A developer-friendly TypeScript post-quantum crypto SDK (@qsafe/crypto) with high-level APIs for KEM, signatures, sealed-box encryption, password hashing, and signed tokens — defaulting to NIST ML-KEM-768, ML-DSA-65, and hybrid X25519+ML-KEM-768 over RFC 9180 HPKE
We turned NIST's post-quantum mandate into shipping code: an SDK that fixes vulnerable crypto and a scanner that finds it.
Cybersecurity / Cryptography (post-quantum migration tooling)
- crypto.createCipheriv(RSA): vulnerable
- ecdsa.sign(secp256k1): vulnerable
- mlkem768.encapsulate(): ML-KEM ✓
- mldsa65.sign(msg): ML-DSA ✓
NIST has finalized post-quantum cryptography standards (ML-KEM, ML-DSA, SLH-DSA) and regulators now mandate cryptographic inventories, but most engineering teams have no easy way to find the quantum-vulnerable crypto buried in their code or to adopt safe replacements. QuantumSafe needed a credible, standards-anchored SDK and scanner built fast, without standing up a full cryptography R&D team.

The system, in parts.
- An enterprise source scanner (qsafe scan) that flags risky and quantum-vulnerable cryptography — RSA, ECDH/ECDSA, weak hashing, unsafe randomness, AES misuse, hardcoded keys — with rule explanations and scan-to-scan diffing in CI
- A CycloneDX 1.6 Cryptographic Bill of Materials (CBOM) emitter as the primary, standards-conformant inventory output, plus JSON, SARIF, Markdown, HTML, and text projections
- A policy and quantum-readiness scoring engine so teams can govern findings, suppress noise, and track migration progress over time
- A monorepo CLI (scan, report, diff, rules, explain) that wires the SDK and scanner into existing developer workflows
- An evaluation harness wired to official NIST ACVP test vectors for ML-KEM-768, ML-DSA-65, and SLH-DSA — 380+ curated cases — for reproducible, provenance-tracked conformance testing
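To make the scan-to-inventory path concrete, here is an added example (not the project's own code) of a minimal rule-based scanner that flags the call patterns shown above and folds its findings into CycloneDX 1.6 cryptographic-asset components plus a readiness percentage. The rule ids, regexes, sample source and scoring formula are assumptions of this example, not the product's rules.

```typescript
// Hypothetical rule set: a regex over one source line plus the CycloneDX 1.6
// cryptoProperties the hit maps to. level = NIST quantum security category
// (0 = no security against a quantum adversary, 3 = ML-KEM-768 / ML-DSA-65).
type Primitive = "pke" | "signature" | "kem";
interface Rule { id: string; pattern: RegExp; algorithm: string; primitive: Primitive; quantumSafe: boolean; level: number }
interface Finding { ruleId: string; file: string; line: number; algorithm: string; primitive: Primitive; quantumSafe: boolean; level: number }

const RULES: Rule[] = [
  { id: "QS-RSA-KEYGEN", pattern: /generateKeyPair(?:Sync)?\(\s*["']rsa["']/, algorithm: "RSA", primitive: "pke", quantumSafe: false, level: 0 },
  { id: "QS-ECDSA-SECP256K1", pattern: /secp256k1/, algorithm: "ECDSA-secp256k1", primitive: "signature", quantumSafe: false, level: 0 },
  { id: "QS-MLKEM-768", pattern: /\bmlkem768\./, algorithm: "ML-KEM-768", primitive: "kem", quantumSafe: true, level: 3 },
  { id: "QS-MLDSA-65", pattern: /\bmldsa65\./, algorithm: "ML-DSA-65", primitive: "signature", quantumSafe: true, level: 3 },
];

// Scan one file's text; each rule reports at most one finding per line.
function scan(file: string, source: string): Finding[] {
  const out: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    for (const r of RULES) {
      if (r.pattern.test(text)) out.push({ ruleId: r.id, file, line: i + 1, algorithm: r.algorithm, primitive: r.primitive, quantumSafe: r.quantumSafe, level: r.level });
    }
  });
  return out;
}

// Shape of a CycloneDX 1.6 "cryptographic-asset" component (only the fields used here).
interface CbomComponent { type: "cryptographic-asset"; "bom-ref": string; name: string; evidence: { occurrences: { location: string; line: number }[] }; cryptoProperties: { assetType: "algorithm"; algorithmProperties: { primitive: Primitive; parameterSetIdentifier: string; nistQuantumSecurityLevel: number } } }
interface Cbom { bomFormat: "CycloneDX"; specVersion: "1.6"; version: number; components: CbomComponent[] }

// Fold findings into one component per algorithm, keeping every call site as evidence.
function toCbom(findings: Finding[]): Cbom {
  const byAlg = new Map<string, CbomComponent>();
  for (const f of findings) {
    let c = byAlg.get(f.algorithm);
    if (!c) {
      c = { type: "cryptographic-asset", "bom-ref": `crypto/algorithm/${f.algorithm}`, name: f.algorithm, evidence: { occurrences: [] },
            cryptoProperties: { assetType: "algorithm", algorithmProperties: { primitive: f.primitive, parameterSetIdentifier: f.algorithm, nistQuantumSecurityLevel: f.level } } };
      byAlg.set(f.algorithm, c);
    }
    c.evidence.occurrences.push({ location: f.file, line: f.line });
  }
  return { bomFormat: "CycloneDX", specVersion: "1.6", version: 1, components: Array.from(byAlg.values()) };
}

// Readiness (assumed metric): percentage of flagged call sites already on a quantum-safe algorithm.
function readinessScore(findings: Finding[]): number {
  if (findings.length === 0) return 100;
  return Math.round((100 * findings.filter((f) => f.quantumSafe).length) / findings.length);
}

// Constructed sample source: two quantum-vulnerable call sites, two post-quantum ones.
const SAMPLE = [
  'import { generateKeyPairSync, createSign } from "node:crypto";',
  'const { privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });',
  'const sig = createSign("SHA256").update(msg).sign(ecKey); // curve: secp256k1',
  "const { ciphertext, sharedSecret } = mlkem768.encapsulate(peerPublicKey);",
  "const token = mldsa65.sign(msg, signingKey);",
].join("\n");
```

Running `scan("app.ts", SAMPLE)` yields four findings (two vulnerable, two post-quantum), `toCbom` emits four cryptographic-asset components, and `readinessScore` reports 50.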
What changed for them.
- Turns an abstract regulatory mandate into a concrete workflow: the scanner discovers risky crypto and the SDK is the recommended, drop-in remediation
- Cryptographic inventory becomes machine-readable and portable via standards-conformant CycloneDX CBOM, ready for downstream and federal ingestion pipelines without bespoke parsers
- Conformance is evidenced, not asserted — public-API surface and behavior are validated against official NIST ACVP vectors with pinned provenance
- Built on published standards with no invented primitives, and honest production-readiness guardrails (not yet audited / not FIPS-validated) to set correct trust expectations
- Architected as a wedge: a free, credible open-source SDK and scanner that funnels into a commercial cloud and regulated-enterprise platform
The stack.