Post-Quantum Cryptography Scanner
https://qubitac.com

Scan. Discover. Secure.
🎬 YouTube Demo

- AC Scanner Demo — `sh scan.sh qubitac.com --web`
  Scans all standard web ports (80, 443, 8080, 8443, 9443) and generates a Crypto Bill of Materials (CBOM) with a clean summary report.
- AC Scanner Verbose Demo — `sh scan.sh qubitac.com --web -v`
  Same web scan with verbose output enabled.
AC Scanner is an open-source pipeline that maps your full cryptographic attack surface across TLS endpoints and SSH services, assesses every asset against NIST post-quantum standards, and generates a structured **Cryptographic Bill of Materials (CBOM)** — in a single command.
With NIST finalizing ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) in 2024, and NIST IR 8547 mandating deprecation of quantum-vulnerable algorithms by 2030, organizations need to inventory their cryptographic assets now. AC Scanner automates that process from discovery to compliance-ready reporting.
🔗 Dashboard: qubitac.com/dashboard
First-of-its-kind cryptographic surface scan across the top 35 Fortune 500 companies, conducted April 2026 using AC Scanner.
| Metric | Endpoint Count | Percentage |
|---|---|---|
| Total HTTPS endpoints scanned | 42,796 | 100% |
| Running TLS 1.3 | 39,574 | 92.5% |
| Running TLS 1.2 | 3,222 | 7.5% |
| PQC Hybrid deployed | 13,164 | 30.8% |
| No PQC protection | 29,632 | 69.2% |
| Expired certificates | 362 | 0.8% |
| Hostname mismatches | 2,207 | 5.2% |
| PQC-safe certificate signatures | 0 | 0% |

"69% of 42,796 HTTPS endpoints across the top 35 Fortune 500 companies have zero quantum protection today."
"Finance is the second least PQC-ready sector at 14.1%, despite being the most heavily regulated."
362 expired certificates. 2,207 hostname mismatches. 2,569 total certificate governance failures across 35 Fortune 500 companies and 0% PQC-safe signatures across all 42,796 endpoints. This is not a quantum problem; it is a cryptographic governance crisis.
Four stages:
| Stage | What Happens |
|---|---|
| Discovery | Subdomain enumeration, DNS resolution, web & SSH service detection |
| Scanning | OpenSSL TLS handshake analysis + SSH auditing per host |
| Analysis | PQC vulnerability scoring, NIST deadline mapping, CBOM generation |
| Reporting | JSONL + JSON + Markdown output, ready to upload to the dashboard |
- TLS scanning — Captures TLS version, cipher suite, certificate chain, EC curve, key exchange group, and PQC hybrid detection (X25519MLKEM768, SecP256r1MLKEM768, etc.)
- SSH auditing — Classifies KEX algorithms against PQC-safe patterns (sntrup761, mlkem, kyber, ntru, frodokem), flags weak ciphers (3DES, DES, RC4, arcfour, Blowfish) and weak MACs (SHA-1, MD5, RIPEMD), detects quantum-vulnerable host keys (RSA, ECDSA, Ed25519, Ed448, DSA) with per-algorithm ML-DSA replacement guidance, and factors OpenSSH version into migration priority (7.x = CRITICAL, 8.x = HIGH, 9.x = MEDIUM)
- PQC scoring — Per-endpoint quantum vulnerability score across three components: key exchange (70%), certificate signature (30%), and symmetric cipher (Grover's impact)
- Migration priorities — CRITICAL / HIGH / MEDIUM / LOW tiers aligned to NIST IR 8547 deadlines (2030 deprecation, 2035 disallowment)
- CBOM output — Structured Cryptographic Bill of Materials in JSON, ready for auditors, CISOs, and compliance frameworks (NIST, PCI-DSS)
- CDN bypass — SSH scanner probes subdomain records, MX, and SPF ip4: directives to find real IPs behind CDNs
- HTTP fallback — When TLS fails, falls back to HTTP probing for server fingerprinting and OS detection
- Legacy cipher detection — Flags RC4, 3DES, NULL, export-grade, and CBC+SHA1 ciphers as non-PQC-ready regardless of key exchange
- Data quality flags — Each result includes a probe status and data quality flags indicating exactly what was and wasn't captured, enabling the CBOM engine to accurately score only endpoints with sufficient data
- No cloud dependency — Runs entirely on your own infrastructure; suitable for air-gapped environments
- Timestamped scan history — Compare scan runs over time to track PQC migration progress
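The SSH-auditing bullet above as a small classifier, added here as an illustration (it is not the project's ssh_scanner.py): it applies the page's PQC-safe KEX patterns, weak cipher and MAC lists, host-key replacement guidance and OpenSSH version tiers to constructed ssh-audit-style algorithm lists; the "UNKNOWN" tier for non-OpenSSH banners is an assumption.

```python
"""SSH algorithm classifier for the SSH-auditing bullet above.
Added illustration, not the project's ssh_scanner.py; the lists in SAMPLE are
constructed to resemble the algorithms ssh-audit reports for one server."""
import re

PQC_KEX = ("sntrup761", "mlkem", "kyber", "ntru", "frodokem")
WEAK_CIPHERS = ("3des", "des", "rc4", "arcfour", "blowfish")
WEAK_MACS = ("sha1", "md5", "ripemd")
VULNERABLE_HOSTKEYS = ("rsa", "ecdsa", "ed25519", "ed448", "dss")  # 'dss' = DSA

def _matches(name, patterns):
    return any(p in name.lower() for p in patterns)

def version_priority(banner):
    """OpenSSH major version -> tier (7.x CRITICAL, 8.x HIGH, 9.x+ MEDIUM)."""
    m = re.search(r"OpenSSH_(\d+)\.", banner)
    if not m:
        return "UNKNOWN"  # assumption: non-OpenSSH banners are left unscored
    major = int(m.group(1))
    return "CRITICAL" if major <= 7 else "HIGH" if major == 8 else "MEDIUM"

def classify_ssh(banner, kex, ciphers, macs, hostkeys):
    """Return findings; pqc_ready means at least one PQC-safe KEX is offered."""
    pqc_kex = [k for k in kex if _matches(k, PQC_KEX)]
    return {
        "pqc_kex": pqc_kex,
        "classical_kex": [k for k in kex if k not in pqc_kex],
        "weak_ciphers": [c for c in ciphers if _matches(c, WEAK_CIPHERS)],
        "weak_macs": [m for m in macs if _matches(m, WEAK_MACS)],
        "hostkeys": [{"algorithm": h,
                      "quantum_vulnerable": _matches(h, VULNERABLE_HOSTKEYS),
                      "replacement": "ML-DSA (FIPS 204)"
                      if _matches(h, VULNERABLE_HOSTKEYS) else None}
                     for h in hostkeys],
        "pqc_ready": bool(pqc_kex),
        "migration_priority": version_priority(banner),
    }

SAMPLE = {  # constructed ssh-audit-style lists for an imaginary host
    "banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "kex": ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256", "diffie-hellman-group14-sha1"],
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "3des-cbc"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha1"],
    "hostkeys": ["rsa-sha2-512", "ecdsa-sha2-nistp256", "ssh-ed25519"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(classify_ssh(**SAMPLE), indent=2))
```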
| Algorithm | Type | Broken By | NIST Replacement |
|---|---|---|---|
| X25519, P-256, P-384, P-521 | TLS Key Exchange | Shor's Algorithm | ML-KEM (FIPS 203) |
| RSA, ECDSA, DSA, Ed25519, Ed448 | SSH Host Keys / Signatures | Shor's Algorithm | ML-DSA (FIPS 204) |
| 3DES, DES, RC4, arcfour, Blowfish | SSH Ciphers | Classically weak | AES-256-GCM |
| SHA-1, MD5, RIPEMD | SSH MACs | Classically weak | SHA-256 / Poly1305 |
| AES-128 | Symmetric | Grover's Algorithm | AES-256 |

| Group | Classical Component | PQC Component | Security Level |
|---|---|---|---|
| X25519MLKEM768 | X25519 | ML-KEM-768 | 128-bit quantum-safe |
| SecP256r1MLKEM768 | P-256 | ML-KEM-768 | 128-bit quantum-safe |
| X25519Kyber768 | X25519 | Kyber-768 | 128-bit quantum-safe |
| SecP384r1MLKEM1024 | P-384 | ML-KEM-1024 | 192-bit quantum-safe |
- Linux or macOS (Windows via WSL)
- Python 3.8+
- OpenSSL 3.x (for PQC hybrid group detection)
```sh
# macOS
brew install subfinder dnsx httpx jq openssl
pip3 install ssh-audit

# Ubuntu / Debian
sudo apt install jq openssl dnsutils
pip3 install ssh-audit

# subfinder, dnsx, httpx (Go-based tools)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
```

AC Scanner will check for all dependencies on startup and offer to install missing ones automatically.
```sh
# Clone the repo
git clone https://github.com/qubitac/AC-Scanner.git
cd AC-Scanner
chmod +x scan.sh

# Scan a domain (Default web port: 443)
sh scan.sh example.com

# Scan web (Default web ports: 80, 443, 8080, 8443, 9443)
sh scan.sh example.com --web

# Scan web and SSH (Default SSH ports: 22, 2222)
sh scan.sh example.com --web --ssh

# Scan everything (web ports: 80, 443, 8080, 8443, 9443; SSH ports: 22, 2222)
sh scan.sh example.com --all

# Custom ports
sh scan.sh example.com -p 443,8443

# With verbose output
sh scan.sh example.com --all -v
```

| Flag | Ports |
|---|---|
| --web | 80, 443, 8080, 8443 |
| --ssh | 22, 2222 |
| --all | All of the above |
| -p | Custom comma-separated ports |
Each scan produces three output files under `<domain>/<timestamp>/`:

```text
example.com/
└── 2026-03-13T120000/
    ├── cbom/
    │   ├── crypto-bom.json   ← CBOM for dashboard upload
    │   └── summary.md        ← Human-readable scan summary
    └── reports/
        └── scan_stats.json   ← Machine-readable scan statistics
```
```json
{
  "host": "api.example.com",
  "port": 443,
  "tls_version": "tls13",
  "cipher": "TLS_AES_256_GCM_SHA384",
  "pqc_hybrid": false,
  "pqc_ready": false,
  "migration_priority": "CRITICAL",
  "vulnerabilities": [
    {
      "component": "Key Exchange",
      "algorithm": "X25519",
      "quantum_vulnerable": true,
      "broken_by": "Shor's Algorithm",
      "replacement": "ML-KEM (FIPS 203) via X25519MLKEM768"
    }
  ]
}
```

Upload crypto-bom.json to qubitac.com/dashboard to visualize your PQC readiness score, filter by TLS version, cipher suite, and migration priority, and export findings for auditors.
Each endpoint receives a score (0–100) based on NIST IR 8547:
| Priority | Score | Target Timeline | NIST Deadline |
|---|---|---|---|
| CRITICAL | 80–100 | 2026–2027 | Deprecated after 2030 |
| HIGH | 60–79 | 2026–2028 | Deprecated after 2030 |
| MEDIUM | 20–59 | 2028–2030 | Must complete before 2030 |
| LOW | 0–19 | 2030–2032 | Must complete before 2035 |

Note: TLS 1.2 endpoints are always forced to CRITICAL — TLS 1.3 is required for PQC hybrid key exchange.
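The scoring bullet, the hybrid-group table and the priority bands above, worked through as an added example that emits a record in the shape of the CBOM entry shown earlier; it is not the project's pqc_cbom.py. The point values (70 for key exchange, 30 for certificate signature, a 10-point Grover penalty for sub-256-bit symmetric keys) and the pqc_ready rule are assumptions consistent with the page, not its exact formula, and the TLS 1.2 rule is applied to anything older than TLS 1.3.

```python
"""Per-endpoint PQC scoring in the shape of the CBOM entry shown earlier.
Added example, not the project's pqc_cbom.py: the points (key exchange 70,
certificate signature 30, Grover penalty 10 for sub-256-bit symmetric keys)
and the pqc_ready rule are assumptions matching the page, not its formula."""
import re

HYBRID_PQC = ("mlkem", "kyber")  # PQC halves of the hybrid groups listed earlier
PQC_SIGS = ("ml-dsa", "slh-dsa", "fn-dsa", "dilithium", "sphincs", "falcon")

def is_pqc_hybrid(group):
    return any(p in group.lower() for p in HYBRID_PQC)

def symmetric_bits(cipher):
    """Key size from an IANA or OpenSSL suite name; unknown suites yield 0."""
    m = re.search(r"AES_?(\d{3})", cipher.upper())
    return int(m.group(1)) if m else (256 if "CHACHA20" in cipher.upper() else 0)

def priority_for(score, tls_version):
    """Score -> NIST IR 8547 tier from the table above; TLS 1.2 is forced CRITICAL."""
    if tls_version.lower().replace("v", "").replace(".", "") != "tls13":
        return "CRITICAL"  # hybrid key exchange needs TLS 1.3
    return ("CRITICAL" if score >= 80 else "HIGH" if score >= 60
            else "MEDIUM" if score >= 20 else "LOW")

def score_endpoint(host, port, tls_version, kx_group, sig_algorithm, cipher):
    hybrid, vulns, score = is_pqc_hybrid(kx_group), [], 0
    if not hybrid:  # every classical group falls to Shor
        score += 70
        vulns.append({"component": "Key Exchange", "algorithm": kx_group,
                      "quantum_vulnerable": True, "broken_by": "Shor's Algorithm",
                      "replacement": "ML-KEM (FIPS 203) via X25519MLKEM768"})
    if not any(p in sig_algorithm.lower() for p in PQC_SIGS):
        score += 30
        vulns.append({"component": "Certificate Signature", "algorithm": sig_algorithm,
                      "quantum_vulnerable": True, "broken_by": "Shor's Algorithm",
                      "replacement": "ML-DSA (FIPS 204)"})
    bits = symmetric_bits(cipher)
    if 0 < bits < 256:  # Grover halves effective symmetric strength
        score += 10
        vulns.append({"component": "Symmetric Cipher", "algorithm": cipher,
                      "quantum_vulnerable": True, "broken_by": "Grover's Algorithm",
                      "replacement": "AES-256"})
    score = min(score, 100)
    return {"host": host, "port": port, "tls_version": tls_version, "cipher": cipher,
            "pqc_hybrid": hybrid, "pqc_ready": hybrid and bits >= 256,
            "pqc_score": score, "migration_priority": priority_for(score, tls_version),
            "vulnerabilities": vulns}
```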
```text
scan.sh (orchestrator)
├── Discovery
│   ├── subfinder → subdomain enumeration
│   ├── dnsx → DNS resolution
│   └── httpx → live host detection
│
├── TLS Scanner (openssl_scanner.py)
│   ├── openssl s_client per host
│   ├── Certificate parsing (x509)
│   ├── PQC hybrid group detection
│   └── HTTP fallback probing
│
├── SSH Scanner (ssh_scanner.py)
│   ├── TCP pre-check
│   ├── ssh-audit per host
│   ├── CDN bypass (DNS/MX/SPF)
│   ├── PQC KEX classification (sntrup761, mlkem, kyber, ntru, frodokem)
│   ├── Weak cipher/MAC detection (3DES, RC4, SHA-1, MD5, RIPEMD)
│   ├── Host key vulnerability mapping (RSA/ECDSA/Ed25519 → ML-DSA)
│   └── OpenSSH version-based priority scoring
│
└── CBOM Engine (pqc_cbom.py)
    ├── Vulnerability scoring
    ├── Migration priority mapping
    ├── CBOM JSON generation
    └── Markdown summary + migration roadmap
```
| Standard | Algorithm | Status | Role |
|---|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | ✅ Finalized Aug 2024 | Key Encapsulation |
| FIPS 204 | ML-DSA (Dilithium) | ✅ Finalized Aug 2024 | Digital Signatures |
| FIPS 205 | SLH-DSA (SPHINCS+) | ✅ Finalized Aug 2024 | Hash-based Signatures |
| FIPS 206 | FN-DSA (Falcon) | 🔄 Draft | Digital Signatures |
| — | HQC | 🔄 Selected Mar 2025 | Key Encapsulation (backup) |

NIST IR 8547 Timeline:
- 2030 — Deprecation of quantum-vulnerable algorithms
- 2035 — Full disallowment
- Blue teams — Inventory cryptographic assets before the 2030 NIST deadline
- Security architects — Identify which endpoints need TLS 1.3 upgrades before PQC can be deployed
- Compliance engineers — Generate CBOM evidence for auditors aligned to NIST and PCI-DSS
- Pentesters — Identify weak cipher suites, expiring certificates, and legacy TLS in scope
- Air-gapped environments — No API keys or cloud services required
| Variable | Default | Description |
|---|---|---|
| SCAN_TIMEOUT | 10 | Connection timeout in seconds |
| VERBOSE | 0 | Set to 1 for verbose output |
| DEBUG | 0 | Set to 1 for raw OpenSSL output |

```sh
SCAN_TIMEOUT=30 VERBOSE=1 bash scan.sh example.com --all
```

| Platform | Support |
|---|---|
| Linux | ✅ Full support |
| macOS | ✅ Full support |
| Windows (WSL) | ✅ Supported |
| Windows (Git Bash) | ✅ bash scan.sh |
| Windows (native) | ❌ Not supported |

MIT License — see LICENSE
AC Scanner builds on top of excellent open-source tools:
- OpenSSL — TLS handshake and certificate parsing
- ssh-audit — SSH configuration auditing
- subfinder — Subdomain enumeration
- dnsx — DNS resolution
- httpx — HTTP probing
