Cryptographic Intelligence

Discovery, Tracking and Reporting

A probe scans every protocol surface that negotiates cryptography—TLS, SSH, SMTP, IMAP, RDP, database protocols, healthcare protocols, message brokers, filesystem sharing. Over twenty protocols across roughly thirty port variations. Each scan is graded A through F against CNSA 2.0 compliance timelines, and every result feeds a temporal trajectory—IMPROVING, DEGRADING, or STABLE—so you always know whether your migration is on pace. Seven discovery methods feed one cryptographic inventory. Pick the one that fits your workflow, or use them all.

Discovery

Source code, dependencies, filesystems, networks, endpoints. Each method feeds the same inventory.

Find cryptographic usage in source code before it ships. Block weak crypto in CI/CD with exit-code gating.

Languages
Go, Python, Java, C/C++, JS, TS, Rust, Ruby, PHP, C#
Patterns
160+ — RSA, ECC, DH, weak ciphers, insecure random, deprecated algos
Configs
nginx, Apache, Cloudflare, YAML, JSON
Output
SARIF, JSON, text — CI/CD gate on critical/high
pqprobe-static reference →

Which dependencies use cryptography, whether they're quantum-safe, and the minimum version to upgrade to.

Ecosystems
Go, npm, PyPI, Cargo, Maven, RubyGems, Composer, NuGet
Detects
RSA, ECDSA, DH, X25519, Ed25519, AES, JWT libs, TLS libs
PQC Readiness
Per-library PQC support status with upgrade version
Depth
Transitive deps — flags crypto in indirect dependencies
dep-audit reference →

Scan filesystems for certificates, keys, and crypto configs. Know what's stored where.

Certificates
.pem, .crt, .cer, .der, .p12, .pfx
Keys
RSA, ECDSA, Ed25519, SSH, GPG/PGP — encrypted or not
Keystores
Java JKS, PKCS#12, system stores
Platforms
Linux, macOS, Windows
scan-local reference →

Find every cryptographic service on your network. 80+ service types across 20+ protocols, graded A–F.

Web & Access
TLS/HTTPS, SSH, RDP
Email
SMTP, IMAP, POP3
Infrastructure
LDAP, SMB/NTLM, MySQL, PostgreSQL, MongoDB, Redis
Specialized
Kafka, RabbitMQ, XMPP, FHIR, HL7/MLLP, DICOM +60 more
Full protocol list →

Analyze captured traffic from SPAN ports or network taps. 13-protocol detection. No agents, no active connections. Ideal for medical devices, SCADA, and OT networks.

Input
pcap, pcapng — from tcpdump, Wireshark, SPAN ports
Protocols
TLS, SSH, SMTP, IMAP, POP3, FTP, PostgreSQL, MySQL, RDP, LDAP, XMPP, HL7/MLLP, DICOM
Extracts
Handshakes, cipher suites, certificates, STARTTLS upgrades, server banners, PQC indicators
Output
Same A–F scoring — feeds into trajectory, compliance, CBOM
passive analyze reference →

Audit local machine crypto configuration. Registry settings, security policies, NTLM authentication.

NTLM
LmCompatibilityLevel, NTLMv1/v2 policy, auth events
Registry
Crypto settings, security policies, protocol config
Event Logs
NTLM auth events, security audit trail
Output
Same A–F scoring as network scans
audit-windows reference →

Import Microsoft Defender for Endpoint software inventory exports. Zero-deployment crypto library census across large fleets.

Input
CSV, JSON — KQL Advanced Hunting exports
Tables
DeviceTvmSoftwareInventory, DeviceFileCertificateInfo
Crypto Map
15 libraries — OpenSSL, GnuTLS, NSS, BouncyCastle, wolfSSL, Go, Rust, .NET, Java
Output
Same A–F scoring — per-device PQC readiness, trajectory tracking
import mde reference →

Tracking

Every scan adds to the history. Trends emerge automatically.

Trending

See grades improve or regress across your inventory.

History

Full scan history for every asset, every method.

Diff

What changed between scans — new findings, resolved issues, grade shifts.

Prioritize

Focus on what matters most for your deadlines.

Project

At your current rate, will you hit CNSA 2027? 2030? 2035? Extrapolate compliance trajectory against real deadlines.

Reporting

Standards-based outputs. Fits into existing workflows.

Compliance

  • CNSA 2.0 2027 / 2030 / 2035
  • PCI DSS 4.0 / NIS2 gap analysis
  • BSI TR-02102 / FIPS 140 hybrid PQC
  • HIPAA / DORA / CISA sector-specific
  • CBOM CycloneDX 1.6
  • CSV / JSON CMDB, SIEM export

Integration

  • Jira issues, auto-close, reopen
  • GitHub / GitLab SARIF, PR annotations
  • Microsoft Defender MDE software inventory import
  • nmap import existing scans
  • Database SQLite or PostgreSQL
  • REST API all scan data

Deployment

Single binary. Zero external dependencies. No data leaves your network.

Distribution Package

Tarball with binaries, systemd unit, config template, and step-by-step install guide. Extract, configure, start.

Auth Enforcement

Set PQPROBE_REQUIRE_AUTH to gate all non-public routes behind API key or OAuth. Bootstrap admin key generated on first run.

Docker

Container images for server, CLI, and static analyzer. Single-container deployment with embedded workers and SQLite.

Air-Gapped

No telemetry, no license server, no update checks. The only outbound connections are to the targets you scan.

See what's in your environment

We assess your cryptographic posture, deploy PQProbe on your infrastructure, and leave you with continuous monitoring that runs on your network.

Book an assessment Email us