Evidence signature
Public signals bind to governed proof.
No customer data.
QScout proof sequence. Evidence Handshake. public-to-private proof path. No customer data.
You can't protect what you can't see. Build a complete inventory of your cryptographic assets to identify quantum-vulnerable encryption and prioritize your PQC migration.
A Cryptographic Bill of Materials (CBOM) is a comprehensive inventory of all cryptographic assets within an organization — algorithms, keys, certificates, libraries, and configurations. It answers the fundamental question: “What cryptography are we using, where, and is it quantum-safe?”
Just as SBOM (Software Bill of Materials) catalogs software dependencies for supply chain security, CBOM catalogs cryptographic implementations for quantum readiness. The key difference: CBOM goes deeper into how cryptography is configured and deployed, not just which libraries are present.
Without a complete CBOM, PQC migration is impossible to plan, budget, or execute. You cannot prioritize what you haven't inventoried. You cannot estimate migration timelines without knowing the full scope of quantum-vulnerable cryptography in your environment.
A complete CBOM covers six critical areas across your infrastructure, applications, and data stores.
RSA, ECC, AES, SHA, 3DES, and all cryptographic algorithms deployed across applications and infrastructure.
Key sizes, rotation policies, and cryptographic parameters that determine security strength.
Root CAs, intermediate CAs, certificate chains, and trust hierarchies.
HSMs, cloud KMS, vaults, and all systems responsible for key lifecycle management.
All crypto libraries, SDKs, and dependencies in your software supply chain.
TLS versions, cipher suites, and cryptographic protocol settings.
Building a complete CBOM requires multiple complementary discovery approaches. No single method captures everything.
Passive inspection of TLS handshakes, certificate exchanges, and encrypted protocol negotiations to identify algorithms and configurations in transit.
Static analysis of source code, binaries, and dependencies to identify cryptographic function calls and library usage.
Direct inspection of server configurations, HSM settings, and key management system exports.
Comprehensive mapping of all certificates, their algorithms, validity periods, and trust chains.
Active probing of APIs and endpoints to determine cryptographic posture and supported algorithms.
QScout's multi-level module stack builds your CBOM across discovery, cryptographic inventory, PQC readiness, and evidence workflows.
Certificate chains, cipher suites, protocol versions, and handshake analysis
HSM configurations, KMS policies, key rotation, and lifecycle management
CA hierarchies, certificate policies, revocation mechanisms
DKIM, DMARC, SPF, S/MIME, and email transport encryption
JWT/JWE, API authentication, session management, token signing
SSH, IPSec, VPN configurations, and protocol crypto
Database encryption, file system crypto, backup encryption
PQC readiness, HNDL exposure, hybrid TLS, migration gaps
Point-in-Time Scan: QScout delivers initial CBOM findings in 7 days, providing a complete snapshot of your cryptographic posture.
Continuous Monitoring: Ongoing subscription tracks cryptographic drift, new deployments, and configuration changes in real-time.
CBOM data exports to JSON and SARIF formats for integration with existing CMDB, SBOM tools, and vulnerability management platforms.
Maps directly to NIST CSF 2.0 cryptographic controls and feeds into Board Number risk calculations for executive reporting.
Not all cryptographic assets require immediate attention. Use this framework to prioritize migration based on risk, complexity, and business impact.
Public, Internal, Confidential, Restricted, Top Secret — each level increases migration priority.
Shor-vulnerable algorithms (RSA, ECC, DH) scored higher than symmetric algorithms with adequate key lengths.
Systems with deep crypto dependencies, legacy code, or third-party constraints require more time.
Revenue-generating systems, customer-facing applications, and regulatory-scoped assets prioritized.
| System | Sensitivity | Vulnerability | Complexity | Criticality | Priority Score |
|---|---|---|---|---|---|
| Customer Payment API | 95 | 90 | 70 | 100 | 91.5 |
| Internal HR Portal | 60 | 85 | 40 | 50 | 62.5 |
| Public Marketing Site | 10 | 85 | 20 | 30 | 36.0 |
A practical framework for creating your first cryptographic inventory in 4 weeks.
Identify all systems, applications, and infrastructure components that will be included in the cryptographic inventory. Set coverage targets (e.g., 95%+ of enterprise systems) and define success criteria.
Implement network traffic analysis, code scanning, and configuration auditing tools. Configure passive monitoring and schedule active scans across all in-scope environments.
Document all cryptographic algorithms in use, key lengths, and configurations. Create a structured inventory database with consistent naming conventions.
Map certificate authorities, certificate chains, key management systems (HSMs, KMS), and certificate lifecycle management processes across the organization.
Identify all cryptographic libraries, SDKs, and third-party dependencies. Integrate with existing SBOM processes and identify version-specific vulnerabilities.
Score each cryptographic asset against quantum vulnerability criteria. Apply the prioritization framework to rank systems for migration planning.
Implement ongoing cryptographic drift detection, change management integration, and regular review cadence to keep the CBOM current.
Initial CBOM creation typically takes 2-4 weeks for mid-sized organizations and 1-3 months for large enterprises. This includes automated discovery (1-2 weeks), manual verification and gap-filling (1-2 weeks), and classification/prioritization (1 week). QScout Surface, Silver, or Gold can shorten the first discovery cycle to about 7 days, and organizations that need ongoing drift detection can extend into QScout Pulse afterward.
Cryptographic discovery combines multiple approaches: network traffic analysis (TLS inspection, protocol scanning), static code analysis (grep-based and AST parsing), configuration audits (HSM, KMS, PKI), certificate transparency log monitoring, API endpoint scanning, and SBOM integration. QScout Surface, Silver, and Gold bring these methods together in deeper scoped engagements when a fast first-step scan is no longer enough.
Best practice is continuous monitoring with formal reviews quarterly. At minimum, update the CBOM whenever major infrastructure changes occur, new applications deploy, or cryptographic policies change. NIST and OMB M-23-02 recommend maintaining a current inventory as part of PQC migration readiness.
SBOM (Software Bill of Materials) lists all software components and dependencies in an application. CBOM (Cryptographic Bill of Materials) specifically inventories cryptographic algorithms, keys, certificates, and related configurations. A CBOM can be derived from SBOM data but goes deeper into cryptographic implementation details that SBOM alone does not capture.
Get your complete CBOM with a scoped assessment. QScout automatically discovers and classifies cryptographic assets across your enterprise, with dedicated quantum-risk analysis for PQC readiness assessment.