Is your code quantum-safe?

PostQuant scans your TLS endpoints and source code for quantum-vulnerable cryptography. Get a letter grade. Know your risk.

🔐 PostQuant v0.1.1 — Quantum Readiness Scanner
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Target: google.com:443

Overall Grade: C+

Certificate
Algorithm: RSA-2048 🔴 Quantum Vulnerable

Connection
Protocol: TLS 1.3 🟢 Current
Key Exchange: X25519 (inferred) 🔴 Quantum Vulnerable
Cipher: AES-256 🟢 Quantum Safe
MAC: SHA-384 🟢 Quantum Safe

Summary
🔴 2 quantum-vulnerable findings
🟢 3 quantum-safe findings

Migration Notes
• ML-DSA (FIPS 204)
• ML-KEM (FIPS 203) hybrid key exchange
• NIST Timeline: Current algorithms deprecated 2030, disallowed 2035

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🔐 PostQuant v0.2.0 — Code Scanner
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Overall Grade: D+

Stats
Files scanned: 2,940
Files with findings: 5

Summary
🔴 7 quantum-vulnerable findings
🟢 1 quantum-safe finding

Findings
django/contrib/auth/hashers.py:669
MD5 🔴 Quantum Vulnerable

django/template/loaders/cached.py:96
SHA-1 🔴 Quantum Vulnerable

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

NIST says your encryption expires in 2030.

Harvest Now, Decrypt Later

Adversaries are collecting your encrypted data today. When quantum computers arrive, they'll decrypt everything. The clock started years ago.

The Deadline Is Real

NIST will deprecate RSA and ECC by 2030 and disallow them by 2035. Every organization using public-key cryptography needs to migrate. That's everyone.

Nobody's Ready

We scanned the world's top websites. Google, Apple, Chase, the FBI. The best score? C+. Nobody has deployed post-quantum cryptography.

We scanned the internet.
Here's what we found.

37 of the world's biggest sites. Banks. Governments. Security companies. The best score? C+. Nobody has deployed post-quantum cryptography.

[Results grid: one tile per scanned site, showing its certificate algorithm and key exchange. Site names were not preserved. Certificate algorithms shown: RSA-2048, RSA-4096, ECDSA P-256. Key exchanges shown: X25519, DHE-RSA.]

These organizations have trillions of dollars in resources. None have deployed quantum-safe cryptography. Have you checked yours?

The PostQuant Grading Scale

| Grade | Meaning | Who Gets This |
|-------|---------|---------------|
| A+ | All quantum-safe algorithms. PQC key exchange + signatures. | Nobody. Yet. |
| A | Quantum-safe with minor observations | Theoretically possible with hybrid PQC |
| B | Mostly safe, some moderate-risk items | Sites using AES-128 but PQC otherwise |
| C+ | Quantum-vulnerable, but best classical crypto (AES-256, SHA-384) | Google, Apple, Cloudflare, NSA |
| C | Quantum-vulnerable with some moderate items (SHA-256) | Amazon, GitHub, Chase, Meta |
| C- | Quantum-vulnerable with multiple moderate items (AES-128, TLS 1.2) | IBM, Oracle, Zscaler |
| D | Multiple quantum-vulnerable components | Legacy enterprise systems |
| F | Critical vulnerabilities + legacy protocols | TLS 1.1 or below, MD5, severely outdated |

+/- modifiers reflect classical crypto hygiene within each grade band. Fewer moderate findings = better modifier.

Check your quantum readiness in 30 seconds.

    # Install globally
    $ npm install -g postquant

    # Or run directly
    $ npx postquant scan yourdomain.com

    # Scan multiple hosts
    $ postquant scan api.example.com app.example.com

    # JSON output for CI/CD
    $ postquant scan example.com --format json

Requires Node.js 18+
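
The sample report above lists the key exchange as "X25519 (inferred)", and its migration notes point to ML-KEM hybrid key exchange. The following is an added example, not PostQuant's code: it reads the negotiated group directly from a TLS 1.3 ServerHello instead of inferring it. The function names `negotiatedGroup` and `sampleServerHello` are hypothetical, the handshake bytes are constructed, and the group code points are taken from the IANA TLS Supported Groups registry.

```javascript
// Named-group code points from the IANA "TLS Supported Groups" registry.
const GROUPS = {
  0x0017: { name: "secp256r1", pq: false },
  0x001d: { name: "x25519", pq: false },
  0x11eb: { name: "SecP256r1MLKEM768", pq: true },
  0x11ec: { name: "X25519MLKEM768", pq: true },
  0x11ed: { name: "SecP384r1MLKEM1024", pq: true },
};

// Parse a TLS 1.3 ServerHello handshake message (record header stripped) and
// return the group the server selected in its key_share extension.
function negotiatedGroup(buf) {
  if (buf.length < 4 || buf[0] !== 0x02) throw new Error("not a ServerHello");
  const end = 4 + buf.readUIntBE(1, 3);          // 3-byte handshake length
  if (end > buf.length) throw new Error("truncated ServerHello");
  let p = 4 + 2 + 32;                            // skip legacy_version and random
  p += 1 + buf[p];                               // legacy_session_id_echo
  p += 2 + 1;                                    // cipher_suite, compression method
  const extEnd = p + 2 + buf.readUInt16BE(p);
  if (extEnd > end) throw new Error("bad extensions length");
  p += 2;
  while (p + 4 <= extEnd) {
    const type = buf.readUInt16BE(p);
    const len = buf.readUInt16BE(p + 2);
    if (p + 4 + len > extEnd) throw new Error("bad extension length");
    if (type === 0x0033 && len >= 2) {           // key_share
      const id = buf.readUInt16BE(p + 4);
      const g = GROUPS[id] || { name: "unknown", pq: false };
      return { id, name: g.name, pq: g.pq };
    }
    p += 4 + len;
  }
  return null;                                   // no key_share extension present
}

// Constructed sample input: a minimal ServerHello that selects `group`.
function sampleServerHello(group, shareLen) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const ext = (type, data) => Buffer.concat([u16(type), u16(data.length), data]);
  const exts = Buffer.concat([
    ext(0x002b, u16(0x0304)),                    // supported_versions: TLS 1.3
    ext(0x0033, Buffer.concat([u16(group), u16(shareLen), Buffer.alloc(shareLen)])),
  ]);
  const body = Buffer.concat([u16(0x0303), Buffer.alloc(32), Buffer.from([0]),
    u16(0x1302), Buffer.from([0]), u16(exts.length), exts]);
  return Buffer.concat([Buffer.from([2, 0, body.length >> 8, body.length & 0xff]), body]);
}
```

A `null` result means the message carried no key_share extension, so the key exchange has to be determined some other way, for example from the negotiated cipher suite in TLS 1.2.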

Scan your source code for quantum-vulnerable crypto.

Detect RSA, ECDSA, DH, and other quantum-vulnerable algorithms across your codebase. Supports Python, JavaScript/TypeScript, Go, and Java.

    # Scan your project
    $ npx postquant analyze .

    # SARIF output for GitHub Code Scanning
    $ npx postquant analyze ./src --format sarif

    # CycloneDX CBOM for compliance
    $ npx postquant analyze . --format cbom

    # Filter by language
    $ npx postquant analyze . --language python --verbose

4 Languages

Python, JavaScript/TypeScript, Go, Java — 54 crypto detection patterns

4 Output Formats

Terminal, JSON, SARIF 2.1.0, CycloneDX CBOM 1.6

PostQuant scans itself. Grade: A

We scanned the world's most popular frameworks.

9 open source projects. 4 languages. Real results from PostQuant v0.2.0.

• 161 critical findings: ECDSA, RSA, DH throughout crypto package
• 7 critical findings: RSA in OAuth2 auth server, SHA-1 in DevTools
• 7 critical findings: MD5 in auth hashers, SHA-1 in templates
• 4 critical findings: MD5 + SHA-1 in Turbopack runtime
• 6 critical findings: DH + ECDH in crypto.js, SHA-1 in TLS
• 1 critical finding: SHA-1 in session management
• 0 critical findings: No quantum-vulnerable crypto detected
• 0 critical findings: No quantum-vulnerable crypto detected
• 0 critical findings: No quantum-vulnerable crypto detected

Scanned March 2, 2026. Run npx postquant analyze <path> to scan your own.

This is just the beginning.

• March 2026: TLS Scanner CLI (Live)
• March 2026: Code Scanner + CBOM (Live)
• April 2026: Migration Playbook (In Progress)
• May 2026: Dashboard + Enterprise (Planned)
• June 2026: CI/CD Integrations (Planned)
