Every Cryptographic Risk.
Discovered. Scored. Protected.
QSafe gives security teams complete PQC visibility across code, infrastructure, and live network — and protects traffic with quantum-safe TLS today.
Trusted by financial institutions across the GCC
The Cryptographic Crisis Is Already Here.
RSA and ECC — the algorithms protecting your data today — will be broken. The clock is running.
Harvest Now, Decrypt Later
Nation-state adversaries are capturing encrypted network traffic today. When quantum computers arrive, they'll decrypt it retroactively. Sensitive communications, financial records, and classified data are already at risk — even behind current encryption.
2030 Is Closer Than You Think
NIST formally deprecated RSA and ECC in 2024, with full disallowance by 2030 and mandatory removal by 2035. Most organizations have thousands of cryptographic touchpoints and no inventory of their exposure.
No Inventory, No Roadmap
You cannot migrate what you cannot see. Without a complete map of every algorithm, key size, and protocol in your environment, a PQC migration plan is impossible. Cryptographic assets are invisible to most security teams today.
One Platform. Complete Cryptographic Lifecycle.
QSafe doesn't just alert — it discovers, scores, and protects.
DISCOVER
- Scanner
- Network Discovery
Every algorithm across source code, network protocols, and Kubernetes infrastructure — mapped automatically.
SCORE & GOVERN
- Dashboard
Deterministic 5-factor risk scoring, CycloneDX CBOM export, and NIST IR 8547 milestone tracking toward 2030 and 2035.
PROTECT
- Proxy
Hybrid PQC TLS on live production traffic. X25519 + ML-KEM-768. FIPS 203/204/205. Zero code changes required.
One platform. Zero blind spots.
Four components covering the full cryptographic lifecycle — discover, score, and protect.
Cryptographic Code Analysis
QSafe Scanner statically analyses source code across your repositories, identifying every cryptographic primitive in use — algorithms, key sizes, deprecated patterns, and insecure configurations.
- 10+ languages: Python, Java, Go, Rust, C/C++, TypeScript, PHP, Ruby, Kotlin, Swift
- CycloneDX CBOM output: machine-readable inventory aligned with NIST IR 8547
- CI/CD integration: GitHub Actions, GitLab CI, Jenkins, Azure DevOps plugins
- Detects RSA, ECC, AES, SHA, and all deprecated NIST algorithms with severity rating
No existing tool covers the full cryptographic lifecycle. QSafe does.
Traditional vulnerability scanners and SIEM platforms were built for a different era. QSafe is built for the post-quantum transition.
| Dimension | Traditional Tools | QSafe |
|---|---|---|
| Scope | Isolated point tools — code OR network OR traffic | Unified: code + network + live traffic in one platform |
| Traffic Protection | No PQC traffic protection capability | Hybrid PQC TLS: X25519 + ML-KEM-768, live and in production |
| Output Format | Proprietary reports — not machine-readable | CycloneDX CBOM — referenced by NIST IR 8547 |
| Risk Scoring | Qualitative severity labels (Low / Medium / High) | Deterministic 5-factor model with per-asset explain panel |
| Crypto-Agility | Static algorithm configuration — requires redeploy | Hot-swappable algorithm registry via xDS — no restart |
| Air-Gap Support | Cloud-dependent — no offline mode | Full air-gapped deployment with graceful degradation |
| Deployment Options | SaaS only | SaaS, self-hosted (Docker/Helm), hybrid, and air-gapped |
Scope
Traditional Tools
Isolated point tools — code OR network OR trafficQSafe
Unified: code + network + live traffic in one platformTraffic Protection
Traditional Tools
No PQC traffic protection capabilityQSafe
Hybrid PQC TLS: X25519 + ML-KEM-768, live and in productionOutput Format
Traditional Tools
Proprietary reports — not machine-readableQSafe
CycloneDX CBOM — referenced by NIST IR 8547Risk Scoring
Traditional Tools
Qualitative severity labels (Low / Medium / High)QSafe
Deterministic 5-factor model with per-asset explain panelCrypto-Agility
Traditional Tools
Static algorithm configuration — requires redeployQSafe
Hot-swappable algorithm registry via xDS — no restartAir-Gap Support
Traditional Tools
Cloud-dependent — no offline modeQSafe
Full air-gapped deployment with graceful degradationDeployment Options
Traditional Tools
SaaS onlyQSafe
SaaS, self-hosted (Docker/Helm), hybrid, and air-gappedFrequently Asked Questions
No. QSafe is purpose-built for post-quantum cryptographic risk — a category that existing SIEM, CSPM, and vulnerability scanners were not designed to address. It integrates alongside your existing stack via CBOM export, SIEM forwarding, and ticketing integrations, adding a PQC-specific layer without replacing your current investments.
Harvest Now, Decrypt Later (HNDL) is a threat model where nation-state adversaries capture encrypted network traffic today and store it until a sufficiently powerful quantum computer becomes available to decrypt it retrospectively. Communications encrypted with RSA or ECC today are at risk of exposure in 5–15 years. HNDL means the quantum threat is not a future problem — it is an active risk on your network right now.
No. QSafe Proxy is a drop-in reverse proxy that sits in front of your existing services. Your backend applications require zero code changes, zero recompilation, and zero reconfiguration. The proxy negotiates hybrid PQC TLS with connecting clients on your behalf and forwards traffic to your backend over the existing connection. Algorithm configuration is managed centrally via the xDS control plane and takes effect without restarting the proxy.
Network Discovery maps the cryptographic posture of your live infrastructure across 15+ protocol surfaces — including TLS (all versions), SSH, QUIC, DNS (DNSSEC), IKEv1/v2, SNMP, LDAP, Kerberos, and RDP. Discovery can be initiated via five paths: active network scanning, import from Nessus or Qualys vulnerability reports, custom CSV/JSON/XML transformers for proprietary data sources, Kubernetes-native inspection of cert-manager, Istio, and Linkerd, and a unified scoring view that aggregates across all paths.
Yes. QSafe is available as a fully self-hosted deployment (Docker Compose or Helm chart) designed to operate without any external network connectivity. In air-gapped mode, signature updates and algorithm registry updates are applied via offline bundle import. The Dashboard, Scanner, and Proxy all function fully offline. Network Discovery active scanning operates within the air-gapped network perimeter. Cloud-dependent features (licence validation, telemetry) degrade gracefully and do not impact core functionality.
QSafe is built around the three NIST post-quantum standards finalized in August 2024: FIPS 203 (ML-KEM, used in the Proxy for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, for stateless hash-based signatures). The Scanner flags all algorithm usage against the NIST IR 8547 deprecation schedule (deprecated 2030, disallowed 2035). The Dashboard tracks your migration progress against those milestones. CBOM output follows the CycloneDX format referenced by NIST IR 8547 as the standard inventory format.
Your Cryptographic Inventory Starts Here.
Request a demo and see QSafe running against a real environment in under an hour.
- Tailored to your environment
- Setup in under an hour
- No commitment required