Cryptographic Bill of Materials (CBOM)

QCecuring CBOM discovers, inventories, and assesses cryptographic assets across your infrastructure — certificates, keys, algorithms, and protocols — generating a standards-compliant CycloneDX v1.6 CBOM with quantum risk classification and compliance attestations.

What CBOM Solves

Crypto Visibility — No unified view of certificates, keys, and algorithms deployed across endpoints, file systems, keystores, cloud services, and Active Directory
Quantum Risk — Unknown exposure to quantum-vulnerable algorithms (RSA, ECDSA, DH) with no path to post-quantum readiness
Compliance Gaps — Inability to attest conformance to CNSA 2.0, NIST PQC, or FIPS 140-3 requirements
Manual Tracking — Spreadsheet-based crypto inventories that go stale immediately

CBOM automates discovery with distributed sensors, classifies risk automatically, and exports machine-readable CycloneDX CBOMs for supply chain integration.

Core Capabilities

Automated Discovery

Deploy sensors near your infrastructure to scan:

HTTPS/TLS endpoints (certificate chains, cipher suites, protocol versions)
File systems (PEM, DER, CRT, P12, JKS files)
Java Keystores (JKS, PKCS#12)
SSH keys
Windows Certificate Stores
Source code (crypto API calls, hardcoded keys)
Binaries (DLL, EXE, SO, JAR — linked crypto libraries, embedded keys)
AWS services (ACM, KMS, IAM)
Active Directory / LDAP (ADCS certificates, templates)

→ Discovery & Scanners

Centralized Inventory

All discovered assets in a single searchable view:

Asset types: certificate, private-key, public-key, symmetric-key, algorithm, protocol, signature
Filtering by type, algorithm, risk level, lifecycle state, scanner source
Content-based deduplication (SHA-256 fingerprint)
Lifecycle state tracking (NIST SP 800-57)

→ Inventory

Quantum Risk Classification

Automatic risk scoring for every asset:

Risk Level	Meaning	Examples
CRITICAL	Broken or deprecated	MD5, SHA-1, DES, RC4, TLS 1.0/1.1
HIGH	Quantum-vulnerable	RSA, ECDSA, ECDH, DH, DSA
MEDIUM	Reduced strength under Grover’s	AES-128
LOW	Adequate with margin	AES-192
NONE	Quantum-safe	AES-256, SHA-256+, ML-KEM, ML-DSA

Maps to NIST Quantum Security Levels (QSL 0–5) in CycloneDX export.

→ PQC Readiness

Compliance & Attestations

Policy templates for cryptographic standards:

CNSA 2.0 (NSA Commercial National Security Algorithm Suite)
NIST PQC (Post-Quantum Cryptography standards)
FIPS 140-3 (approved algorithms and key sizes)
Custom policies

→ Compliance

CycloneDX v1.6 Export

Standards-compliant CBOM output including:

bom-ref on every component (enables dependency graph)
dependencies section (issuer chains, signer, keystore containment)
Full algorithmProperties (primitive, parameterSetIdentifier, mode, OID, nistQuantumSecurityLevel)
certificateProperties with extensions and fingerprint
relatedCryptoMaterialProperties for keys
BOM-Link URN generation for SBOM cross-referencing

→ Import/Export

Relationship Visualization

Interactive SVG graph showing:

Certificate issuer chains
Key-to-certificate associations
Keystore containment
Signer relationships

→ Relationships

Platform Pages

Page	Purpose
Dashboard	Risk overview, asset counts, scan activity
Inventory	Browse and search all crypto assets
Sensors	Manage deployed sensors and scan runs
Alerts	Alert rules and scheduled scanning
Relationships	Visualize asset relationships
Compliance	Policy evaluation and attestations
Import/Export	CycloneDX import/export and BOM-Link
Users	User management (admin/viewer roles)

Next Steps

Architecture — How the components fit together
Setup Guide — Deploy the API, sensor, and UI
Discovery & Scanners — Configure scanner types