
Live domain scan
TLS handshake inventory with algorithm and key-size classification — the evidence your security team needs for CMMC and PCI audits.
Q-Day readiness
Run a sample report in 30 seconds, try a live scan on the Open Quantum Safe test server, or authorize your own domains for a production baseline.
Scenarios autorun with fixture data — methodology
Run scan
Fixture scenarios, OQS demo scans, and authorized production workspaces run in the scanner below.
Learn before you scan
Harvest-now-decrypt-later exposure is a planning problem, not a broken-crypto alarm. Use Mosca's inequality to see if your data outlives your migration runway — then run a live assessment.
Mosca calculator
If X + Y > Z, harvest-now-decrypt-later exposure requires action now.
10 + 5 = 15 vs Z = 8
Inequality holds — HNDL exposure today.
Syncs moscaX/moscaY/moscaZ URL params for your assessment.
Example Mosca timeline
Illustrative 10-year retention · 5-year migration · 8-year quantum horizon (regional bank scenario).
Mosca inequality: X + Y > Z
10-year data retention plus a 5-year migration runway exceeds an 8-year quantum timeline — act now on HNDL exposure.
ROI & evidence
Compare spreadsheet programs and consulting baselines to continuous Monitor — or preview the signed report pack your GRC team receives after every assessment.
Your path
Pick a role — we'll open the results tab that matches your workflow after your first scan.
Developer API
Start inventory with POST /pqc/scan, poll GET /pqc/scan/{scanId}, and export signed PDF or CycloneDX CBOM for your GRC pipeline.
{
"target": "api.example.com",
"scan_type": "tls_inventory",
"options": {
"include_cbom": true,
"mosca_data_lifetime_years": 10
}
}{
"status": "completed",
"readiness_score": 62,
"findings": {
"quantum_vulnerable": 47,
"transitional": 12,
"quantum_safe": 8
},
"mosca": {
"hndl_risk": "elevated",
"data_lifetime_years": 10,
"quantum_timeline_years": 8
},
"exports": {
"cbom": "cyclonedx-json",
"report_url": "/r/sample-token",
"verify_url": "/verify?token=sample-token"
},
"method": "pqc_scanner"
}How it works
Step 1
Choose your path
Sample report (no setup), OQS live demo, or authorized workspace for your domain.
Go to scannerStep 2
Run baseline
Fixture scenarios offline, or live TLS/JWKS/SSH discovery on test.openquantumsafe.org or your allowlisted domain.
Go to scannerStep 3
Review findings
Readiness score, Mosca HNDL timeline, framework mapping, and remediation backlog.
Q-Day readiness (endpoint-scoped)
Mosca inequality: X + Y > Z
10-year retention plus 5-year migration exceeds an 8-year quantum timeline.
Step 4
Export evidence
PDF, CycloneDX CBOM, and public verify link for auditors and the board.
Preview deliverablesDeliverables
Deliverable preview — illustrative
Click a PDF outline item to highlight the matching CBOM field — every assessment exports board-ready PDF, CycloneDX CBOM, and a verify receipt auditors can check independently.
Executive summary
Framework mapping
Remediation backlog
Selected item syncs with the CBOM tab — illustrative sample only.
Why teams choose Qtangl
Signed evidence
Every report ships with a content hash and signature — auditors verify at /verify without trusting Qtangl alone.
Continuous drift
Monitor diffs each scan against the last baseline so regressions surface before the next audit cycle.
Honest scope
Inventory aid and prioritization — not a formal attestation. We say what we do and do not claim.
Minutes, not months
Live fixture scan in under ten minutes. Compare that to spreadsheet programs that decay on first deploy.
Live today: Fixture + OQS live demo scans · Signed PDF + CycloneDX CBOM · Public /verify for auditors
What you get

TLS handshake inventory with algorithm and key-size classification — the evidence your security team needs for CMMC and PCI audits.

Harvest-now-decrypt-later exposure scored against your data retention horizon — board-ready context, not alarmism.

Multi-method discovery
No single discovery method covers your full estate. Qtangl combines TLS, JWKS, SSH, and upload paths — illustrative coverage for Assess tier.
| Method | Assess coverage |
|---|---|
| TLS handshake | full |
| JWKS / JWT | full |
| SSH host keys | full |
| STARTTLS | partial |
| PEM upload | full |
What Monitor adds
Assess is a one-session snapshot. Monitor schedules re-scans, detects drift, and alerts when new quantum-vulnerable endpoints appear.
Two new quantum-vulnerable TLS endpoints and one RSA-2048 certificate downgrade detected since last week's scan.
Scenarios
Pre-loaded fixture targets for banking, government, and healthcare readiness workflows — no domain required.
Standards & frameworks
Every assessment maps your quantum-vulnerable findings to the frameworks driving your program — NSM-10, CNSA 2.0, NIST IR 8547, PCI-DSS 4.0, and CMMC — with control themes, deadlines, and a signed report your auditors can verify independently.
Sample artifact
30-second preview
Email-gated mini-assessment shows readiness score, coverage confidence, and top findings — no domain required.
Why Qtangl
Many tools inventory TLS endpoints. Qtangl adds framework mapping, Mosca HNDL scoring, and PQ-signed reports your auditors verify at /verify — without claiming formal attestation.
| Capability | Qtangl | Typical discovery tool |
|---|---|---|
| Signed report + public verify | Yes | Rare |
| Framework mapping (NSM-10, CMMC, PCI) | Yes | Partial |
Next steps
Run a free Q-Day scan, download the full vendor comparison guide, or talk with our team about your shortlist.
Assess → Monitor → Convert
Stage 1 — Baseline
Assess is a one-session baseline. Monitor tracks drift until Q-Day. Convert plans remediation with signed evidence.
What Convert adds
After your baseline, Convert tracks remediation waves, what-if score projections, and verify-fix loops — illustrative preview below.
Case study
FAQ
No. Assess is an inventory aid that maps quantum-vulnerable cryptography to frameworks your auditors cite. Export signed PDF and CBOM evidence — auditors verify independently at /verify.
Q-Day readiness
Self-serve Assess workspace includes 5 scans per month and domain allowlisting. Sales-led pilots cover multi-domain estates and Monitor onboarding.
Machine-readable crypto bill of materials for your CMDB and GRC tools — import into ServiceNow, Archer, or your SIEM.

Board-ready summary with an independent verify link — auditors confirm signing integrity at /verify.
NIST IR 8547 primer
Transitioning to post-quantum cryptography standards
Control mappings are an inventory aid to accelerate audit preparation — not a formal attestation. We say what we do and do not claim.
Ops note: Sample scenarios use offline fixtures. Live demos target approved hosts only. Production domains require an authorized workspace at /assess/start. Methodology & rate limits.
Loading assessment scanner…