Post-Quantum Readiness
What Is a Cryptographic Inventory and Why Every Enterprise Needs One Before PQC Migration
Learn what a cryptographic inventory is and why it's the first step for post-quantum migration — then scan your domain free to inventory your public TLS, certificates, and algorithms in minutes.
What Is a Cryptographic Inventory and Why Every Enterprise Needs One Before PQC Migration Ask a security director at any large organization a simple question: "Where does cryptography live in your infrastructure?" Most will not have a complete answer. They know which firewalls they deploy, which VPN concentrators they run, which certificate authorities issue their TLS certificates. But a comprehensive, searchable, up to date inventory of every cryptographic component — algorithms, key sizes, certificates, libraries, protocols, and vendor managed crypto — rarely exists. Without a cryptographic inventory, you cannot: Know whether RSA 2048 is still in use anywhere Assess the blast radius of a certificate expiration Answer a regulator who asks about your quantum readiness Prioritize which systems to migrate first to post quantum cryptography (PQC) Prove to your board that you understand your cryptographic risk A cryptographic inventory is not a compliance checkbox. It is the foundational dataset every organization needs before it can begin its PQC migration. What a Cryptographic Inventory Includes A cryptographic inventory is a structured catalog of every cryptographic asset across an organization's infrastructure, applications, and services. It answers five essential questions: 1. What algorithm is being used? (RSA, ECC, AES, SHA 2, etc.) 2. What key size is in play? (RSA 2048 vs RSA 4096, ECC P 256 vs P 384) 3. Where is it deployed? (Which host, service, application, TLS endpoint) 4. Who manages it? (Internal team, third party vendor, cloud provider) 5. How critical is it? (What data does it protect, and what is the blast radius?) A mature cryptographic inventory includes: TLS certificate inventory — every certificate, issuer, algorithm, expiry date, SAN entries across all public facing endpoints Code level crypto dependencies — which libraries (OpenSSL, BoringSSL, Bouncy Castle) and algorithms are called in application code Infrastructure crypto — SSH host keys, VPN cipher suites, database encryption, cloud KMS keys, HSM resident keys Vendor managed crypto — cryptographic components inside SaaS platforms, third party APIs, managed PKI services Protocol and configuration data — TLS versions, cipher suites, signature algorithms in active negotiation Most organizations discover they have far more cryptographic assets than they assumed — often thousands of certificates and dozens of algorithm/key size combinations. Why a Crypto Inventory Is the Prerequisite for PQC Migration NIST published FIPS 203 (ML KEM), FIPS 204 (ML DSA), and FIPS 205 (SLH DSA) in 2024. These are the post quantum cryptographic standards that will eventually replace RSA, ECDSA, and ECDH across most enterprise deployments. But you cannot migrate what you cannot see. PQC migration is a per asset decision process that requires knowing: Exactly which systems rely on RSA 2048 Which TLS endpoints negotiate ECDHE with P 256 Which X.509 certificates use SHA 256 with RSA signatures Which third party services introduce cryptographic dependencies you do not control Which assets can be upgraded independently and which are tightly coupled With a cryptographic inventory, you can prioritize by risk, group by dependency, identify vendor blockers, estimate effort, and track progress. How to Build a Cryptographic Inventory There are three broad approaches: External Discovery (Passive, Metadata Only) : Examines publicly visible endpoints — DNS records, TLS handshakes, certificate chains, H