PQC-MAT VECTOR
PQC-MAT · CyFORT project

VECTOR: automated cryptographic inventory and quantum risk scoring

VECTOR discovers and classifies cryptographic assets across source code and live network services. It runs CodeQL-based static analysis and testssl.sh / ZGrab2 network scans, converts all findings to standardized CycloneDX 1.6 CBOMs, and applies a quantum risk catalog aligned with NIST FIPS 203/204/205, BSI TR-02102, and ANSSI to help organizations plan their post-quantum cryptography migration. Built for security practitioners, auditors, and researchers under the CyFORT project and EU IPCEI-CIS initiative.

Source languages for static analysis: Python · C · C++
Network protocols for live scanning: TLS · SSH
Standardized CBOM output format: CycloneDX 1.6
Traceable specs & quantum risk catalog: NIST · BSI · ANSSI

[Figure: VECTOR-Network TLS scan risk report]

Core capabilities

From code and network to quantum risk

VECTOR-Code — CodeQL static analysis

Analyzes Python, C, and C++ source code for cryptographic API usage. Orchestrates cloc, CodeQL (Santander queries), and cryptobom-forge into a single containerized command. Also accepts GitHub repository URLs directly.

CodeQL · Python / C / C++ · cryptobom-forge

VECTOR-Network · TLS — cipher suite inventory

Enumerates all TLS protocol versions, cipher suites, elliptic curves, signature algorithms, and certificate properties. Decomposes cipher suites into individual algorithm components and detects hybrid and standalone post-quantum KEMs.

testssl.sh · TLS 1.3 · Hybrid PQC KEMs

VECTOR-Network · SSH — algorithm enumeration

Performs an SSH handshake via ZGrab2 and records all offered KEX, host key, cipher, and MAC algorithms, together with the negotiated suite, host key fingerprint, and server software banner.

ZGrab2 · SSH key exchange · Host key fingerprint

VECTOR-Score — quantum risk classification

Classifies every CBOM component into one of six quantum risk categories using a data-driven YAML catalog covering NIST FIPS 203/204/205, BSI TR-02102, and ANSSI. Produces an annotated CBOM and a Markdown risk report.

6 risk categories · YAML catalog · Risk report

Web interface — scan submission & monitoring

Browser-based Flask interface for submitting VECTOR-Code and VECTOR-Network scans, monitoring progress with live terminal output streaming, and reviewing results — risk report, CBOM explorer, and raw scanner output — without touching the CLI.

Flask · Real-time streaming · CBOM explorer

Open architecture — composable & extensible

Built on established open-source tools: CodeQL, testssl.sh, ZGrab2, and cryptobom-forge. VECTOR-Network's custom parsers fill the CBOM conversion gap, including full cipher suite decomposition and hybrid PQC KEM detection not available in existing tools.

Open source · CycloneDX · Dev Container

PQC inventory pipeline

From asset discovery to migration baseline

1. Select

Choose VECTOR-Code for source analysis or VECTOR-Network for TLS/SSH scanning. Provide a local path, GitHub URL, or target hostname / IP address.

2. Scan

VECTOR-Code runs cloc and CodeQL with cryptographic queries; VECTOR-Network runs testssl.sh (TLS) or ZGrab2 (SSH) against the live endpoint to enumerate offered configurations.

3. Inventory

Results are parsed and converted to a CycloneDX 1.6 CBOM JSON. Cipher suites are decomposed into individual algorithm components; hybrid KEMs are split into their EC and PQC parts.

4. Score

VECTOR-Score reads the CBOM and classifies each component against the quantum risk catalog: quantum-vulnerable, classically-deprecated, non-hybrid, quantum-safe, hybrid, or unknown.

5. Report

An annotated CBOM and a Markdown risk report are generated, providing a clear PQC migration baseline with file paths, line numbers, risk categories, and algorithm-level detail.
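
The Inventory and Score steps above, sketched as an added example that is not VECTOR's own code: cipher suite names are decomposed into algorithm components, a hybrid KEM group is split into its EC and PQC parts, and each component is looked up in a risk catalog. The category names are the page's; the catalog assignments, function names, and sample scan data are assumptions constructed for illustration.

```python
import re

# Category names are the page's; the algorithm-to-category assignments are
# constructed for this example and are not VECTOR's YAML catalog. The page's
# "non-hybrid" category is left out because the page does not define it.
CATALOG = {
    "ECDHE": "quantum-vulnerable", "DHE": "quantum-vulnerable",
    "RSA": "quantum-vulnerable", "ECDSA": "quantum-vulnerable",
    "X25519": "quantum-vulnerable", "SecP256r1": "quantum-vulnerable",
    "SecP384r1": "quantum-vulnerable",
    "3DES_EDE_CBC": "classically-deprecated", "RC4_128": "classically-deprecated",
    "SHA": "classically-deprecated", "MD5": "classically-deprecated",  # SHA = SHA-1
    "AES_256_GCM": "quantum-safe", "CHACHA20_POLY1305": "quantum-safe",
    "SHA256": "quantum-safe", "SHA384": "quantum-safe",
    "MLKEM768": "quantum-safe", "MLKEM1024": "quantum-safe",
}
HYBRID = re.compile(r"^(X25519|SecP256r1|SecP384r1)(MLKEM\d+)$")

def risk(name):
    return CATALOG.get(name, "unknown")

def decompose_suite(suite):
    """Split an IANA-style cipher suite name into (role, algorithm) pairs."""
    body = suite.removeprefix("TLS_")
    parts = []
    if "_WITH_" in body:  # TLS 1.2 and earlier carry key exchange and auth
        left, body = body.split("_WITH_", 1)
        kex, _, auth = left.partition("_")
        parts += [("key-exchange", kex), ("authentication", auth or kex)]
    cipher, _, digest = body.rpartition("_")  # TLS 1.3 names are cipher + hash only
    return parts + [("cipher", cipher), ("hash", digest)]

def decompose_group(group):
    """Score a named group; a hybrid KEM is split into its EC and PQC parts."""
    m = HYBRID.match(group)
    if m:
        return {"name": group, "risk": "hybrid",
                "parts": [(p, risk(p)) for p in m.groups()]}
    return {"name": group, "risk": risk(group), "parts": []}

def inventory(suites, groups):
    rows = [{"source": s, "role": role, "name": alg, "risk": risk(alg)}
            for s in suites for role, alg in decompose_suite(s)]
    return rows + [{"source": g, "role": "key-exchange-group", **decompose_group(g)}
                   for g in groups]

# Constructed sample of what a TLS scan might report for one endpoint.
SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
GROUPS = ["X25519MLKEM768", "X25519", "ffdhe2048"]

if __name__ == "__main__":
    for row in inventory(SUITES, GROUPS):
        print(f'{row["risk"]:24} {row["role"]:20} {row["name"]:16} <- {row["source"]}')
```

Anything the catalog does not list falls into `unknown` rather than being silently treated as safe, which keeps unrecognized algorithms visible in the migration baseline.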