Darrius

shipped · PQC Readiness · 8M+ TLS network records

PQ-SAT

PQC readiness and cryptographic visibility at scale.

  • 8M+ TLS records analyzed
  • 50% audit cycle reduction
  • 348 cipher suites mapped
  • 1M+ daily network records

PQC migration planning requires a clear inventory of existing encrypted connections and the cryptographic risks that may need remediation or upgrade.

A TLS analytics platform that maps connection-level cryptographic usage, summarizes security posture, and generates readiness reports with risk statistics and CBOM outputs.

PQ-SAT cryptographic asset overview dashboard.
  • Python
  • Polars
  • DuckDB
  • PostgreSQL
  • Zeek
  • Docker
  • Next.js
  • Post-Quantum Cryptography
  • TLS Security Analytics
  • Cryptographic Risk Assessment
  • PQC Migration Readiness
  • CBOM Reporting

Overview

PQ-SAT is a TLS analytics and cryptographic readiness platform designed to help organizations understand the security posture of encrypted connections and prepare for post-quantum migration.

The platform analyzes large-scale TLS telemetry from enterprise environments, maps connection-level cryptographic usage, evaluates security levels, and produces readiness reports for audit, compliance, and migration planning.

By transforming raw network observations into structured cryptographic intelligence, PQ-SAT helps security teams identify weak, outdated, or migration-relevant cryptographic usage across real network traffic.


Discovery Gap

Modern organizations often have limited visibility into the cryptographic technologies deployed across their infrastructure.

As post-quantum cryptography transitions from research to industry adoption, organizations must first answer a fundamental question:

Which encrypted connections are already using acceptable cryptography, and which ones need remediation or upgrade before PQC migration?

Traditional discovery and audit processes are typically manual, time-consuming, and difficult to scale across millions of network records.

Without accurate inventory data, compliance assessment and PQC migration planning become significantly more challenging.


System Approach

PQ-SAT automates the end-to-end process of cryptographic asset discovery and assessment.

The platform ingests TLS telemetry collected from network sensors, extracts cryptographic metadata, normalizes cipher suite information, and generates compliance-oriented assessments and reporting artifacts.

This enables security teams to continuously monitor cryptographic exposure while building the foundation for future post-quantum migration efforts.


Architecture

The system follows a telemetry-driven processing pipeline:

PQ-SAT processing architecture.

Core responsibilities of the platform include:

  • TLS telemetry ingestion
  • Cryptographic metadata extraction
  • Data enrichment with cipher suite-to-cryptography mappings
  • Security-level and risk assessment
  • PQC readiness reporting
  • CBOM generation

My Contributions

I owned the backend and data engineering work for PQ-SAT, from TLS telemetry ingestion through cryptographic enrichment, assessment logic, and automated reporting.

My work included:

  • Building the large-scale TLS ingestion and processing pipeline
  • Enriching connection records with cipher suite and cryptographic component mappings
  • Researching and mapping 348 TLS cipher suites across key exchange, signature, encryption, and hash components
  • Designing backend data models for cryptographic posture, risk assessment, and report generation
  • Implementing compliance and PQC readiness assessment workflows
  • Generating readiness reports and CBOM outputs from analyzed network telemetry
  • Designing selected Figma pages for analyst-facing dashboard workflows

Technical Challenges

Processing Large-Scale TLS Data

Enterprise network environments generate substantial amounts of TLS telemetry.

To support practical assessment workflows, the platform needed to process millions of records efficiently while maintaining reasonable execution times.

DuckDB and Polars were used extensively to optimize large-scale aggregation and transformation workloads.


Cryptographic Normalization

TLS cipher suites encode multiple cryptographic components within a single identifier.

To support inventory generation and compliance assessment, cipher suites were decomposed into individual cryptographic primitives including:

  • Key exchange algorithms
  • Digital signature algorithms
  • Symmetric encryption algorithms
  • Hash functions

This normalization process enabled consistent analysis across TLS versions and deployment environments.
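As an added illustration of the normalization and assessment steps described above and in the Architecture pipeline (example code written for this page, not PQ-SAT's own implementation), the snippet splits IANA cipher-suite names into key exchange, signature, encryption and hash components, then buckets constructed Zeek-style ssl.log records into readiness categories. The record layout, category names and assessment rules are assumptions chosen for the example.

```python
from collections import Counter

# Constructed records in the style of Zeek ssl.log (version, cipher, server_name);
# sample data, not PQ-SAT telemetry, chosen to exercise each assessment branch.
SAMPLE_RECORDS = [
    ("TLSv13", "TLS_AES_256_GCM_SHA384", "api.example.test"),
    ("TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "web.example.test"),
    ("TLSv12", "TLS_RSA_WITH_AES_256_CBC_SHA", "legacy.example.test"),
    ("TLSv10", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "old.example.test"),
]

def decompose(suite):
    """Split an IANA cipher-suite name into kex, signature, encryption and hash."""
    name = suite[4:] if suite.startswith("TLS_") else suite
    if "_WITH_" in name:  # TLS <= 1.2: TLS_<KEX>[_<SIG>]_WITH_<ENC>_<HASH>
        auth, rest = name.split("_WITH_", 1)
        parts = auth.split("_")
        kex, sig = parts[0], parts[-1]  # TLS_RSA_WITH_* uses RSA for both roles
    else:  # TLS 1.3: only AEAD + hash are in the name; kex/sig come from extensions
        kex = sig = "negotiated"
        rest = name
    tokens = rest.split("_")
    return {"kex": kex, "sig": sig, "enc": "_".join(tokens[:-1]), "hash": tokens[-1]}

def assess(version, suite):
    """Return (status, findings); status is the readiness-report bucket (assumed names)."""
    c = decompose(suite)
    findings = []
    if version in ("SSLv3", "TLSv10", "TLSv11"):
        findings.append("legacy protocol version")
    if c["kex"] == "RSA":
        findings.append("RSA key transport, no forward secrecy")
    if "3DES" in c["enc"] or "RC4" in c["enc"] or "NULL" in c["enc"]:
        findings.append("weak cipher " + c["enc"])
    if c["hash"] in ("SHA", "MD5"):
        findings.append("legacy MAC " + c["hash"])
    if findings:
        return "remediate", findings
    if c["kex"] == "negotiated":
        # TLS 1.3 hides the key-exchange group; PQ readiness needs the key_share data
        return "review", ["key exchange not visible in suite name"]
    # ECDHE/DHE are sound today but quantum-vulnerable: need hybrid/PQ key exchange
    return "upgrade", [c["kex"] + " key exchange is not quantum-safe"]

def summarize(records):
    """Aggregate per-connection assessments into readiness counts for reporting."""
    return Counter(assess(v, s)[0] for v, s, _ in records)

if __name__ == "__main__":
    for version, suite, host in SAMPLE_RECORDS:
        print(host, version, *assess(version, suite))
    print(dict(summarize(SAMPLE_RECORDS)))
```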


Compliance-Oriented Assessment

Raw TLS observations alone provide limited value for decision makers.

The platform translates network-level observations into actionable assessment outputs that support:

  • Cryptographic inventory generation
  • Risk identification
  • Compliance reporting
  • PQC readiness evaluation
  • Migration planning

Results

The final platform successfully demonstrated:

  • Analysis of more than 8 million TLS network records
  • Automated summaries of cryptographic inventories
  • Support for 348 cipher suites
  • Endpoint-level CBOM generation
  • Automated compliance reporting workflows
  • Approximately 50% reduction in audit effort

Key Learnings

Building cybersecurity tooling often becomes a data engineering challenge.

The most difficult aspect was not collecting TLS telemetry, but transforming fragmented cryptographic observations into a reliable and actionable inventory that could support compliance assessment and future migration planning.

This project reinforced the importance of data modeling, normalization, and scalable processing when building security analytics systems.


Future Directions

Potential future improvements include:

  • Expanded post-quantum algorithm support
  • Automated migration recommendation engines
  • Continuous cryptographic monitoring
  • Integration with SBOM and asset management systems
  • Enhanced visualization and reporting capabilities
