QuTrust · Full Stack PQC Migration Engine

Quantum-vulnerable cryptography is hiding in seven places. Most tools find one.

QuTrust analyzes all seven in a single decision-intelligence engine: source code, dependencies, certificates, infrastructure configs, deployed binaries, SBOMs, and runtime tokens. Every finding mapped to FIPS 203, 204, and 205, with file-and-line evidence.

No Docker. No infrastructure. First findings in under five minutes, in our cloud or inside your perimeter.

Everyone else hands you a scan. You need a decision.

The real deadline is not 2035. U.S. rules already require agencies to replace today's encryption by 2030, and national-security systems sooner. A migration this size takes years, so the clock is already running. Yet most teams are stuck: the tools they can buy only scan, and a scan is not a migration.

7 surfaces where quantum-vulnerable cryptography hides
2030 · U.S. deadline to replace today's encryption
1 surface the best single-purpose tools cover
Most tools see one surface. Your risk lives in seven.
Vulnerable cryptography hides across code, dependencies, certificates, configs, binaries, inventories, and tokens. Single-purpose scanners cover one and call it done. You cannot plan a migration against a partial picture.
A list of findings is not a plan.
Finding the risk is easy. Turning thousands of findings into a prioritized roadmap, mapped to your auditors' standards and tied to your timeline, is the hard part, and where every other tool quits. That is the line between a scanner and a decision-intelligence engine.
A one-time report cannot prove progress.
Migration takes years, but a snapshot is stale the day it lands, and new code quietly reintroduces the risk you just cleared. Your board and your regulator want measurable progress, not a pile of disconnected reports.

All seven. One engine.

Compress years into weeks. A multi-year PQC migration begins with finding the risk across thousands of artifacts spread through your hardware and software stack. QuTrust analyzes all of them in a single engine, across the full migration lifecycle, and builds the cryptographic inventory for you. No guesswork. No CBOM or SBOM required to start.

Surface · What QuTrust finds · Competitive landscape

Source Code (Python · Java · Go · JS · TypeScript · Rust · Ruby)
  • What QuTrust finds: RSA and EC key generation calls at exact file-and-line location, each mapped to FIPS 203, 204, and 205.
  • Competitive landscape: Incomplete. SAST tools find crypto. None classify findings by quantum risk or map to post-quantum standards.

Dependency Manifests (npm · pip · Maven · Cargo · Gemfile · Go modules)
  • What QuTrust finds: Quantum-vulnerable packages (node-rsa, jsonwebtoken, crypto-js, bcrypt) flagged before they ship, risk-classified, not just listed.
  • Competitive landscape: Incomplete. SCA tools find CVE-vulnerable packages. None assess or score quantum exposure.

Existing SBOMs (CycloneDX · SPDX)
  • What QuTrust finds: Quantum-risk overlay applied directly to inventories your team already maintains. No re-analysis required.
  • Competitive landscape: Only QuTrust. No other PQC tool ingests existing SBOMs and adds quantum-risk annotation.

Certificates & Keys (PEM · CRT · CER · DER · P12 · PFX)
  • What QuTrust finds: Algorithm identification across every format, private-key markers detected, every finding assessed against the 2030 deadline.
  • Competitive landscape: Only QuTrust. No other PQC tool analyzes this surface.

Infrastructure Configs (nginx · Kubernetes · Envoy · Istio · HAProxy · Traefik · Apache)
  • What QuTrust finds: TLS settings and mTLS policies surfaced across every major load balancer, proxy, and service mesh. The crypto your infrastructure enforces, not just what developers wrote.
  • Competitive landscape: Only QuTrust. No competitor covers infrastructure configuration as a cryptographic surface.

Deployed Artifacts (.class · .dll · .so · .deb)
  • What QuTrust finds: Runtime binaries analyzed for vendored libraries, build-time dependencies, renamed crypto packages, and embedded cryptographic code invisible to source-level scanners.
  • Competitive landscape: Partial. The one surface artifact-focused PQC tools cover, with language and format limits.

JWT Tokens (RS256 · RS384 · ES256 · ES384 · PS256)
  • What QuTrust finds: Runtime authentication flows analyzed for quantum-vulnerable signing algorithms, identified at the point of issuance.
  • Competitive landscape: Only QuTrust. No other PQC tool reaches runtime token analysis.

Start from the inventory you already keep
CMDB-native, not another console
A scanner makes you hand it a list of what to check, then leaves the results in a console nobody opens twice. QuTrust works the other way around. Connect ServiceNow, BMC Helix, and other CMDB platforms, and QuTrust reads your asset inventory straight from the system you already trust, then analyzes what it finds there for quantum exposure. No list to build by hand. No CBOM or SBOM required to start.

Analyze. Map. Move.

Discovery is the starting line, not the finish. QuTrust takes you from raw artifacts to a roadmap your teams can execute, on a timeline your board can track.

1. Analyze
The engine reads your artifacts across the full hardware and software stack to uncover cryptographic algorithms and risks that do not align with modern standards.
2. Map
The risk engine translates architectural risk into clear transition roadmaps tied directly to your operational timelines.
3. Move
Your development teams execute migration workflows using automated guidance to preserve long-term data protection.

One engine. Your choice of where it runs.

The same proprietary engine powers every deployment mode, so the choice is about where your data lives, not what your tool can find. Most enterprise customers run more than one path in parallel: one for the compliance workflow, one for the build pipeline.

No-Code · Hosted
QuTrust Cloud
A no-code interface that runs entirely in your browser, hosted in a secure, isolated cloud. Nothing to install, no terminal. Connect GitHub, cloud drives, or object storage, or drop files straight in, and drive intake, reports, and CMDB integration without writing a line of code.
Built for: CISOs, GRC leads, compliance officers, mid-market security teams, and commercial unclassified workloads.
Low-Code · In your environment
QuTrust CLI
A signed binary that runs entirely inside your perimeter. Source, certificates, configs, and binaries never leave your environment unless you choose to sync findings. A tiny surface (qutrust login, qutrust scan) and declarative CI/CD, gating pull requests in an afternoon.
Built for: regulated environments, including those aligned to FINRA and HIPAA requirements, and environments where SaaS is not an option.
Hybrid · Enterprise & Federal
Coming Soon
Dedicated Tenant
The no-code experience of the Cloud combined with the data sovereignty of the CLI, deployed as a dedicated, single-tenant instance inside your own cloud environment. The platform, the engine, and every finding stay within boundaries you control.
Built for: large enterprise and federal programs.

Same engine. Same findings. Same standards. The only variable is where your data lives.

Your code, keys, and binaries never leave your network.

QuTrust analyzes the most sensitive assets you own: proprietary source, production binaries, and the private keys behind every certificate. No bank, insurer, or government agency can hand those to a third-party cloud. So in the CLI and dedicated-tenant modes, QuTrust does not ask. It deploys inside your environment, and the analysis stays there.

0 · Zero data egress
In CLI and dedicated-tenant modes, source, certificates, private keys, and binaries are analyzed in place. Nothing is uploaded or retained by a vendor. The complete map of your quantum-vulnerable assets, the most dangerous inventory in your organization to leak, never leaves your control.
3 · Deploy on your terms
Hosted cloud for commercial speed, a CLI inside your perimeter for data sovereignty, or a dedicated tenant that combines both, including fully air-gapped configurations. Agentless. Works on legacy systems without modification.
100% · Yours, end to end
Meeting the migration deadline should not force you to violate the data-residency rules you are already bound by. Run the engine where you choose: no new third-party processor, no new breach surface, no new compliance review you did not ask for.
Deploys as: Hosted cloud · CLI in your perimeter · Dedicated tenant · Air-gapped

No integration tax. No blind spots.

Every other PQC approach forces you to buy a three to five product stack and stitch it together. The exposure lives in the gaps between those tools, and the intelligence lives in a proprietary engine they do not have. QuTrust closes both.

7/7
Complete surface coverage
One analysis closes every cryptographic surface at once. No integration work, no blind spots between tools, no dashboards to reconcile. Your complete quantum exposure picture, in one place.
Proprietary risk engine
QuTrust does not pattern-match strings like a scanner. The engine interprets what each artifact actually does, classifies its quantum risk, and maps it to FIPS 203, 204, and 205. This is intelligence no SAST, SCA, or BOM tool can produce.
File-and-line evidence
Every finding includes the exact file path and line number, not a vague risk score, not a count. Actionable evidence your engineers can triage and remediate without a second tool to locate the issue.

Actionable data. Standards-native. Generated where you run.

QuTrust is not a BOM generator and it is not a scanner. It is a proprietary analysis engine that speaks the formats your pipeline already consumes. Every audit produces machine-readable artifacts, ready to ingest into your CMDB, GRC platform, or remediation tracker.

Quantum Exposure Report
Every quantum-vulnerable algorithm mapped to file and line, prioritized, with remediation guidance and a risk classification (Banned, Mixed, or Compliant), plus the insights needed to migrate Cloud, IT, and OT assets.
CycloneDX CBOM
A CycloneDX Cryptography Bill of Materials, the de facto standard for cryptographic inventory disclosure. Hand it to federal procurement, your auditor, or your customer's supply-chain security team without translation.
Dependency SBOM
Your existing CycloneDX or SPDX inventory, enriched with quantum-risk annotation. No re-analysis required if you already maintain an SBOM.
Board-Ready PQC Migration Insights
Compliance deadlines are a moving target. Start now.
Context-Aware
FIPS 203 · FIPS 204 · FIPS 205 · Coming July 2026 · CNSA 2.0 · NIST IR 8547 · EO 14028

Discovery is the starting line.

A first audit produces a continuous baseline. Every subsequent scan compares against it, so progress toward 2035 is measurable, not anecdotal. From the baseline, the work splits into three streams.

Banned
Remediate first.
RSA-1024, SHA-1, and similar end-of-life algorithms are non-negotiable. QuTrust flags them at the top of the queue with the file, the line, and the FIPS replacement.
Mixed
Plan into the roadmap.
RSA-2048, ECDSA, and similar quantum-vulnerable-but-not-yet-broken algorithms get scheduled into your remediation plan on the path to 2035.
Compliant
Monitor for regression.
New code re-introduces vulnerable crypto. CI/CD integration fails builds that bring back banned or mixed algorithms, so progress does not quietly reverse.
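.github/workflows/qutrust.yml
# Gate every pull request on quantum exposure
name: QuTrust Audit
on: pull_request
jobs:
  qutrust:                          # job id is illustrative
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed: the audit needs the repository checked out
      - name: QuTrust Audit
        uses: arcqubit/qutrust-action@v1
        with:
          token: ${{ secrets.QUTRUST_TOKEN }}   # stored as a repository secret, never inline
          project: my-service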

From discovery to full migration.

A phased plan across Cloud, IT, and OT, aligned to NIST, CISA ACDI, and sector regulators. One roadmap, every environment, so nothing falls between the teams that own it.

Phase 1 (2025-2028): Discover and protect
Phase 2 (2025-2031): Hybrid transition
Phase 3 (2031-2035): Full migration

Cloud: SaaS, IaaS, PaaS
Phase 1
  • Workload crypto analysis
  • KMS and secrets audit
  • Compliance baseline
Phase 2
  • Hybrid KMS rotation
  • API gateway hybrid TLS
  • CSP PQC validation
Phase 3
  • Full PQC service mesh
  • Retire classical KMS
  • PQC by default

IT: Enterprise networks and endpoints
Phase 1
  • PKI and CA inventory
  • VPN headend upgrade
  • Code signing pipeline
Phase 2
  • Hybrid PKI rollout
  • SSH and TLS 1.3 migration
  • HSM PQC validation
Phase 3
  • PKI root re-issuance
  • Retire classical certs
  • Full PQC enforcement

Critical: OT, ICS, and mission systems
Phase 1
  • Asset and crypto inventory
  • Boundary gateway design
  • OEM PQC requests
Phase 2
  • PQC gateways deployed
  • Operator workstation hardening
  • Firmware dual-signing
Phase 3
  • Safety and mission firmware
  • Asset fleet migration
  • Retire classical crypto

Continuous governance and executive reporting throughout: what is protected, what is not, and what happens next.

Built for the people who own the answer.

CISOs & GRC Leadership
The board wants a timeline. You need a real inventory first.
You cannot scope a migration you cannot see, or prove progress against an inventory that is stale on delivery.

QuTrust gives you portfolio-wide visibility across all seven surfaces, a CycloneDX CBOM your team can act on, and a quantum-risk-prioritized remediation queue. Board-ready, regulator-ready, built on evidence, not estimates.
Engineering & DevSecOps
Close the ticket and mean it.
Scanners miss things: vendored libraries, build-time dependencies, the JWT tokens your services issue every second. One regression slips in, and your name is on the sign-off.

QuTrust gives you file-and-line evidence across all seven surfaces, FIPS-mapped findings, and CI/CD gating that fails the build when banned crypto returns. In your pipeline, not your inbox.
Federal & Defense Programs (Coming Soon)
SaaS is a non-starter. Coverage still isn't.
Your workloads are controlled, classified, or air-gapped. "Upload your source to our cloud" ends the conversation. The 2035 mandate does not care.

QuTrust runs as a signed binary entirely inside your perimeter, or as a dedicated tenant within boundaries you control. Source, certs, and binaries never leave unless you choose to sync. Full seven-surface coverage with evidence your ATO package can cite (FedRAMP, ITAR, CMMC).

Priced to your deployment and boundary.

Every plan runs the same proprietary engine across all seven surfaces and maps findings to FIPS 203, 204, and 205. What changes is where it runs and how deep the compliance workflow goes. Start with a free audit, and we will scope from there.

Cloud
Custom
No-code, hosted in a secure cloud. Fastest path to a board-ready answer.
  • All 7 surfaces, one engine
  • No-code dashboard and connectors (GitHub)
  • CBOM, SBOM, and quantum exposure report
  • CMDB integration
Federal / Dedicated
Coming Soon
Custom
Sovereign and air-gap capable, within boundaries you control.
  • Everything in Enterprise
  • Dedicated single-tenant instance in your environment
  • Air-gapped deployment
  • FedRAMP, ITAR, and CMMC alignment and ATO support

Just shipping code? QuCode is the self-serve, developer path, from $50 a month.

Built by the people who defend the real thing.

Credentials
VOSB · WOSB · CAGE · SAM.gov registered and active
National-security pedigree
ArcQubit's co-founders built their careers inside big tech firms and in high-stakes environments, including Sandia National Laboratories, Pacific Northwest National Laboratory, and government research entities domestically and internationally. The people reading your risk exposure have defended the real thing.
Research, not marketing
Our solutions are grounded in peer-reviewed research, not slideware. ArcQubit's founders have authored dozens of publications, including the first framework to formally define dual quantum technology risk. The science is published, not promised.
Veteran-led, federal-ready
Co-founded and led by a U.S. Army combat veteran of the 82nd Airborne, ArcQubit already holds the credentials federal and defense work demands: VOSB, WOSB, CAGE, and active SAM.gov registration. The mission discipline and the contracting paperwork are both in place, not on a roadmap.
Enterprise and government fluency
The team has experience providing leadership across the Department of War, NASA, the Missile Defense Agency, the largest federal contractors in the country, and the International Atomic Energy Agency. That range means ArcQubit speaks two languages fluently: the commercial language of an enterprise decision-maker, and the compliance language of a federal program office.

Frequently asked questions.

How is QuTrust different from a scanner?
A scanner pattern-matches strings on one surface and hands you a list. QuTrust is a full-spectrum quantum exposure engine. It interprets what each artifact does across all seven surfaces, classifies its quantum risk, maps every finding to the GRC standard that replaces it, and turns the result into a prioritized migration roadmap. A scan is a snapshot. QuTrust is the plan.
What are the seven surfaces?
Source code, dependency manifests, existing SBOMs, certificates and keys, infrastructure configs, deployed binaries, and runtime JWT tokens. Most tools cover one. QuTrust covers all seven in a single engine.
Do we need an existing SBOM or CBOM to start?
No. QuTrust builds context from your raw artifacts, and it reads your asset inventory straight from the CMDB and other artifacts you already maintain, including ServiceNow and BMC Helix. If you already keep a CycloneDX or SPDX SBOM, QuTrust enriches it rather than re-analyzing it.
Where does our data live?
Wherever your rules require. Run QuTrust hosted in our cloud for speed, as a CLI inside your own perimeter, or as a dedicated tenant in your environment. In CLI and dedicated-tenant modes, your source, certificates, private keys, and binaries are analyzed in place, with zero data egress.
How do findings map to the standards our auditors ask about?
Every finding maps to FIPS 203, 204, and 205, with outputs aligned to CNSA 2.0, NIST IR 8547, and EO 14028. QuTrust produces a CycloneDX CBOM, a dependency SBOM, and a quantum exposure report, all standards-native and ready for procurement, your auditor, or a customer's supply-chain security team.
What deadline are we actually working against?
The binding near-term deadline is 2030, when U.S. rules require replacing today's algorithms like RSA and ECDSA, with national-security acquisitions affected as early as 2027. 2035 is the final cutoff. A migration of this scale takes years, so PQC migration activities need to start now.
How does QuTrust relate to QuCode?
QuCode is the self-serve developer product, covering the five code-time surfaces from $50 a month. QuTrust is the enterprise product, covering all seven surfaces with full deployment, sovereignty, and compliance options. Teams often start with QuCode and grow into QuTrust as the organization scales.

See your full cryptographic exposure. All seven surfaces.

Run QuTrust in our cloud for a board-ready answer in minutes, or inside your own perimeter where your data never leaves your network. Either way: every surface, every finding mapped to FIPS, file by file. No Docker. No guesswork about what got missed.

Hosted cloud, CLI, or dedicated tenant. Federal & enterprise: book a working session.