KXCO Bastion

Find every weak cipher. Fix it in minutes.

Other tools hand you a PDF report. KXCO gives you the exact code, npm packages, and ML-DSA-65 attested certificate to fix every finding.

No credit card · No agents to install · Results attested with ML-DSA-65

KXCO · Bastion
Risk · 74/100 HIGH

TARGET

api.yourservice.com

Critical  RSA certificate — quantum-vulnerable
Critical  node-rsa@1.1.1 in package.json
High      RS256 JWT algorithm detected

Remediation plan

npm install kxco-pq-vault kxco-pq-attest

Apply PQC Fix → ML-DSA-65 certificate issued on confirm

URL · package.json · Env vars · Code · ML-DSA-65 attested reports · Before/after migration code · No agents to install

RSA-2048, ECDSA, and elliptic curve Diffie-Hellman will all be broken by quantum computers within this decade. Enterprise crypto scanners require SPAN port access, Linux agents, and months of infrastructure work before you see a single result. Most teams don't have that runway. KXCO Bastion finds every vulnerable component in under 10 seconds and hands you the exact code to replace it.

Why KXCO Bastion

Enterprise scanners need an infrastructure team.

You need a URL.

Enterprise crypto scanners require SPAN port access, Linux agents, and months of infrastructure setup before you see a single result. KXCO Bastion is the opposite: zero infrastructure, self-serve, results in 10 seconds.

Capability                   | Enterprise scanners                    | KXCO Bastion
Setup required               | SPAN port + Linux LD_PRELOAD agent     | Zero — URL, code, or package.json
Platform / OS support        | Linux runtime only                     | Any OS, any stack, any language
Time to first result         | Infrastructure deployment required     | Under 10 seconds
Pricing                      | Enterprise contract, no public tiers   | Free tier — self-serve
Detects RSA / ECC / SHA-1    |                                        | ✓ 7 language ecosystems
Dockerfile / Terraform / K8s | Not documented natively                | ✓ all three, zero setup
CI/CD GitHub Actions         | Custom integration required            | ✓ one file, auto-detects manifests
CBOM export                  | ✓ (2 specific generators only)         | ✓ CycloneDX 1.6, any scan, ML-DSA-65 signed
Migration code per finding   | Impact simulation dashboard            | Before/after code + npm commands
Proof of assessment          | Proprietary control plane              | ML-DSA-65 attested — independently verifiable
PQ-native standards          | PQ migration layer on classical stack  | NIST FIPS 203/204 from day one
Target market                | Fortune 500, defense, government       | Developers, institutions, SMEs

Comparison based on publicly available product documentation from leading enterprise cryptographic posture management vendors, June 2026.

Enterprise scanners — built for large orgs

Live network + runtime scanning — powerful, but needs SPAN ports and Linux agents
FedRAMP-ready — ideal for defense and large regulated institutions
Enterprise contract only — no public pricing, no self-serve
Control plane dashboard — you see the risk, your team does the fixing

KXCO Bastion — built for everyone else

Zero infrastructure — paste a URL, package.json, or code snippet and get results in 10 seconds
Self-serve free tier — no sales cycle, no procurement, no agents to deploy
ML-DSA-65 attested report — cryptographically signed, independently verifiable, not locked in a proprietary platform
Before/after code for every finding — your team ships the fix the same day

URL & TLS Scan

Connect to any HTTPS host and check TLS version, certificate algorithm (RSA/ECC/SHA-1), and cipher suite. Results in under 10 seconds.

Dependency Analysis

Parse any package.json and flag quantum-vulnerable npm packages — node-rsa, elliptic, jsrsasign, jsonwebtoken with RS256, and 10+ more.

Environment Variable Check

Detect PEM-encoded RSA and EC private keys in submitted env vars. Findings never stored — values are scanned and discarded immediately.

Code Pattern Scanner

Regex-based scan of code snippets for RSA key generation, ECDH, SHA-1 signing, MD5, AES-128, RS256/ES256 JWTs, and more.
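The Environment Variable Check and Code Pattern Scanner described above are both pattern matchers whose output must carry evidence without leaking the matched secret. The following is an added illustration, not KXCO Bastion's own scanner: the regex rule set, the severities it assigns and the sample source and environment are constructed for this example, and the rule names (`rsa-keygen`, `math-random-key`, and so on) are assumptions.

```python
"""Pattern-based detectors for weak-crypto code and PEM private keys in
environment variables.  Added example, not KXCO Bastion's own scanner: the
rule set and the sample inputs below are constructed for illustration."""
import re

# Code rules: (rule id, severity, line pattern, remediation).  Severities follow
# the page's detection table; the regexes themselves are assumptions.
CODE_RULES = [
    ("rsa-keygen", "Critical",
     re.compile(r"generateKeyPair(?:Sync)?\(\s*['\"]rsa['\"]|\bRSA\.generate\("),
     "Plan ML-KEM-768 / ML-DSA-65 migration"),
    ("ecdh", "Critical",
     re.compile(r"\bcreateECDH\(|\bECDH\("),
     "Plan ML-KEM-768 migration"),
    ("sha1-signing", "Critical",
     re.compile(r"createSign\(\s*['\"](?:RSA-)?SHA1['\"]", re.IGNORECASE),
     "Sign with ML-DSA-65 + SHA-256"),
    ("md5", "Critical",
     re.compile(r"createHash\(\s*['\"]md5['\"]|hashlib\.md5\(", re.IGNORECASE),
     "Use SHA-256"),
    ("aes-128-cbc", "Medium",
     re.compile(r"aes-128-cbc", re.IGNORECASE),
     "Use AES-256-GCM"),
    ("jwt-rs256-es256", "High",
     re.compile(r"algorithms?\s*:\s*\[?\s*['\"](?:RS256|ES256)['\"]"),
     "Move token signing to a post-quantum layer"),
    # Math.random() counts as key material only when the line handles a
    # key/secret/token; a bare Math.random() elsewhere is not reported.
    ("math-random-key", "Critical",
     re.compile(r"(?=.*(?:key|secret|token|salt|nonce))(?=.*Math\.random\(\))",
                re.IGNORECASE),
     "Use crypto.randomBytes() / crypto.getRandomValues()"),
]


def scan_code(source):
    """Return one finding per (line, rule) hit, with the line as evidence."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for rule_id, severity, pattern, fix in CODE_RULES:
            if pattern.search(line):
                findings.append({"rule": rule_id, "severity": severity,
                                 "line": number, "evidence": line.strip(),
                                 "remediation": fix})
    return findings


# PEM headers -> (severity, description).  A PKCS#8 "PRIVATE KEY" block hides
# the algorithm, so it is reported for review (an assumption, not the page's rule).
PEM_HEADERS = [
    ("-----BEGIN RSA PRIVATE KEY-----", "Critical", "RSA private key"),
    ("-----BEGIN EC PRIVATE KEY-----", "Critical", "EC private key"),
    ("-----BEGIN PRIVATE KEY-----", "High", "PKCS#8 private key (algorithm not determined)"),
]


def scan_env(env):
    """Flag env vars holding PEM private keys.  The returned records carry the
    variable name, severity and remediation only; the value is never copied."""
    findings = []
    for name, value in env.items():
        for header, severity, what in PEM_HEADERS:
            if header in value:
                findings.append({"variable": name, "severity": severity,
                                 "finding": what,
                                 "remediation": "Move the key to a secret store and "
                                                "plan ML-DSA-65 / ML-KEM-768 migration"})
                break  # one finding per variable
    return findings


# Constructed sample inputs (not real code and not real keys).
SAMPLE_SOURCE = """\
const { generateKeyPairSync, createHash, createSign } = require('crypto');
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const digest = createHash('md5').update(body).digest('hex');
const token = jwt.sign(payload, privateKey, { algorithm: 'RS256' });
const sessionKey = Math.random().toString(36).slice(2);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
"""

SAMPLE_ENV = {
    "DATABASE_URL": "postgres://app:example@db/app",
    "JWT_PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----\\nPLACEHOLDER\\n-----END RSA PRIVATE KEY-----",
    "SIGNING_KEY": "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----",
    "API_KEY": "not-a-pem-value",
}

if __name__ == "__main__":
    for f in scan_code(SAMPLE_SOURCE):
        print(f"{f['severity']:8} L{f['line']} {f['rule']}: {f['evidence']}")
    for f in scan_env(SAMPLE_ENV):
        print(f"{f['severity']:8} {f['variable']}: {f['finding']}")
```

Two design points carry over to any scanner of this kind: the code findings keep the offending line as evidence so a reviewer can dismiss false positives on vendored or generated code, while the environment findings deliberately omit the value, matching the page's promise that key material is scanned in memory and discarded.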

ML-DSA-65 Attested Report

Every risk report is signed with the platform ML-DSA-65 key and independently verifiable via kxco-verify. Proof of your assessment, forever.

One-Click Remediation Plan

Each finding ships with npm install commands, before/after migration code, and estimated hours. Confirming generates an ML-DSA-65 remediation certificate.

How it works

Scan, report, fix — in three steps.

Quantum-safe doesn't mean complicated. KXCO Bastion is as fast as running a linter — with a remediation plan ready to ship.

1

Submit any target

10 scan types — no setup for any of them. URL/TLS, package.json (npm), requirements.txt (Python), go.mod, Gemfile, Cargo.toml, pom.xml, nginx/OpenSSL config, Dockerfile, Terraform HCL, GitHub Actions YAML, or Kubernetes manifests. Auto-detected. No agents. No install.

2

Receive your ML-DSA-65 risk report

In under 10 seconds: risk score (0–100), per-finding severity, blast radius estimate, and the exact package command or config change to fix each issue. The report is signed with ML-DSA-65 and publicly verifiable — not locked in a proprietary dashboard.

3

Apply the PQC fix

One click generates a full remediation plan: before/after code, install commands, and migration checklist. Confirming produces an ML-DSA-65 attested certificate of remediation — cryptographic proof of your migration, verifiable by anyone.

Detection coverage

What we detect — and fix.

Every finding includes an exact KXCO package command and before/after migration code.

Finding                        | Severity | Risk                                                              | Remediation
RSA-2048 / RSA-4096            | Critical | Broken in hours by Shor's algorithm — any RSA key size            | ML-KEM-768 via kxco-pq-vault
ECDSA / ECDH / X25519          | Critical | All elliptic curves broken by Shor's — no safe ECC variant exists | ML-DSA-65 / ML-KEM-768
SHA-1 signatures               | Critical | Practical collision today — broken classically and quantum        | ML-DSA-65 + SHA-256
RS256 / ES256 JWT              | High     | RSA/ECDSA JWT — authentication quantum-vulnerable                 | kxco-pq-attest token layer
Math.random() key material     | Critical | Predictable — trivial key recovery without any quantum computer   | crypto.randomBytes() / crypto.getRandomValues()
npm: node-rsa / elliptic       | Critical | RSA/ECC npm packages — quantum-vulnerable across your graph       | kxco-pq-vault / kxco-post-quantum
pip: pycrypto / ecdsa          | Critical | Abandoned/classical Python crypto — multiple CVEs + quantum risk  | pip install cryptography>=42.0 (or pqcrypto)
go.mod: crypto/rsa, ecdsa      | Critical | Go stdlib RSA/ECDSA — quantum-vulnerable with no PQ alternative   | Plan ML-DSA migration; enforce 2048+ bits now
Cargo: rsa crate <0.9.6        | Critical | Marvin timing attack (RUSTSEC-2023-0071) + quantum-vulnerable     | Update rsa>=0.9.6; plan ml-kem migration
Gemfile: rsa / jwt gems        | High     | Ruby RSA/JWT gems — quantum-vulnerable signing and encryption     | Audit; enforce HS256 minimum
pom.xml: nimbus-jose-jwt       | High     | Java JWT library with RS256/ES256 — quantum-vulnerable            | Enforce HS256; plan ML-DSA migration
TLS 1.0 / 1.1                  | Critical | Deprecated (RFC 8996) — no PQ cipher suite support possible       | TLS 1.3 + hybrid ML-KEM-768
RSA / ECDSA certificate        | High     | Classical cert — quantum-vulnerable; NIST deadline: 2035          | Plan ML-DSA-65 cert migration
nginx ssl_ciphers: RC4/DES     | Critical | Broken ciphers in production — trivial to crack without quantum   | Use AES-256-GCM + TLS 1.3 only
Dockerfile: libssl1.0          | Critical | EOL OpenSSL 1.0 — known timing attacks on RSA key generation      | Upgrade to ubuntu:24.04 (OpenSSL 3.3+)
Terraform: KMS RSA_2048        | Critical | AWS KMS RSA key — quantum-vulnerable; AWS now supports ML_DSA_65  | customer_master_key_spec = "ML_DSA_65"
K8s: RSA cert-manager          | High     | cert-manager issuing classical certs — monitor for PQC support    | Ensure key size >= 2048; watch cert-manager roadmap
AES-128-CBC                    | Medium   | Grover's algorithm halves key strength to 64 bits post-quantum    | AES-256-GCM via kxco-pq-vault

CI/CD Integration

Block quantum vulnerabilities before they deploy.

Add one file to your repository. KXCO Bastion auto-detects package.json, requirements.txt, go.mod, Gemfile, Cargo.toml, Dockerfiles, Terraform, and Kubernetes manifests — scans them all, posts an ML-DSA-65 attested report as a PR comment, and blocks the merge on Critical findings.

.github/workflows/bastion-scan.yml
# Add to .github/workflows/bastion-scan.yml
# Set KXCO_TOKEN in: repo Settings → Secrets → Actions

name: KXCO Bastion Scan
on: [pull_request, push]

jobs:
  bastion:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # for PR comments
    steps:
      - uses: actions/checkout@v4
      - name: KXCO Bastion scan
        env:
          KXCO_TOKEN: ${{ secrets.KXCO_TOKEN }}
        run: |
          # Auto-detects: package.json, requirements.txt,
          # go.mod, Gemfile, Cargo.toml, Dockerfile, *.tf, k8s/
          curl -sf https://pqc.kxco.ai/bastion-scan.yml | bash
1

Add secret

Create KXCO_TOKEN in repo Settings → Secrets → Actions. Use your API key from the dashboard.

2

Drop in the file

Copy bastion-scan.yml into .github/workflows/. Auto-detects all manifest and config files in your repo.

3

Merge with proof

Every PR gets an ML-DSA-65 attested comment. Merges are blocked on Critical findings. CBOM available for download.

CycloneDX 1.6 CBOM

Every scan exports a signed CBOM.

Every KXCO Bastion report downloads as a CycloneDX 1.6 Cryptographic Bill of Materials — the industry-standard format for cryptographic asset inventories. Each CBOM is ML-DSA-65 signed and includes NIST quantum security levels, OIDs, and evidence locations for every finding.

CycloneDX 1.6 format — compatible with enterprise security toolchains
ML-DSA-65 signed — tamper-evident, independently verifiable
NIST quantum security level: 0 for every vulnerable asset
Evidence locations — exactly where in your codebase
OIDs for all major algorithms (RSA, ECDSA, SHA-1, 3DES)
kxco-bastion-cbom.json (excerpt)
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "metadata": {
    "tools": [{ "vendor": "KXCO by Knightsbridge",
                "name": "KXCO Bastion" }],
    "properties": [
      { "name": "kxco:riskLevel", "value": "high" },
      { "name": "kxco:attestation", "value": "..." }
    ]
  },
  "components": [{
    "type": "cryptoAsset",
    "name": "RSA",
    "cryptoProperties": {
      "assetType": "algorithm",
      "algorithmProperties": {
        "primitive": "asymmetric-encryption",
        "nistQuantumSecurityLevel": 0
      },
      "oid": "1.2.840.113549.1.1.1"
    },
    "evidence": {
      "occurrences": [{
        "location": "node-rsa@1.1.1"
      }]
    },
    "tags": ["quantum-vulnerable", "shor-vulnerable"]
  }]
}
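The Dependency Analysis feature and the CBOM excerpt above describe two halves of one pipeline: flag quantum-vulnerable packages in a manifest, then record each hit as a CycloneDX 1.6 `cryptoAsset` with its OID, quantum security level and evidence location. The following is an added example that joins the two and is not KXCO Bastion's code. It covers `package.json` and `requirements.txt` (the page lists further manifest types that are not handled here); the flagged package names and the RSA OID come from the page, the ECDSA OID (`1.2.840.10045.2.1`, ecPublicKey) is a standard value, the manifests are constructed, the field names follow the excerpt above and should be checked against the CycloneDX 1.6 schema before relying on them, and the attestation value is a placeholder because signing requires the platform's ML-DSA-65 key.

```python
"""Dependency-manifest scanner that emits a CycloneDX 1.6 CBOM excerpt.
Added example, not KXCO Bastion's code.  The flagged package names and the RSA
OID are the ones on the page; the manifests below are constructed."""
import json
import re

# Quantum-vulnerable dependencies the page names, per ecosystem:
# package -> (severity, algorithm it exposes).  jsonwebtoken is deliberately
# absent: the page flags it only when RS256 use is seen in code.
VULNERABLE = {
    "npm": {
        "node-rsa": ("Critical", "RSA"),
        "elliptic": ("Critical", "ECDSA"),
        "jsrsasign": ("Critical", "RSA"),
    },
    "pip": {
        "pycrypto": ("Critical", "RSA"),   # assumption: its RSA module is the exposure
        "ecdsa": ("Critical", "ECDSA"),
    },
}

# Algorithm -> (OID, primitive).  rsaEncryption (from the page) and ecPublicKey.
ALGORITHMS = {
    "RSA": ("1.2.840.113549.1.1.1", "asymmetric-encryption"),
    "ECDSA": ("1.2.840.10045.2.1", "signature"),
}


def _finding(ecosystem, name, location):
    severity, algorithm = VULNERABLE[ecosystem][name]
    return {"package": name, "severity": severity,
            "algorithm": algorithm, "location": location}


def scan_package_json(text):
    """Flag quantum-vulnerable npm packages in dependencies and devDependencies."""
    manifest = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in VULNERABLE["npm"]:
                version = spec.lstrip("^~>=<")   # "^1.1.1" -> "1.1.1"
                findings.append(_finding("npm", name, f"package.json: {name}@{version}"))
    return findings


def scan_requirements(text):
    """Flag quantum-vulnerable PyPI packages in a requirements.txt."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        match = re.match(r"([A-Za-z0-9_.-]+)", line)
        if match and match.group(1).lower() in VULNERABLE["pip"]:
            findings.append(_finding("pip", match.group(1).lower(),
                                     f"requirements.txt: {line}"))
    return findings


def build_cbom(findings, attestation="<ML-DSA-65 signature placeholder>"):
    """Group findings per algorithm into cryptoAsset components, one evidence
    occurrence per location.  Every Shor-vulnerable asset gets NIST level 0."""
    components = {}
    for f in findings:
        oid, primitive = ALGORITHMS[f["algorithm"]]
        comp = components.setdefault(f["algorithm"], {
            "type": "cryptoAsset",
            "name": f["algorithm"],
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": primitive,
                                        "nistQuantumSecurityLevel": 0},
                "oid": oid,
            },
            "evidence": {"occurrences": []},
            "tags": ["quantum-vulnerable", "shor-vulnerable"],
        })
        comp["evidence"]["occurrences"].append({"location": f["location"]})
    severities = {f["severity"] for f in findings}
    # Constructed mapping; the page's 0-100 risk score is not reproduced here.
    risk = ("high" if severities & {"Critical", "High"}
            else "medium" if "Medium" in severities else "low")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "metadata": {
            "tools": [{"name": "example-cbom-builder"}],
            "properties": [{"name": "kxco:riskLevel", "value": risk},
                           {"name": "kxco:attestation", "value": attestation}],
        },
        "components": list(components.values()),
    }


def blocks_merge(findings):
    """CI gate from the CI/CD section: any Critical finding blocks the merge."""
    return any(f["severity"] == "Critical" for f in findings)


# Constructed sample manifests.
PACKAGE_JSON = """{
  "name": "payments-api",
  "dependencies": {"express": "^4.19.2", "node-rsa": "^1.1.1", "elliptic": "6.5.4"},
  "devDependencies": {"jest": "^29.7.0"}
}"""

REQUIREMENTS = """# constructed sample
Django==5.0.4
pycrypto==2.6.1
ecdsa>=0.18
"""


def scan_all():
    return scan_package_json(PACKAGE_JSON) + scan_requirements(REQUIREMENTS)


if __name__ == "__main__":
    found = scan_all()
    print(json.dumps(build_cbom(found), indent=2))
    print("merge blocked:", blocks_merge(found))
```

Grouping by algorithm rather than by package is what makes the CBOM useful for migration planning: one `RSA` component with several evidence occurrences tells a team how many places a single ML-KEM or ML-DSA replacement has to reach, and the `nistQuantumSecurityLevel` of 0 is what downstream tooling keys on.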

Aligned with

NIST FIPS 203 — ML-KEM-768
NIST FIPS 204 — ML-DSA-65
CycloneDX 1.6 CBOM
CSA PQC Guide · Nov 2025
RFC 8996 — TLS deprecation
OWASP Cryptographic Failures (A02)

FAQ

Common questions about scanning legacy crypto.

What does "blast radius" mean in the risk report?

Blast radius is an estimate of the operational impact if a quantum attacker broke your crypto today — exposed operations per day, data at risk in GB, and estimated migration hours. It's a decision-making tool, not a precise measurement.

Are my environment variable values stored?

Never. Submitted env var values are scanned for PEM headers and key patterns in memory, then discarded immediately. The probe record stores only the finding — variable name, severity, and remediation — never the raw value.

What happens after I click "Apply PQC Fix"?

KXCO generates a remediation plan with before/after code and npm commands for every finding. Confirming the plan produces an ML-DSA-65 signed remediation certificate — proof that the assessment was completed, independently verifiable.

Can I scan a production URL?

Yes. The TLS scanner connects to port 443, reads the certificate chain and TLS version, and disconnects. It makes no HTTP requests beyond the TLS handshake. There is a rate limit of 5 URL scans per hour per account.

How accurate are the findings?

The scanner detects what it can observe: TLS metadata, dependency names and versions, PEM-encoded keys, and code patterns. It may produce false positives on vendored or compiled code. Each finding includes the specific evidence so you can assess it.

Still have questions? Our team can walk you through how KXCO Bastion fits your stack.

Find quantum-vulnerable crypto before someone else does.

Post-quantum cryptography and ML-DSA-65 attested proof — built in from day one. Start free, no card required.

No credit card required · No agents to install · ML-DSA-65 attested results