KavachQ · The Platform

Quantum-safe migration, simplified for India

KavachQ is a platform for the quantum-safe migration journey — cryptographic discovery, quantum risk scoring, migration planning, and reporting aligned to the DST L1–L4 assurance framework.

SEE IT ON YOUR OWN DOMAIN

Scan any public domain free, in seconds — no login, nothing stored. A live TLS read returns a PQC-readiness score (0–100), a risk tier (Critical / High / Medium / Low), the certificate key type and size, and any quantum-vulnerable algorithms (RSA, ECDSA, DSA) or weak TLS (1.0/1.1) it negotiates.

Run the free scan
FRAMEWORKS WE MAP TO

NQM Task Force · May 2026
NIST FIPS 203/204/205/206
TEC / STQC / BIS
CERT-In · NCCS

The Lifecycle

Five stages, one platform

KavachQ implements the full quantum-safe lifecycle defined in the DST Task Force report — discover, score, plan, migrate, prove.

01

Crypto discovery (BOMs)

Automated SBOM and CBOM generation across applications and infrastructure. Inventory intake from certificate stores and CBOM uploads (CycloneDX 1.6).

Outputs CBOM in CycloneDX 1.6
02

Quantum risk analysis

HNDL exposure flagging and Mosca-inequality prioritisation against the DST Persona framework (Urgent / Regular / Vendor). Findings are cited against verbatim clauses from the mandates for Indian CII and BFSI — DST/NQM, RBI, SEBI CSCRF, CERT-In — with a grounded “Ask the Regulation” view that answers only from that corpus.

Mosca X+Y vs Z · cited to DST · RBI · SEBI
03

Migration plan

Phased roadmap aligned to the DST milestones (CII 2027/28/29 · Enterprise 2028/30/33), broken down by system, owner, dependency, and supplier. A crypto dependency graph computes blast radius — which downstream systems break when an algorithm falls — so sequencing follows real impact.

Auto-aligned to DST milestones
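
The two ideas named in stages 02 and 03, Mosca X+Y vs Z and dependency blast radius, combined in a short sketch. This is an added example, not KavachQ code or its scoring model: the inventory, the field names and Z = 10 years are constructed assumptions, and X is taken as the years data must stay confidential, Y as the years needed to migrate.

```python
from collections import deque

# Constructed inventory (not real data): algorithms used directly, upstream
# dependencies, X = years data must stay confidential, Y = years to migrate.
SYSTEMS = {
    "root-ca":      {"algs": {"RSA-2048"},   "deps": [],              "x": 10, "y": 3},
    "issuing-ca":   {"algs": {"RSA-2048"},   "deps": ["root-ca"],     "x": 5,  "y": 2},
    "api-gateway":  {"algs": {"ECDSA-P256"}, "deps": ["issuing-ca"],  "x": 1,  "y": 1},
    "core-banking": {"algs": {"AES-256"},    "deps": ["api-gateway"], "x": 7,  "y": 4},
    "hsm-backup":   {"algs": {"RSA-2048"},   "deps": [],              "x": 2,  "y": 1},
}

def blast_radius(alg, systems=SYSTEMS):
    """Systems that use `alg` directly plus everything downstream of them."""
    dependents = {name: [] for name in systems}
    for name, info in systems.items():
        for upstream in info["deps"]:
            dependents[upstream].append(name)
    hit = {n for n, info in systems.items() if alg in info["algs"]}
    queue = deque(hit)
    while queue:  # breadth-first walk along the reversed dependency edges
        for child in dependents[queue.popleft()]:
            if child not in hit:
                hit.add(child)
                queue.append(child)
    return hit

def mosca_margin(name, z, systems=SYSTEMS):
    """X + Y - Z; a positive value means the system is already exposed."""
    return systems[name]["x"] + systems[name]["y"] - z

def prioritise(algs, z, systems=SYSTEMS):
    """Rank algorithms by worst Mosca margin in their radius, then radius size."""
    rows = []
    for alg in algs:
        radius = blast_radius(alg, systems)
        if not radius:  # algorithm not present in the inventory
            continue
        worst = max(mosca_margin(n, z, systems) for n in radius)
        rows.append((alg, len(radius), worst))
    return sorted(rows, key=lambda r: (-r[2], -r[1]))

if __name__ == "__main__":
    # Z = 10 years to a cryptographically relevant quantum computer (assumption).
    for alg, size, worst in prioritise(["ECDSA-P256", "RSA-2048"], z=10):
        print(f"{alg}: blast radius {size}, worst X+Y-Z = {worst:+d}")
```
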
04

Hybrid PQC roll-out

Phased migration workspace to plan and track the hybrid (classical + PQC) roll-out across TLS, PKI, and code-signing chains. Recommended replacements are named where relevant — ML-KEM-768 (FIPS 203) for key establishment, ML-DSA-65 (FIPS 204) for signatures.

ML-KEM · ML-DSA · SLH-DSA · FN-DSA
05

Assurance & reporting

Reporting aligned to the DST L1–L4 assurance framework, with board-ready dashboards and regulator-facing exports. Every CBOM and report is digitally signed (ML-DSA-65, FIPS 204) and independently verifiable — tamper-evident attestation a regulator can check.

L1 (3y) → L4 (10y) certificate validity
Architecture

How KavachQ fits in

Deployed inside your environment as a customer-installed appliance. Air-gap-compatible.

Hybrid (classical + PQC) is the default approach. Algorithm coverage expands as NIST standards finalise.

Capability Map

What KavachQ covers, line by line

Mapped one-to-one against the DST Task Force recommendations and Sub-Group I/II frameworks.

| Capability | DST reference | KavachQ module | Output |
|---|---|---|---|
| Cryptographic asset repository | Section 9.0 A — Short-term | Discovery + BOM Engine | SBOM / CBOM |
| Quantum risk analysis | Sub-Group II — Phase 1 | Risk Scoring | Mosca-graded asset list + dependency blast-radius |
| Crypto-agile design | Section 9.0 — Critical Principles | Design principle | Algorithm-agnostic data model |
| L1–L4 assurance framework | Sub-Group I — Assurance Levels | Reporting | DST-aligned report, ML-DSA-65 signed |
| Sectoral persona prioritisation | Sub-Group II — Personas | Persona Profile | Urgent / Regular / Vendor tagging |

Who it's for

Three personas, one platform

Urgent

Urgent Adopters (CII)

Power, telecom, transport, defence, ISRO, DRDO, ONGC, banking core. Compressed CII timeline: foundations 2027, high-priority migration 2028, full PQC 2029.

L4 assurance · air-gap modes
Regular

Regular Enterprise

Government, financial services, healthcare, insurance, IT services. Standard timeline: foundations 2028, high-priority 2030, full PQC 2033.

L2 / L3 assurance · hybrid by default
Vendor

Technology Vendors

HSM and KMS makers, cloud providers, PKI operators, network equipment vendors. The DST advisory roadmap recommends vendor CBOM disclosure from FY 2027–28.

CycloneDX
Algorithm Support

Aligned to the NIST PQC standards

KavachQ is designed around the NIST-standardised PQC algorithms and the latest selections. Algorithm coverage expands as standards finalise.

FIPS 203

ML-KEM

Module-Lattice KEM (formerly Kyber). Sizes 512 / 768 / 1024.

FIPS 204

ML-DSA

Module-Lattice Signatures (formerly Dilithium). Sizes 44 / 65 / 87.

FIPS 205

SLH-DSA

Stateless Hash-based Signatures (formerly SPHINCS+). Conservative.

FIPS 206 (Draft)

FN-DSA

FFT NTRU Signatures (formerly Falcon). Smallest lattice signatures.

5th Selection

HQC

Code-based KEM, selected March 2025 for algorithmic diversity.

Hybrid

X25519 + ML-KEM

Default hybrid key exchange during the transition window.

Hybrid

ECDSA + ML-DSA

Hybrid signatures for code and certificate chains.

Symmetric

AES-256 · SHA-384/512

Doubled symmetric strength, hardened against Grover.

Get Started

Start with a discovery scan

A 30-minute call to scope a KavachQ Discovery engagement — the first deliverable in any DST-aligned migration plan.

KavachQ is available for evaluation as a customer-installed, air-gap-compatible appliance — request evaluation access.

Scope a pilot engagement — a Discover → Score → Plan pilot in your environment.