You can't migrate to post-quantum what you can't see.
MCert is Antrapol's continuous crypto inventory and monitoring platform: automated CycloneDX CBOM/SBOM discovery across your entire estate, quantum-risk scoring, and signed, regulator-ready reporting — so your whole cryptographic estate stays continuously visible.
CycloneDX CBOM/SBOM · Quantum-risk scoring · Continuous monitoring · Secure regulatory reporting
Standards-based discovery, mapped to the frameworks your regulators track
The problem
Most organizations can't plan a PQC migration — they're planning it blind
RSA and ECC keys, certificates, protocols and crypto libraries are scattered across servers, applications, network devices, containers and code repositories. Nobody has a single, current view of where quantum-vulnerable cryptography actually lives — and you can't prioritize a migration you can't measure.
No inventory, no plan
Without knowing which algorithms, certificates, keys and protocols are deployed, PQC migration planning is impossible and unknown weaknesses go unaddressed.
Point-in-time audits go stale
Manual, ad-hoc discovery is out of date the moment it's collected — every asset that changes between audit cycles is missed.
Fragmented formats
Each team and tool produces inventory differently, so aggregation, comparison and regulatory reporting become inconsistent and labour-intensive.
No quantum-risk lens
You can't systematically assess which assets are quantum-vulnerable without mapping discovered crypto to known vulnerability classes and migration priorities.
The inventory is itself a target
A crypto inventory reveals your security posture and weaknesses — without encryption and access control, the inventory becomes a high-value asset for attackers.
No safe channel to regulators
Sharing posture reports with regulators such as NACSA and BNM needs end-to-end encrypted transfer with verifiable integrity — ad-hoc methods risk leakage.
The core thesis is simple: you cannot migrate to post-quantum cryptography what you cannot see. MCert makes the crypto estate continuously visible, standardized, risk-scored against the quantum threat, and safely reportable.
How it works
Continuous discovery, standardized output, quantum-risk scoring
Lightweight, ephemeral scanners run against your assets on a schedule you control. Every result is normalized to CycloneDX, risk-scored, and stored encrypted — then surfaced on a real-time dashboard and packaged into signed reports.
Discover — zero-footprint, ephemeral scanners
Containerized scanners deploy to a target with only a container runtime as a prerequisite, find every algorithm, certificate, key, protocol and crypto library, then are removed — leaving no residual data behind. A stateless agent is the only component that touches your infrastructure.
Standardize — CycloneDX CBOM & SBOM
Outputs from every scanner are normalized into canonical CycloneDX, ending format fragmentation and making your inventory machine-comparable, mergeable across tools, and regulator-ready.
Assess — quantum-risk scoring
The Risk Profile engine tags quantum-vulnerable (RSA / ECC / DH without a PQC hybrid), deprecated and weak-parameter cryptography, computes a per-asset and per-category risk score, and derives a PQC migration-readiness score.
Monitor & report — continuously
Scheduled scans keep the inventory fresh; threshold alerts fire when risk climbs. Reports are digitally signed for integrity and non-repudiation, and can be encrypted to a recipient for secure transfer to regulators.
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"metadata": {
"component": { "name": "payments-api", "type": "application" }
},
"components": [
{
"type": "cryptographic-asset",
"name": "RSA-2048",
"cryptoProperties": {
"assetType": "algorithm",
"algorithmProperties": {
"primitive": "signature",
"parameterSetIdentifier": "2048",
"nistQuantumSecurityLevel": 0
}
}
},
{
"type": "cryptographic-asset",
"name": "ML-KEM-768",
"cryptoProperties": { "assetType": "algorithm" }
}
]
}
Quantum-risk scoring
A default risk matrix your experts will recognize
Every discovered component is classified against a transparent default matrix — and subscribers can layer their own custom risk policies and thresholds on top of the platform defaults.
| Risk class | What MCert flags |
|---|---|
| Quantum-vulnerable | RSA, ECC and DH used without a PQC hybrid — the assets to prioritize for migration. |
| Deprecated | MD5, SHA-1, DES, 3DES and RC4 — legacy primitives that should already be gone. |
| Weak parameters | RSA below 2048-bit and ECC below 256-bit key sizes. |
| Expiring certificates | Certificates falling inside a configurable expiry threshold. |
| Non-compliant configuration | Protocol versions and cipher suites that don't meet policy. |
| Unknown / unrecognized | Algorithms the scanners can't map to a known classification. |
Risk scores recalculate automatically on every scan, and a PQC migration-readiness score tracks the share of components that are PQC-native or protected by a hybrid PQC configuration. Findings map to NIST SP 800-131A, MySEAL, NACSA guidelines and BNM RMiT — MCert maps to these frameworks; it does not claim certification against them.
Capabilities
Everything you need to run a crypto-agility observability program
Continuous discovery
Scheduled scans — monthly, quarterly, fortnightly, half-yearly, yearly or on a specific date — plus on-demand scans, across servers, applications, network devices, container clusters and code repositories.
Zero-dependency scanners
Scanners ship as signed container images and run in an isolated container with resource limits, then are destroyed. The catalogue supports registering open-source tools like CycloneDX utilities, Syft, Grype and OWASP Dependency-Check.
CycloneDX normalization
Every result — CBOM, SBOM, SPDX or proprietary — is normalized to canonical CycloneDX, with duplicate detection and multi-scanner merge by algorithm, version and location.
Real-time dashboard
Algorithm distribution, a PQC-readiness gauge, certificate-expiry timeline, risk-score trend, scan coverage and mitigation progress — all updating as inventory and risk change.
Inventory versioning & diff
Each scan creates a new snapshot per asset, so you get historical comparison, change tracking, and a clear added / removed / modified diff between any two points in time.
Closed-loop remediation
Mitigation plans (e.g. RSA → ML-DSA) tie to live findings; when a later scan shows the component remediated, the plan is auto-completed with scan evidence — progress measured against the real environment.
PQC-native protection
The inventory is encrypted at rest per subscriber with AES-256-GCM; the agent channel and reports are signed with ML-DSA or the sovereign KAZ-SIGN option, with key encapsulation via ML-KEM or the sovereign KAZ-KEM option.
Secure regulatory reporting
Full-inventory, change, risk, PQC-readiness, compliance and executive reports — signed for non-repudiation and optionally encrypted to a regulator's key for secure transfer. Output as PDF, JSON (CycloneDX), CSV or HTML.
Multi-tenant & self-service
Subscriber admins register assets, configure schedules, view inventory and track mitigation within their own tenancy, with RBAC roles and strict per-tenant data isolation.
Use cases
One platform, three jobs it does immediately
Pre-migration assessment
Establish a baseline: where does quantum-vulnerable RSA/ECC live, which certificates and keys are weak or expiring, and what should you migrate first? Turn a blind migration into a prioritized, evidence-based plan.
Compliance & audit
Produce signed, tamper-evident reports mapped to NIST SP 800-131A, MySEAL, NACSA and BNM RMiT, and share them with regulators over an encrypted secure-transfer channel — with a digitally signed audit trail behind every change.
Ongoing drift monitoring
Scheduled scans and snapshot diffs catch new quantum-vulnerable crypto the moment it's introduced, alert on risk-threshold breaches, and keep the PQC-readiness picture current — turning a one-off project into a continuous program.
Step 1 of PQC migration
Discover → Govern → Prove
MCert is the observability layer of the MyPQC platform, and the natural first step of any post-quantum migration. You discover your entire crypto estate here; the Crypto Agility Core Engine lets you govern and swap algorithms by policy; and MCert's signed reporting lets you prove progress to auditors and regulators over time.
You can't orchestrate PQC migration or enforce crypto policy on assets you can't see — which is exactly why continuous inventory comes first.
Discover — MCert
Continuous CycloneDX CBOM/SBOM inventory and quantum-risk scoring across the estate.
Govern — Crypto Agility Core
Change and enforce cryptographic algorithms by policy — including the move to NIST PQC standards.
Prove — Signed reporting
Signed, regulator-ready reports and a tamper-evident audit trail that measure remediation against the live environment.
Standards & algorithms
CBOM-first, standards-based, and honest about assurance tiers
MCert normalizes discovery to CycloneDX and protects its own data and reports with post-quantum cryptography — pairing NIST-standardized algorithms with optional, policy-selectable sovereign options.
Discovery & exchange formats
- CycloneDX CBOM & SBOM — the canonical bill-of-materials format for cryptographic and software assets; supported from CycloneDX 1.4 forward.
- SPDX 2.3+ — supported for SBOM interoperability.
- Report output complies with the CycloneDX CBOM exchange format for machine-readable regulatory submissions.
Protecting the inventory & reports
- Signing with ML-DSA (FIPS 204), with the sovereign KAZ-SIGN available as an option alongside it.
- Key encapsulation with ML-KEM (FIPS 203), with the sovereign KAZ-KEM available as an option alongside it.
- Symmetric encryption of inventory and reports with AES-256-GCM, per-subscriber keys.
ML-KEM (FIPS 203) and ML-DSA (FIPS 204) are finalized NIST post-quantum standards. KAZ-SIGN and KAZ-KEM are optional, policy-selectable sovereign (Malaysian) algorithms offered alongside the NIST standards — not NIST-standardized or approved. Because algorithm choice is policy-driven, that sovereign option can be swapped at any time as standards and threats evolve.
See your entire crypto estate — before you migrate
Start with a continuous CycloneDX CBOM/SBOM inventory and quantum-risk baseline for your organization.