NIST FIPS 203/204 · ML-KEM-768 · ML-DSA-65

Host with proof.Scan. Fix. Attest.

Two products on one platform. PQC Host deploys any GitHub repo with ML-DSA-65 attestations and Bastion pre-deploy scanning. KXCO Bastion scans any stack for quantum-vulnerable cryptography and hands you the fix.

Get Started Free →See Live Demo

No credit card · No agents · ML-DSA-65 on every deploy and attestation

PQC Host · DeployingLive

JackKXCO/my-saas-app · main · Next.js

KXCO Bastion scan: passed
Build successful — 2m 14s
ML-DSA-65 attestation issued

pqc.kxco.ai/sites/3f8a2c1d… →

KXCO Bastion · Scan result74/100 HIGH

api.yourservice.com · package.json

CriticalRSA certificate — quantum-vulnerable
Criticalnode-rsa@1.1.1 in package.json
HighRS256 JWT algorithm detected

Apply PQC fix → ML-DSA-65 certificate issued

GitHub → deploy in < 3 min·Bastion on every build·ML-DSA-65 attestation·NIST FIPS 203/204

Every hosting platform can't prove what it deployed. Every crypto scanner stops at the report. RSA-2048 and ECDSA — the algorithms underneath every existing cloud host, CDN, and npm crypto library — will be broken by Shor's algorithm within this decade. KXCO Cloud is the only platform that signs every deployment with ML-DSA-65 and scans your stack for quantum-vulnerable cryptography before every build.

PQC Host

Other platforms give you hosting.

We give you proof.

Feature
Vercel / Netlify / Fly
KXCO Cloud
Static + Node.js hosting
GitHub auto-deploy
Free TLS
Pre-deploy security scan
Some
✓ KXCO Bastion
Quantum-vulnerability detection
ML-DSA-65 deployment attestation
Independently verifiable proof
01

Connect your GitHub repo

Paste any public or private GitHub URL. Framework auto-detected in under 3 seconds — Next.js, React, Vue, Svelte, static, Node.js all supported.

02

Bastion scans before we build

Before a single line compiles, Bastion checks your package.json for quantum-vulnerable dependencies. Critical findings block the deploy.

03

ML-DSA-65 attestation issued

The moment your build completes, the platform signs a deployment manifest: commit SHA, build timestamp, Bastion result, and live URL. Verifiable forever.

Deploy free →1 site free · ML-DSA-65 attestation included

KXCO Bastion

Enterprise scanners need infrastructure teams.

You need a URL.

Enterprise crypto scanners require SPAN port access and Linux LD_PRELOAD agents before you see your first result. KXCO Bastion requires a URL, a package.json, or a code snippet — and returns an ML-DSA-65 attested report in under 10 seconds. Full comparison →

Feature
Enterprise scanners
KXCO Cloud
Setup required
SPAN port + Linux LD_PRELOAD agent
Zero — paste any file or URL
Time to first result
Infrastructure deployment required
Under 10 seconds
Pricing
Enterprise contract only
Free tier — self-serve
Detects RSA / ECC / SHA-1 / weak TLS
✓ 7 language ecosystems
Dockerfile / Terraform / Kubernetes
Not documented natively
✓ all three, zero setup
GitHub Actions CI/CD
Custom integration required
✓ JackKXCO/bastion-action@v1
CBOM export
✓ (2 specific generators only)
✓ CycloneDX 1.6, ML-DSA-65 signed
Migration code per finding
Impact simulation dashboard
✓ Before/after code + npm commands
Proof of assessment
Proprietary control plane
✓ ML-DSA-65 — independently verifiable
PQ-native standards
PQ migration on classical stack
✓ NIST FIPS 203/204 from day one
01

Submit any target

10 scan types — no setup for any of them. URL/TLS, package.json (npm), requirements.txt (Python), go.mod, Gemfile, Cargo.toml, pom.xml, nginx/OpenSSL config, Dockerfile, Terraform HCL, GitHub Actions YAML, Kubernetes manifests. Auto-detected.

02

Receive your ML-DSA-65 attested report

Risk score (0–100), per-finding severity, blast radius estimate, and the exact KXCO package command for every fix. Every report is ML-DSA-65 signed and exports as a CycloneDX 1.6 CBOM.

03

Apply the PQC fix

One click generates before/after code and npm commands for every finding. Confirming produces an ML-DSA-65 certificate of remediation — independently verifiable forever.

Run free scan →No agents · No SPAN ports · Results in 10 seconds

Security architecture

The only platform built on NIST post-quantum standards from day one.

Deployment attestationML-DSA-65 (NIST FIPS 204) — every build
Storage encryptionML-KEM-768 + AES-256-GCM (NIST FIPS 203)
Security levelCategory 3 — AES-192 equivalent
Pre-deploy scanKXCO Bastion — quantum-vulnerability detection
Audit log integritySHA-256 hash-chain + ML-DSA-65 signatures
VerificationIndependent — no server contact required
Open-source primitiveskxco-post-quantum on npm (Cure53 audited 2024)

New · Optimize for AI

AI crawlers are reading your competitor's site and ignoring yours.

Most sites accidentally block the crawlers that feed AI answer engines. We fix the technical foundation — robots.txt configuration, llms.txt, JSON-LD schema, and citation monitoring. From $500.

See the full service →

Pricing

Both products. One plan.

Every tier includes PQC Host and KXCO Bastion. No weaker tier. No attestation fees.

Free

$0

no card needed

Try both products.

1 site
Bastion scan on deploy
ML-DSA-65 attestation
1 Bastion probe / day
kxco-verify access
Start free

Starter

$12

/month

For individuals.

3 sites
1 custom domain
Auto-deploy on push
10 Bastion probes / day
CycloneDX 1.6 CBOM export
Start Starter
Best value

Pro

$49

/month · best value

For teams.

10 sites
Unlimited custom domains
Unlimited Bastion probes
CycloneDX 1.6 CBOM + CI/CD action
Remediation certificates
Start Pro

Enterprise

Custom

volume pricing

Regulated industries.

Unlimited sites
On-prem key management
White-label API
CI/CD integration
SLA + dedicated support
Contact sales

Prices in USD. Contact us for volume pricing.

FAQ

Common questions.

What does the ML-DSA-65 deployment attestation prove?+

It proves that a specific git commit, from a specific repo, was deployed to a specific URL at a specific time — and that the deployment wasn't tampered with afterwards. Verifiable by anyone using kxco-verify, with no account and no connection to KXCO required.

Does Bastion block my deploy if it finds vulnerabilities?+

Only for Critical severity. High and Medium findings appear in the attestation report but don't block the build. You can also disable the scan.

What hosting frameworks are supported?+

Next.js, React (Vite / CRA), Vue, Svelte, static HTML/CSS/JS, and Node.js Express/Fastify. Framework is auto-detected from package.json in under 3 seconds.

What does Bastion scan?+

URLs (TLS version + certificate algorithm), package.json (12+ quantum-vulnerable npm packages including node-rsa, elliptic, jsonwebtoken), environment variables (PEM-encoded RSA/EC keys), and code snippets (RSA keygen, ECDH, SHA-1 signing, AES-128, RS256 JWTs).

What happens to my attestations if KXCO stops operating?+

They remain verifiable forever. The verification is mathematical — it depends only on the ML-DSA-65 signature and the platform public key published at /.well-known/kxco-pq-pubkey.

Can I use Bastion without PQC Host?+

Yes. Bastion is available as a standalone product. Run probes against any URL, package.json, or code snippet from the dashboard — no site deployment required.

Still have questions? Talk to us →

Deploy with proof.Scan and fix. Ship faster.

PQC Host and KXCO Bastion on one platform, from day one. Start free, no card required.

Get Started Free →Contact Sales

No credit card · NIST FIPS 203/204 · Both products included free