Your RSA-2048 keys break in 2030. Find every one of them before attackers do.

Know every cryptographic asset in your software

O3 CBOM scans your entire infrastructure and automatically generates a continuous, audit-ready inventory of every cryptographic asset. Stay compliant with CERT-In, RBI, and SEBI mandates at all times.

cryptographic_inventory.json
$ npx o3-crypto scan --json
// Audit summary of cryptographic assets
{
  "totalAssets": 672,
  "algorithms": {
    "secure": ["AES-256", "ML-KEM"],
    "deprecated": ["SHA-1", "MD5"]
  },
  "keys": {
    "rsa_2048": 12,
    "ecc_p256": 48
  }
}
CRYPTO RADAR
PQC READY
94%
Overall Security Score · Post-Quantum Aligned · FIPS 203/204 Compliant
Algorithms: Secure (ML-KEM · AES-256 · ML-DSA)
Risk Assets: 2 Legacy (SHA-1 · MD5, flagged for migration)
Key Protection: HSM (612 keys stored in secure KMS)
Discovery Engine

Complete infrastructure coverage

O3 CBOM automatically discovers and inventories every algorithm, key, certificate, protocol, and secret across your entire infrastructure.

SCANNED

  • Source Code: 4,128 algorithms
  • Container Images: 11,402 images
  • Live Databases: 14 databases
  • Cloud Infrastructure: 84 resources
  • Hardware Security Modules: 612 keys
  • Web Servers & Network: 8,917 endpoints
  • TLS Certificates: 1,204 certs
  • Software Libraries: 2,491 libraries

Quantum Readiness

Know your quantum risk before it becomes a breach

Identify vulnerable legacy algorithms and map immediate migration paths to post-quantum standards across all infrastructure assets.

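| #  | Asset                               | Risk Level | PQC Status | Vulnerable | Migration Path |
|----|-------------------------------------|------------|------------|------------|----------------|
| 01 | RSA-2048 (auth-svc / jwt)           | Critical   | Deprecated | YES        | ML-DSA-65      |
| 02 | ECDSA-P256 (tls / edge)             | High       | Deprecated | YES        | ML-DSA-65      |
| 03 | 3DES (legacy-db / storage)          | Critical   | Deprecated | YES        | AES-256-GCM    |
| 04 | SHA-1 (web / legacy-signature)      | High       | Deprecated | YES        | ML-DSA-87      |
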
Cryptographic Reference

All CERT-In Parameters. Out of the Box.

Every data point mandated by CERT-In for CBOM - across algorithms, keys, certificates, and protocols - is automatically captured and included in every inventory O3 generates.

Secure your Algorithms

Parameters O3 supports:

  • Name: The name of the cryptographic algorithm or asset, such as "AES-128-GCM".
  • Asset Type: Specifies the type of cryptographic asset. For algorithms, the asset type is "algorithm".
  • Primitive: Describes the cryptographic primitive, such as "signature" or "hash".
  • Mode: The operational mode used by the algorithm, such as "gcm" or "cbc".
  • Crypto Functions: The cryptographic functions supported by the asset, such as encryption and decryption.
  • Classical security level: The strength of the asset in terms of its resistance to classical attacks (e.g. 128 bits).
  • OID: Globally unique Object Identifier (OID) used to distinguish algorithms across systems.
  • List: Lists all cryptographic algorithms employed by a device or system for security audits.

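
The parameters listed above correspond to the algorithm fields of a CycloneDX 1.6 "cryptographic-asset" component. The following is an added example, not O3's code or scan output: it checks each algorithm entry in a CBOM for those parameters. The field mapping, the rule that Mode is only expected for "block-cipher" and "ae" primitives, and the sample inventory are assumptions constructed for illustration.

```python
import json

# Page parameter -> path in a CycloneDX 1.6 "cryptographic-asset" component.
ALG = ("cryptoProperties", "algorithmProperties")
PARAM_PATHS = {
    "Name": ("name",),
    "Asset Type": ("cryptoProperties", "assetType"),
    "Primitive": ALG + ("primitive",),
    "Mode": ALG + ("mode",),
    "Crypto Functions": ALG + ("cryptoFunctions",),
    "Classical security level": ALG + ("classicalSecurityLevel",),
    "OID": ("cryptoProperties", "oid"),
}
MODE_PRIMITIVES = {"block-cipher", "ae"}  # assumption: only these need a mode

def lookup(component, path):  # returns None if any key on the path is absent
    node = component
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def missing_parameters(component):
    """Names of the page's parameters that this algorithm entry lacks."""
    primitive = lookup(component, PARAM_PATHS["Primitive"])
    # Hashes, signatures etc. have no mode, so "Mode" is checked only where it applies.
    return [param for param, path in PARAM_PATHS.items()
            if (param != "Mode" or primitive in MODE_PRIMITIVES)
            and lookup(component, path) in (None, "", [])]

def audit(bom):
    """The "List" view: algorithm name -> parameters still missing."""
    return {c.get("name", "<unnamed>"): missing_parameters(c)
            for c in bom.get("components", [])
            if lookup(c, PARAM_PATHS["Asset Type"]) == "algorithm"}

# Constructed sample inventory (not output from any real scan).
SAMPLE_BOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
 {"type": "cryptographic-asset", "name": "AES-128-GCM", "cryptoProperties": {"assetType": "algorithm",
  "oid": "2.16.840.1.101.3.4.1.6", "algorithmProperties": {"primitive": "ae", "mode": "gcm",
  "cryptoFunctions": ["encrypt", "decrypt"], "classicalSecurityLevel": 128}}},
 {"type": "cryptographic-asset", "name": "SHA-1", "cryptoProperties": {"assetType": "algorithm",
  "oid": "1.3.14.3.2.26", "algorithmProperties": {"primitive": "hash", "cryptoFunctions": ["digest"]}}},
 {"type": "cryptographic-asset", "name": "3DES", "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
  {"primitive": "block-cipher", "cryptoFunctions": ["encrypt", "decrypt"], "classicalSecurityLevel": 112}}},
 {"type": "cryptographic-asset", "name": "edge-tls-cert", "cryptoProperties": {"assetType": "certificate"}}]}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BOM), indent=2))
```

An entry with gaps (here the 3DES record without a mode or OID) is one an auditor cannot match unambiguously across systems, so it is worth failing a pipeline on a non-empty result.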
Compliance & Audit

Built for Compliance From the Ground Up

Every operational requirement defined by CERT-In — not just the data fields, but how the CBOM is generated, shared, stored, and audited.

CI / CD

Runs in every pipeline.

Automatic on every push — no manual triggers, no gaps between deployments.

Push → Build → Scan → Ship
Access Control

Role-based views.

Separate views for security teams, compliance officers, and auditors.

Security (scoped) · Compliance (scoped) · Auditor (scoped)
Standards

SPDX & CycloneDX.

Industry-standard formats accepted by regulators and supply-chain partners.

SPDX
CycloneDX
Export

JSON & CSV.

Audit-ready exports — ready for your auditor or regulator.

cbom.json
{
  "algorithm": "SHA-1",
  "status": "deprecated"
}
Sharing

Public & private BOMs.

Share with regulators without exposing internal details. Granular disclosure.

PUBLIC
PRIVATE
Ingestion

Source & binary.

Catches assets that only appear after the build process.

SOURCE: .go .py .ts .java
BINARY: .jar .bin .dll
Versioning

Every CBOM, versioned.

Full history of how your cryptographic posture has changed over time — immutable and auditable.

v2.1 (Active): now
v2.0: Jul 09
v1.2: Apr 28
Data Residency

Stored inside India.

Three sovereign data centres meet localisation requirements for BFSI entities.

Mumbai (ap-south-1)
Chennai (ap-south-2)
Deployment

Multiple deployment options.

Deploy as SaaS or on-premise depending on your organization's data policies and infrastructure requirements. Full support for air-gapped secure local environments.

SaaS Cloud: Fully Managed
On-Prem: Self-Hosted
Hybrid: SaaS + On-Prem
CLI Integration

Running in minutes, not days

O3 CBOMkit ships as a single binary with no agents, no instrumentation, and no code changes required. Drop it into any pipeline and your first CBOM is ready immediately.

Scan a codebase
scan.sh
# Scans all source files and configs, produces a CBOM and migration report in one pass
$ o3cbomkit scan ./myapp --output cbom.json --report report.pdf

Scan a container image
image.sh
# Pulls from any registry, analyses every layer without running the container
$ o3cbomkit image nginx:latest --output cbom.json

Inventory hardware key stores
hsm.sh
# Connects read-only to your HSM and lists every key with its quantum risk rating
$ o3cbomkit hsm --pin "$HSM_PIN" --output hsm-inventory.json

Run in CI/CD
pipeline.sh
# Privacy mode keeps your codebase off our servers while still producing a full assessment
$ o3cbomkit scan . --privacy-mode --output cbom.json

Send results to O3 platform
upload.sh
# Results appear in your O3 dashboard with risk timeline, migration priorities, and compliance status tracked over time.
$ o3cbomkit scan . --api-key "$O3_KEY" --project "$PROJECT_ID"

Ready to Get Compliant?

Book a demo with our team and see O3 Security CBOM give you a clear picture of your compliance gaps, quantum exposure, and what it takes to get audit-ready.

FAQ

Questions, answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • A CBOM is an inventory of every cryptographic algorithm, key size, library, and protocol used across your codebase, dependencies, containers, and cloud infrastructure. It lets security teams identify quantum-vulnerable algorithms like RSA-2048 and plan migration to NIST-approved post-quantum cryptography (PQC) standards before quantum computers break current encryption.
  • NIST and leading cryptographers estimate cryptographically-relevant quantum computers capable of breaking RSA-2048 could arrive between 2030 and 2035. Organizations need to complete crypto migrations before that window. CBOM discovery is the mandatory first step to understand scope and prioritize migration.
  • O3 CBOMkit uses a 4-layer discovery engine: static AST analysis of source code, dependency graph traversal (100+ crypto libraries), container and infrastructure scanning, and HSM/PKCS#11 hardware key store enumeration. It identifies 100+ algorithms and produces a prioritized migration roadmap with break-year estimates.
  • The EU Cyber Resilience Act (CRA), NIST SP 800-208, US Executive Order 14028, NSA CNSA 2.0, and emerging DoD quantum-readiness mandates all require or strongly recommend cryptographic inventory as a prerequisite for post-quantum compliance.
  • An SBOM (Software Bill of Materials) lists software components and their known CVEs. A CBOM specifically inventories cryptographic algorithms, key sizes, and protocols, including ones with no CVE but that are quantum-vulnerable. Both are complementary: SBOM for dependency risk, CBOM for cryptographic risk.