Architecture playbook: crypto-agility for the post-quantum era. Learn more
Step 1 of PQC migration · Discover → Govern → Prove →

You can't migrate to post-quantum what you can't see.

MCert is Antrapol's continuous crypto inventory and monitoring platform: automated CycloneDX CBOM/SBOM discovery across your entire estate, quantum-risk scoring, and signed, regulator-ready reporting — so your whole cryptographic estate stays continuously visible.

CycloneDX CBOM/SBOM · Quantum-risk scoring · Continuous monitoring · Secure regulatory reporting

Standards-based discovery, mapped to the frameworks your regulators track

CycloneDX CBOM & SBOM SPDX 2.3+ NIST SP 800-131A MySEAL NACSA guidelines BNM RMiT

The problem

Most organizations can't plan a PQC migration — they're planning it blind

RSA and ECC keys, certificates, protocols and crypto libraries are scattered across servers, applications, network devices, containers and code repositories. Nobody has a single, current view of where quantum-vulnerable cryptography actually lives — and you can't prioritize a migration you can't measure.

No inventory, no plan

Without knowing which algorithms, certificates, keys and protocols are deployed, PQC migration planning is impossible and unknown weaknesses go unaddressed.

Point-in-time audits go stale

Manual, ad-hoc discovery is out of date the moment it's collected — every asset that changes between audit cycles is missed.

Fragmented formats

Each team and tool produces inventory differently, so aggregation, comparison and regulatory reporting become inconsistent and labour-intensive.

No quantum-risk lens

You can't systematically assess which assets are quantum-vulnerable without mapping discovered crypto to known vulnerability classes and migration priorities.

The inventory is itself a target

A crypto inventory reveals your security posture and weaknesses — without encryption and access control, the inventory becomes a high-value asset for attackers.

No safe channel to regulators

Sharing posture reports with regulators such as NACSA and BNM needs end-to-end encrypted transfer with verifiable integrity — ad-hoc methods risk leakage.

The core thesis is simple: you cannot migrate to post-quantum cryptography what you cannot see. MCert makes the crypto estate continuously visible, standardized, risk-scored against the quantum threat, and safely reportable.

How it works

Continuous discovery, standardized output, quantum-risk scoring

Lightweight, ephemeral scanners run against your assets on a schedule you control. Every result is normalized to CycloneDX, risk-scored, and stored encrypted — then surfaced on a real-time dashboard and packaged into signed reports.

1

Discover — zero-footprint, ephemeral scanners

Containerized scanners deploy to a target with only a container runtime as a prerequisite, find every algorithm, certificate, key, protocol and crypto library, then are removed — leaving no residual data behind. A stateless agent is the only component that touches your infrastructure.

2

Standardize — CycloneDX CBOM & SBOM

Outputs from every scanner are normalized into canonical CycloneDX, ending format fragmentation and making your inventory machine-comparable, mergeable across tools, and regulator-ready.

3

Assess — quantum-risk scoring

The Risk Profile engine tags quantum-vulnerable (RSA / ECC / DH without a PQC hybrid), deprecated and weak-parameter cryptography, computes a per-asset and per-category risk score, and derives a PQC migration-readiness score.

4

Monitor & report — continuously

Scheduled scans keep the inventory fresh; threshold alerts fire when risk climbs. Reports are digitally signed for integrity and non-repudiation, and can be encrypted to a recipient for secure transfer to regulators.

mcert-cbom.cyclonedx.json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "metadata": {
    "component": { "name": "payments-api", "type": "application" }
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "RSA-2048",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "signature",
          "parameterSetIdentifier": "2048",
          "nistQuantumSecurityLevel": 0
        }
      }
    },
    {
      "type": "cryptographic-asset",
      "name": "ML-KEM-768",
      "cryptoProperties": { "assetType": "algorithm" }
    }
  ]
}

Quantum-risk scoring

A default risk matrix your experts will recognize

Every discovered component is classified against a transparent default matrix — and subscribers can layer their own custom risk policies and thresholds on top of the platform defaults.

Default risk classification matrix — subscribers may extend it with custom rules, weightings and thresholds.
Risk classWhat MCert flags
Quantum-vulnerableRSA, ECC and DH used without a PQC hybrid — the assets to prioritize for migration.
DeprecatedMD5, SHA-1, DES, 3DES and RC4 — legacy primitives that should already be gone.
Weak parametersRSA below 2048-bit and ECC below 256-bit key sizes.
Expiring certificatesCertificates falling inside a configurable expiry threshold.
Non-compliant configurationProtocol versions and cipher suites that don't meet policy.
Unknown / unrecognizedAlgorithms the scanners can't map to a known classification.

Risk scores recalculate automatically on every scan, and a PQC migration-readiness score tracks the share of components that are PQC-native or protected by a hybrid PQC configuration. Findings map to NIST SP 800-131A, MySEAL, NACSA guidelines and BNM RMiT — MCert maps to these frameworks; it does not claim certification against them.

Capabilities

Everything you need to run a crypto-agility observability program

Continuous discovery

Scheduled scans — monthly, quarterly, fortnightly, half-yearly, yearly or on a specific date — plus on-demand scans, across servers, applications, network devices, container clusters and code repositories.

Zero-dependency scanners

Scanners ship as signed container images and run in an isolated container with resource limits, then are destroyed. The catalogue supports registering open-source tools like CycloneDX utilities, Syft, Grype and OWASP Dependency-Check.

CycloneDX normalization

Every result — CBOM, SBOM, SPDX or proprietary — is normalized to canonical CycloneDX, with duplicate detection and multi-scanner merge by algorithm, version and location.

Real-time dashboard

Algorithm distribution, a PQC-readiness gauge, certificate-expiry timeline, risk-score trend, scan coverage and mitigation progress — all updating as inventory and risk change.

Inventory versioning & diff

Each scan creates a new snapshot per asset, so you get historical comparison, change tracking, and a clear added / removed / modified diff between any two points in time.

Closed-loop remediation

Mitigation plans (e.g. RSA → ML-DSA) tie to live findings; when a later scan shows the component remediated, the plan is auto-completed with scan evidence — progress measured against the real environment.

PQC-native protection

The inventory is encrypted at rest per subscriber with AES-256-GCM; the agent channel and reports are signed with ML-DSA or the sovereign KAZ-SIGN option, with key encapsulation via ML-KEM or the sovereign KAZ-KEM option.

Secure regulatory reporting

Full-inventory, change, risk, PQC-readiness, compliance and executive reports — signed for non-repudiation and optionally encrypted to a regulator's key for secure transfer. Output as PDF, JSON (CycloneDX), CSV or HTML.

Multi-tenant & self-service

Subscriber admins register assets, configure schedules, view inventory and track mitigation within their own tenancy, with RBAC roles and strict per-tenant data isolation.

Use cases

One platform, three jobs it does immediately

Pre-migration assessment

Establish a baseline: where does quantum-vulnerable RSA/ECC live, which certificates and keys are weak or expiring, and what should you migrate first? Turn a blind migration into a prioritized, evidence-based plan.

Compliance & audit

Produce signed, tamper-evident reports mapped to NIST SP 800-131A, MySEAL, NACSA and BNM RMiT, and share them with regulators over an encrypted secure-transfer channel — with a digitally signed audit trail behind every change.

Ongoing drift monitoring

Scheduled scans and snapshot diffs catch new quantum-vulnerable crypto the moment it's introduced, alert on risk-threshold breaches, and keep the PQC-readiness picture current — turning a one-off project into a continuous program.

Step 1 of PQC migration

Discover → Govern → Prove

MCert is the observability layer of the MyPQC platform, and the natural first step of any post-quantum migration. You discover your entire crypto estate here; the Crypto Agility Core Engine lets you govern and swap algorithms by policy; and MCert's signed reporting lets you prove progress to auditors and regulators over time.

You can't orchestrate PQC migration or enforce crypto policy on assets you can't see — which is exactly why continuous inventory comes first.

Discover — MCert

Continuous CycloneDX CBOM/SBOM inventory and quantum-risk scoring across the estate.

Govern — Crypto Agility Core

Change and enforce cryptographic algorithms by policy — including the move to NIST PQC standards.

Prove — Signed reporting

Signed, regulator-ready reports and a tamper-evident audit trail that measure remediation against the live environment.

Standards & algorithms

CBOM-first, standards-based, and honest about assurance tiers

MCert normalizes discovery to CycloneDX and protects its own data and reports with post-quantum cryptography — pairing NIST-standardized algorithms with optional, policy-selectable sovereign options.

Discovery & exchange formats

  • CycloneDX CBOM & SBOM — the canonical bill-of-materials format for cryptographic and software assets; supported from CycloneDX 1.4 forward.
  • SPDX 2.3+ — supported for SBOM interoperability.
  • Report output complies with the CycloneDX CBOM exchange format for machine-readable regulatory submissions.

Protecting the inventory & reports

  • Signing with ML-DSA (FIPS 204), with the sovereign KAZ-SIGN available as an option alongside it.
  • Key encapsulation with ML-KEM (FIPS 203), with the sovereign KAZ-KEM available as an option alongside it.
  • Symmetric encryption of inventory and reports with AES-256-GCM, per-subscriber keys.

ML-KEM (FIPS 203) and ML-DSA (FIPS 204) are finalized NIST post-quantum standards. KAZ-SIGN and KAZ-KEM are optional, policy-selectable sovereign (Malaysian) algorithms offered alongside the NIST standards — not NIST-standardized or approved. Because algorithm choice is policy-driven, that sovereign option can be swapped at any time as standards and threats evolve.

See your entire crypto estate — before you migrate

Start with a continuous CycloneDX CBOM/SBOM inventory and quantum-risk baseline for your organization.