Executive Order 14412 · Signed June 22, 2026Free Check · No Account

Find the cryptography
quantum computers will break.

Upload a CycloneDX manifest. We inventory every cryptographic asset — algorithms, keys, certificates, protocols — grade each against NIST post-quantum guidance, and show you exactly what breaks before the December 31, 2030 federal deadline.

The check is free and uncapped. No account, nothing retained, no card. You never pay to find out what's broken.

You pay when someone else has to believe you. The check is a report — unsigned, and editable by anyone holding it. A signed receipt is the same findings, bound to your manifest, that your auditor can verify against a public key without contacting us.

RS256 + ML-DSA SignedMerkle-CommittedPublished KeysetZero Manifest RetentionIndependently Verifiable
NGR
CBOM Receipt
NextGenRails CBOM Receipt
Valid · Verified
Receipt ID
NGR-CBOM-468173C4446A
Protocol
NGR-TEC-CBM-002 · Advanced Tier
Issued
2026-06-08T15:39:54.534Z
Format
CycloneDX · 14 components
SHA-384
7cec1997da3f467f…ff4ae96
Merkle Root
000a13e914321a96…8f9255
Verification
Published keyset · no account needed
Sources
InternalOSVNVDGHSA
Components
@netlify/blobs@10.7.4Clean
stripe@16.10.0Clean
qs@6.13.03 CVEs
elliptic@6.6.11 CVE
+ 10 moreAnalyzed
Risk
VULNERABLE · 5 issues · high confidence
Signature
RS256 + ML-DSA-65 · dual-signed
Protocol NGR-TEC-CBM-002 · Verifiable against the published keysetIllustrative · Issue a real one after your free check
2030PQC key establishment deadline
2031PQC digital signature deadline
Mar 2027CISA CBOM minimum elements due
$0To check your exposure
ZeroData retained after processing
What makes this different

Your receipt doesn't expire.
It evolves.

Most tools give you a report. A report is a snapshot — it tells you what was true when you ran it. That's it.

A NextGenRails receipt is a living artifact. The cryptographic proof is fixed at issuance. On the Advanced tier, paste that same receipt back here in 30, 60, or 180 days and the system re-checks your components against current CVE intelligence. Same receipt. Current risk.

That's not a report. That's infrastructure.

1
Run the free check
Drop in a CycloneDX manifest. Every algorithm, key, certificate and protocol is graded against NIST post-quantum guidance and mapped to its EO 14412 deadline. Free, uncapped, nothing retained. You now know what breaks.
2
Turn the finding into evidence
The check is unsigned — anyone can edit the PDF. A receipt binds those exact findings to that exact manifest at that exact moment: SHA-384 fingerprinted, Merkle-committed, and dual-signed with RS256 and ML-DSA-65 (FIPS 204). Your auditor verifies it against a public key without contacting us. It supports your compliance process; it is not a certification.
3
Come back in 30 days · Advanced
Paste the same receipt. The system re-queries OSV, NVD and GHSA against your original component list and tells you what changed. New CVEs, new risk — same original proof, re-read against today. (Advanced-tier receipts; the free and Standard tiers issue the receipt without intelligence.)
4
Compare two receipts for drift · Advanced
Run a new receipt after a migration. Compare it against the old one — which quantum-vulnerable assets you actually removed, which you did not, and what appeared. Proof of progress, not a claim of it. Requires Advanced-tier receipts on both sides; Standard receipts do not carry the component detail a comparison needs.
Capabilities

Built for environments where the evidence gets challenged

Dual-Signed at Issuance

Every receipt is SHA-384 fingerprinted, Merkle-committed, and signed twice — RS256 for the tooling you already run, and ML-DSA-65 (FIPS 204) for the decade after RSA stops meaning anything. Your cryptographic findings are fixed at the moment you issue them: immutable, portable, and verifiable by anyone holding the public key.

Live Vulnerability Intelligence

Advanced receipts query OSV, NVD, and GHSA at issuance time. Every component is checked for known CVEs, EPSS exploit probability scored, and license risk flagged. Not a cached scan — live intelligence at the moment of signing.

Time-Aware Re-evaluation

Paste any previously issued Advanced receipt back into the workbench. The system re-runs intelligence against current CVE databases and returns a fresh risk assessment — without issuing a new receipt or changing the original proof. Standard receipts cannot be re-evaluated.

Drift Detection

Compare two signed receipts to see exactly what changed between deploys — which quantum-vulnerable assets you removed, which survived, and what appeared. Signed proof that the migration happened, not a claim that it did. Advanced tier only.

Who needs this

EO 14412

PQC migration leads

Every agency named one within 30 days of the order, and their first job is a cryptographic inventory. You cannot sequence, prioritize, or prove a migration you cannot see. This is the discovery step, and it costs nothing to run.

Federal supply chain

Contractors & vendors

EO 14412 directs the FAR Council to propose a rule extending FIPS compliance — including post-quantum FIPS — to covered contractors by the end of 2030. If you sell to the government, or to someone who does, this reaches you. Find out where you stand now, not in 2029.

Security / Compliance

Security engineers

Most teams can list their open-source libraries. Far fewer can answer where RSA is running right now and what breaks if it has to come out. Drop in a manifest and get the answer, per asset, with a date attached.

The part nobody can do yet

Grading a CBOM against a spec that doesn't exist

Executive Order 14412 gives CISA and NIST 270 days to publish the minimum elements for a CBOM. That guidance is due around March 19, 2027. It is not out. Nobody can check your CBOM against it, and anyone claiming otherwise is selling you something.

But the order already states the functional requirement the elements have to satisfy, in §5(d): a CBOM must enable the automated assessment of a component's cryptographic assets. That is a testable property, and it is testable today.

So that is what we test. Not conformance to an unpublished document — conformance to the requirement the document must implement. Ten versioned rules, run locally, on every check, free:

  • Is this actually a CBOM, or an SBOM with cryptography hiding inside its libraries?
  • Does every algorithm asset declare its primitive? Without it, we cannot tell RSA-for-signatures (2031) from RSA-for-key-transport (2030), and the deadline you get is a guess.
  • Are key sizes, certificate signature algorithms, and protocol versions present and machine-readable?
  • Can a machine — not a person with a spreadsheet — reach a verdict on every asset?

A CBOM that fails these rules cannot be automatically assessed, which means it will not satisfy the elements whatever they turn out to say. You can fix that now, over the eight months before the guidance lands, instead of discovering it afterward.

And the receipt signs itself honestly

Every receipt this service issues is signed twice: once with RS256, and once with ML-DSA-65 (FIPS 204), a NIST post-quantum signature. The classical signature is what your existing tooling verifies today. The post-quantum one is what still means something in 2035.

This matters more than it sounds. A tool that hands you a receipt saying "your RSA is quantum-vulnerable, replace it by 2031" — and signs that receipt with RSA — has not understood its own finding. We were doing exactly that. We stopped.

Both keys are published. Verify either one without asking us for anything.

Verification Access

Pricing

Built for federal contractors, software vendors, and security teams working to Executive Order 14412, the EU Cyber Resilience Act, and CMMC 2.0. No support tickets. No account managers. The check is free; the receipt is the deliverable.

Free — Try It Now
No Card Required
$0 · Free
Run the full cryptographic assessment on any CycloneDX or SPDX manifest — every quantum-vulnerable algorithm, key, certificate, and protocol, with its EO 14412 deadline, plus a CBOM conformance report. The check is complete and uncapped. No account, no card, nothing retained.

You can also issue up to 3 signed receipts per day for free. They are real and independently verifiable — but they carry a trial marking, visible to anyone who verifies them, and we do not offer them as compliance or audit evidence. A paid pack removes the marking and adds vulnerability intelligence.
Try It Free →
One-Time Packs
One-Time
Standard Pack
$49
10 signed receipts · no vulnerability intelligence
  • Signed proof of your cryptographic findings, at a fixed point in time
  • SHA-384 Merkle commitment
  • Dual-signed: RS256 + ML-DSA-65 (FIPS 204)
  • Zero retention processing
  • Independent public-key verification
  • CycloneDX / SPDX JSON input
  • No comparison or re-evaluation — those need Advanced

By purchasing you agree to our Terms of Service and Privacy Policy. All sales final.

Monthly Subscriptions
Subscription
Professional
$299/mo
25 receipts per month · Standard tier
  • Continuous issuance of audit-ready cryptographic evidence
  • Standard tier: no vulnerability intelligence, comparison, or re-evaluation
  • Standard tier receipts
  • Recurring monthly access
  • Access code issued on purchase
  • Zero retention architecture
  • Cancel anytime

By subscribing you agree to our Terms of Service and Privacy Policy. Cancel anytime.

Subscription
Professional Plus
$999/mo
100 receipts per month · Standard & Advanced
  • High-volume issuance with continuous re-evaluation capability
  • Standard and Advanced tier
  • Full vulnerability intelligence
  • Time-aware re-evaluation
  • Access code issued on purchase
  • Cancel anytime

By subscribing you agree to our Terms of Service and Privacy Policy. Cancel anytime.

Enterprise
Enterprise Contract
Enterprise Contract
Custom Pricing
Annual contracts · Volume licensing · Custom DID integration
  • Integrated into compliance workflows and audit pipelines
  • Unlimited receipts — Standard and Advanced
  • Custom DID integration
  • Annual contract · Volume pricing
  • Contact for scope and terms
Send Enterprise Inquiry →

Include your organization,
use case, volume, and deadline.

Free receipts capped at 3 per IP address per day (IP hashed, never stored). Paid packs add vulnerability intelligence and higher volume.  |  Questions: ngr.admin@proton.me

Step two · Free to try

You found what breaks. Now prove you found it.

The free check tells you what breaks. It cannot prove to anyone else that you ran it. A signed receipt can — dual-signed with RS256 and ML-DSA-65, verifiable by your auditor against a public key, without contacting us. No account. No card. Leave the access code blank to try it free.

Open the Workbench →
Free: 3 receipts per IP per day · IP hashed, never stored