Documentation

Cisora CryptoScan

Find all of your cryptography, learn what quantum computers will break, and produce the regulator-ready inventory you'll be asked for — without any private key ever leaving your environment.

Overview

Cisora CryptoScan is a cryptographic discovery and Cryptographic Bill of Materials (CBOM) platform. It answers four questions about your organization's cryptography, continuously:

Why this matters

Today's public-key cryptography — RSA and elliptic-curve (ECC/ECDSA) — secures nearly all internet traffic. A sufficiently large quantum computer running Shor's algorithm breaks it. Two facts make this urgent now, not later:

Harvest now, decrypt later. Encrypted data captured today can be stored and decrypted once quantum arrives. Long-lived secrets are already exposed.
Hard deadlines. India's CBOM-readiness window (~Dec 2026), CNSA 2.0 (from 2027), and NIST/NCSC timelines require organizations to inventory and migrate their cryptography.

You can't migrate what you can't see. The first step every framework requires is discovery — an accurate inventory of where your cryptography lives.

Run your first scan

1. Enter a domain

Go to scan.cisora.io (or the box on our home page) and enter a domain you own or operate, e.g. yourcompany.in. No signup, no install.

2. We scan your public surface

We enumerate every subdomain ever certified for your domain via Certificate Transparency logs, then probe each live TLS endpoint.

3. Read your report

You get a quantum-readiness grade (A–F), the percentage of your public-facing cryptography that is quantum-vulnerable, certificates nearing expiry, weak TLS/ciphers, and a teaser CBOM.

The free scan only ever looks at your external surface and reads public metadata. It never connects into your network and never sees a private key.

How it works

CryptoScan has four layers. The free scan uses the first two; the paid product adds internal discovery and the full CBOM.

| Layer | What it does |
| --- | --- |
| Discovery | Finds cryptography across network/TLS, Certificate Transparency logs, cloud KMS/HSM, code repositories, and endpoints. |
| Classification | Maps every algorithm to a quantum-readiness status using a deterministic, auditable rules table (see below). |
| CBOM | Generates a standards-based OWASP CycloneDX Cryptographic Bill of Materials from the verified inventory. |
| Migration & monitoring | Prioritizes fixes, tracks progress, re-scans continuously, and alerts on new risk or expiring certificates. |

Crypto classification

Whether an algorithm is quantum-vulnerable is a known fact, not a judgment call. CryptoScan classifies every finding against a hard-coded, auditable rules table grounded in NIST FIPS 203/204/205, NIST IR 8547, CNSA 2.0, and SP 800-131A. An AI model never decides this — a hallucinated "RSA is safe" in a compliance artifact would be catastrophic.

| Algorithm | Status | Why |
| --- | --- | --- |
| RSA, ECC/ECDSA, DH, DSA | Quantum-vulnerable | Broken by Shor's algorithm |
| AES-128 | Weakened | Grover halves its strength — prefer AES-256 |
| AES-256, SHA-256/384/512 | Acceptable | Tolerable under quantum attack |
| 3DES, RC4, MD5, SHA-1 | Broken | Already broken classically — deprecate now |
| ML-KEM, ML-DSA, SLH-DSA | Quantum-safe | NIST PQC standards (FIPS 203/204/205) |
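
An added example (not Cisora's code) of a deterministic, fail-closed classifier that applies the table above to IANA TLS cipher-suite names. The alias map, the `Unknown` status and its rank, and the sample suite names are assumptions made for illustration.

```python
import re

# Worst first. The page ranks Broken, then Quantum-vulnerable, then Weakened;
# "Unknown" and its position are assumptions added for fail-closed handling.
ORDER = ["Broken", "Quantum-vulnerable", "Unknown", "Weakened", "Acceptable", "Quantum-safe"]
TABLE = {  # transcribed from the table above
    "Quantum-vulnerable": ["RSA", "ECC", "ECDSA", "DH", "DSA"],
    "Weakened": ["AES-128"],
    "Acceptable": ["AES-256", "SHA-256", "SHA-384", "SHA-512"],
    "Broken": ["3DES", "RC4", "MD5", "SHA-1"],
    "Quantum-safe": ["ML-KEM", "ML-DSA", "SLH-DSA"],
}
STATUS = {alg: status for status, algs in TABLE.items() for alg in algs}
# Added aliases (assumption): spellings used in IANA TLS cipher-suite names.
ALIASES = {"ECDHE": "ECC", "ECDH": "ECC", "DHE": "DH", "SHA": "SHA-1", "SHA1": "SHA-1"}
# Structure and mode tokens; they name no algorithm from the table.
SKIP = {"TLS", "WITH", "GCM", "CBC", "CCM", "EDE"}


def classify(token):
    """Exact-match lookup; anything unlisted is Unknown, never safe."""
    return STATUS.get(ALIASES.get(token, token), "Unknown")


def classify_suite(name, kx=None):
    """Return (worst_status, {algorithm: status}) for a cipher-suite name.

    kx is the negotiated key-exchange algorithm for TLS 1.3, whose suite
    names omit it; when it is not supplied it is reported as Unknown.
    """
    norm = re.sub(r"AES_(\d+)", r"AES-\1", name.upper())
    norm = re.sub(r"RC4_\d+", "RC4", norm)
    norm = re.sub(r"SHA(\d{3})", r"SHA-\1", norm)
    tokens = [t for t in norm.split("_") if t not in SKIP]
    findings = {ALIASES.get(t, t): classify(t) for t in tokens}
    if "_WITH_" not in name.upper():  # TLS 1.3 style name
        findings["key-exchange"] = classify(kx) if kx else "Unknown"
    worst = min(findings.values(), key=ORDER.index, default="Unknown")
    return worst, findings


# Constructed sample input: suite names as a TLS probe might report them.
SAMPLES = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
           "TLS_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify_suite(s))
```

A TLS 1.3 suite name alone never yields a clean verdict here, because the key exchange is negotiated separately and has to be classified from the handshake.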

The readiness grade

Each scan rolls up into a single A–F grade so non-specialists can act. It's computed deterministically from finding severities: classically broken issues (expired certs, RC4, TLS 1.0) weigh heaviest, then quantum-vulnerable public-key crypto, then weakened algorithms. The grade is a starting point — the findings list tells you exactly what to fix and in what order.

The CBOM

A Cryptographic Bill of Materials is the inventory artifact regulators ask for: a machine-readable list of every cryptographic asset, its properties, and its quantum-readiness. CryptoScan exports the industry-standard OWASP CycloneDX cryptography format, plus an India-framework-shaped view. The free scan shows a teaser; the full CBOM (covering internal certs, SSH keys, KMS/HSM keys, and crypto usage in code) is part of the paid product.
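
An added example (not the product's exporter) of emitting certificate and algorithm entries in CycloneDX 1.6 cryptographic-asset form while refusing any record that contains private key material. The record fields, the `example:quantum-status` property name and the sample hosts are constructed assumptions.

```python
import hashlib
import json

def build_cbom(inventory):
    """Build a CycloneDX 1.6 CBOM (as a dict) from scanner metadata records."""
    components, seen = [], set()
    for r in inventory:
        # Metadata-only rule: refuse any record that carries key material.
        if any("PRIVATE KEY" in str(v) for v in r.values()):
            raise ValueError("private key material in record for " + r["host"])
        alg_ref = "alg:" + r["sig_alg"].lower()
        if alg_ref not in seen:  # one component per algorithm, shared by reference
            seen.add(alg_ref)
            components.append({
                "type": "cryptographic-asset", "bom-ref": alg_ref, "name": r["sig_alg"],
                "cryptoProperties": {
                    "assetType": "algorithm",
                    "algorithmProperties": {"primitive": "signature",
                                            "nistQuantumSecurityLevel": r["pq_level"]}},
                # Hypothetical property name carrying the rules-table verdict.
                "properties": [{"name": "example:quantum-status", "value": r["status"]}],
            })
        components.append({
            "type": "cryptographic-asset", "name": r["host"],
            # Public fingerprint of the certificate bytes, used as the reference.
            "bom-ref": "cert:" + hashlib.sha256(r["der"]).hexdigest(),
            "cryptoProperties": {
                "assetType": "certificate",
                "certificateProperties": {
                    "subjectName": r["subject"], "issuerName": r["issuer"],
                    "notValidAfter": r["not_after"], "signatureAlgorithmRef": alg_ref,
                    "certificateFormat": "X.509"}},
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": components}

def sample_record(host, sig_alg, status, pq_level):
    """Constructed sample record; 'der' stands in for the public certificate bytes."""
    return {"host": host, "subject": "CN=" + host, "issuer": "CN=Example Test CA",
            "not_after": "2026-06-30T00:00:00Z", "sig_alg": sig_alg,
            "status": status, "pq_level": pq_level, "der": b"constructed:" + host.encode()}

SAMPLE = [sample_record("www.example.test", "SHA256withRSA", "Quantum-vulnerable", 0),
          sample_record("api.example.test", "SHA256withRSA", "Quantum-vulnerable", 0),
          sample_record("pq.example.test", "ML-DSA-65", "Quantum-safe", 3)]

if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE), indent=2))
```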

Free external scan

The free scan is a complete, one-time readiness report for your public surface. Use it to get an instant grade, surface forgotten subdomains and shadow certificates, and catch certificates expiring this month. It requires no account and no access to your systems — it's also the fastest way to see what CryptoScan does before you bring it inside.

Continuous monitoring

Inside the dashboard, add a domain to continuous monitoring. CryptoScan re-scans it on a daily or weekly cadence, compares each scan to the last, and emails you when something regresses:

With 47-day certificate lifetimes becoming the norm, manual tracking does not scale; this is the safety net.

Plans

| Plan | What you get |
| --- | --- |
| Free | One-time external scan, readiness grade, shareable report, CBOM teaser. |
| Starter | Continuous external monitoring, certificate-expiry alerting, scheduled re-scans. |
| Growth | Internal discovery (cloud + code), full CycloneDX CBOM export, compliance reports, migration tracking. |
| Enterprise | SSO/RBAC, on-prem or air-gapped deployment, MSSP/white-label, dedicated support. |

To discuss a plan or see internal discovery on your own environment, book a demo.

Security & privacy

We are a crypto-hygiene vendor, so our own posture is non-negotiable:

FAQ

Do you need access to my servers for the free scan?

No. The free scan reads only public Certificate Transparency data and connects to your public TLS endpoints the same way any browser would.

Will you ever see my private keys?

Never. By design, every scanner — external or internal — collects metadata and public fingerprints only. This is the single most important rule in the product.

Is the quantum-vulnerability verdict AI-generated?

No. It comes from a hard-coded, auditable rules table grounded in published NIST standards. AI is used only for optional conveniences like plain-language summaries — never for classification or CBOM contents.

Can I scan a domain I don't own?

Please only scan domains you own or are authorized to assess. The free scanner validates and rate-limits input.

What standards do you align to?

NIST FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA), NIST IR 8547, CNSA 2.0, SP 800-131A, and the OWASP CycloneDX CBOM format, mapped to the India (MeitY/TEC/BIS) framework.