Scan every surface where crypto hides
One guide per discovery surface — what the command does, what the results mean, and what stays on your machine (everything).
Build a cryptographic inventory
What a cryptographic inventory is, the columns a QSA expects, and how to build one in an afternoon with a free local scanner — no spreadsheet archaeology.
Scan your TLS endpoints
Probe your domains for protocol versions, cipher suites and key-exchange groups — and see whether you already negotiate hybrid X25519MLKEM768.
Inventory your SSH host keys
Read the host-key algorithm every SSH server presents — pre-authentication, no credentials, no login attempt. Put your SSH fleet in the crypto inventory.
Find the crypto in your source code
Discover crypto usage across Python, JavaScript/TypeScript, Java and Go — algorithm, key size, library and file:line — with one local command.
Scan your dependency lockfiles
Scan npm, Go, pip/poetry, Maven, Cargo and Bundler lockfiles for the cryptographic libraries your app ships — whether or not your code calls them.
Audit your certificate stores
Inventory PEM/DER certificate files and directories: key algorithm and size, signature hash, validity — with code-signing certificates flagged as priority.
Open your JKS & PKCS#12 keystores
Open .jks, .p12 and .pfx keystores locally and inventory the keys and certificates inside — where Java services and load balancers actually keep their crypto.
Scan your JWKS
Point PQLens at a JWKS URL and classify every JWT signing key behind your token layer — RSA, EC and EdDSA keys, statuses included.
Scan your configs & IaC
Read the crypto your configs declare: nginx/Apache/HAProxy TLS settings, Terraform and cert-manager key specs, and SSH authorized_keys files.
Enrich your SBOM with crypto
Feed an existing SBOM to PQLens and get every component’s cryptography attributed and classified — the CBOM your SBOM was missing.
Scan AWS KMS & ACM
Read-only, metadata-only scan of your AWS KMS keys and ACM certificates with the credentials you already have — the crypto nobody has on disk.
Verify a signed evidence pack
PQLens evidence packs are signed with ML-DSA-65 (FIPS 204) over a canonical hash. Anyone can verify one with a free command — here is how, and why it matters.