What gets checked
Four audit modules, NIST-aligned
TLS Algorithm Audit
- Protocol: TLSv1.3 / 1.2 / 1.1 / 1.0 detected
- Cipher suite: AEAD (forward secret) vs legacy RSA key exchange
- Key bit strength: 256-bit EC vs 2048–4096-bit RSA
- Classical vs post-quantum algorithm comparison
- ALPN negotiation: HTTP/2 vs HTTP/1.1
- HTTP/3 Alt-Svc header detection
Certificate Analysis
- Chain depth (leaf + intermediates + root)
- Self-signed certificate detection
- Subject Alternative Names (SAN) list
- Signature algorithm: SHA-256/384 with RSA or EC
- PQC algorithm flag (CRYSTALS-Kyber, Dilithium)
- Days to expiry: alert if < 30 days
DNSSEC Status
- RRSIG resource record presence
- DNSKEY record presence
- Authenticated Data (AD) flag from resolver
- Zone signing status per domain label
- CAA record count and issuer list
PQC Readiness Score
- TLSv1.3 adoption (prerequisite for Kyber KEM)
- Certificate key type in NIST PQC shortlist
- DNSSEC as a DNS integrity layer
- Multi-year certificate rotation risk
- Vendor NIST PQC migration timeline flags
NIST PQC timeline
The migration window is narrowing
2022
NIST finalised PQC algorithm candidates: CRYSTALS-Kyber (KEM), CRYSTALS-Dilithium, FALCON, SPHINCS+.
2024
FIPS 203, 204, 205 published. Google Chrome and Cloudflare began Kyber hybrid TLS trials.
2025–26
Browser and CDN adoption accelerates. TLS 1.2 retirement timelines announced by major vendors.
2030 target
NSA CNSA 2.0 requires PQC algorithms for all classified national security systems.
Live scanner
Check any domain's post-quantum readiness posture now.
Paste a URL above and hit Scan →
Quantum Readiness Scan · Instant scan returns in ~5 seconds
TLS · DMARC · DNSSECAI content detectionBlockchain intelligenceGEO / llms.txt