe
Active probe · opt-inOwnership-gated · read-onlyqprobe — active probe
Confirm what your live endpoints actually negotiate
Static scanners read configuration. qprobe reads reality — a separate, opt-in package that handshakes the TLS and SSH endpoints you own and reports whether they negotiate a post-quantum hybrid key exchange.
Opt-in install
$ npx @quantakrypto/qprobe --attest-owner example.comDetects
- TLS 1.3 hybrid group X25519MLKEM768
- SSH KEX offers (sntrup761x25519)
- Hybrid vs classical-only endpoints
- Silent downgrade to classical groups
Ownership-gated · read-only
qprobe is a separate, opt-in install — never bundled with qscan. It runs only against endpoints you explicitly attest you own, sends nothing beyond a key-exchange handshake, and never modifies a target. No attestation, no probe.
Find the crypto your infrastructure forgot.
Run the scan across your platform, then book a discovery call for a senior read on what to migrate first.