CBOM Generation
Your auditor asks: "What's your quantum exposure?" A CBOM gives you the answer.
A Cryptographic Bill of Materials is a complete inventory of every cryptographic algorithm, key, certificate, and protocol in your environment — and which ones are vulnerable to quantum attack. We don't just find crypto in your codebase — we trace which cryptographic calls are actually executed in production through reachability analysis, so you're not chasing dead code. We also analyse third-party dependencies to uncover hidden cryptographic risks in your supply chain.
What is a CBOM?
A Cryptographic Bill of Materials is a comprehensive inventory of all cryptographic components used in your systems, similar to how an SBOM catalogs software components.
Algorithm Discovery
Identify every cryptographic algorithm in use — RSA, AES, SHA, ECC, and more — across all systems and applications.
Key Inventory
Document all cryptographic keys, their sizes, locations, and lifecycle status across your infrastructure.
Certificate Mapping
Track all digital certificates, their chains of trust, expiration dates, and algorithm dependencies.
Protocol Analysis
Document cryptographic protocols (TLS, SSH, IPSec) and their configurations across your network.
Dependency Mapping
Understand how cryptographic components relate to each other and to your business processes.
Risk Classification
Categorise each asset by quantum vulnerability level and business criticality for migration planning.
Sample CBOM Output
Here's what a CBOM finding looks like in practice. Each entry identifies the algorithm, its location, quantum risk level, and recommended action.
| Algorithm | Location | Quantum Risk | Recommended Action |
|---|---|---|---|
| RSA-2048 | payment-api/auth.py:142 | High | Migrate to ML-KEM-768 |
| AES-256 | storage/encryption.go:89 | Low | Quantum-safe (symmetric) |
| ECDH P-256 | comms/tls-client.java:203 | High | Migrate to ML-KEM-768 |
| SHA-256 | integrity/hash-utils.cs:57 | Medium | Monitor; consider SHA-3 for long-term |
Fictional example. Actual CBOM output is delivered in CycloneDX 1.6 format (JSON/XML) with full file paths, line numbers, and call graph context.
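As an added illustration that is not part of this page or of the scanner's own output, the following Python turns the fictional findings above into a CycloneDX 1.6 style CBOM document and pulls out the first migration wave. The `FINDINGS` data, the `RULES` classification table and the `quantumRisk`/`recommendedAction` property names are constructed for this example; the component layout (`cryptographic-asset`, `cryptoProperties`, `evidence.occurrences`) follows the CycloneDX 1.6 schema as the editor reads it, so check it against the published schema before relying on it.

```python
import json

# Constructed findings mirroring the fictional table above (not real scan output).
FINDINGS = [
    {"algorithm": "RSA-2048", "location": "payment-api/auth.py", "line": 142},
    {"algorithm": "AES-256", "location": "storage/encryption.go", "line": 89},
    {"algorithm": "ECDH P-256", "location": "comms/tls-client.java", "line": 203},
    {"algorithm": "SHA-256", "location": "integrity/hash-utils.cs", "line": 57},
]

# Hypothetical rules: algorithm family -> (CycloneDX primitive, quantum risk, action).
# Public-key schemes fall to Shor's algorithm; symmetric ciphers and hashes are only
# weakened by Grover's, so they get a lower grade.
RULES = {
    "RSA": ("pke", "High", "Migrate to ML-KEM-768"),
    "ECDH": ("key-agree", "High", "Migrate to ML-KEM-768"),
    "AES": ("block-cipher", "Low", "Quantum-safe (symmetric)"),
    "SHA": ("hash", "Medium", "Monitor; consider SHA-3 for long-term"),
}

def classify(algorithm):
    """Map a label such as 'ECDH P-256' or 'RSA-2048' to its family's rule."""
    family = algorithm.replace("-", " ").split()[0]
    return RULES.get(family, ("unknown", "Unknown", "Review manually"))

def to_cyclonedx(findings):
    """Emit a CycloneDX 1.6 BOM with one cryptographic-asset component per finding."""
    components = []
    for f in findings:
        primitive, risk, action = classify(f["algorithm"])
        components.append({
            "type": "cryptographic-asset",
            "bom-ref": f"crypto:{f['algorithm']}@{f['location']}:{f['line']}",
            "name": f["algorithm"],
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": primitive}},
            # Where the call was found; a reachability-aware scan would add call-graph context.
            "evidence": {"occurrences": [{"location": f["location"], "line": f["line"]}]},
            # Custom properties; these two names are this example's choice, not CycloneDX's.
            "properties": [{"name": "quantumRisk", "value": risk},
                           {"name": "recommendedAction", "value": action}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": components}

def migration_priority(bom):
    """Names of assets graded High: the first migration wave."""
    return [c["name"] for c in bom["components"]
            if {"name": "quantumRisk", "value": "High"} in c["properties"]]

if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(FINDINGS), indent=2))
```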
24 Supported Languages
Our scanner covers all major programming languages used in enterprise environments.
Why You Need a CBOM
A CBOM is the foundation for any successful post-quantum migration strategy.
Reduce Risk
Identify vulnerable cryptographic implementations before they become attack vectors.
Plan Migration
Create accurate timelines and budgets based on actual inventory data.
Meet Compliance
Satisfy regulatory requirements that mandate cryptographic inventory documentation.
Save Time
Automated discovery eliminates months of manual documentation effort.
What You'll Receive
CBOM Report
A comprehensive document detailing every cryptographic asset discovered, including:
- Cryptographic Catalogue
- Protocol configurations
- Quantum vulnerability assessment
- Prioritised migration recommendations
Machine-Readable Output
Structured data exports for integration with your systems:
- JSON/XML formatted CBOM data
- Integration with SBOM tools
- Excel formatted results
- Executive project status/summary report
- Technical workshop findings review
Related Services
Continue your post-quantum journey with our complementary services.
Cryptographic Audit
Go beyond inventory with in-depth security assessment of your cryptographic implementations.
PQC Training
Empower your team with the knowledge to understand and implement post-quantum cryptography.
QRIM Assessment
Measure your quantum readiness and benchmark your progress against industry peers.
Try It Free — No Commitment Required
Upload your source code and get a CBOM in minutes. When you're ready for a full assessment with third-party dependency analysis and expert review, Tier 1 starts at £4,875.