Post-quantum TLS,
drop-in.
Scrutari PQ Gateway terminates hybrid X25519MLKEM768 on the public side and forwards traffic to whatever you run behind it. No application changes, no rewrites, no second TLS terminator to replace.
Built for the NIST IR 8547 deadline. Live today at app.edge.scrutari.ai.
Three reasons the migration takes a CNAME, not a quarter.
Hybrid PQ by default
Every connection negotiates X25519MLKEM768. Chrome 131+ clients pick it up automatically. No configuration flag, no opt-in. Classical clients still complete via the X25519 half of the hybrid construction.
Your stack stays
Point a CNAME at our edge. We terminate the public TLS connection and forward to whatever your backend speaks: classical TLS, plain HTTP on a trusted network, mTLS to your existing terminator. Your nginx, Envoy, ALB, application code, none of it has to change.
Audit-ready by construction
100% Rust on the data plane. Memory-safe by construction. Every TLS handshake, every routing decision, every config change emits a structured audit row. Tenant-scoped RLS keeps multi-tenant traffic isolated at the database layer.
The same edge governs your AI traffic.
This gateway is also a full LLM governance boundary: one OpenAI-compatible, Anthropic-native API across five providers, with automatic failover, response caching, boundary PHI redaction, per-tenant token budgets, and a signed, Merkle-anchored audit log for every call.
Explore the AI GatewayYour TLS stack is on a five-year clock.
NIST IR 8547 deprecates RSA, ECDH, ECDSA, and Ed25519 for federal use by 2030; full disallow by 2035. SOC 2 controls follow federal procurement on a ~2-year lag. The commercial deadline isn't 2030, it's 2028.
Pilot hybrid PQ on one customer-facing endpoint. Measure handshake latency, CPU, observability.
SOC 2 / ISO 27001 audits start asking about PQC readiness as a positive finding.
Federal contractors stop accepting classical-only TLS from upstream services.
Full operational read: What the 2030 NIST PQC deadline actually means for your TLS stack
Post-quantum, now over HTTP/3.
Every connection inherits QUIC (HTTP/3), terminated with the same hybrid X25519MLKEM768 key exchange as the TCP edge. HTTP/3-capable clients upgrade automatically; everyone else stays on post-quantum TLS 1.3 over TCP. No client changes, and no CDN in the path.
HTTP/3 and the post-quantum handshake are terminated on the gateway itself. The hybrid X25519MLKEM768 key exchange protects the client-to-gateway hop across the public internet, where harvest-now decrypt-later applies.
It runs behind an ordinary cloud layer-4 load balancer. Managed cloud front ends do not terminate HTTP/3, and service-mesh proxies are pinned to crypto stacks that cannot negotiate ML-KEM. Scrutari terminates both directly.
Open your browser developer tools and see h3 with X25519MLKEM768 on a live connection. The same transport surface is attested in your downloadable CycloneDX cryptography bill of materials for assessors.
Three steps to live.
Sign up
Self-serve checkout at app.edge.scrutari.ai. Starter, Growth, and Enterprise tiers. Workspace provisioned within seconds.
Add a domain
Point a CNAME at your assigned edge target. We provision a hybrid PQ TLS certificate automatically via ACME-DNS-01.
Inherit the migration
Every Chrome 131+ client negotiates X25519MLKEM768 on the next visit. Classical clients still complete. The AI Insights brief tracks your hybrid-vs-classical ratio daily.
Technical deep-dive: Building a Post-Quantum TLS Gateway in Rust
Ready to migrate?
Talk to engineering about your stack, or start the self-serve flow. Either path lands you with hybrid X25519MLKEM768 in production within the day.