Assessment Service

Cryptographic Audit

Go beyond inventory — understand how your cryptographic implementations are managed.

Our cryptographic audit examines not just what algorithms you use, but how they're implemented and integrated. We focus on dependency management, architecture trade-offs, and quantum risks to help you make informed decisions about your cryptographic landscape.

Typical duration: Tier 1: 2-3 weeks | Tier 2: 3-4 weeks | Fully remote


What We Examine

A comprehensive review of your cryptographic security posture.

Implementation Management

Review of how cryptographic primitives are implemented, assessing integration patterns and side-channel considerations.

Key Management

Assessment of key generation, storage, rotation, and destruction practices against industry best practices.

Protocol Configuration

Analysis of TLS, SSH, IPSec, and other protocol configurations for weak ciphers and implementation concerns.

Random Number Generation

Evaluation of entropy sources and random number generators used in cryptographic operations.

Certificate Chain Validation

Review of PKI implementation, certificate validation logic, and trust anchor management.

Quantum Vulnerability

Classification of each cryptographic component by quantum threat level and migration urgency.

This Audit Satisfies

Our deliverables map directly to regulatory requirements your auditors care about.

NIS2

Executive Summary + Risk Register satisfies NIS2 Article 21 risk management documentation requirements.

DORA

Remediation Roadmap meets DORA ICT risk framework requirements for cryptographic resilience.

NCSC

Quantum Readiness Score supports UK NCSC 2035 migration planning and demonstrates progress.

Our Methodology

A rigorous, systematic approach to cryptographic assessment.

Scope Definition

We work with your team to define the audit scope, including systems, applications, and network segments to be examined.

Automated Scanning

Automated scanning across 24 programming languages, Linux and Windows servers, containers, and protocol configurations. Our tools perform reachability analysis to identify which cryptographic calls are actually executed, not just present in code.

Manual Review

Our experts manually examine critical systems, code, and configurations that require deeper analysis.

Risk Scoring

Each finding is scored using CVSS v3.1 with quantum-specific extensions for HNDL (Harvest Now, Decrypt Later) exposure. Scores reflect both current severity and future quantum vulnerability.

Reporting & Remediation

You receive a detailed report with prioritised recommendations and remediation guidance.

Common Findings

Issues we frequently discover during cryptographic audits.

High Severity

  • Use of deprecated algorithms (MD5, SHA-1, DES)
  • Hardcoded cryptographic keys in source code
  • Weak TLS configurations allowing downgrade attacks
  • Insufficient key lengths for asymmetric encryption
  • Missing certificate validation checks

Medium Severity

  • Non-standard initialization vectors (IVs)
  • Poor key rotation practices
  • Weak random number generators in non-critical paths
  • Certificate expiration monitoring gaps
  • Mixed use of quantum-vulnerable algorithms
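To make the high- and medium-severity categories above concrete, here is a small added example (not the audit firm's tooling, and not code from this page) that scans a constructed Python-like snippet for a few of these finding classes: deprecated algorithms, hardcoded keys, short RSA keys, disabled certificate validation and a non-cryptographic RNG. The sample source, the regex rules, the severity labels and the 2048-bit RSA floor are assumptions chosen for illustration; a real audit tool would use language-aware parsing and the reachability analysis described in the methodology section.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    rule: str
    evidence: str


# Illustrative rules for a handful of the finding classes listed above.
# These regexes are assumptions for the example, not an exhaustive ruleset.
DEPRECATED_ALGO = re.compile(r"\b(md5|sha1|des|rc4)\b", re.IGNORECASE)
HARDCODED_SECRET = re.compile(
    r"""\b\w*(?:key|secret|password)\w*\s*=\s*b?["']([A-Za-z0-9+/=_-]{16,})["']""",
    re.IGNORECASE,
)
RSA_KEY_SIZE = re.compile(r"\bkey_size\s*=\s*(\d+)")
MIN_RSA_BITS = 2048  # assumed minimum for this example
CERT_VALIDATION_OFF = re.compile(
    r"verify\s*=\s*False|check_hostname\s*=\s*False|verify_mode\s*=\s*ssl\.CERT_NONE"
)
WEAK_RNG = re.compile(r"\brandom\.(?:random|randint|choice|getrandbits)\(")


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per rule hit, in source order."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        # Drop trailing '#' comments so words in comments do not trigger rules.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := DEPRECATED_ALGO.search(line):
            findings.append(Finding(line_no, "High", "deprecated-algorithm", m.group(1)))
        if m := HARDCODED_SECRET.search(line):
            # Report only the literal's length; never copy a secret into a report.
            findings.append(Finding(line_no, "High", "hardcoded-key",
                                    f"literal of {len(m.group(1))} chars"))
        if m := RSA_KEY_SIZE.search(line):
            bits = int(m.group(1))
            if bits < MIN_RSA_BITS:
                findings.append(Finding(line_no, "High", "insufficient-key-length",
                                        f"RSA {bits}-bit < {MIN_RSA_BITS}"))
        if m := CERT_VALIDATION_OFF.search(line):
            findings.append(Finding(line_no, "High", "missing-certificate-validation",
                                    m.group(0)))
        if m := WEAK_RNG.search(line):
            findings.append(Finding(line_no, "Medium", "weak-random-number-generator",
                                    m.group(0)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, as a risk register would tally them."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample input; the key literal is a placeholder, not a real secret.
SAMPLE_SOURCE = """\
import hashlib, random, requests
from cryptography.hazmat.primitives.asymmetric import rsa

API_KEY = "0123456789abcdef0123456789abcdef"  # constructed placeholder
digest = hashlib.md5(data).hexdigest()
key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
resp = requests.get(url, verify=False)
ok = hashlib.sha256(data).hexdigest()
nonce = random.randint(0, 2**32)
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no}: [{f.severity}] {f.rule} ({f.evidence})")
    print(summarize(results))
```

Running the block reports four High findings (lines 4 to 7 of the sample) and one Medium finding (line 9); the SHA-256 call on line 8 is left alone. Stripping comments before matching and reporting only the length of a matched literal are deliberate choices: a scanner that echoes secrets into its own report creates a second place they have to be protected.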

Audit Deliverables

Executive Summary

High-level overview of findings, risk ratings, and strategic recommendations for leadership.

Technical Report

Detailed findings with evidence, root cause analysis, and specific remediation steps.

Risk Register

Prioritised list of vulnerabilities with CVSS scores and business impact assessment.

Remediation Roadmap

Phased plan for addressing findings based on risk level and implementation complexity.

Quantum Readiness Score

Assessment of your organisation's preparedness for the post-quantum transition.

Findings Workshop

Interactive session to walk through findings and answer technical questions.

Related Services

Continue your post-quantum journey with our complementary services.

CBOM Generation

Start with a complete inventory of all cryptographic assets across your infrastructure.


PQC Training

Empower your team with the knowledge to understand and implement post-quantum cryptography.


QRIM Assessment

Measure your quantum readiness and benchmark your progress against industry peers.


Assess Your Cryptographic Security

Understand your cryptographic landscape. Get a comprehensive assessment of your cryptographic implementations and dependencies.
