Free public PQC TLS scanner

Scan a TLS endpoint
in 30 seconds.

Find out whether any internet-facing endpoint negotiates a hybrid post-quantum KEM, carries an alt-signature extension, and has clean cert hygiene. No signup. Open source.

We'll email a summary of your scan. No spam, unsubscribe any time. Want it on-prem? Talk to us.

Sample report

api.example.com:443

Hybrid KEM Not negotiated

Cert signatureRSA-2048 (classical)

Alt-signature ext.absent

TLS 1.3

CAAadvisory

PQC Readiness28 / 100 — D

Hybrid KEM detection

Probes for X25519MLKEM768, SecP256r1MLKEM768 (IANA 0x11EC, 0x11EB), and the pre-standard Kyber draft groups.

Alt-signature extensions

Looks for draft-ietf-lamps-x509-alt extensions (2.5.29.72/73/74) and composite-signature OIDs from the Entrust arc.

Cert hygiene + CAA

Validity window, key strength, SAN coverage, OCSP-Must-Staple, CAA records that permit/limit PQC-aware CAs.

Want this for your whole estate?

The scanner is the first source for the L2 Discovery layer. Pair it with cloud APIs, host agents, and code scans, and you have a full crypto inventory.

Scan a TLS endpointin 30 seconds.

Hybrid KEM detection

Alt-signature extensions

Cert hygiene + CAA

Want this for your whole estate?

Scan a TLS endpoint
in 30 seconds.