PQLensGuides › Scan your TLS endpoints
100% local · nothing leaves your machine

Scan your TLS endpoints

One command shows the protocol version, cipher suite, key-exchange group and certificate chain your servers actually present — including whether the handshake is classical ECDHE or hybrid post-quantum.

pqlens scan tls example.com
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. Run pqlens scan tls yourdomain.com — add more hosts (or host:port) in one command.
  2. PQLens performs a real handshake and records the negotiated protocol, cipher suite and key-exchange group.
  3. Hybrid key exchange (X25519MLKEM768) is reported as hybrid; classical ECDHE is quantum-vulnerable — which is normal today, not negligence.
  4. The certificate chain is inventoried too: key algorithm, size, signature hash and expiry.

What “quantum-vulnerable” means here

Almost every certificate and key exchange on the public internet today is RSA or elliptic-curve — secure against classical attackers, vulnerable to a future cryptographically relevant quantum computer. That is the industry baseline, not a finding to panic over. The reason to measure it now is harvest-now-decrypt-later: recorded traffic can be decrypted retroactively, so long-lived secrets over classical key exchange are already exposed. Browsers and CDNs are moving to hybrid X25519MLKEM768 — this scan shows whether your servers have.

Endpoint limits

The free tier probes up to 10 endpoints per scan — enough for a real look at your estate. Pro removes the limit and adds --fail-on so a CI job can fail when an endpoint regresses, plus scan history and drift so you can see when an endpoint changed.

Frequently asked questions

Does scanning send anything to PQLens servers?

No. The scanner connects directly from your machine to the hosts you name, and the results stay local.

Is RSA-2048 in my certificate a problem today?

Against classical attackers, no — RSA-2048 is fine today. NIST plans to deprecate it after 2030 and disallow it after 2035, which is why it belongs in your inventory with a migration date, not an incident ticket.

How do I know if my server already does post-quantum key exchange?

If the negotiated group is X25519MLKEM768, PQLens reports the handshake as hybrid. If you see classical ECDHE groups, your TLS terminator does not offer a PQC hybrid yet.

How many endpoints can I scan?

Ten per scan on the free tier; unlimited on Pro.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.