Inspiration

Every secure connection you make today — every TLS handshake, SSH login, signed software update, VPN tunnel — is protected by asymmetric cryptography: RSA, ECDSA, ECDH, EdDSA. A sufficiently large quantum computer running Shor's algorithm breaks all of it. Not weakens — breaks.

The unsettling part is the timing. "Harvest now, decrypt later" (HNDL): an adversary records your encrypted traffic today and decrypts it the moment a cryptographically-relevant quantum computer exists. For anything with a long secrecy lifetime — health records, financial data, credentials, intellectual property, state secrets — the breach has, in effect, already happened. You just can't see it yet.

And it's now mandated. NIST finalized the post-quantum standards (FIPS 203/204/205) and, in IR 8547, deprecates RSA/ECDSA after 2030 and disallows them after 2035. OMB M-23-02 requires US agencies to produce annual cryptographic inventories; CNSA 2.0 and the EU roadmap set hard deadlines. Every regulated organization has to migrate this decade.

But step one of every one of those mandates is the same sentence: "produce a complete cryptographic inventory." You cannot migrate what you cannot see — and almost no organization can see it. That blind spot is what we set out to close.

## This is not a code-scanning problem

The instinct is to treat this as "scan the source for crypto." That misses where the risk actually lives:

  • It's broadcast on the wire. A server's certificate, key size, and negotiated key-exchange announce themselves in every handshake — no source, no access, no exploit needed. Crypto is the one vulnerability class that advertises itself publicly.
  • It's in binaries you didn't build. The OpenSSL in a container image, the Go binary in production, the vendored library three dependencies deep — all carry quantum-vulnerable crypto, and none of it is in your source tree.
  • And the truly hard question isn't "where is the crypto" — it's "which of it matters." Finding crypto is commoditized (open-source scanners do it). Ranking it by what data flows through it, how long that data must stay secret, and when the algorithm actually breaks is a data-governance and threat-horizon problem. That's the open research gap ("Gap G1") nobody has filled — and it's the layer that turns a 50,000-line scan dump into the three things you must fix first.

Formally, this is Mosca's inequality — if the time your data must stay secret plus the time to migrate exceeds the time until a quantum computer arrives, you are already too late:

$$X + Y > Z$$

where $X$ = data-secrecy lifetime, $Y$ = migration time, $Z$ = time until a cryptographically-relevant quantum computer. Aegis estimates all three — across the wire, the source, and the binaries — and ranks your exposure by them.

## What it does

Aegis is a quantum cryptographic posture-management platform. It discovers an organization's quantum-vulnerable cryptography across three surfaces, reasons about which findings actually matter, and closes the loop with verified fixes — all tracked as a continuous lifecycle in AWS Aurora PostgreSQL.

  • Black-box (zero integration): point it at a domain. In seconds it inspects TLS / SSH / mail (STARTTLS) cryptography, enumerates forgotten shadow subdomains via Certificate Transparency logs ("you think you have 12 services — here are 47, and this legacy-api is still live"), and flags the catastrophic case: endpoints with no forward secrecy, where a single future key-break retroactively decrypts every session ever recorded under that key.
  • White-box (repo access): finds quantum-vulnerable crypto and classical crypto misuse (hardcoded keys, reused nonces, ECB mode, weak RNG, MD5/SHA-1). An LLM triage layer kills false positives and judges reachability; findings are prioritized, a crypto-agility migration PR is opened, and a re-verify step re-scans and flips resolved rows red → green.
  • Binary & container tier (no source at all): scans compiled binaries and container images — pulled daemonlessly straight from the registry — for crypto across OpenSSL, Go, Rust, Windows CNG/CAPI, and Apple ecosystems. It emits a standards-compliant CycloneDX CBOM and a NIST IR 8547 / CNSA 2.0 compliance posture.

Every asset walks a lifecycle — Discovered → Triaged → PR-open → Migrated → Verified — and a re-scan closes the loop.

## How we built it

  • Frontend: Next.js, deployed on Vercel.
  • Database — the product, not storage: AWS Aurora PostgreSQL as a lifecycle state machine + audit trail. Multi-tenant from day one: API-key auth, RBAC (viewer/member/admin), strict tenant isolation, and real posture-trend snapshots accrued per scan (we record real history; we never fabricate a past).
  • Black-box scanner: Python — ssl/cryptography for TLS, ssh-keyscan, SMTP STARTTLS, and crt.sh / CT APIs for shadow-subdomain discovery.
  • White-box scanner: Semgrep + Gitleaks → SARIF → Claude for triage, reachability reasoning, and prioritization → GitHub API for auto-forked fix PRs → Semgrep re-run for closed-loop verification.
  • Binary tier: LIEF + Capstone — symbol analysis, standard-curve constant scanning, direct-call reachability, symbol-free structural big-integer detection, and selector value-set recovery for OpenSSL-3 generic dispatch — all sandboxed; CycloneDX CBOM output; OS-package provenance via dpkg/apk.

## Challenges we ran into

  • Precision on real binaries. A program that statically over-links OpenSSL looks like it uses every algorithm. We built a reachability gate and value-set analysis so an AES-only binary linking libcrypto does not false-positive RSA/ECC — validated to 0 false positives across 2,176 real binaries.
  • You must not let an LLM write crypto. A 2026 study found AI-generated crypto is vulnerable ~57% of the time (nonce reuse, hardcoded secrets) — and a single bad nonce is full key recovery. So our automation only performs the agility refactor against a verified library, gated behind differential + size-assertion tests and human review. It never authors a primitive, mode, nonce, or RNG.
  • Honesty under a fear-prone topic. Breaking TLS collapses the communications/identity trust layer — it lets an attacker decrypt recorded sessions and impersonate a server. It does not hand them a shell or your database. We claim the first precisely and never the second; that precision is the product's credibility.
  • Migration is not find-and-replace. PQC keys and signatures are 4–50× larger (an ML-DSA-65 signature ≈ 3,309 B vs. ECDSA ≈ 64 B), which silently breaks deployed stacks — blowing past the TLS packet MTU, the initial congestion window, and the DNSSEC size limit. Reasoning about that blowup is the product.

## Accomplishments we're proud of

  • A real, measured binary detector: real-world precision 1.0 / recall 0.974 across 2,700+ binaries we did not compile, scored against an independent ground-truth oracle — not a self-graded demo.
  • A genuinely closed loop: discover → prioritize → fix PRre-verify red→green, end-to-end on live targets.
  • Aurora as the product — a queryable, auditable migration system-of-record with real multi-tenant security, not a backing store.
  • Three discovery surfaces — perimeter, source, and binary/container — unified under one CycloneDX-standard inventory.

## What we learned

Detection is the wedge, not the moat. Scanning for vulnerable crypto commoditizes — Semgrep is open-source, CBOMkit is free. The durable value is everything downstream of the finding: reasoning about what actually matters, fixing it correctly, and being the auditable record of migration progress against a deadline. The company that becomes the system-of-record during the migration window wins — and that's what we designed Aurora to be from day one.

## What's next

Continuous monitoring with change alerts; CI/CD gates and a Kubernetes admission controller; auditor-ready compliance exports (M-23-02, CNSA 2.0, EU PQC roadmap); CBOM signing + VEX / SBOM linkage; broader coverage (JVM, .NET, firmware); and a cross-customer data flywheel that improves false-positive filtering at scale.

Built With

Share this project:

Updates