Air-Gapped Compliance in a Connected World

Download · Linux + Windows binary

Air-Gapped PKI Visibility. Zero Compromise.

The elite TLS and Certificate Auditor designed for ultra-secure environments. Audit subnets, detect quantum-vulnerable keys, and ensure NIST compliance with a single static binary — no network packets leaving your LAN.

CryptoSidekick

Problem & Solution

Built for what actually goes wrong

Pain point

Scanning sensitive internal subnets for TLS vulnerabilities without leaking data to the public internet or external CAs.

Value pillar

Zero-dependency, air-gapped execution model using Go standard library and a local system trust store.

Pain point

Legacy infrastructure using weak RSA keys or signatures that are vulnerable to current and future (quantum) threats.

Value pillar

Automated classification of quantum-vulnerable assets and NIST SP 800-52r2 compliance grading.

Deep technical features

What ships in the box

High-Concurrency Worker Pool

Massive subnet scanning (up to /12) with atomic progress tracking, rate limiting, and adaptive timeouts. Zero-CGO, static-binary deployment for Linux/Windows.

Post-Quantum Discovery

First-class identification of quantum-vulnerable RSA/ECDSA keys and signature algorithms, preparing your inventory for the transition to PQC (Post-Quantum Cryptography).

Deterministic Risk Scoring

Generates one-glance verdicts (Safe, Suspicious, Malicious) based on certificate age, chain depth, self-signing, and cipher-suite strength — all verified offline.

Security & Compliance

Built on enterprise-grade infrastructure

A single, zero-dependency, statically-linked Go binary. CGO-free, no external service calls, no telemetry — the only network traffic is the TLS handshakes you explicitly tell it to perform. Built for classified subnets, financial back-offices, and any environment that mandates strictly offline crypto inventory.

Static Go binary · Zero CGO / zero deps · No telemetry · Local trust store only

Network

Cloudflare global edge — innate DDoS protection, zero cold-starts.

Identity

Clerk (SOC 2 Type II, GDPR) for multi-tenant fleets; PBKDF2 for single-tenant apps.

Subprocessors

Cloudflare & Resend (SOC 2 Type II) · Stripe (PCI-DSS Level 1).

Product roadmap

From foundation to fleet scale

  1. Phase 1 · Shipped

    Foundation — Audit Engine

    • High-concurrency worker pool with CIDR/Port input and host caps.
    • Seven core security warnings (Expired, Self-Signed, Weak Hash, etc.).
    • Streaming CSV output with SHA-256 integrity digest.
  2. Phase 2 · Shipped

    Multi-Protocol & Visibility — Enhanced Scans

    • STARTTLS support for SMTP, IMAP, and LDAP.
    • Post-Quantum / quantum-vulnerable tagging and Forward Secrecy detection.
    • In-GUI results treeview with risk color-coding and filtering.
  3. Phase 3 · In progress

    Enterprise Evolution — Scale & Governance

    • Headless CLI mode for scheduled cron-driven baseline audits.
    • Adaptive backpressure rate-limiting and circuit-breaker logic.
    • Opt-in connected tier for OCSP/CRL revocation and CT log presence.

Ready to bring CryptoSidekick into your stack?

Talk to our team about deployment, custom SLAs, and integration with your existing identity and observability stack.