See your post-quantum exposure before the mandates bite
SBOMVault inventories the cryptography in your software supply chain and flags what a quantum computer will break — scored against NSA CNSA 2.0. You cannot migrate what you cannot see.
Four classes of cryptographic risk
We classify the cryptographic libraries and algorithm components found in your SBOMs into four buckets, following NSA CNSA 2.0 guidance. Each detected asset carries the rationale for its classification.
Quantum-vulnerable
Public-key and key-agreement schemes broken by Shor’s algorithm on a cryptographically-relevant quantum computer (CRQC).
Deprecated
Primitives already broken classically — not a quantum concern, but they should not be in your supply chain at all.
Post-quantum-safe
NIST-standardized PQC schemes and symmetric/hash primitives that retain sufficient strength against quantum attack.
Unknown · inspect
General-purpose crypto provider libraries that bundle algorithms without naming one — surfaced for manual review.
The migration clock has started
NIST has finalized its first post-quantum standards — ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). NSA's CNSA 2.0 sets the timeline for federal systems to move off RSA and elliptic-curve cryptography and onto those primitives.
The threat is not only in the future. “Harvest now, decrypt later” means data exfiltrated today can be stored and broken once a cryptographically-relevant quantum computer exists. Long-lived secrets are already exposed.
Regulators and enterprise buyers have started asking for cryptographic inventories. The first step in any migration is knowing what cryptography you actually run — and that is exactly what a CBOM gives you.
How an SBOM is scored
The CBOM / PQC framework runs four checks over the cryptographic assets in an SBOM, each returning a clear pass, warning, or fail with the components responsible.
01
Cryptographic inventory present
A CBOM requires that cryptographic assets are actually enumerated. We confirm your SBOM yields one.
02
No quantum-vulnerable algorithms
Flags RSA, ECDSA, ECDH, DSA and Diffie-Hellman — the Shor-breakable schemes CNSA 2.0 retires.
03
No deprecated primitives
Flags MD5, SHA-1, 3DES and RC4 — broken classically, regardless of quantum.
04
PQC adoption
Credits NIST PQC primitives where present, with migration guidance where they are not.
Where it lives in the product
Available on the Enterprise plan.
01
Cryptography (CBOM) dashboard
Every cryptographic asset SBOMVault finds in your inventory, grouped by quantum risk — vulnerable, deprecated, post-quantum-safe, and inspect. Your migration backlog, sorted.
02
CBOM / PQC compliance framework
Scores an SBOM against the four checks above and reports it alongside NTIA, PCI, ISO and the rest of your framework matrix — one consistent pass/warn/fail view.
03
CycloneDX 1.6 crypto-asset aware
Where your tooling already emits CycloneDX 1.6 cryptographic-asset metadata, we read it directly — and we fall back to heuristic classification of library and algorithm names everywhere else.
What it is — and what it isn't
Detection works from the cryptography your SBOM describes: declared component and library names, package URLs, CPEs, and CycloneDX 1.6 cryptographic-asset metadata. It is heuristic inventory and classification, not binary analysis.
It does not — yet — reverse-engineer compiled binaries to discover undeclared cryptography. If an algorithm is statically linked and named nowhere in your SBOM, it will not appear in the CBOM. The inventory is as good as your SBOM.
That is a deliberate, honest boundary, and it is getting better as the ecosystem emits richer crypto metadata. For the cryptography your supply chain actually declares, you get a precise, CNSA-2.0-scored map of your post-quantum exposure today — which is far more than most organizations have.
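As an added example (not SBOMVault's own code) of how the four checks above and the CycloneDX 1.6 crypto-asset reading with name-based fallback described in this section fit together: each component of a constructed SBOM is put into one of the four buckets by name, a declared `primitive` from `cryptoProperties` is consulted when the name says nothing, and every check returns pass, warn or fail with the responsible components. The provider-library names and the rule that an asymmetric primitive with no recognized PQC name counts as quantum-vulnerable are this example's own assumptions.

```python
import json
import re

# Name heuristics constructed for this example from the buckets and algorithm lists on
# this page (not SBOMVault's rules); PQC first so "ML-DSA" is not caught by "dsa".
NAME_RULES = [
    ("post-quantum-safe", r"\b(ml-kem|ml-dsa|slh-dsa|aes-?256|sha-?(384|512))\b"),
    ("deprecated", r"\b(md5|sha-?1|3des|rc4)\b"),
    ("quantum-vulnerable", r"\b(rsa|ecdsa|ecdh|dsa|dh|diffie-hellman)\b"),
]
ASYMMETRIC = {"pke", "kem", "signature", "key-agree"}  # CycloneDX 1.6 'primitive' values
PROVIDERS = re.compile(r"\b(openssl|bouncycastle|libgcrypt|nss)\b")  # assumed provider names

def classify(component):
    """Bucket one SBOM component, or None if nothing about it looks cryptographic."""
    name = component.get("name", "").lower()
    for bucket, pattern in NAME_RULES:
        if re.search(pattern, name):
            return bucket
    props = component.get("cryptoProperties", {}).get("algorithmProperties", {})
    # Example's own assumption: an asymmetric primitive with no PQC name match is Shor-breakable.
    if props.get("primitive") in ASYMMETRIC:
        return "quantum-vulnerable"
    if component.get("type") == "cryptographic-asset" or PROVIDERS.search(name):
        return "unknown"  # unnamed algorithm or bundling provider: surface for manual review
    return None

def score(sbom_json):
    """Run the four checks; each returns (pass|warn|fail, responsible components)."""
    buckets = {}
    for comp in json.loads(sbom_json).get("components", []):
        bucket = classify(comp)
        if bucket:
            buckets.setdefault(bucket, []).append(comp["name"])
    vul, dep, pqc = (buckets.get(b, []) for b in ("quantum-vulnerable", "deprecated", "post-quantum-safe"))
    return {
        "inventory_present": ("pass" if buckets else "fail", [n for v in buckets.values() for n in v]),
        "no_quantum_vulnerable": ("fail" if vul else "pass", vul),
        "no_deprecated": ("fail" if dep else "pass", dep),
        "pqc_adoption": ("pass" if pqc else "warn", pqc),
    }

# Constructed CycloneDX 1.6 fragment: two crypto-asset components with metadata, two plain libraries.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "cryptographic-asset", "name": "RSA-2048", "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "pke"}}},
    {"type": "cryptographic-asset", "name": "ML-KEM-768", "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "kem"}}},
    {"type": "library", "name": "md5-js", "purl": "pkg:npm/md5-js@1.0.0"},
    {"type": "library", "name": "openssl", "purl": "pkg:generic/openssl@3.0.13"},
]})
```

Running `score(SAMPLE_SBOM)` on the constructed input fails the quantum-vulnerable and deprecated checks (RSA-2048, md5-js), passes PQC adoption (ML-KEM-768) and routes openssl to the inspect bucket.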
Know your post-quantum exposure
The CBOM dashboard and PQC compliance check are available on the Enterprise plan. Talk to us about your crypto inventory, or start free and see your SBOM-derived cryptography today.