Upload a CycloneDX manifest. We inventory every cryptographic asset — algorithms, keys, certificates, protocols — grade each against NIST post-quantum guidance, and show you exactly what breaks before the December 31, 2030 federal deadline.
The check is free and uncapped. No account, nothing retained, no card. You never pay to find out what's broken.
You pay when someone else has to believe you. The check is a report — unsigned, and editable by anyone holding it. A signed receipt is the same findings, bound to your manifest, that your auditor can verify against a public key without contacting us.
Most tools give you a report. A report is a snapshot — it tells you what was true when you ran it. That's it.
A NextGenRails receipt is a living artifact. The cryptographic proof is fixed at issuance. On the Advanced tier, paste that same receipt back here in 30, 60, or 180 days and the system re-checks your components against current CVE intelligence. Same receipt. Current risk.
That's not a report. That's infrastructure.
Every receipt is SHA-384 fingerprinted, Merkle-committed, and signed twice — RS256 for the tooling you already run, and ML-DSA-65 (FIPS 204) for the decade after RSA stops meaning anything. Your cryptographic findings are fixed at the moment you issue them: immutable, portable, and verifiable by anyone holding the public key.
Advanced receipts query OSV, NVD, and GHSA at issuance time. Every component is checked for known CVEs, EPSS exploit probability scored, and license risk flagged. Not a cached scan — live intelligence at the moment of signing.
Paste any previously issued Advanced receipt back into the workbench. The system re-runs intelligence against current CVE databases and returns a fresh risk assessment — without issuing a new receipt or changing the original proof. Standard receipts cannot be re-evaluated.
Compare two signed receipts to see exactly what changed between deploys — which quantum-vulnerable assets you removed, which survived, and what appeared. Signed proof that the migration happened, not a claim that it did. Advanced tier only.
Every agency named one within 30 days of the order, and their first job is a cryptographic inventory. You cannot sequence, prioritize, or prove a migration you cannot see. This is the discovery step, and it costs nothing to run.
EO 14412 directs the FAR Council to propose a rule extending FIPS compliance — including post-quantum FIPS — to covered contractors by the end of 2030. If you sell to the government, or to someone who does, this reaches you. Find out where you stand now, not in 2029.
Most teams can list their open-source libraries. Far fewer can answer where RSA is running right now and what breaks if it has to come out. Drop in a manifest and get the answer, per asset, with a date attached.
Executive Order 14412 gives CISA and NIST 270 days to publish the minimum elements for a CBOM. That guidance is due around March 19, 2027. It is not out. Nobody can check your CBOM against it, and anyone claiming otherwise is selling you something.
But the order already states the functional requirement the elements have to satisfy, in §5(d): a CBOM must enable the automated assessment of a component's cryptographic assets. That is a testable property, and it is testable today.
So that is what we test. Not conformance to an unpublished document — conformance to the requirement the document must implement. Ten versioned rules, run locally, on every check, free:
primitive? Without it, we cannot tell RSA-for-signatures (2031) from RSA-for-key-transport (2030), and the deadline you get is a guess.A CBOM that fails these rules cannot be automatically assessed, which means it will not satisfy the elements whatever they turn out to say. You can fix that now, over the eight months before the guidance lands, instead of discovering it afterward.
Every receipt this service issues is signed twice: once with RS256, and once with ML-DSA-65 (FIPS 204), a NIST post-quantum signature. The classical signature is what your existing tooling verifies today. The post-quantum one is what still means something in 2035.
This matters more than it sounds. A tool that hands you a receipt saying "your RSA is quantum-vulnerable, replace it by 2031" — and signs that receipt with RSA — has not understood its own finding. We were doing exactly that. We stopped.
Both keys are published. Verify either one without asking us for anything.
Built for federal contractors, software vendors, and security teams working to Executive Order 14412, the EU Cyber Resilience Act, and CMMC 2.0. No support tickets. No account managers. The check is free; the receipt is the deliverable.
By purchasing you agree to our Terms of Service and Privacy Policy. All sales final.
By purchasing you agree to our Terms of Service and Privacy Policy. All sales final.
By subscribing you agree to our Terms of Service and Privacy Policy. Cancel anytime.
By subscribing you agree to our Terms of Service and Privacy Policy. Cancel anytime.
Include your organization,
use case, volume, and deadline.
Free receipts capped at 3 per IP address per day (IP hashed, never stored). Paid packs add vulnerability intelligence and higher volume. | Questions: ngr.admin@proton.me
The free check tells you what breaks. It cannot prove to anyone else that you ran it. A signed receipt can — dual-signed with RS256 and ML-DSA-65, verifiable by your auditor against a public key, without contacting us. No account. No card. Leave the access code blank to try it free.