QNSP

Capabilities

Discover. Enforce. Scale.

Quantum-safe trust infrastructure for regulated enterprises. Three stages of maturity, six named services, eighteen production microservices — every claim on this page grounded in code shipping today.

18 Production services
90 PQC algorithms
4 Crypto-policy tiers
7 Compliance frameworks live
8 HSM vendors integrated

01 — Discover

Inventory every cryptographic asset across your estate

You cannot migrate what you cannot see. The crypto-inventory service discovers assets from cloud KMS/HSM, certificate and TLS endpoints, secret managers, and Kubernetes across AWS, Azure, and GCP — or you can import an existing inventory directly through the API — then auto-classifies every asset and exports a CycloneDX-compatible Cryptographic Bill of Materials with per-asset NIST classification and HNDL-exposure scoring.

Discover from 30+ cloud / certificate / secret-manager connectors, or import an inventory via API
Every imported asset auto-classified and assessed for PQC migration urgency — no connector required
CycloneDX CBOM export with PQC algorithm classification
HNDL-exposure scoring per asset (data lifetime × ciphertext capture risk)
Live evaluation against your tenant's crypto policy

From Dev Pro · standard on Business Advanced+

02 — Enforce

Lock production to FIPS-finalised algorithms

Four crypto-policy tiers (default / strict / maximum / government) define which PQC algorithms and parameter sets are allowed per tenant. Enforcement runs in-line on every KMS, vault, and audit operation. A downgrade attempt is denied at the policy layer, not detected after the fact.

4 enforcement tiers — packages/security/src/crypto-policy.ts
Per-tenant policy, per-key authorization
Downgrade-attack prevention at operation time
Cross-verification on Maximum and Government tiers (liboqs + @noble/post-quantum)

Strict from Business Advanced · Maximum from Enterprise Pro · Government on Specialized

03 — Scale

Government-grade with BYOH HSM and sovereign deployment

Government tier locks to the CNSA 2.0 algorithm set (ML-KEM-1024, ML-DSA-87, SLH-DSA-256) and requires a customer-managed FIPS 140-3 HSM as the root of trust. Deploy into QNSP Cloud, your own VPC (AWS / Azure / GCP), or fully air-gapped. Audit chain survives jurisdictional review.

BYOH HSM: Thales Luna · Entrust nShield · Utimaco · AWS CloudHSM · Azure HSM · GCP HSM · IBM Cloud HSM · Marvell LiquidSecurity
Air-gapped deployment with offline ML-DSA-87 signing
Sovereign data residency at infrastructure + key layer
7-year audit retention for regulator review

Enterprise Pro+ · Specialized for air-gapped / sovereign

Six named services

What's behind the platform

The 18-service backend mesh consolidates into six buyer-facing capabilities. Each tile lists real route counts and the billable operations it exposes.

KMS

95 routes · 13 billable ops

PQC key management. Create, rotate, sign, verify, wrap, unwrap. ML-KEM-768/1024 + ML-DSA-65/87 + SLH-DSA. Customer-managed HSM as root of trust on Maximum and Government tiers.

kms.key.create · kms.encrypt · kms.decrypt · kms.sign · +9 more

Vault

41 routes · 5 billable ops

PQC-encrypted secret storage with retention locks and dynamic-secret generation. Per-tenant key isolation, leakage-scan ingest, versioned reads.

vault.secret.read · vault.secret.write · vault.dynamic_secret.generate · vault.leakage_scan · +1 more

CBOM

37 routes · 2 billable ops

Cryptographic Bill of Materials. Continuous inventory of every cryptographic asset across your estate — including legacy RSA / ECDSA still to be retired. Import an existing inventory via API or discover from cloud connectors. CycloneDX export, per-asset NIST classification.

crypto-inventory.cbom_export · crypto-inventory.cert_renew

Edge Gateway

9 routes · 1 billable op

Hybrid X25519MLKEM768 PQC-TLS termination, JWT-audience and entitlement enforcement, request signing. Single ingress for the 17-service backend mesh.

edge.api.request

Audit

29 routes · 2 billable ops

Cryptographically chained audit log — every key operation, vault write, and policy decision rolled into a SHA3-512 Merkle tree, root signed with ML-DSA-65 (default tiers) or ML-DSA-87 (Government). Independently verifiable.

audit.compliance_report · audit.retention_cleanup

AI Enclaves

99 routes · 4 billable ops

GPU enclave orchestration (Intel SGX, AMD SEV-SNP, AWS Nitro, NVIDIA CC, Intel TDX, ARM TrustZone, ARM CCA, IBM Secure Execution). PQC-signed inference responses. Encrypted training data through the enclave boundary.

ai.inference · ai.embeddings · ai.training · ai.model_deploy

Helps you with

The buyer-side problems QNSP solves

If one of these is on your roadmap, the resolution is shipping today.

Harvest now, decrypt later

Adversary captures encrypted traffic today and stores it for future quantum decryption. Long-life records (financial, medical, classified, transcripts) are HNDL targets the moment they cross a wire.

PQC at every layer — TLS, KMS, vault, storage — applied today. Captured 2026 ciphertexts stay protected past CRQC arrival.

FIPS 140-3 readiness

Auditors increasingly require FIPS 140-3 validated cryptographic modules, especially for federal and financial customers.

Customer-managed FIPS 140-3 HSMs (8 vendors supported) become the root of trust on Maximum and Government tiers. QNSP CAVP algorithm validation in progress.

MAS TRM compliance (Singapore financial)

Banks under MAS Notice 644 must demonstrate cryptographic controls and tamper-evident audit logging.

10 MAS TRM controls live-evaluated by audit-service. Tier mapping (Strict / Maximum) per business line. Live evidence at /trust/compliance.

PCI DSS v4.0.1 crypto-agility

Requirements 3 and 4 explicitly demand cryptographic agility — the ability to rotate algorithms without changing application code or data formats.

KMS-managed algorithm parameter + crypto-policy tier — applications call kms.encrypt(key) and the policy decides which algorithm runs. Rotate by changing the policy, not the code.

AWS KMS replacement (or coexistence)

Cloud KMS is convenient but locks key material to one cloud, doesn't support all PQC algorithms, and exposes you to cross-tenant blast-radius in the worst case.

QNSP KMS speaks the same wire shapes (encrypt / decrypt / sign / verify), supports 90 PQC algorithms, runs on customer HSM, and isolates per-tenant. Live side-by-side at /compare/aws-kms.

BYOH HSM with sovereign root

Defense, intelligence, and regulated-finance customers cannot let a vendor hold the master key.

Customer's Thales Luna / Entrust nShield / Utimaco / AWS CloudHSM / Azure Dedicated HSM / Google Cloud HSM / IBM Cloud HSM / Marvell LiquidSecurity is the root of trust. QNSP signs and wraps inside the HSM boundary — never holds the root.

CNSA 2.0 algorithm migration

NSA mandate: US National Security Systems must move to ML-KEM-1024 + ML-DSA-87 + SLH-DSA-256 by 2030–2033 depending on system class.

Government crypto-policy tier locks exactly to the CNSA 2.0 algorithm set. No draft standards, no parameter-set substitutions.

Audit-chain integrity

Regulators increasingly demand cryptographically verifiable evidence of access — not just log retention.

Every key operation enters a SHA3-512 Merkle tree. The tree's root is periodically signed with ML-DSA and published. Any historical event is reconstructable and independently verifiable.

Evidence

Every claim above is verifiable

The platform publishes its own evidence — independently fetchable, tamper-bound, regenerated per release.

Frequently asked questions

The capability questions buyers and AI assistants ask most about CBOM, BYOH HSM, CNSA 2.0, and audit-chain integrity.

What is a Cryptographic Bill of Materials (CBOM)?

A CBOM is a continuous inventory of every cryptographic asset across your estate — keys, certificates, protocols, and algorithms, including legacy RSA and ECDSA still to be retired. QNSP's crypto-inventory service ingests from cloud KMS, CT logs, code, and TLS endpoints, then exports a CycloneDX CBOM with per-asset NIST classification and HNDL scoring.

Does QNSP support bring-your-own-HSM (BYOH)?

Yes. On Maximum and Government tiers a customer-managed FIPS 140-3 HSM is the root of trust — Thales Luna, Entrust nShield, Utimaco, AWS CloudHSM, Azure HSM, Google Cloud HSM, IBM Cloud HSM, or Marvell LiquidSecurity. QNSP signs and wraps inside the HSM boundary and never holds the master key.

What is the CNSA 2.0 algorithm set?

CNSA 2.0 is the NSA mandate requiring US National Security Systems to migrate to ML-KEM-1024, ML-DSA-87, and SLH-DSA-256 by 2030–2033 depending on system class. QNSP's Government crypto-policy tier locks exactly to this set — no draft standards and no parameter-set substitutions are permitted.

How does QNSP make its audit trail tamper-evident?

Every key operation, vault write, and policy decision enters a SHA3-512 Merkle tree. The tree's root is periodically signed with ML-DSA — ML-DSA-65 on default tiers, ML-DSA-87 on Government — and published. Any historical event is reconstructable and independently verifiable through receipt-replay, without trusting QNSP's database.
