🔓 Open source · Apache 2.0 · pip install pqc-sandbox

See exactly what breaks
before you migrate to PQC

Point it at your real endpoint. It replays the TLS handshake with ML-KEM / ML-DSA sizes and shows you exactly which components will fail in production — with the fix for each one.

$ pqc-sandbox simulate api.mybank.com
Probing api.mybank.com:443 … TLSv1.3 · X25519 · ECDSA-P256 · MTU 1500

✗ BLOCKED — 3 breaks found · estimated fix: 6 days

BREAK 1 TLS certificate chain too large for proxies
ML-DSA-44 cert chain: 2,121B → 8,332B ⚠ exceeds 8KB nginx limit
Fix: ssl_stapling on + large_client_header_buffers 8 32k

BREAK 2 DNSSEC signatures exceed UDP limit (2,420B vs 1,232B cap)
BREAK 3 HSM firmware may not support ML-KEM-768 / ML-DSA-44

Each break: component · mechanism · evidence · blast radius · copy-paste fix

🔒 Zero cloud. Zero telemetry. Runs entirely on your machine.

How it works
Four steps from zero to RBI-ready

No agents. No cloud. No code changes. Just point it at your systems.

01

Point it at your systems

TLS endpoints, CBOM output from your security scanner, or SARIF from Semgrep/CodeQL. We integrate, not rebuild.

02

Simulate migration impact

Side-by-side benchmark of your current algorithm vs the NIST PQC replacement. Real numbers, not estimates.

03

Find what breaks

MTU limits, TLS 1.2 constraints, embedded device RAM, DNSSEC UDP limits, JWT header overflow — all checked.

04

Get a report your CISO can sign

Auto-generated RBI / SEBI / NIST / DORA compliance reports, plus a copy-paste config diff for your engineers.

What you get
Every output your team needs

Engineers get benchmarks and diffs. CISOs get risk memos. Auditors get compliance reports.

📊
Performance benchmark

ECDSA signature: 72 B
ML-DSA-44 signature: 2,420 B (+33×)
Sign latency delta: +0.15 ms
Verify latency delta: +0.09 ms
Verdict: ⚠ CAUTION

🛡️
Compatibility oracle

TLS version: ✓ TLS 1.3 ready
MTU (1500B): ⚠ ClientHello too large
Device RAM: ✓ Sufficient
DNSSEC UDP: ✗ Exceeds 1232B limit
HSM support: ⚠ Vendor check needed

📝
Config diff (copy-paste)

# OpenSSL 3.3+ (hybrid, drop-in)
Groups = P256_mlkem768:P256:X25519

# nginx
ssl_ecdh_curve X25519MLKEM768:X25519;

# Go TLS (no code change)
GODEBUG=tlsmlkem=1 ./your-binary

🏛️
RBI compliance report

Crypto asset inventory: Partially Compliant
Quantum-safe KEX: Non-Compliant
TLS version policy: Compliant
HNDL threat response: Partially Compliant
Ready to submit to RBI IT auditor. Maps to RBI-CS-2016, IT Master Direction 2023, CERT-In.
Who it's for
One tool, three audiences
👩‍💻

Security Engineer

Run it on your endpoints today. Get benchmark numbers, compat issues, and config diffs — in one command.

🏦

CISO / CTO

Forward the executive risk memo to your board. It reads like a risk document, not a dev tool output.

📋

Compliance Officer

Generate RBI / SEBI / NIST reports pre-mapped to control IDs. Ready to hand to your auditor.

🏗️

Platform / Infra Team

Drop into CI/CD. JSON output, exit codes (0=GO, 1=CAUTION, 2=BLOCKED). Catch new vulnerable crypto in PRs.
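
A CI wrapper around those exit codes, as an added example rather than code from the pqc-sandbox project. It fails closed on any status other than 0, 1 or 2 (tool missing, crash, network error); the PQC_CMD and ALLOW_CAUTION variables are assumptions of this sketch, not options of the tool.

```shell
#!/bin/sh
# Added example: CI gate built on the exit codes listed above
# (0=GO, 1=CAUTION, 2=BLOCKED). PQC_CMD and ALLOW_CAUTION are
# hypothetical knobs of this wrapper, not pqc-sandbox options.

# Map a process exit status to a verdict. Any status outside 0/1/2
# (e.g. 127 when the tool is not installed) becomes ERROR.
verdict_for() {
    case "$1" in
        0) echo GO ;;
        1) echo CAUTION ;;
        2) echo BLOCKED ;;
        *) echo ERROR ;;
    esac
}

# Return 0 only when the pipeline may proceed. CAUTION passes only if
# the team opted in; BLOCKED and ERROR always fail (fail closed).
gate_decision() {
    case "$1" in
        GO) return 0 ;;
        CAUTION) [ "${ALLOW_CAUTION:-0}" = "1" ] ;;
        *) return 1 ;;
    esac
}

# Run the simulate command from this page against every endpoint and
# fail the job if any single endpoint fails the gate.
pqc_gate() {
    failed=0
    for endpoint in "$@"; do
        rc=0
        ${PQC_CMD:-pqc-sandbox} simulate "$endpoint" || rc=$?
        verdict=$(verdict_for "$rc")
        echo "gate: $endpoint -> $verdict (exit $rc)"
        gate_decision "$verdict" || failed=1
    done
    return "$failed"
}

# Stand-alone use: ./pqc-gate.sh api.example.test other.example.test
if [ "$#" -gt 0 ]; then
    pqc_gate "$@"
fi
```

Treating an unexpected status as a failure keeps a broken install or an unreachable endpoint from being read as a passing scan.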

Regulatory coverage
8 jurisdictions, one platform

Every major financial regulator is asking about PQC. QuantumShift maps your results to their requirements.

| Jurisdiction | Framework | Type | Deadline | Who's covered |
|---|---|---|---|---|
| 🇮🇳 India | RBI Cybersecurity Framework 2016 + IT Master Direction 2023 | Mandatory | FY2026-27 | Banks, NBFCs, Payment Banks |
| 🇮🇳 India | SEBI CSCRF 2024 | Mandatory | FY2025-26 | Brokers, Exchanges, Depositories |
| 🇮🇳 India | CERT-In Directions 2022 | Mandatory | Ongoing | All IT organisations in India |
| 🇮🇳 India | DPDP Act 2023 | Emerging | Rules 2025 | All data fiduciaries |
| 🇺🇸 United States | NSA CNSA 2.0 / OMB M-23-02 | Mandatory | 2030 | Federal agencies, NSS, critical infra |
| 🇪🇺 European Union | DORA + ENISA PQC Guidelines | Mandatory | In force Jan 2025 | EU financial entities, MIIs |
| 🇬🇧 United Kingdom | NCSC PQC Guidance + FCA | Advisory | 2028 | UK organisations, systemically important firms |
| 🇸🇬 Singapore | MAS TRM Guidelines | Advisory | 2025 review | MAS-regulated financial institutions |
| 🇩🇪 Germany | BSI TR-02102 | Advisory | Updated 2024 | Federal IT, KRITIS operators |
| 🇦🇺 Australia | ASD/ACSC + APRA CPS 234 | Advisory | 2025 | Government agencies, APRA entities |
Pricing
Free for engineers. Team platform coming soon.
Open Source CLI
Free forever
Everything you need to simulate your own migration.
  • ✓ pqc-sandbox simulate <endpoint>
  • ✓ Breakage proof + fix for each issue
  • ✓ Config diffs (nginx, OpenSSL, Go, Python)
  • ✓ PR gate — blocks vulnerable crypto in CI
  • ✓ Zero telemetry · runs on your machine
  • ✓ Apache 2.0 — audit everything
โญ View on GitHub โ†’
Team Platform
Coming soon
For security teams managing org-wide PQC migration.
  • ○ All endpoints monitored continuously
  • ○ Remediation tracking + owner assignment
  • ○ Org-wide PR gate across all repos
  • ○ Auto-discovery (CT logs, AWS ACM, DNS)
  • ○ Compliance export (RBI, DORA, NIST)
  • ○ SSO + team management