Assessments that end with evidence, not opinions.
Two fixed-fee engagements from the team that ships hybrid ML-KEM TLS and boundary PHI redaction in production. Know exactly where your cryptography and your AI traffic stand, in two to three weeks, with artifacts your auditor accepts.
Offer 01
Quantum-Readiness Assessment
Know exactly where your cryptography stands. In two weeks, with evidence.
Why now
- EO 14412 (June 22, 2026): agencies name PQC migration leads within 30 days, OMB guidance lands within 90 days, and CISA and NIST publish minimum CBOM elements within 270 days. A proposed FAR rule would require covered federal contractors to meet NIST FIPS, including post-quantum standards, by December 31, 2030.
- PCI DSS 4.0 requirement 12.3.3: a documented, annually reviewed inventory of all cryptographic cipher suites and protocols, mandatory since March 31, 2025.
- FIPS 140-2 certificates move to NIST’s Historical List on September 21, 2026, which affects federal procurement now.
- NIST’s draft transition timeline (IR 8547): RSA, ECDSA and ECDH deprecated after 2030, disallowed after 2035. The EU roadmap expects national transition plans by end of 2026.
What you get
- Full cryptographic inventory (CBOM). Every TLS endpoint, cipher suite, protocol version, certificate, key type and key length, exported as CycloneDX 1.6. Machine-readable, auditor-ready.
- Gap analysis against EO 14412, PCI DSS 12.3.3 and the NIST IR 8547 draft timeline: what is quantum-vulnerable, where, and how much it matters.
- Prioritized migration roadmap, including what your vendors will and will not support, and where hybrid key exchange gives you real coverage today.
- Board-ready one-pager in language your CFO and your auditor both accept.
Core
$9,500
- 2 weeks, fully remote
- CBOM inventory + gap analysis
- Migration roadmap (summary)
- 1-hour executive briefing
Plus
$15,000
- 3 weeks, fully remote
- Everything in Core
- Full roadmap with vendor-dependency map
- Half-day briefing + migration workshop
- One re-scan within 6 months
100% of your assessment fee credits toward a Scrutari design partnership or first-year subscription signed within 60 days. Start free: our automated CBOM scan of your external estate, with a summary report at no cost. Request the free scan.
Offer 02
AI Boundary Audit
Find every place AI touches your PHI. Prove you looked.
Why now
- Roughly 12% of US hospitals have a formal AI governance framework, while 57% of healthcare professionals report unauthorized AI tool use. Shadow AI now appears in about one in five breaches.
- ACA Section 1557 is in force: covered entities must identify and mitigate discrimination risk from AI-based patient care decision support tools (since May 1, 2025).
- The proposed HIPAA Security Rule update brings ePHI in AI training data, models and algorithms into scope. It is not final yet, which makes now the cheap time to close the gap.
- The existing Security Rule already requires an accurate and thorough risk analysis. Ungoverned LLM traffic carrying PHI is exactly what an investigator looks for after an incident. EU exposure? EU AI Act GPAI enforcement begins August 2, 2026.
What you get
- Shadow AI discovery: which AI tools, endpoints and integrations your organization actually uses, sanctioned or not.
- PHI exposure map: where protected health information can reach an external model, with evidence per finding.
- Risk memo mapped to the HIPAA risk-analysis requirement, Section 1557, and your BAA posture with each AI vendor. Written for your compliance file. Advisory, not legal advice; your counsel will like it.
- AI use policy pack: acceptable-use policy, vendor-intake checklist, and enforcement-mode recommendations (audit, redact or block, per data category).
- Remediation architecture: a concrete, vendor-neutral design for governing AI traffic at the boundary. Redaction, per-tenant budgets, audit evidence, provider failover.
Core
$15,000
- 3 weeks, fully remote
- Discovery + PHI exposure map
- Risk memo (HIPAA + 1557 mapping)
- Template-based policy pack
- 1-hour executive readout
Plus
$25,000
- 4 weeks
- Everything in Core
- Tailored policy pack with rollout plan
- 90-day implementation plan
- Half-day readout, on-site option
- Weekly Q&A call for 30 days
100% of your audit fee credits toward a Scrutari design partnership or first-year subscription signed within 60 days.
Why Scrutari
We are not analysts reading NIST PDFs. Scrutari builds and operates a production gateway that terminates hybrid X25519 + ML-KEM-768 TLS today, performs HIPAA-mapped PHI detection on live AI traffic, and exports CycloneDX CBOMs as a product feature. The people doing your assessment are the people who shipped the primitives, in Rust, in production.
Straight answers you will get from us: post-quantum coverage at the network perimeter is achievable today; full end-to-end coverage depends on your upstream vendors, and we will show you exactly which ones and when. No one should sell you “quantum-proof.”
And when an audit finds something (it will), the remediation design is included. If you want it implemented, the assessment fee credits toward the gateway that fixes what we find.
Two weeks from now, you could know.
Book a 20-minute scoping call, or start with the free CBOM scan of your external estate. We respond within one business day.