PQC Network Scanner

The PQC Network Scanner is a purpose‑built assessment tool designed to help organisations understand their cryptographic exposure as they transition toward a post‑quantum security posture. Unlike traditional TLS scanners that focus solely on certificate validity or classical cryptographic strength, this scanner evaluates endpoints through a quantum‑aware lens. It inspects not only RSA and elliptic‑curve keys but also identifies emerging post‑quantum algorithms, hybrid deployments and experimental PQC indicators embedded within certificates, extensions and cipher suites. This makes it uniquely suited for environments preparing for the cryptographic shift driven by NIST’s PQC standardisation and the growing threat of “harvest now, decrypt later” adversaries.

At its core, the scanner performs deep inspection of TLS endpoints across an internal network. It retrieves and analyses full certificate chains, evaluates key types and sizes, detects PQC‑related OIDs, and identifies hybrid key‑exchange mechanisms such as X25519+Kyber. The tool also examines TLS protocol versions and cipher suites to determine whether endpoints support Perfect Forward Secrecy (PFS) or rely on legacy, quantum‑vulnerable configurations. By combining these the scanner provides a comprehensive view of both classical and quantum‑era cryptographic resilience.

Beyond cryptography, the scanner incorporates intelligent device identification. It correlates certificate metadata, DNS information and naming conventions to classify endpoints such as routers, firewalls, VPN gateways, web servers and application hosts. This contextual awareness helps security teams understand not just what cryptography is deployed, but where it resides within the network. An essential capability for building a crypto inventory and prioritising remediation.

The output report contains technical detail with clear, actionable commentary. Each endpoint is assessed for quantum vulnerability, PQC readiness, TLS posture and certificate chain integrity. The report highlights high‑risk configurations, identifies PQC‑enabled or hybrid deployments and provides migration guidance aligned with emerging standards such as ML‑DSA and ML‑KEM. Summary sections consolidate findings across the scanned environment, offering a high‑level view of organisational readiness and exposure.

Version 2.0 is designed to be used on Enterprise networks where IDS/IPS my prove problematic. So it will slow and randomise scan traffic to avoid triggering IDS/IPS. This applies pacing to both port checks and TLS handshakes and is recommended for production or monitored networks.

Link to: GitHub PQC Network Scanner

Link to: ORCID