PQLENS_LICENSE or pass --license.PQLens builds your cryptographic inventory, scores your quantum exposure, and hands you auditor-ready evidence — at mid-market prices. 100% local; nothing leaves your machine.
PCI DSS v4.0 requirement 12.3.3 requires a documented inventory of the cryptography you use — today, not in 2030. PQLens generates that evidence in an afternoon, and flags the embarrassing stuff (MD5, SHA-1, TLS 1.0, RSA-1024) while it's at it. Post-quantum readiness is the roadmap it hands you next.
One tool, from source to certificate. An inventory is only as good as the places it looks — so PQLens looks at the crypto you call, the crypto you ship, the crypto you declare, and the crypto you serve.
Crypto API usage across Python, JavaScript/TypeScript, Java/Kotlin and Go — algorithm, key size, library, file:line.
Lockfiles for npm, Go, pip/poetry, Maven, Cargo and Bundler — the crypto your libraries ship, whether or not you call it directly.
nginx, Apache and HAProxy TLS settings; Terraform and cert-manager key specs; SSH public keys. The crypto you declare, not the crypto you call.
PEM/DER stores and directories — key algorithm and size, signature hash, validity, deprecated-signature warnings, code-signing keys called out.
Ingest a CycloneDX or SPDX SBOM and attribute the crypto each dependency ships, classified for quantum risk.
Protocol versions, cipher suites, key-exchange groups (spot classical ECDHE vs hybrid X25519MLKEM768), certificate chains and expiry.
Live host keys, read pre-authentication. No credentials, no login attempt — just the algorithm your fleet presents.
The JSON Web Key Set behind your JWT trust — every signing key classified, so your token layer is in the inventory too.
PKCS#12 (.p12/.pfx) and Java KeyStores (.jks) — where Java services, load balancers and signing pipelines actually keep their certificates. Bare PEM on disk is the exception, not the rule.
Your managed keys and certificates — the crypto nobody has on disk. Read-only, metadata only, using the AWS credentials you already have. For a PCI-scoped shop, the CMKs are the inventory.
A single static binary — CLI for pipelines, desktop app when you run it with no arguments.
# macOS / Linux — download, then run the desktop app or the CLI
OS=$(uname -s | tr '[:upper:]' '[:lower:]'); ARCH=$(uname -m)
[ "$ARCH" = "x86_64" ] && ARCH=amd64; [ "$ARCH" = "aarch64" ] && ARCH=arm64
curl -fsSL "https://pqlens.cybxsan.com/download/latest/pqlens_${OS}_${ARCH}.tar.gz" | tar xz
./pqlens # opens the desktop app
./pqlens scan code . # inventory this repo
./pqlens scan tls example.com # probe a TLS endpoint
./pqlens scan code . --fail-on quantum-vulnerable # CI gate (Pro)
The app and all ten surfaces are free. Paid tiers buy a memory of what you scanned, the reports to prove it, and the signature an auditor will accept.
Already a CybXSan grc-pro customer? PQLens Compliance uploads its signed pack straight into your evidence pipeline, where it maps to A.8.24 and PCI 12.3.3. No extra module, no second bill.
Need it done for you? The PQC Readiness Assessment — tool-assisted report + 90-day roadmap + 1-hour readout — is $4,500, ~20–25% of Big-4 equivalents. Talk to CybXSan.
The cryptographic-inventory requirement has been mandatory since March 2025, and a QSA can ask for it today. The EU wants PQC migration started by the end of 2026; NIST deprecates RSA and ECDSA after 2030. Most of these rules ask for the same artifact first — an inventory of the cryptography you are actually running.