A crypto audit tells you what your architecture documents say you run. Qryx tells you what is actually running: it scans binaries, containers, live TLS, certificates, dependencies and cloud KMS, and comes back with a cryptographic asset graph instead of a slide deck. Every asset gets a post-quantum grade against the NCSC's 2028, 2031 and 2035 milestones, and CI fails the day a new weak key ships, not at the next audit cycle.
This is a simulation, but the shape is real: it replays a live run against 25,586 ELF binaries, a container image and a live TLS endpoint. A quantum-vulnerable cert turns up mid-sweep. The evidence at the end is signed with a post-quantum algorithm, not a promise.
Five kinds of sources feed one scan engine: binaries, containers, live TLS, cloud KMS, and source plus Terraform. Findings dedupe into an asset graph keyed on algorithm, key size and risk class, so a certificate that is both expired and quantum-vulnerable gets two nodes, not one silently overwriting the other. CBOM, the CNSA audit, the NCSC readiness report and the migration plan all read that same graph, so they cannot disagree with each other.
CycloneDX 1.6, one component per unique asset and risk class, every occurrence attached. It plugs into the same supply-chain tooling that already tracks your SBOMs, so cryptography stops living in its own isolated report.
Data encrypted with a quantum-vulnerable algorithm today can be captured now and decrypted once a cryptographically relevant quantum computer exists. NIST standardized the replacements in 2024; NCSC's clock runs discovery by 2028, the highest-priority systems by 2031, everything by 2035.
Evidence attestations sign with ML-DSA (FIPS 204) straight from Go's stdlib, crypto/mldsa, no cosign dependency. All three security levels, ML-DSA-44/65/87, live-verified end to end against real openssl-generated keys.
The asset graph keys on risk class as well as algorithm and key size, so a certificate that is both expired and quantum-vulnerable gets two findings instead of one silently overwriting the other. That exact bug turned up scanning a real endpoint, and it is fixed.
Snapshot the graph, then fail the build the moment a new weak or quantum-vulnerable asset appears: a baseline diff exits 2 on new high-risk findings. The policy engine exits 3 on a standards violation; a regressed compliance trend exits 3 too.
The agents connector inventories the governance stack's own trust surface: Agent Passport attestation crypto and the agent-event hash chain's prev_hash integrity. Identity stays Idryx's job; this connector stays strictly on the crypto axis.
A crypto audit and a CSPM checkbox both ask about cryptography. Neither one reads the binary.
| Qryx | Annual crypto audit | CSPM checkbox | |
|---|---|---|---|
| Cadence | Every commit | Yearly PDF | Weekly dashboard |
| Sees binaries | Symbol-level, incl. static fallback | No | No |
| Post-quantum grading | NCSC + CNSA milestones | A consultant's opinion | None |
| Evidence | Signed, ML-DSA optional | Slide deck | Screenshot |
| Cost of a finding | A failed CI run | A remediation project | A ticket nobody owns |
Qryx emits every finding as an agent-event onto the shared bus that Platform defines and every service writes to. It watches the same estate TokenFuse spends against, the binaries, endpoints and keys underneath the calls TokenFuse meters. Mockryx can demand a crypto reaction in its drills too: an expect.event assertion that a fire drill actually produced a crypto_finding, not silence.
Grab a v0.2.0 binary from the releases page (Linux, macOS, Windows, SHA256SUMS included), or build from source: the ML-DSA toolchain downloads itself on the first build, Go 1.27.