PQLens

Know every algorithm you run.

PQLens builds your cryptographic inventory, scores your quantum exposure, and hands you auditor-ready evidence — at mid-market prices. 100% local; nothing leaves your machine.

🔒 100% local & offline-capable 📋 PCI DSS 12.3.3 evidence 🧾 CycloneDX 1.6 CBOM 🔑 ML-DSA-signed reports

Cryptographic inventory is already mandatory.

PCI DSS v4.0 requirement 12.3.3 requires a documented inventory of the cryptography you use — today, not in 2030. PQLens generates that evidence in an afternoon, and flags the embarrassing stuff (MD5, SHA-1, TLS 1.0, RSA-1024) while it's at it. Post-quantum readiness is the roadmap it hands you next.

Broken / deprecated Quantum-vulnerable Quantum-weakened PQC-ready

Ten discovery surfaces

One tool, from source to certificate. An inventory is only as good as the places it looks — so PQLens looks at the crypto you call, the crypto you ship, the crypto you declare, and the crypto you serve.

Code

Crypto API usage across Python, JavaScript/TypeScript, Java/Kotlin and Go — algorithm, key size, library, file:line.

Dependencies

Lockfiles for npm, Go, pip/poetry, Maven, Cargo and Bundler — the crypto your libraries ship, whether or not you call it directly.

Config & IaC

nginx, Apache and HAProxy TLS settings; Terraform and cert-manager key specs; SSH public keys. The crypto you declare, not the crypto you call.

Certificates

PEM/DER stores and directories — key algorithm and size, signature hash, validity, deprecated-signature warnings, code-signing keys called out.

SBOM enrichment

Ingest a CycloneDX or SPDX SBOM and attribute the crypto each dependency ships, classified for quantum risk.

TLS endpoints

Protocol versions, cipher suites, key-exchange groups (spot classical ECDHE vs hybrid X25519MLKEM768), certificate chains and expiry.

SSH hosts

Live host keys, read pre-authentication. No credentials, no login attempt — just the algorithm your fleet presents.

JWKS

The JSON Web Key Set behind your JWT trust — every signing key classified, so your token layer is in the inventory too.

Keystores

PKCS#12 (.p12/.pfx) and Java KeyStores (.jks) — where Java services, load balancers and signing pipelines actually keep their certificates. Bare PEM on disk is the exception, not the rule.

Cloud KMS & ACM

Your managed keys and certificates — the crypto nobody has on disk. Read-only, metadata only, using the AWS credentials you already have. For a PCI-scoped shop, the CMKs are the inventory.

Install

A single static binary — CLI for pipelines, desktop app when you run it with no arguments.

# macOS / Linux — download, then run the desktop app or the CLI
OS=$(uname -s | tr '[:upper:]' '[:lower:]'); ARCH=$(uname -m)
[ "$ARCH" = "x86_64" ] && ARCH=amd64; [ "$ARCH" = "aarch64" ] && ARCH=arm64
curl -fsSL "https://pqlens.cybxsan.com/download/latest/pqlens_${OS}_${ARCH}.tar.gz" | tar xz

./pqlens                         # opens the desktop app
./pqlens scan code .             # inventory this repo
./pqlens scan tls example.com    # probe a TLS endpoint
./pqlens scan code . --fail-on quantum-vulnerable   # CI gate (Pro)

Pricing

The app and all ten surfaces are free. Paid tiers buy a memory of what you scanned, the reports to prove it, and the signature an auditor will accept.

Free
$0
forever
  • Desktop app and CLI
  • All ten discovery surfaces
  • One scan at a time — nothing saved
  • CycloneDX & JSON output
Download
Pro
$49
/ month
  • Scan history & drift — on your machine, offline
  • HTML / PDF reports
  • Migration roadmap (Mosca)
  • CI gate · unlimited endpoints
Upgrade
Compliance
$149
/ month
  • ML-DSA-65-signed evidence packs
  • PCI 12.3.3 · ISO A.8.24 · CNSA 2.0 mappings
  • Signed PDF for your auditor
  • Push evidence to your GRC platform
Upgrade
Partner
$299
/ month + $99/report
  • White-label reports for auditors
  • Per-client workspaces — local
  • Client data never leaves your machine
  • vCISO / consultancy tooling
Upgrade

Already a CybXSan grc-pro customer? PQLens Compliance uploads its signed pack straight into your evidence pipeline, where it maps to A.8.24 and PCI 12.3.3. No extra module, no second bill.

Need it done for you? The PQC Readiness Assessment — tool-assisted report + 90-day roadmap + 1-hour readout — is $4,500, ~20–25% of Big-4 equivalents. Talk to CybXSan.

PCI DSS 12.3.3 is not a future problem

The cryptographic-inventory requirement has been mandatory since March 2025, and a QSA can ask for it today. The EU wants PQC migration started by the end of 2026; NIST deprecates RSA and ECDSA after 2030. Most of these rules ask for the same artifact first — an inventory of the cryptography you are actually running.

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.