MEET THE HOUNDS

HEIMDALL

Post-Quantum Cipher Analysis
Heimdall Hound · Category: Crypto
“Find the crypto that won’t survive quantum.”

The ever-watchful guardian who sees to the ends of the world — Heimdall watches the quantum horizon.

THE PROBLEM

“Harvest now, decrypt later” means adversaries can capture encrypted traffic today and read it the day quantum computers arrive. Long-lived certificates protecting sensitive data are already at risk — yet almost no organization has an inventory of its quantum-vulnerable crypto, let alone a migration order.

WHAT IT DOES

Heimdall classifies every certificate in your estate by quantum risk — RSA, ECC, and DSA are all broken by Shor’s algorithm, and key length is irrelevant — then ranks your harvest-now-decrypt-later exposure by certificate lifetime and asset criticality. It analyzes transport crypto, scores crypto-agility, correlates crown-jewel assets, and exports a migration roadmap framed to the CNSA 2.0 timeline. The whole post-quantum lifecycle, on data you already collect.

KEY CAPABILITIES

  • Certificate quantum-risk inventory — classifies every cert in the estate by algorithm family. RSA, ECC, and DSA are all Shor-breakable regardless of key length, so the size of your post-quantum problem becomes a query, not a guess.
  • Harvest-now hit-list — crosses cert lifetime against asset criticality on a selectable horizon, surfacing long-lived certs on high-value assets whose traffic is worth capturing today and decrypting later. Those get fixed first.
  • Transport-crypto analysis — inspects TLS and SSH key exchange plus weak-MAC signals (including SHA-1) — which sessions an adversary could actually target, not just which certificates exist.
  • Crypto-agility tiers — scores each host PQC-ready, Upgradable, or Legacy from its OpenSSH/OpenSSL footprint — which systems migrate with a config change, which need a replacement budget.
  • Crown-jewel correlation + priority score — folds calibrated ACR into one migration priority — the roadmap starts with the certs protecting what the business can't lose, ordered by impact.
  • CSV migration roadmap + gated “PQC” tags — exports the plan framed to CNSA 2.0 and proposes PQC tags with ACR routing — findings become a trackable, assignable program.
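
A sketch of the family-based classification and harvest-now ranking described in the list above, added here as an example and not Heimdall's own code. The record fields, the 10-year default horizon, and the capped lifetime × ACR score are assumptions for illustration; the sample records are constructed.

```python
from datetime import date

# Families the page names as Shor-breakable; ECDSA/EdDSA are ECC schemes.
SHOR_BREAKABLE = {"RSA", "DSA", "ECC", "ECDSA", "EDDSA"}
# NIST post-quantum signature standards (FIPS 204, FIPS 205).
PQC_SIGNATURES = {"ML-DSA", "SLH-DSA"}


def quantum_risk(family: str) -> str:
    """Classify by algorithm family only; key length is deliberately not an input."""
    name = family.strip().upper()
    if name in SHOR_BREAKABLE:
        return "vulnerable"
    if name in PQC_SIGNATURES:
        return "pqc"
    return "unknown"  # surfaced for review instead of being assumed safe


def hit_list(certs, today, horizon_years=10):
    """Rank unexpired, quantum-vulnerable certs by capped lifetime x criticality."""
    ranked = []
    for cert in certs:
        years_left = (cert["not_after"] - today).days / 365.25
        if quantum_risk(cert["family"]) != "vulnerable" or years_left <= 0:
            continue
        # Hypothetical score: fraction of the horizon still covered, times ACR (1-10).
        exposure = min(years_left, horizon_years) / horizon_years
        ranked.append((round(exposure * cert["acr"], 2), cert["host"]))
    return sorted(ranked, reverse=True)


# Constructed sample records (not from any real scan). "bits" is carried along
# only to show that RSA-4096 and RSA-2048 land in the same risk class.
SAMPLE = [
    {"host": "hr-db", "family": "RSA", "bits": 4096, "not_after": date(2070, 1, 1), "acr": 9},
    {"host": "kiosk", "family": "RSA", "bits": 2048, "not_after": date(2070, 1, 1), "acr": 3},
    {"host": "web-1", "family": "ECDSA", "bits": 256, "not_after": date(2026, 7, 1), "acr": 8},
    {"host": "lab-1", "family": "ML-DSA", "bits": 0, "not_after": date(2040, 1, 1), "acr": 7},
    {"host": "old-1", "family": "DSA", "bits": 1024, "not_after": date(2020, 1, 1), "acr": 10},
]

if __name__ == "__main__":
    for score, host in hit_list(SAMPLE, today=date(2025, 1, 1)):
        print(f"{score:5.2f}  {host}")
```

Capping the remaining lifetime at the horizon keeps a single certificate valid for many decades from outranking every shorter-lived certificate on a more critical asset.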

HOW IT WORKS

Heimdall runs against the local navi.db built from your Tenable data: the certs table, transport and cipher plugins (277650, 277654, 70657, 153588, 56984, 10267, 168149), and the software inventory for OpenSSH/OpenSSL agility readiness. All writes are proposed, human-approved, and logged.

WHY IT'S DIFFERENT

  • The entire PQC lifecycle in one place — inventory, exposure ranking, agility, and roadmap — with no new collectors.
  • Honest math: it tells you plainly that key-length upgrades don’t help post-quantum — no false comfort.
  • Prioritized by your shared ACR criticality currency, so its ranking agrees with the rest of the pack.

PROOF POINTS

In a reference environment of 268 assets, Heimdall found:
  • ~100% of certificates quantum-vulnerable — including certs valid to 2070 and 2114 (extreme harvest-now exposure).
  • 110 TLS services offering no post-quantum ciphers.
  • 79 TLS and 49 SSH services on classical-only key exchange; 59 services still using SHA-1 MACs.

Illustrative results from a demo lab — not a guarantee. Heimdall’s signals depend on the relevant plugins being present, and blind or uncredentialed hosts are called out, not hidden.

WORKS BETTER WITH

Heimdall consumes Certania’s certificate inventory, Anubis’s calibrated asset criticality, and Laelaps’s KEV signal — so the migration roadmap reflects what’s truly critical and actively exploited.

WHO IT'S FOR

PKI and crypto owners planning the PQC migration; CISOs and compliance planners working the CNSA 2.0 timeline; GRC teams that need evidence, not estimates.

CALL TO ACTION

Ask Heimdall for your harvest-now hit-list — before someone else builds one.

THE HOUNDS — a human-in-the-loop security agent pack for Tenable VM / Tenable One. Gated writes · Evidence-first · Honest about coverage