Shipping in production · Hybrid X25519MLKEM768

Post-quantum TLS, drop-in.

Scrutari PQ Gateway terminates hybrid X25519MLKEM768 on the public side and forwards traffic to whatever you run behind it. No application changes, no rewrites, no second TLS terminator to replace.

Built for the NIST IR 8547 deadline. Live today at app.edge.scrutari.ai.

NIST IR 8547 Deadline: 2030
Default Key Exchange: X25519MLKEM768
Migration Surface: DNS CNAME
Memory-Safe Termination: 100% Rust

What you get

Three reasons the migration takes a CNAME, not a quarter.

Hybrid PQ by default

Every connection negotiates X25519MLKEM768. Chrome 131+ clients pick it up automatically. No configuration flag, no opt-in. Classical clients still complete via the X25519 half of the hybrid construction.

Your stack stays

Point a CNAME at our edge. We terminate the public TLS connection and forward to whatever your backend speaks: classical TLS, plain HTTP on a trusted network, or mTLS to your existing terminator. Your nginx, Envoy, ALB, and application code stay as they are; none of it has to change.

Audit-ready by construction

100% Rust on the data plane. Memory-safe by construction. Every TLS handshake, every routing decision, and every config change emits a structured audit row. Tenant-scoped row-level security (RLS) keeps multi-tenant traffic isolated at the database layer.

The 2030 Clock

Your TLS stack is on a five-year clock.

NIST IR 8547 deprecates RSA, ECDH, ECDSA, and Ed25519 for federal use by 2030, with full disallowance by 2035. SOC 2 controls follow federal procurement on a ~2-year lag. The commercial deadline isn't 2030, it's 2028.

2026

Pilot hybrid PQ on one customer-facing endpoint. Measure handshake latency, CPU, observability.

2028

SOC 2 / ISO 27001 audits start asking about PQC readiness as a positive finding.

2030

Federal contractors stop accepting classical-only TLS from upstream services.

Full operational read: What the 2030 NIST PQC deadline actually means for your TLS stack

How it works

Three steps to live.

01. Sign up

Self-serve checkout at app.edge.scrutari.ai. Starter, Growth, and Enterprise tiers. Workspace provisioned within seconds.

02. Add a domain

Point a CNAME at your assigned edge target. We provision a hybrid PQ TLS certificate automatically via ACME-DNS-01.

03. Inherit the migration

Every Chrome 131+ client negotiates X25519MLKEM768 on the next visit. Classical clients still complete. The AI Insights brief tracks your hybrid-vs-classical ratio daily.

Technical deep-dive: Building a Post-Quantum TLS Gateway in Rust

Ready to migrate?

Talk to engineering about your stack, or start the self-serve flow. Either path lands you with hybrid X25519MLKEM768 in production within the day.