Post-quantum cryptography inventory & CycloneDX CBOM for regulated EU enterprises.
CRYPTAGION discovers every cryptographic asset in your codebase, certificates, and live TLS endpoints — then scores quantum-vulnerability risk, generates a CycloneDX 1.6 CBOM, and produces a board-ready PDF mapped to DORA, NIS2, and the EU Cyber Resilience Act.
A short walkthrough — discovery, CBOM, quantum-risk scoring and the migration roadmap.
Self-hosted — no YouTube, no third-party trackers.
Three independent forces have made cryptographic inventory a 2025 board topic.
FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) shipped in August 2024. The "we're waiting for standards" excuse expired.
DORA, NIS2, and the EU Cyber Resilience Act increase the need for demonstrable ICT resilience, cryptographic governance, and audit-ready evidence — that your existing GRC tooling can ingest.
Any data with a confidentiality requirement beyond seven years is already inside the harvest-now-decrypt-later window under the NIST 2032 CRQC consensus.
One pipeline, three deliverables — generated in seconds against a real customer codebase.
Static analysis across five languages, plus X.509 cert stores and live TLS endpoints.
0–100 score per asset, with reasoning. Tunable per data sensitivity and HNDL window.
.cryptagion.yamlA board-ready PDF, a standards-compliant CBOM, and a 4-wave migration roadmap — generated automatically.
CRYPTAGION scans code, certificates, and TLS endpoints inside your perimeter, normalizes cryptographic assets, scores quantum exposure, and generates audit-ready outputs for security, architecture, and compliance teams.
A recorded replay of an actual CRYPTAGION run against the public
pyca/cryptography repository — 60 cryptographic assets discovered,
scored, and reported. Click Run to play it through; to run it
against your code, the first call is free.
Want to see this against your code? The first call is free. Book 30 minutes →
Below: an unedited CRYPTAGION run against pyca/cryptography
on its main branch — the cryptographic library that ships in
almost every Python application in production today.
See the actual outputs. Real artifacts from the demo run above — no email required.
No ambiguity about what is supported today versus on the roadmap.
| Capability | Status | How |
|---|---|---|
| Python cryptography detection | Available | AST-based static analysis |
| JavaScript / TypeScript detection | Available | Static analysis (Semgrep) |
| Java detection | Available | Source-code analysis |
| Go detection | Available | Source-code analysis |
| C / C++ detection | Available | Source-code analysis |
| Certificate parsing | Available | PEM, DER, CRT, CER |
| TLS endpoint scan | Available | Live handshake inspection (sslyze) |
| Quantum risk scoring | Available | Per-asset, HNDL-aware |
| CycloneDX CBOM export | Available | Version 1.6, schema-validated |
| Executive PDF report | Available | Board & audit ready |
| CI/CD integration | Platform | API / pipeline integration |
| SOAR / GRC integration | Platform | API-driven outputs |
| Multi-cloud KMS scan | Platform | AWS KMS, Azure Key Vault, GCP KMS via API |
| SIEM export | Platform | Findings streamed to your SIEM via API |
| Container image analysis | Roadmap | Planned |
| Binary analysis | Roadmap | Planned |
Fixed-fee discovery, transparent platform pricing, optional migration advisory. Public so your CISO does not have to "talk to sales" to budget it.
For your procurement file: Download the CRYPTAGION security posture (PDF) →
You are inventorying your most sensitive cryptographic assets. You should know exactly who runs the tool, where it runs, and what happens if we disappear. Here are the answers your procurement team will ask for — before they ask.
Discovery runs inside your environment. Static analysis, cert parsing and TLS handshakes execute locally; only the findings are aggregated. The executive narrative is policy-generated; optional LLM assistance uses an EU-sovereign backend you can swap, or runs in a deterministic offline mode with no external call at all. Air-gapped runs are supported.
Every deliverable is an open standard: a CycloneDX 1.6 CBOM your GRC tooling already ingests, and a PDF your board can read without our platform. If you ever stop working with us, your inventory, your roadmap and your audit trail stay fully usable.
Source-code escrow available on Platform engagements, with a documented right-to-audit and a reversibility clause. The offline fallback means a run never depends on our availability. You are buying a deliverable and a method — not a dependency.
CRYPTAGION is built by a focused security-engineering practice — cybersecurity, data & AI specialists with 10 years across banking, luxury and industrial enterprises, where cryptographic risk and regulatory pressure are operational, not theoretical. The people who scope your engagement are the people who run the tool against your code.
No. Discovery runs inside your perimeter; only aggregated findings are produced. Air-gapped runs are supported.
CycloneDX 1.6 Crypto-BOM, validated against the strict schema, with reporting mapped to DORA, NIS2, the EU CRA and FIPS 203/204/205.
All outputs are open standards (CycloneDX CBOM, PDF) and remain fully usable without the platform. Source-code escrow is available on Platform engagements.
CRYPTAGION is a natural complement to the firms already trusted by regulated EU enterprises. Deliver post-quantum readiness to your clients without building a cryptographic-discovery engine in-house.
Extend your managed offering with cryptographic inventory, CBOM and risk scoring — under your delivery, on the client’s perimeter.
Generate CycloneDX CBOMs and board-ready reports for your DORA, NIS2 and CRA engagements — open-standard, defensible artefacts.
Pair discovery with wave-based migration roadmaps. Migration Advisory can be delivered directly or co-delivered with you.
Referral and co-delivery arrangements available. Become a partner →
Bring a representative repository (public, anonymised, or under NDA). You walk out with a real preview of your cryptographic posture. No payment until you've seen the tool work against your own codebase. No slides. No salesforce.
Book a free 30-minute call on CalendlyOr write directly: contact@cryptagion.io