Announcing QuantumPQC Pilot: An Open-Source Quantum-Safe Cryptography Auditor
- Team ArcQubit
- Dec 5, 2025
- 5 min read
Updated: Dec 19, 2025
Cryptography that looked “strong enough” ten years ago is now on the clock.
With post-quantum cryptography (PQC) deadlines approaching and “store-now, decrypt-later” attacks in play, organizations can’t afford to guess where RSA-2048, ECDSA, SHA-1, MD5, or legacy ciphers are still hiding in their codebases. At the same time, security and compliance teams are being asked to prove crypto posture against NIST SP 800-53 SC-13 and emerging PQC guidance from CISA, NIST, and Canadian CCCS/CSE.
Manual inventories and spreadsheets don’t cut it anymore.
Today we’re releasing QuantumPQC
QuantumPQC is a quantum-safe cryptography auditor, released free of charge as an open-source beta pilot. It is designed to help engineering, security, and compliance teams find vulnerable cryptography and generate machine-readable evidence in one pass.
What is QuantumPQC?
QuantumPQC is a Rust-based quantum-safe cryptography engine that analyzes source code to detect quantum-vulnerable and deprecated algorithms and then produces standards-aligned compliance reports.
In practical terms, QuantumPQC helps you answer three questions:
Where are we still using crypto that will not survive quantum attacks?
How do those findings map to NIST SP 800-53 SC-13 and Canadian CCCS/CSE requirements?
Can we export this as machine-readable evidence (OSCAL JSON) for audits and automated pipelines?
Key capabilities at a glance
Multi-language crypto scanning
QuantumPQC statically analyzes source code across common stacks:
Languages: Rust, JavaScript, TypeScript, Python, Java, Go, C++, C#
Algorithms detected:
Public-key: RSA, ECDSA, ECDH, DSA, DH
Hash / integrity: MD5, SHA-1
Symmetric / ciphers: DES, 3DES, RC4
This gives you a unified view of legacy cryptography across microservices, monoliths, and libraries without stitching together one-off scripts and tools.
Quantum-safe compliance out of the box
QuantumPQC doesn’t just find bad crypto and stop there. It automatically generates control-aligned assessment reports.
NIST SP 800-53 SC-13 (Cryptographic Protection)
Control assessment status
Findings linked to SC-13 objectives
Compliance and risk scores (0–100)
Evidence (file, line, and crypto type)
Canadian CCCS/CSE support
Mappings to ITSG-33 SC-13, ITSP.40.111, ITSP.40.062 and CMVP expectations for validated cryptographic modules (for Canadian federal/critical infrastructure use cases).
For teams operating in U.S. and Canadian regulatory environments, QuantumPQC provides a single view of cryptographic risk aligned to both ecosystems.
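To make the scanning and evidence model above concrete (the algorithm list under "Multi-language crypto scanning" and the "file, line, and crypto type" evidence plus 0–100 risk score under SC-13), here is an added illustration in Rust. It is not QuantumPQC's own detector or scoring formula: the token-matching heuristic, the class weights, and the sample JavaScript and Java snippets are all assumptions constructed for this example.

```rust
/// Categories from the page's detection list.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CryptoClass { PublicKey, Hash, Symmetric }

/// One piece of evidence: file, line and crypto type.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub file: String, pub line: usize, pub algorithm: &'static str, pub class: CryptoClass }

/// Quantum-vulnerable / deprecated algorithms named on the page, matched as whole tokens.
const RULES: &[(&str, CryptoClass)] = &[
    ("rsa", CryptoClass::PublicKey), ("ecdsa", CryptoClass::PublicKey), ("ecdh", CryptoClass::PublicKey),
    ("dsa", CryptoClass::PublicKey), ("dh", CryptoClass::PublicKey),
    ("md5", CryptoClass::Hash), ("sha1", CryptoClass::Hash),
    ("des", CryptoClass::Symmetric), ("3des", CryptoClass::Symmetric), ("rc4", CryptoClass::Symmetric),
];

/// Candidate identifiers in one line: tokens are split on '-'/'_' and adjacent parts are also
/// joined, so "SHA-1", "sha_1" and "sha1" all normalise to "sha1". Whole-token matching keeps
/// "describe" or "adhoc" from being reported as DES or DH (a substring search would).
fn candidates(line: &str) -> Vec<String> {
    let mut out = Vec::new();
    for token in line.split(|c: char| !(c.is_ascii_alphanumeric() || c == '-' || c == '_')) {
        let parts: Vec<String> = token.split(|c: char| c == '-' || c == '_')
            .filter(|p| !p.is_empty()).map(|p| p.to_ascii_lowercase()).collect();
        for (i, p) in parts.iter().enumerate() {
            out.push(p.clone());
            if let Some(next) = parts.get(i + 1) { out.push(format!("{p}{next}")); }
        }
    }
    out
}

/// Scan one source file; each (line, algorithm) pair is reported once.
pub fn scan_source(file: &str, src: &str) -> Vec<Finding> {
    let mut findings: Vec<Finding> = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        let line_no = idx + 1;
        for cand in candidates(line) {
            if let Some((alg, class)) = RULES.iter().find(|(name, _)| *name == cand) {
                if !findings.iter().any(|f| f.line == line_no && f.algorithm == *alg) {
                    findings.push(Finding { file: file.to_string(), line: line_no, algorithm: *alg, class: *class });
                }
            }
        }
    }
    findings
}

/// Illustrative 0-100 risk score (assumed weights, not the project's): public-key algorithms
/// fall to Shor's algorithm outright and weigh most; deprecated hashes and ciphers less.
pub fn risk_score(findings: &[Finding]) -> u32 {
    findings.iter().map(|f| match f.class {
        CryptoClass::PublicKey => 30, CryptoClass::Hash => 15, CryptoClass::Symmetric => 20,
    }).sum::<u32>().min(100)
}
```

A usage call such as `scan_source("Legacy.java", "Cipher.getInstance(\"DES/CBC/PKCS5Padding\")")` returns one Symmetric finding on line 1; running it over each file of a repository and summing with `risk_score` gives the per-service view the report describes.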
OSCAL-native, machine-readable reports
QuantumPQC generates OSCAL 1.1.2-compliant JSON for assessment results, so your crypto findings plug directly into:
System Security Plans (SSPs)
Assessment and authorization packages
Automated GRC and evidence management platforms
GitHub Actions / CI pipelines that need structured security artifacts
Instead of PDF lock-in or unstructured logs, you get clean JSON that can flow through modern “governance as code” pipelines.
Built for performance and portability
Under the hood:
Implemented in Rust for safety and speed
Compiled to WebAssembly (WASM) with a footprint of under 500 KB (gzipped)
Runs in browsers, Node.js, and Deno, making it easy to embed into portals, dashboards, or developer tooling
Benchmarked at ~0.35 ms per 1,000 lines of code with >90% test coverage, so it scales to large repositories without grinding your CI to a halt
This combination makes QuantumPQC a solid fit for enterprise pipelines, security portals, and even in-browser developer tooling.
Who is QuantumPQC for?
QuantumPQC is designed for three overlapping groups:
Security & crypto engineers
Quickly identify where non-PQC-ready algorithms still live
Prioritize remediation by risk and control mapping
Maintain an always-current inventory of crypto usage
DevSecOps & platform teams
Add quantum-vulnerable crypto checks to CI/CD
Enforce policy on pull requests and main branch merges
Generate OSCAL JSON for downstream compliance and reporting
Compliance, risk, and audit teams
Obtain evidence-rich SC-13 assessment results backed by automated scans
Support NIST, FedRAMP, CMMC, and CCCS/CSE programs that require cryptographic protection evidence
Move from manual spreadsheets to repeatable, automated crypto posture reports
How QuantumPQC fits into your workflow
You can use QuantumPQC in several ways.
Local developer workflow
Run QuantumPQC from the CLI as part of local checks
Scan specific repos, modules, or files before pushing changes
CI/CD integration
Wire QuantumPQC into your pipeline (e.g., GitHub Actions, Jenkins, GitLab CI) to scan on pull requests and main branch builds
Fail builds on high-risk findings or export OSCAL JSON as an artifact for later review
Security & compliance dashboards
Use the WASM build to embed QuantumPQC into an internal web app
Let teams upload or point at repositories and receive an SC-13 and CCCS-aligned report in minutes
Because it’s open source and small, you can run it where your code already lives: in your secure build environment, in your browser, or inside your existing security tools.
Why this matters now
Regulators are no longer speaking in hypotheticals.
NIST is standardizing post-quantum algorithms and expects federal systems to migrate away from quantum-vulnerable public-key cryptography.
CISA and other agencies are pushing automated discovery and inventory tools for PQC readiness.
Canadian CCCS/CSE have explicit cryptographic guidance and CMVP expectations for validated modules.
But none of that is actionable until you can answer:
“Where, exactly, are we still using quantum-vulnerable cryptography and how non-compliant is it?” - Trevor Bowman
QuantumPQC gives you a repeatable, automatable way to answer that question, backed by machine-readable evidence.
Temporarily open source, MIT-licensed, and ready for contributions
QuantumPQC is released under the MIT License, with:
Comprehensive tests and benchmarks
Example usage in Rust and JavaScript
Build scripts and Makefile targets for Rust, WASM, and NPM packages
We welcome community contributions:
New language detectors (e.g., PHP, Ruby, Kotlin)
Expanded algorithm support, including PQC-ready primitives and “good vs. bad” configurations
Additional compliance mappings (e.g., FIPS 140-3 reporting, industry frameworks)
Improved rulesets and detection heuristics for real-world patterns
Get started with QuantumPQC
You can be up and running in a few minutes.
Visit the repository
Install and build
Use the provided make and NPM scripts to build Rust + WASM targets and run tests.
Scan your first repo
Point QuantumPQC at one of your services and generate an SC-13 report.
Export OSCAL JSON and plug it into your compliance or GRC workflow.
Plan your PQC migration
Use the findings to prioritize remediation and track progress against NIST and CCCS expectations.
FAQ: QuantumPQC in 3 Quick Questions
Is QuantumPQC a post-quantum library?
No. QuantumPQC detects quantum-vulnerable and deprecated cryptography and generates compliance reports. It’s not an implementation of PQC algorithms, but a discovery and assessment tool to help you migrate safely.
Can I use QuantumPQC in regulated environments (FedRAMP, CMMC, GC, etc.)?
Yes, that’s the intent. QuantumPQC produces NIST SP 800-53 SC-13-aligned findings and OSCAL JSON that can feed into SSPs, A&A artifacts, and evidence repositories. Final acceptance always depends on your specific regulator and program, but the artifacts are structured for that world.
Does it support both U.S. and Canadian crypto standards?
Yes. QuantumPQC is built to support NIST SC-13 as well as Canadian CCCS/CSE guidance (ITSG-33, ITSP.40.111, ITSP.40.062, CMVP), making it suitable for teams that operate across North American regulatory regimes.
Next Steps
Run QuantumPQC on a real codebase, generate your first quantum-safe cryptography report, and use that as the starting point for a serious PQC migration roadmap.