Code Analysis
Analyze source code for cryptographic usage with pqprobe-static.
pqprobe-static scan .
Scan current directory for crypto usage
pqprobe-static scan . --languages go,python
Scan only Go and Python files
pqprobe-static scan . --severity high
Only report high+ severity findings
pqprobe-static scan . --output json
JSON output for automation
pqprobe-static scan . --output sarif
SARIF output for GitHub/GitLab Code Scanning
160+ detection patterns across Go, Python, Java, C/C++, JavaScript, TypeScript, Rust, C#, Ruby, and PHP. Detects insecure random number generation, deprecated algorithms (MD5, SHA-1, DES, RC4, Blowfish), weak KDFs, hardcoded IVs/nonces, insecure TLS config, weak key sizes, and certificate pinning. Also scans config files (nginx, Apache, YAML, JSON) and certificates.
Dependency Audit
Audit dependency manifests for crypto library usage and PQC readiness.
pqprobe dep-audit .
Audit current project for crypto dependencies
pqprobe dep-audit /path/to/project
Audit a specific project directory
pqprobe dep-audit . --output json
JSON output for automation
Parses go.mod, package.json, requirements.txt, Pipfile, pyproject.toml, Cargo.toml, pom.xml, build.gradle, Gemfile, composer.json, and *.csproj. Reports algorithms used, PQC readiness, and minimum versions needed for PQC support across 8 ecosystems.
MDE Import
Import Microsoft Defender for Endpoint Advanced Hunting exports and map software inventory to PQC readiness assessments. Zero-deployment crypto library census across large fleets.
pqprobe import mde --source export.csv
Import a single CSV export
pqprobe import mde --source ./mde-exports/
Import a directory of exports
pqprobe import mde --source export.csv --dry-run
Preview without database writes
pqprobe import mde --source export.csv --output json
JSON output for automation
pqprobe import mde --source export.csv --crypto-map custom.json
Use custom crypto mapping file
Supports DeviceTvmSoftwareInventory and DeviceFileCertificateInfo table exports (CSV and JSON). Deduplicates by (device, software, version). Maps 15 crypto libraries (OpenSSL, GnuTLS, NSS, LibreSSL, BouncyCastle, wolfSSL, libssh, libssh2, .NET, Java/OpenJDK, Go, rustls, AWS-LC, BoringSSL, mbedTLS) to PQC capability assessments with version-range matching. Each device becomes a scan result with the same A–F scoring, trajectory tracking, and compliance export as active probes. Unrecognized software is tagged as “unknown” for inventory visibility. The --crypto-map flag accepts a custom JSON mapping file to extend coverage without recompiling.
KQL Query
Export from MDE Advanced Hunting:
DeviceTvmSoftwareInventory
| project DeviceId, DeviceName, SoftwareName, SoftwareVersion, SoftwareVendor, OSPlatform, OSVersion
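The import steps described above (deduplicate by device, software and version, match versions against a range, tag unrecognized software as "unknown") are sketched below as an added example; it is not pqprobe's code and does not use pqprobe's crypto-map file format. The `PQC_MIN_VERSION` table, its 3.5.0 threshold, the verdict strings and the sample rows are assumptions constructed for illustration; the CSV columns are those projected by the query above.

```python
import csv
import io
import re

# Hypothetical stand-in for a crypto map: library -> first version treated as
# PQC-capable. Assumed for this example; not pqprobe's mapping format.
PQC_MIN_VERSION = {"openssl": (3, 5, 0)}

# Constructed sample export using the columns projected by the KQL query.
SAMPLE_EXPORT = """DeviceId,DeviceName,SoftwareName,SoftwareVersion,SoftwareVendor,OSPlatform,OSVersion
d1,web01,openssl,3.0.13,openssl,Linux,22.04
d1,web01,openssl,3.0.13,openssl,Linux,22.04
d2,web02,openssl,3.5,openssl,Linux,24.04
d2,web02,acme_agent,1.2,acme,Linux,24.04
"""


def parse_version(text, width=3):
    """Turn '1.1.1w' into (1, 1, 1); pad '3.5' to (3, 5, 0) so that tuple
    comparison does not rank '3.5' below '3.5.0'."""
    nums = []
    for piece in text.split(".")[:width]:
        match = re.match(r"\d+", piece)
        if not match:
            break
        nums.append(int(match.group()))
    return tuple(nums + [0] * (width - len(nums)))


def assess(export_text):
    """Map each unique (device, software, version) to a readiness verdict."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["DeviceId"], row["SoftwareName"].lower(), row["SoftwareVersion"])
        if key in results:
            continue  # duplicate inventory row for the same device and package
        minimum = PQC_MIN_VERSION.get(key[1])
        if minimum is None:
            results[key] = "unknown"  # kept for inventory visibility
        elif parse_version(key[2]) >= minimum:
            results[key] = "pqc-capable"
        else:
            results[key] = "needs-upgrade"
    return results
```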
Local Discovery
Find cryptographic artifacts on local filesystems.
pqprobe scan-local
Scan default paths for crypto files
sudo pqprobe scan-local --system
Scan system paths (requires root)
pqprobe scan-local /etc/ssl ~/.ssh
Scan specific directories
pqprobe scan-local --sensitivity 2
Critical data sensitivity (affects scoring)
pqprobe scan-local --output json
JSON output for automation
Finds certificates (.pem, .crt, .cer, .der, .p12, .pfx), private keys, Java keystores, SSH keys, GPG keyrings, and crypto config files. Works on Linux, macOS, and Windows.
Protocol Probing
Probe individual hosts for cryptographic configuration across multiple protocols.
Web & TLS
pqprobe scan example.com
TLS/HTTPS - versions, ciphers, certificates, PQC detection
Remote Access
pqprobe scan-ssh server.example.com
SSH - key exchange, host keys, ciphers, MACs
pqprobe scan-rdp server.example.com
RDP - TLS, NLA, CredSSP, security protocol
pqprobe scan-smtp mail.example.com
SMTP - STARTTLS, TLS config, certificates
pqprobe scan-imap imap.example.com
IMAP - STARTTLS, implicit TLS (993)
pqprobe scan-pop3 mail.example.com
POP3 - STLS, POP3S (995)
Directory & Authentication
pqprobe scan-ldap ldap.example.com
LDAP - STARTTLS, LDAPS (636)
pqprobe scan-smb fileserver.example.com
SMB/NTLM - NTLMv1/v2, signing, encryption, ESS
Databases
pqprobe scan-mysql db.example.com
MySQL - SSL/TLS capability, auth plugins, ciphers
pqprobe scan-postgres db.example.com
PostgreSQL - SSL mode, TLS version, ciphers
pqprobe scan-mongodb mongo.example.com
MongoDB - TLS mode, server version, auth
pqprobe scan-redis redis.example.com
Redis - TLS (Redis 6+), version, auth
pqprobe scan-cassandra cassandra.example.com
Cassandra - CQL TLS (9142), version, auth
Message Queues
pqprobe scan-kafka kafka.example.com
Kafka - SSL/SASL_SSL (9093/9094), API versions
pqprobe scan-amqp rabbitmq.example.com
RabbitMQ/AMQP - AMQPS (5671), protocol version
pqprobe scan-xmpp xmpp.example.com
XMPP - STARTTLS, implicit TLS (5223), SASL
Healthcare
pqprobe scan-fhir fhir.hospital.org
FHIR - R4/R5, SMART on FHIR, TLS, HIPAA
pqprobe scan-hl7 hl7.hospital.org
HL7/MLLP - HL7v2, secure MLLP, PHI protection
pqprobe scan-dicom pacs.hospital.org
DICOM - Medical imaging, DICOM-TLS, AE titles
File Transfer
pqprobe scan-ftp ftp.example.com
FTP - AUTH TLS, FTPS (990), explicit/implicit
Passive Analysis
Analyze captured network traffic across 13 protocols. No active connections to targets.
pqprobe passive analyze capture.pcap
Analyze pcap/pcapng file — 13-protocol detection
pqprobe passive analyze capture.pcap --sensitivity 2
PHI-level sensitivity for healthcare captures
pqprobe passive analyze capture.pcap --output json
JSON output for automation
pqprobe passive analyze capture.pcap --verbose
Detailed output with per-connection info
Reads pcap and pcapng files from SPAN ports, network taps, or tcpdump. Detects 13 protocols: TLS (ClientHello/ServerHello, cipher suites, certificates, PQC indicators), SSH (version strings, key exchange algorithms), SMTP/IMAP/POP3/FTP STARTTLS upgrades, PostgreSQL SSL and MySQL SSL negotiation, RDP security protocol detection (TLS, CredSSP, NLA), LDAP STARTTLS, XMPP STARTTLS, HL7v2 MLLP (message type, facility — CRITICAL finding for unencrypted medical data), and DICOM (AE Titles, Implementation UID — CRITICAL finding for unencrypted imaging data). Scores each observed host using the same A–F grading as active probes. Results feed into trajectory tracking, change detection, and compliance exports. TLS 1.3 certificates are encrypted and not available in passive mode — scoring uses cipher suite and key exchange data.
Network Discovery
Discover cryptographic services across entire networks.
pqprobe discover --cidr 10.0.0.0/24
Discover all crypto services in a subnet
pqprobe discover --cidr 10.0.0.0/24 --concurrency 50
Parallel probing with 50 concurrent connections
Automatically detects 80+ service types including TLS, SSH, SMTP, IMAP, databases, message queues, healthcare protocols, and more.
Endpoint Auditing
Audit local machine cryptographic configuration.
Windows
pqprobe audit-windows
Audit Windows NTLM and crypto configuration
pqprobe audit-windows --output json
JSON output for automation
Checks LmCompatibilityLevel registry settings, NTLMv1/v2 policy, NTLM authentication events, and security configuration. Must be run locally on the Windows host.
Analysis
Analyze cryptographic posture and track changes over time.
pqprobe analyze example.com --days 90
Analyze crypto trends over the last 90 days
pqprobe priorities --tier EMERGENCY
Show highest-priority migration targets
pqprobe efficiency example.com
Analyze cryptographic efficiency
pqprobe history example.com
View probe history for a target
Inventory
Manage your cryptographic asset inventory.
pqprobe certificates --expiring 30
List certificates expiring within 30 days
pqprobe software
List detected software and versions
pqprobe targets
List all probe targets
pqprobe stats
Show inventory statistics
Export & Integration
Export data and integrate with existing tools.
Compliance Assessment
pqprobe compliance --list-profiles
List available compliance profiles (CNSA, PCI, NIS2, BSI, FIPS, HIPAA, DORA, CISA)
pqprobe compliance --profile cnsa2 --scan-id latest
Run CNSA 2.0 compliance assessment
pqprobe compliance --profile pci-dss-4 --scan-id latest -o json
Compliance assessment with JSON output
Export Formats
pqprobe export --output inventory.csv
Export full inventory to CSV
pqprobe export-certificates
Export certificate inventory
pqprobe export-cbom output.json
Export CycloneDX Cryptographic Bill of Materials
pqprobe report example.com
Generate detailed report for a target
pqprobe scan example.com -o json
JSON output for automation
Jira Integration
pqprobe jira test
Test Jira connection and validate project
pqprobe jira export --scan-id latest
Export findings to Jira as trackable issues
pqprobe jira export --scan-id latest --project KEY
Export with explicit project key override
Requires PQPROBE_JIRA_URL, PQPROBE_JIRA_EMAIL, PQPROBE_JIRA_API_TOKEN, PQPROBE_JIRA_PROJECT environment variables. Re-scans automatically sync ticket status (close on resolution, reopen on regression).
Tool Integration
pqprobe import mde --source export.csv
Import MDE software inventory for PQC assessment
pqprobe analyze-nmap scan.xml
Import and analyze nmap results
pqprobe --db inventory.db scan ...
Use SQLite for persistent storage
pqprobe --db postgres://... scan ...
Use PostgreSQL for persistent storage