IT-RAT the stack/qryx GitHub ↗
crypto plane · wave 1

Qryx. Find every key and algorithm, grade the quantum risk, migrate on your schedule.

A crypto audit tells you what your architecture documents say you run. Qryx tells you what is actually running: it scans binaries, containers, live TLS, certificates, dependencies and cloud KMS, and comes back with a cryptographic asset graph instead of a slide deck. Every asset gets a post-quantum grade against the NCSC's 2028, 2031 and 2035 milestones, and CI fails the day a new weak key ships, not at the next audit cycle.

releasev0.2.0 · prebuilt binaries
coreGo 1.27 · ML-DSA (FIPS 204)
scansbinaries · containers · TLS · cloud KMS · source · certs
outputCBOM · NCSC report · signed evidence
milestonesNCSC 2028 · 2031 · 2035
sixty seconds, one estate

Watch it find every key in the building.

This is a simulation, but the shape is real: it replays a live run against 25,586 ELF binaries, a container image and a live TLS endpoint. A quantum-vulnerable cert turns up mid-sweep. The evidence at the end is signed with a post-quantum algorithm, not a promise.

under the hood

One graph. Every report reads the same one.

Five kinds of sources feed one scan engine: binaries, containers, live TLS, cloud KMS, and source plus Terraform. Findings dedupe into an asset graph keyed on algorithm, key size and risk class, so a certificate that is both expired and quantum-vulnerable gets two nodes, not one silently overwriting the other. CBOM, the CNSA audit, the NCSC readiness report and the migration plan all read that same graph, so they cannot disagree with each other.

binaries ELF · PE · Mach-O containers docker save · OCI live TLS handshake + leaf cert cloud KMS AWS · GCP · Azure source + IaC Go · Py · JS/TS · HCL qryx core one graph, every report agrees detectors 7 sources → one model dedup graph risk-class-aware keys CNSA · NCSC grading context risk beats compliance reports + evidence CBOM · CycloneDX 1.6 CNSA 2.0 audit → NCSC PQC readiness migration plan, ranked by agility ed25519 · ECDSA P-256 · ML-DSA sha256 digest, self-verifying agent-events crypto_finding · crypto_drift policy_violation · evidence_signed onto the shared bus · agent-passport SPEC.md §6.2
what it holds

Not a PDF audit. A graph that grades itself.

CBOM

CycloneDX 1.6, one component per unique asset and risk class, every occurrence attached. It plugs into the same supply-chain tooling that already tracks your SBOMs, so cryptography stops living in its own isolated report.

Harvest now, decrypt later

Data encrypted with a quantum-vulnerable algorithm today can be captured now and decrypted once a cryptographically relevant quantum computer exists. NIST standardized the replacements in 2024; NCSC's clock runs discovery by 2028, the highest-priority systems by 2031, everything by 2035.

Post-quantum signing

Evidence attestations sign with ML-DSA (FIPS 204) straight from Go's stdlib, crypto/mldsa, no cosign dependency. All three security levels, ML-DSA-44/65/87, live-verified end to end against real openssl-generated keys.

Context beats compliance

The asset graph keys on risk class as well as algorithm and key size, so a certificate that is both expired and quantum-vulnerable gets two findings instead of one silently overwriting the other. That exact bug turned up scanning a real endpoint, and it is fixed.

CI drift gate

Snapshot the graph, then fail the build the moment a new weak or quantum-vulnerable asset appears: a baseline diff exits 2 on new high-risk findings. The policy engine exits 3 on a standards violation; a regressed compliance trend exits 3 too.

Agent-aware

The agents connector inventories the governance stack's own trust surface: Agent Passport attestation crypto and the agent-event hash chain's prev_hash integrity. Identity stays Idryx's job; this connector stays strictly on the crypto axis.

an honest comparison

You cannot migrate what you cannot see.

A crypto audit and a CSPM checkbox both ask about cryptography. Neither one reads the binary.

QryxAnnual crypto auditCSPM checkbox
CadenceEvery commitYearly PDFWeekly dashboard
Sees binariesSymbol-level, incl. static fallbackNoNo
Post-quantum gradingNCSC + CNSA milestonesA consultant's opinionNone
EvidenceSigned, ML-DSA optionalSlide deckScreenshot
Cost of a findingA failed CI runA remediation projectA ticket nobody owns
in the stack

The inventory the rest of the stack borrows from.

Qryx emits every finding as an agent-event onto the shared bus that Platform defines and every service writes to. It watches the same estate TokenFuse spends against, the binaries, endpoints and keys underneath the calls TokenFuse meters. Mockryx can demand a crypto reaction in its drills too: an expect.event assertion that a fire drill actually produced a crypto_finding, not silence.

try it now
qryx scan .
qryx tls api.anthropic.com:443

Grab a v0.2.0 binary from the releases page (Linux, macOS, Windows, SHA256SUMS included), or build from source: the ML-DSA toolchain downloads itself on the first build, Go 1.27.