What is a cryptographic bill of materials (CBOM)?

A CBOM is a structured inventory of every cryptographic asset across an organization — algorithms, key sizes, certificates, libraries, and protocols — mapped to the systems that depend on them. It is the foundation of any post-quantum migration program because you cannot migrate what you have not inventoried.

Which cryptographic algorithms are quantum-vulnerable?

Public-key algorithms based on integer factorization (RSA) or discrete logarithms (ECC, DH, ECDH, ECDSA, DSA) are broken by Shor algorithm running on a sufficiently large quantum computer. Symmetric algorithms (AES, SHA-2, SHA-3) are weakened by Grover algorithm but remain usable with doubled key sizes. ML-KEM, ML-DSA, and SLH-DSA are NIST-standardized post-quantum replacements.

How does QuantumSecure Discovery find cryptographic assets?

Discovery uses three complementary scanners: network scanning of TLS endpoints and certificates, static analysis of source code and dependencies for cryptographic API calls, and infrastructure scanning of HSMs, key vaults, and PKI for stored keys and policies. Results are deduplicated and risk-scored.

How long does a typical Discovery scan take?

A first-pass scan of a mid-sized enterprise estate (1,000–5,000 endpoints, 50 repositories) completes in 4–24 hours. Continuous scanning runs in the background and refreshes the CBOM whenever new assets appear.

Does Discovery integrate with existing CMDBs and SBOM tools?

Yes. Discovery exports CBOM data in CycloneDX 1.6 format (which includes cryptographic component support) and integrates with ServiceNow CMDB, Snyk, and Dependency-Track. CBOM entries cross-reference SBOM components so you can trace cryptographic risk to specific software builds.

L2Inventory — Layer 2 of the platform

Cryptographic Asset Discovery

Find every certificate, key, algorithm, and protocol in your estate. Tag what is quantum-vulnerable. Aggregate by system, by data classification, by source. Without the inventory, no migration plan stands up to scrutiny.

Network scanCloud APIs (AWS / GCP / Azure)Host agentCSV / JSON uploadCode scan

Sample artefact

Total assets

412

% HIGH risk

37.4%

% SAFE

12.1%

System	Algorithm	Risk
payments	RSA-2048	HIGH
edge-api	X25519MLKEM768	SAFE
data-warehouse	AES-128	MEDIUM
admin	ECDSA-P256	HIGH

Who it's for

Security teams who need a live inventory, not a one-shot audit
Architects scoping which systems to migrate first
Compliance / GRC functions answering "where are our weak primitives?"
Anyone whose CMDB has nothing under "cryptographic algorithm"

What you get

Unified asset catalogue across cloud, on-prem, and code
Algorithm → quantum-risk classifier (HIGH / MEDIUM / LOW / SAFE)
Heatmap by risk, type, source, system
Per-system dossier (every key, every cert, every protocol)
API + dashboard, multi-tenant out of the gate

How it works

Step 1

Ingest from anywhere

TLS scanner reports, AWS ACM / GCP CM / Azure KV APIs, lightweight host agent, code scan via ripgrep + AST sweep, and bulk CSV/JSON upload.

Step 2

Classify automatically

Every algorithm — by name or OID — is mapped to a quantum-risk band. Composite signatures and hybrid KEMs are auto-promoted to SAFE.

Step 3

Aggregate and dispatch

Heatmaps, per-system dossiers, and API queries feed Layer 3 (Migration) so prioritisation runs on the same numbers your team can audit.