For CAC40 · DAX40 · IBEX35 · AEX25 security teams

Inventory your cryptography
before quantum breaks it.

Post-quantum cryptography inventory & CycloneDX CBOM for regulated EU enterprises.

CRYPTAGION discovers every cryptographic asset in your codebase, certificates, and live TLS endpoints — then scores quantum-vulnerability risk, generates a CycloneDX 1.6 CBOM, and produces a board-ready PDF mapped to DORA, NIS2, and the EU Cyber Resilience Act.

Built in the EU · Deployable on-prem · Demo-able in 4 minutes
Watch

See CRYPTAGION in action.

A short walkthrough — discovery, CBOM, quantum-risk scoring and the migration roadmap.

Self-hosted — no YouTube, no third-party trackers.

Why now

The post-quantum migration window is open.

Three independent forces have made cryptographic inventory a 2025 board topic.

01

NIST standards are final.

FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) shipped in August 2024. The "we're waiting for standards" excuse expired.

02

EU regulation is live.

DORA, NIS2, and the EU Cyber Resilience Act increase the need for demonstrable ICT resilience, cryptographic governance, and audit-ready evidence — that your existing GRC tooling can ingest.

03

HNDL exposure is now.

Any data with a confidentiality requirement beyond seven years is already inside the harvest-now-decrypt-later window under the NIST 2032 CRQC consensus.

The platform

Discover. Score. Deliver.

One pipeline, three deliverables — generated in seconds against a real customer codebase.

Discover

Find every key, hash and cert.

Static analysis across five languages, plus X.509 cert stores and live TLS endpoints.

  • Python (AST), JavaScript / TypeScript, Java, Go, C / C++
  • X.509 PEM / DER / CRT / CER, with validity + signature hash
  • Live TLS handshake inventory via sslyze
  • Source code never leaves your perimeter
Score

Risk anyone can defend.

0–100 score per asset, with reasoning. Tunable per data sensitivity and HNDL window.

  • Anchored to NIST IR 8413, BSI TR-02102-1, CNSA 2.0
  • Lifecycle signals: expired certs, aged keys
  • Per-asset sensitivity policy via .cryptagion.yaml
  • YAML-tunable weights — no forking required
Deliver

What your CISO sends the board.

A board-ready PDF, a standards-compliant CBOM, and a 4-wave migration roadmap — generated automatically.

  • CycloneDX 1.6 Crypto-BOM (validated against the strict schema)
  • Executive PDF mapped to DORA, NIS2, EU CRA, FIPS 203/204/205
  • 4-wave migration plan with effort estimates
  • Policy-generated executive narrative — optional EU-sovereign LLM assistance, deterministic offline mode by default
How it works

From hidden cryptography to a migration-ready CBOM

CRYPTAGION scans code, certificates, and TLS endpoints inside your perimeter, normalizes cryptographic assets, scores quantum exposure, and generates audit-ready outputs for security, architecture, and compliance teams.

CRYPTAGION pipeline: source code, certificates, TLS endpoints and keys/secrets flow into a local analysis engine, producing a CycloneDX 1.6 CBOM, executive report, quantum risk score and migration roadmap — on-prem or air-gapped
Interactive demo

No slides. Real output from a real run.

A recorded replay of an actual CRYPTAGION run against the public pyca/cryptography repository — 60 cryptographic assets discovered, scored, and reported. Click Run to play it through; to run it against your code, the first call is free.

cryptagion ~ recorded run
Bar chart of 60 cryptographic assets by algorithm family
Donut chart of risk distribution: 30 critical, 11 medium, 19 low
Scatter plot of risk score against harvest-now-decrypt-later exposure

Want to see this against your code? The first call is free. Book 30 minutes →

Sample output

Real numbers from a real public codebase.

Below: an unedited CRYPTAGION run against pyca/cryptography on its main branch — the cryptographic library that ships in almost every Python application in production today.

Bar chart: 60 cryptographic assets discovered across families
60 cryptographic assets across 7 algorithm families — MD5 and SHA-1 highlighted.
Donut chart: risk distribution across critical/high/medium/low
Risk distribution under a "confidential / 10-year secrecy" baseline.
Scatter plot: risk score against HNDL exposure window
Each finding plotted against its harvest-now-decrypt-later exposure.

See the actual outputs. Real artifacts from the demo run above — no email required.

Download sample CBOM (CycloneDX 1.6) Download sample executive report (PDF) Sample .cryptagion.yaml
What it detects

Detection coverage, stated explicitly.

No ambiguity about what is supported today versus on the roadmap.

CapabilityStatusHow
Python cryptography detectionAvailableAST-based static analysis
JavaScript / TypeScript detectionAvailableStatic analysis (Semgrep)
Java detectionAvailableSource-code analysis
Go detectionAvailableSource-code analysis
C / C++ detectionAvailableSource-code analysis
Certificate parsingAvailablePEM, DER, CRT, CER
TLS endpoint scanAvailableLive handshake inspection (sslyze)
Quantum risk scoringAvailablePer-asset, HNDL-aware
CycloneDX CBOM exportAvailableVersion 1.6, schema-validated
Executive PDF reportAvailableBoard & audit ready
CI/CD integrationPlatformAPI / pipeline integration
SOAR / GRC integrationPlatformAPI-driven outputs
Multi-cloud KMS scanPlatformAWS KMS, Azure Key Vault, GCP KMS via API
SIEM exportPlatformFindings streamed to your SIEM via API
Container image analysisRoadmapPlanned
Binary analysisRoadmapPlanned
Pricing

Built for procurement.

Fixed-fee discovery, transparent platform pricing, optional migration advisory. Public so your CISO does not have to "talk to sales" to budget it.

Q4 REFERENCE PROGRAMME — 3 spots remain

PQC Readiness Pilot — €18,000

A focused, fixed-scope engagement to baseline one critical domain: 3–5 repositories and up to 20 TLS endpoints — producing a sample CycloneDX CBOM, a quantum-risk summary and an executive overview. The natural first step before a full Discovery, at a reference-programme rate in exchange for a public reference and a 30-minute case-study interview. Open to the first 5 reference customers only.

€18,000
first step → full Discovery (€45k)
Apply for a pilot →
Discovery
€45,000
Fixed-fee · 60 days
Scope: up to 50 repositories · 100 TLS endpoints · certificate stores · 1 results workshop · on-prem or air-gapped
  • Full discovery across code + certs + TLS
  • CycloneDX 1.6 Crypto-BOM
  • Board-ready PDF executive report
  • 4-wave migration roadmap
  • Regulatory mapping (DORA, NIS2, CRA)
Migration advisory
Custom
Billed separately
Scope: tailored to your estate · migration waves · crypto-agility design · governance support
  • Hands-on migration support
  • Cryptographic-agility design review
  • Delivered directly or through your security integrator
  • Reference architectures for ML-KEM, ML-DSA, SLH-DSA

For your procurement file: Download the CRYPTAGION security posture (PDF) →

Why a focused practice

Small team. Engineered for procurement.

You are inventorying your most sensitive cryptographic assets. You should know exactly who runs the tool, where it runs, and what happens if we disappear. Here are the answers your procurement team will ask for — before they ask.

Your code never leaves your perimeter.

Discovery runs inside your environment. Static analysis, cert parsing and TLS handshakes execute locally; only the findings are aggregated. The executive narrative is policy-generated; optional LLM assistance uses an EU-sovereign backend you can swap, or runs in a deterministic offline mode with no external call at all. Air-gapped runs are supported.

No lock-in. Outputs outlive the vendor.

Every deliverable is an open standard: a CycloneDX 1.6 CBOM your GRC tooling already ingests, and a PDF your board can read without our platform. If you ever stop working with us, your inventory, your roadmap and your audit trail stay fully usable.

Continuity is contractual, not a promise.

Source-code escrow available on Platform engagements, with a documented right-to-audit and a reversibility clause. The offline fallback means a run never depends on our availability. You are buying a deliverable and a method — not a dependency.

Built by practitioners, not a sales org.

CRYPTAGION is built by a focused security-engineering practice — cybersecurity, data & AI specialists with 10 years across banking, luxury and industrial enterprises, where cryptographic risk and regulatory pressure are operational, not theoretical. The people who scope your engagement are the people who run the tool against your code.

FAQ

Questions procurement always asks.

Does my source code leave my environment?

No. Discovery runs inside your perimeter; only aggregated findings are produced. Air-gapped runs are supported.

What standards does the CBOM comply with?

CycloneDX 1.6 Crypto-BOM, validated against the strict schema, with reporting mapped to DORA, NIS2, the EU CRA and FIPS 203/204/205.

What happens to my deliverables if I stop using CRYPTAGION?

All outputs are open standards (CycloneDX CBOM, PDF) and remain fully usable without the platform. Source-code escrow is available on Platform engagements.

Partners & integrators

Built to work alongside your security partners.

CRYPTAGION is a natural complement to the firms already trusted by regulated EU enterprises. Deliver post-quantum readiness to your clients without building a cryptographic-discovery engine in-house.

MSSPs

Add PQC discovery to your services

Extend your managed offering with cryptographic inventory, CBOM and risk scoring — under your delivery, on the client’s perimeter.

Audit & GRC firms

Produce audit-ready evidence

Generate CycloneDX CBOMs and board-ready reports for your DORA, NIS2 and CRA engagements — open-standard, defensible artefacts.

Integrators

Deliver the migration, not just findings

Pair discovery with wave-based migration roadmaps. Migration Advisory can be delivered directly or co-delivered with you.

Referral and co-delivery arrangements available. Become a partner →

Free 30-minute discovery call

I will run CRYPTAGION against your code in the call.

Bring a representative repository (public, anonymised, or under NDA). You walk out with a real preview of your cryptographic posture. No payment until you've seen the tool work against your own codebase. No slides. No salesforce.

Book a free 30-minute call on Calendly

Or write directly: contact@cryptagion.io