TYCHON Quantum Readiness - Comprehensive Cryptographic Security Scanner

What is TYCHON Quantum Readiness?

TYCHON Quantum Readiness is a cross-platform executable that you download and run on your endpoints to scan for cryptographic assets. The binary supports multiple scan modes (network, filesystem, memory, VPN/IPSec detection), outputs results in various formats (JSON, CBOM, HTML, NDJSON), and can send findings directly to integration platforms like Splunk, Elasticsearch, AWS S3, Cloudflare R2, Kafka, or save locally for custom processing.

Show More Details

The Post-Quantum Cryptography Crisis

Quantum computers will break current encryption within the next 10-15 years. When this happens, every RSA key, ECDSA signature, and Diffie-Hellman key exchange protecting your organization today will become instantly vulnerable. This isn't a theoretical future problem—it's an imminent business risk requiring immediate action.

The "Harvest Now, Decrypt Later" Attack

Nation-state adversaries and sophisticated threat actors are already collecting encrypted data today, storing it until quantum computers become available to decrypt it. Your sensitive communications, financial data, and intellectual property from today could be compromised years from now without proper post-quantum preparation. The data you're protecting right now has a shelf life that extends well beyond the quantum timeline.

Immediate Business Risks

• Financial Systems: Banking, payment processing, and financial communications vulnerable
• Healthcare Records: Patient data and medical systems at risk of future exposure
• Intellectual Property: Trade secrets, R&D data, and competitive advantages compromised
• Government Contracts: NIST compliance requirements and security clearance implications
• Supply Chain: Partner communications and vendor integrations vulnerable
• Customer Trust: Brand damage from future data breaches of today's encrypted data

Hidden Cryptographic Debt

• Legacy Applications: Hardcoded crypto in custom software
• Embedded Systems: IoT devices with unfixable crypto implementations
• Third-Party Software: Vendor applications with unknown crypto dependencies
• Cloud Services: Multi-tenant platforms with shared crypto infrastructure
• Mobile Applications: Certificate pinning and embedded keys in mobile apps
• Database Encryption: TDE, column-level, and application-layer crypto

Compliance & Regulatory Timeline

Federal agencies and critical infrastructure must transition to post-quantum cryptography by 2035 per NIST guidelines. Many industries will face earlier requirements:

• 2025-2027: Federal systems (NSM-10)

• 2028-2030: Financial services (emerging regs)

• 2030-2035: Healthcare, critical infrastructure

How TYCHON Quantum Readiness Solves This

The TYCHON Quantum Readiness provides the comprehensive cryptographic asset discovery and analysis capabilities organizations need to prepare for the post-quantum transition. By identifying every cryptographic implementation across your infrastructure—from network services to embedded applications—you can prioritize migration efforts, ensure regulatory compliance, and maintain security during the critical transition period.

Discovery Phase

• Complete Asset Mapping: Find every crypto implementation
• Hidden Dependencies: Discover embedded and inherited crypto
• Risk Prioritization: Identify most critical vulnerable systems
• Compliance Baseline: Document current state for auditors

Analysis Phase

• Quantum Vulnerability: Assess PQC readiness across systems
• Migration Planning: Understand replacement complexity
• Business Impact: Model risks and timeline requirements
• Cost Estimation: Budget for cryptographic upgrades

Transition Phase

• Progress Tracking: Monitor migration completion
• Continuous Monitoring: Detect new vulnerable deployments
• Validation Testing: Verify post-quantum implementations
• Compliance Reporting: Demonstrate regulatory adherence

Primary Use Cases

• Post-Quantum Readiness: Identify quantum-vulnerable cryptographic implementations
• Certificate Discovery: Track X.509 certificates, expiration dates, and trust chains
• Risk Assessment: Evaluate cryptographic strength and identify weak implementations
• Security Assessments: Discover all cryptographic assets across network infrastructure
• Compliance Auditing: Generate comprehensive crypto inventories for regulatory requirements

Key Capabilities

• Network Scanning: TLS/SSL cipher suite enumeration and certificate discovery
• Filesystem Analysis: Discover certificates, private keys, and crypto files
• Memory Inspection: Identify loaded cryptographic libraries in running processes
• SSH Key Discovery: Enumerate SSH host keys and analyze key strength
• VPN Client Detection: Discover installed enterprise VPN clients with PQC assessments
• IPSec Tunnel Analysis: Detect and analyze IPSec tunnel configurations and security
• Multi-Platform: Native support for Windows, Linux, and macOS environments

Why TYCHON Quantum Readiness Matters

As organizations face the imminent threat of quantum computing breaking current cryptographic standards, maintaining complete visibility into cryptographic assets has become critical. TYCHON Quantum Readiness provides the comprehensive discovery and analysis capabilities needed to prepare for the post-quantum transition, ensure regulatory compliance, and maintain robust security postures across complex enterprise environments.

5+

Output Formats

JSON, CBOM, HTML, NDJSON, EventLog

10+

Platform Integrations

Elasticsearch, Splunk, AWS, Azure

5

Scan Modes

Network, Filesystem, Memory, VPN, IPSec

Quick Start

Remote Scanning

Scan external network infrastructure by connecting to remote hosts via TLS/SSL and SSH protocols. Ideal for network security assessments, external certificate monitoring, and infrastructure audits. Supports CIDR ranges, port ranges, wildcard domain enumeration, and bulk host scanning.

# Basic remote scan
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -host example.com

# With cipher enumeration
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -host example.com -cipherscan

# Multiple hosts and ports
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -host example.com,google.com -ports 443,22,8443

# Wildcard domain enumeration
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -host "*.company.com" -ports 443

# Basic remote scan
./certscanner-linux-x64 -license-key "TYCHON-..." -host example.com

# With cipher enumeration
./certscanner-linux-x64 -license-key "TYCHON-..." -host example.com -cipherscan

# Multiple hosts and ports
./certscanner-linux-x64 -license-key "TYCHON-..." -host example.com,google.com -ports 443,22,8443

# Wildcard domain enumeration
./certscanner-linux-x64 -license-key "TYCHON-..." -host "*.company.com" -ports 443

# Basic remote scan (Intel)
./certscanner-darwin-amd64 -license-key "TYCHON-..." -host example.com

# Basic remote scan (Apple Silicon)
./certscanner-darwin-arm64 -license-key "TYCHON-..." -host example.com

# With cipher enumeration
./certscanner-darwin-amd64 -license-key "TYCHON-..." -host example.com -cipherscan

# Multiple hosts and ports
./certscanner-darwin-amd64 -license-key "TYCHON-..." -host example.com,google.com -ports 443,22,8443

# Wildcard domain enumeration
./certscanner-darwin-amd64 -license-key "TYCHON-..." -host "*.company.com" -ports 443

Local Scanning

Analyze the local system for cryptographic assets including filesystem certificates, running process memory, active network connections, and Outlook archives. Perfect for endpoint compliance validation, incident response, and comprehensive system crypto inventory.

# Basic local scan
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -mode local

# Comprehensive local scan (single flag)
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -mode local -fullscan

# Alternative: Manual comprehensive scan
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -mode local -scanfilesystem -scanmemory -scanconnected -scanoutlookarchives

# VPN & IPSec Detection
.\certscanner-windows-amd64.exe -license-key "TYCHON-..." -mode local -detect-vpn-clients -detect-ipsec

# Basic local scan
./certscanner-linux-x64 -license-key "TYCHON-..." -mode local

# Comprehensive local scan (single flag)
./certscanner-linux-x64 -license-key "TYCHON-..." -mode local -fullscan

# Alternative: Manual comprehensive scan
./certscanner-linux-x64 -license-key "TYCHON-..." -mode local -scanfilesystem -scanmemory -scanconnected -scanoutlookarchives

# VPN & IPSec Detection
./certscanner-linux-x64 -license-key "TYCHON-..." -mode local -detect-vpn-clients -detect-ipsec

# Basic local scan (Intel)
./certscanner-darwin-amd64 -license-key "TYCHON-..." -mode local

# Basic local scan (Apple Silicon)
./certscanner-darwin-arm64 -license-key "TYCHON-..." -mode local

# Comprehensive local scan (single flag)
./certscanner-darwin-amd64 -license-key "TYCHON-..." -mode local -fullscan

# Alternative: Manual comprehensive scan
./certscanner-darwin-amd64 -license-key "TYCHON-..." -mode local -scanfilesystem -scanmemory -scanconnected -scanoutlookarchives

# VPN & IPSec Detection
./certscanner-darwin-amd64 -license-key "TYCHON-..." -mode local -detect-vpn-clients -detect-ipsec

Download & Install

Download the latest binary for your platform from the Partner Portal. The scanner is available for the following platforms:

macOS - Intel (amd64) and Apple Silicon (arm64)
Windows - 64-bit (amd64)
Linux - 64-bit (x64)

Contact your account representative for Partner Portal access credentials.

License Configuration

A valid license key is required to activate the full scanning capabilities of TYCHON Quantum Readiness. The license serves as both an authentication mechanism and feature enabler, ensuring authorized deployment across enterprise environments while unlocking comprehensive cryptographic discovery, remote scanning, third-party integrations, and advanced reporting capabilities. Without a license, the utility operates in a restricted trial mode suitable only for basic evaluation.

Trial Mode vs Licensed Mode

TYCHON operates in trial mode by default with limited functionality. A license key unlocks all features, enterprise capabilities, and removes trial restrictions.

Trial Mode (No License)

Single port scan only (port 443)
Local mode only (no remote scanning)
No filesystem scanning
No memory scanning
No VPN/IPSec detection
No quantum readiness scoring
JSON output only

Licensed Mode

Remote scanning - Network infrastructure
Filesystem scanning - All certificate stores
Memory scanning - Running processes
VPN/IPSec detection - Tunnel configuration
Quantum readiness - PQC assessment
Outlook archives - PST/OST scanning
All output formats - JSON, HTML, CBOM, SIEM
Unlimited hosts - Based on license tier

How to Apply Your License Key

TYCHON supports multiple methods for license activation, listed in priority order:

1 Command-line Flag (Highest Priority)

Pass the license key directly as a command-line argument. Best for testing or one-time scans.

Windows:

.\certscanner-windows-amd64.exe -license-key "TYCHON-xxxxxxxxxxxxxxxxxxxxx" -host example.com

Linux/macOS:

./certscanner-linux-amd64 -license-key "TYCHON-xxxxxxxxxxxxxxxxxxxxx" -host example.com

2 Environment Variable

Set the TYCHON_LICENSE_KEY environment variable. Recommended for automation and container deployments.

⚠️ Windows Users: Important Note

Use $env:TYCHON_LICENSE_KEY = "..." for immediate use in the current session. If you use [Environment]::SetEnvironmentVariable(), you MUST close PowerShell completely and open a NEW window for the variable to be available. The permanent method does NOT work in the same session where you set it.

Windows (PowerShell):

# Option 1: Temporary (current session only) - Works immediately
$env:TYCHON_LICENSE_KEY = "TYCHON-xxxxxxxxxxxxxxxxxxxxx"

# Option 2: Permanent (current user) - REQUIRES RESTART OF POWERSHELL
[Environment]::SetEnvironmentVariable("TYCHON_LICENSE_KEY", "TYCHON-xxxxxxxxxxxxxxxxxxxxx", "User")
# ⚠️ IMPORTANT: Close PowerShell completely and open a NEW window for this to take effect!

# Option 3: Permanent AND works immediately (RECOMMENDED)
$key = "TYCHON-xxxxxxxxxxxxxxxxxxxxx"
[Environment]::SetEnvironmentVariable("TYCHON_LICENSE_KEY", $key, "User")
$env:TYCHON_LICENSE_KEY = $key  # Also set for current session

# Verify it's set:
$env:TYCHON_LICENSE_KEY

Linux/macOS (Bash):

# Temporary (current session)
export TYCHON_LICENSE_KEY="TYCHON-xxxxxxxxxxxxxxxxxxxxx"

# Permanent (add to ~/.bashrc or ~/.zshrc)
echo 'export TYCHON_LICENSE_KEY="TYCHON-xxxxxxxxxxxxxxxxxxxxx"' >> ~/.bashrc
source ~/.bashrc

Docker/Kubernetes:

# Docker (Remote Mode Only)
docker pull tychoncorp/cryptographic-analyzer
docker run -e TYCHON_LICENSE_KEY="TYCHON-xxxxxxxxxxxxxxxxxxxxx" tychoncorp/cryptographic-analyzer

# Kubernetes Secret
kubectl create secret generic tychon-license --from-literal=license-key="TYCHON-xxxxxxxxxxxxxxxxxxxxx"

Docker Hub: tychoncorp/cryptographic-analyzer

3 User Configuration File

Store the license in your home directory. Best for individual user workstations.

Location:

• Windows: C:\Users\YourName\.tychon\license.key
• Linux/macOS: ~/.tychon/license.key

Setup:

# Windows (PowerShell)
New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.tychon"
Set-Content -Path "$env:USERPROFILE\.tychon\license.key" -Value "TYCHON-xxxxxxxxxxxxxxxxxxxxx"

# Linux/macOS
mkdir -p ~/.tychon
echo "TYCHON-xxxxxxxxxxxxxxxxxxxxx" > ~/.tychon/license.key
chmod 600 ~/.tychon/license.key

4 System Configuration File (Lowest Priority)

System-wide license for all users. Requires administrator/root privileges. Best for enterprise deployments.

Location:

• Windows: C:\ProgramData\tychon\license.key
• Linux/macOS: /etc/tychon/license.key

Setup:

# Linux/macOS (requires root)
sudo mkdir -p /etc/tychon
echo "TYCHON-xxxxxxxxxxxxxxxxxxxxx" | sudo tee /etc/tychon/license.key
sudo chmod 644 /etc/tychon/license.key

License Information

Grace Period: Licenses include a 60-day grace period after expiration date
License Format: Keys are 52 characters starting with TYCHON-
Validation: License keys are validated locally - no internet connection required
Contact: For licensing inquiries: sales@tychon.io

Troubleshooting Windows Environment Variables

If the TYCHON_LICENSE_KEY environment variable is not working on Windows, follow these steps:

1. Verify the Environment Variable is Set

Open a new PowerShell window and check if the variable exists:

# Check if the variable is set
$env:TYCHON_LICENSE_KEY

# Should output your license key, e.g.: TYCHON-xxxxxxxxxxxxxxxxxxxxx
# If it outputs nothing, the variable is not set

Most Common Issue: If you used [Environment]::SetEnvironmentVariable(), you are likely still in the same PowerShell session where you set it. This method sets the registry value but does NOT update the current session. You MUST close all PowerShell windows and open a completely new one.

2. Common Issues and Solutions

Issue: Variable only works in the current PowerShell session

# Solution: Set permanently for current user
[Environment]::SetEnvironmentVariable("TYCHON_LICENSE_KEY", "TYCHON-xxxxxxxxxxxxxxxxxxxxx", "User")

# Then close and reopen PowerShell to apply changes

Issue: Running executable from Command Prompt (cmd.exe) instead of PowerShell

# Solution: Set system-wide (requires Administrator privileges)
# Open PowerShell as Administrator, then run:
[Environment]::SetEnvironmentVariable("TYCHON_LICENSE_KEY", "TYCHON-xxxxxxxxxxxxxxxxxxxxx", "Machine")

# Or set in cmd.exe for current session:
set TYCHON_LICENSE_KEY=TYCHON-xxxxxxxxxxxxxxxxxxxxx

Issue: Variable not available after setting it permanently

# Solution: You MUST close and reopen your terminal/PowerShell window
# Environment variables are loaded when the shell starts
# Simply setting it in one window won't affect other windows already open

Issue: Running from a different shell than where you set it

# Solution: Use the -license-key flag instead
.\certscanner-windows-amd64.exe -license-key "TYCHON-xxxxxxxxxxxxxxxxxxxxx" -host example.com

Best Practice for Windows: If environment variables continue to cause issues, use the file-based method instead (Method 3: User Configuration File). This is more reliable across different shells and terminal sessions.

Container Platforms

Deploy TYCHON for network scanning on Kubernetes, Docker, and cloud platforms:

Kubernetes Deployment

EKS, AKS, GKE, Rancher, on-premise

Configure K8s →

Docker Deployment

Docker Compose, standalone containers

Configure Docker →

Docker Hub: tychoncorp/cryptographic-analyzer

Note: Container deployments are optimized for remote mode network scanning only. Production Docker image available at Docker Hub. For local filesystem and memory scanning, use the native binaries above.

Core Features

🔐

TLS/SSL Scanning

Complete certificate analysis with detailed X.509 parsing and certificate chain validation

🛡️

Post-Quantum Crypto

Advanced PQC detection including hybrid groups like X25519MLKEM768

🔑

SSH Host Keys

Extract SSH host keys, banners, and algorithm negotiation details

💾

Memory Scanning

Detect cryptographic libraries in process memory with API analysis

📁

Filesystem Scanning

Discover certificate files and Outlook archives throughout the filesystem

📊

Multiple Output Formats

JSON, NDJSON, CBOM, HTML, EventLog, and Tychon formats

Architecture Diagram

View the comprehensive architecture diagram showing how TYCHON Quantum Readiness integrates with your infrastructure and various platforms.

View Architecture Diagram →

Usage Examples

Note: All commands below assume a valid license key is configured. See License Configuration for setup instructions.

Network Security Assessment

Scan remote hosts and networks to identify TLS configurations, detect post-quantum vulnerable cipher suites, and assess quantum readiness across your infrastructure. Supports CIDR ranges, multiple hosts, and comprehensive cipher enumeration.

# Comprehensive network scan with PQC detection
.\certscanner-windows-amd64.exe -host 192.168.1.0/24 -ports 443,22,8443,993,995 -cipherscan -outputformat html

# Quick security assessment
.\certscanner-windows-amd64.exe -host example.com,mail.example.com -quickscan -outputformat json

# Resource-friendly cipher scan (low CPU usage)
.\certscanner-windows-amd64.exe -host example.com -cipherscan -cputhrottle low -outputformat json

# Generate CBOM for compliance
.\certscanner-windows-amd64.exe -host example.com -cipherscan -outputformat cbom -output compliance-report.cbom.json

# Comprehensive network scan with PQC detection
./certscanner-linux-x64 -host 192.168.1.0/24 -ports 443,22,8443,993,995 -cipherscan -outputformat html

# Quick security assessment
./certscanner-linux-x64 -host example.com,mail.example.com -quickscan -outputformat json

# Resource-friendly cipher scan (low CPU usage)
./certscanner-linux-x64 -host example.com -cipherscan -cputhrottle low -outputformat json

# Generate CBOM for compliance
./certscanner-linux-x64 -host example.com -cipherscan -outputformat cbom -output compliance-report.cbom.json

# Comprehensive network scan with PQC detection
./certscanner-darwin-amd64 -host 192.168.1.0/24 -ports 443,22,8443,993,995 -cipherscan -outputformat html

# Quick security assessment
./certscanner-darwin-amd64 -host example.com,mail.example.com -quickscan -outputformat json

# Resource-friendly cipher scan (low CPU usage)
./certscanner-darwin-amd64 -host example.com -cipherscan -cputhrottle low -outputformat json

# Generate CBOM for compliance
./certscanner-darwin-amd64 -host example.com -cipherscan -outputformat cbom -output compliance-report.cbom.json

Local System Audit

Inventory all certificates and cryptographic libraries on the local system. Scans certificate stores, filesystem paths, running process memory, Outlook archives (PST/OST), and active TLS connections. Ideal for endpoint compliance and vulnerability assessment.

# Complete system audit
.\certscanner-windows-amd64.exe -mode local -scanfilesystem -scanmemory -scanconnected -scanoutlookarchives -outputformat html

# Focus on cryptographic libraries
.\certscanner-windows-amd64.exe -mode local -scanmemory -outputformat flatndjson

# Certificate inventory
.\certscanner-windows-amd64.exe -mode local -scanfilesystem -outputformat cbom

# Complete system audit
./certscanner-linux-x64 -mode local -scanfilesystem -scanmemory -scanconnected -scanoutlookarchives -outputformat html

# Focus on cryptographic libraries
./certscanner-linux-x64 -mode local -scanmemory -outputformat flatndjson

# Certificate inventory
./certscanner-linux-x64 -mode local -scanfilesystem -outputformat cbom

# Complete system audit
./certscanner-darwin-amd64 -mode local -scanfilesystem -scanconnected -scanoutlookarchives -outputformat html

# Certificate inventory
./certscanner-darwin-amd64 -mode local -scanfilesystem -outputformat cbom

# Note: Memory scanning not available on macOS

SIEM Integration

Stream scan results directly to security information and event management (SIEM) platforms. Supports Elasticsearch, Splunk, Kafka, and native Windows EventLog. Use flat NDJSON format for log aggregators and real-time streaming for monitoring dashboards.

# Stream to Elasticsearch
.\certscanner-windows-amd64.exe -host example.com -posttoelastic -elasticnode "https://elastic.company.com:9200" -elasticapikey "key"

# Stream to Kafka (real-time events)
.\certscanner-windows-amd64.exe -host example.com -posttokafka -kafkabrokers "kafka1:9092,kafka2:9092" -kafkatopic "crypto-events"

# Windows EventLog integration
.\certscanner-windows-amd64.exe -mode local -outputformat eventlog

# Flat format for log aggregation
.\certscanner-windows-amd64.exe -host example.com -outputformat flatndjson -output C:\logs\crypto-scan.ndjson

# Stream to Elasticsearch
./certscanner-linux-x64 -host example.com -posttoelastic -elasticnode "https://elastic.company.com:9200" -elasticapikey "key"

# Stream to Kafka (real-time events)
./certscanner-linux-x64 -host example.com -posttokafka -kafkabrokers "kafka1:9092,kafka2:9092" -kafkatopic "crypto-events"

# Flat format for log aggregation
./certscanner-linux-x64 -host example.com -outputformat flatndjson -output /var/log/crypto-scan.ndjson

# Stream to Elasticsearch
./certscanner-darwin-amd64 -host example.com -posttoelastic -elasticnode "https://elastic.company.com:9200" -elasticapikey "key"

# Stream to Kafka (real-time events)
./certscanner-darwin-amd64 -host example.com -posttokafka -kafkabrokers "kafka1:9092,kafka2:9092" -kafkatopic "crypto-events"

# Flat format for log aggregation
./certscanner-darwin-amd64 -host example.com -outputformat flatndjson -output /var/log/crypto-scan.ndjson

Secure Configuration (FIPS 140-3)

Securely store API keys, credentials, and secrets using FIPS 140-3 certified encryption. Configure once with the -config flag to encrypt and save credentials locally, then run scans without exposing sensitive data in command-line arguments or environment variables.

# One-time credential setup (FIPS 140-3 encrypted storage)
# Example: Configuring Elasticsearch integration
.\certscanner-windows-amd64.exe -config `
  -config-elasticnode "https://elastic.company.com:9200" `
  -config-elasticapikey "your-elastic-api-key"

# Simplified usage afterwards - credentials loaded automatically
.\certscanner-windows-amd64.exe -host example.com -posttoelastic -elasticindex "production"

# One-time credential setup (FIPS 140-3 encrypted storage)
# Example: Configuring Elasticsearch integration
./certscanner-linux-x64 -config \
  -config-elasticnode "https://elastic.company.com:9200" \
  -config-elasticapikey "your-elastic-api-key"

# Simplified usage afterwards - credentials loaded automatically
./certscanner-linux-x64 -host example.com -posttoelastic -elasticindex "production"

# One-time credential setup (FIPS 140-3 encrypted storage)
# Example: Configuring Elasticsearch integration
./certscanner-darwin-amd64 -config \
  -config-elasticnode "https://elastic.company.com:9200" \
  -config-elasticapikey "your-elastic-api-key"

# Simplified usage afterwards - credentials loaded automatically
./certscanner-darwin-amd64 -host example.com -posttoelastic -elasticindex "production"

Command Reference

Core Options

Flag	Description	Environment Variable	Default
-mode	Scan mode: 'remote' or 'local'	SCAN_MODE	remote
-license-key	License key for full feature access (trial mode if not provided)	TYCHON_LICENSE_KEY	-
-version	Display version information and exit	-	-
-config	Enter configuration mode to securely store credentials	-	-
-disable-quantum-readiness	Disable quantum readiness assessment	-	false

Scanning Options (Both Modes)

Flag	Description	Environment Variable	Default
-ports	Ports to scan (comma-separated, ranges like 1000-1024)	PORTS	443 (remote)
-quickscan	Quick scan mode: only report preferred connection per port	-	true
-cipherscan	Perform detailed cipher suite enumeration (for TLS connections)	-	false
-cputhrottle	CPU throttling level: none, low, medium, high (controls concurrency for resource management)	-	medium
-include-empty-ports	Include ports even if no TLS or SSH detected	-	false
-disable-quantum-readiness	Disable host (os + hardware) quantum readiness assessment	-	false

Remote Mode Features

Flag	Description	Environment Variable	Default
-host	Target host(s)/IP(s)/CIDR/Range/Wildcard domains	HOST	-
-exclude-file	Path to file containing IPs/ranges/CIDRs to exclude from scan	-	-

Local Mode Features

Flag	Description	Environment Variable	Platform Support
-fullscan	Enable comprehensive local scanning: cipherscan, scanmemory, scanfilesystem, scanoutlookarchives, detect-vpn-clients, detect-ipsec	-	All platforms
-scanmemory	Scan process memory for cryptographic libraries	-	Windows, Linux (basic)
-scanconnected	Scan active external connections	-	All platforms
-scanfilesystem	Scan filesystem for certificate files	-	All platforms
-scanoutlookarchives	Scan for encrypted Outlook archives (.pst, .ost, .pab)	-	All platforms
-arpscan	Scan IPs from local ARP table (22,443,8443,etc.)	-	All platforms
-detect-vpn-clients	Discover enterprise VPN clients with PQC assessments PRE-RELEASE	-	All platforms
-detect-ipsec	Detect IPSec tunnel configurations and security analysis PRE-RELEASE	-	All platforms

Note: Features marked as PRE-RELEASE may have inaccuracies or incomplete functionality. Please report any issues with VPN client detection directly to support@tychon.io.

Output & Reporting

Flag	Description	Environment Variable	Default
-output	File to save report	-	scan_report.json
-outputformat	json, flatndjson, cbom, tychon, eventlog, html	OUTPUT_FORMAT	json
-logfile	Path to detailed log file	-	-
-tags	Custom tags (comma-separated: prod,webserver,critical)	-	-

Integration & Tracking

Flag	Description	Environment Variable	Default
-disable-database	Disable tracking for active/inactive status	-	false
-bolt-path	Path to BoltDB tracking database file	-	./scan_tracking.db
-posttoelastic	Post report to Elasticsearch	-	false
-elasticnode	Elasticsearch URL (https://localhost:9200)	ELASTIC_HOST	-
-elasticapikey	Elasticsearch API Key	ELASTIC_USERNAME:ELASTIC_PASSWORD	-
-elasticindex	Elasticsearch index suffix (adds to pattern: tychon-pqc-{dataset}_{elasticindex})	-	tychon-pqc-{dataset}
-posttokafka	Post report to Kafka	-	false
-kafkabrokers	Kafka broker addresses (broker1:9092,broker2:9092)	KAFKA_BROKERS	-
-kafkatopic	Kafka topic name for events	KAFKA_TOPIC	tychon-crypto-assets
-kafkausername	Kafka SASL username	KAFKA_USERNAME	-
-kafkapassword	Kafka SASL password	KAFKA_PASSWORD	-
-kafkasecurityprotocol	Security protocol (PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL)	KAFKA_SECURITY_PROTOCOL	-
-kafkasaslmechanism	SASL mechanism (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512)	KAFKA_SASL_MECHANISM	PLAIN
-kafkasslcalocation	Kafka SSL CA certificate file path	KAFKA_SSL_CA_LOCATION	-
-kafkasslcertlocation	Kafka SSL client certificate file path	KAFKA_SSL_CERT_LOCATION	-
-kafkasslkeylocation	Kafka SSL client private key file path	KAFKA_SSL_KEY_LOCATION	-
-kafkasslkeypassword	Password for encrypted SSL client private key	KAFKA_SSL_KEY_PASSWORD	-
-kafkasslkeystorelocation	Kafka SSL keystore file path (JKS format)	KAFKA_SSL_KEYSTORE_LOCATION	-
-kafkasslkeystorepassword	Password for Kafka SSL keystore	KAFKA_SSL_KEYSTORE_PASSWORD	-
-kafkassltruststorelocation	Kafka SSL truststore file path (JKS format)	KAFKA_SSL_TRUSTSTORE_LOCATION	-
-kafkassltruststorepassword	Password for Kafka SSL truststore	KAFKA_SSL_TRUSTSTORE_PASSWORD	-
-kafkasslenabledprotocols	Comma-separated list of enabled SSL protocols	KAFKA_SSL_ENABLED_PROTOCOLS	TLSv1.2,TLSv1.3
-kafkasslendpointidentificationalgorithm	SSL endpoint identification algorithm	KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM	-
-kafkaclientid	Kafka client ID (defaults to hostname)	-	-
-posttosplunk	Post report to Splunk HEC	-	false
-splunkurl	Splunk server URL (https://splunk.company.com:8088)	SPLUNK_URL	-
-splunktoken	Splunk HEC authentication token	SPLUNK_TOKEN	-
-splunkusername	Splunk basic auth username (alternative to token)	SPLUNK_USERNAME	-
-splunkpassword	Splunk basic auth password (alternative to token)	SPLUNK_PASSWORD	-
-splunkindex	Splunk index name for events	SPLUNK_INDEX	tychon-crypto
-splunksource	Splunk source name	SPLUNK_SOURCE	tychon-scanner
-splunksourcetype	Splunk source type	SPLUNK_SOURCETYPE	tychon-acdi:crypto_assets
-splunkbatch	Batch size for HEC events	SPLUNK_BATCH	100
-splunktimeout	HEC request timeout in seconds	SPLUNK_TIMEOUT	30
-upload-s3	Upload report file to S3	-	false
-s3bucket	S3 bucket name for uploads	S3_BUCKET	-
-s3region	S3 region for bucket access	S3_REGION	us-east-1
-s3prefix	S3 key prefix for organization	S3_PREFIX	-
-s3accesskey	AWS Access Key ID for S3 authentication	AWS_ACCESS_KEY_ID	-
-s3secretkey	AWS Secret Access Key for S3 authentication	AWS_SECRET_ACCESS_KEY	-
-s3endpoint	Custom S3 endpoint URL (for R2, MinIO, etc.)	-	-
-insecure	Skip SSL certificate verification for Elasticsearch, Kafka, and Splunk connections	-	false

Secure Configuration (FIPS 140-3)

Flag	Description	Environment Variable
-config	Configure and encrypt credentials for reuse	-
-config-elasticnode	Elasticsearch node URL to store encrypted	-
-config-elasticapikey	Elasticsearch API Key to store encrypted	-
-config-kafkabrokers	Kafka broker addresses to store encrypted	-
-config-kafkausername	Kafka SASL username to store encrypted	-
-config-kafkapassword	Kafka SASL password to store encrypted	-
-config-kafkasecurityprotocol	Kafka security protocol (PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL) to store encrypted	-
-config-kafkasaslmechanism	Kafka SASL mechanism (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512) to store encrypted	-
-config-kafkasslcalocation	Kafka SSL CA certificate path to store encrypted	-
-config-kafkasslcertlocation	Kafka SSL client certificate path to store encrypted	-
-config-kafkasslkeylocation	Kafka SSL client private key path to store encrypted	-
-config-kafkasslkeypassword	Kafka SSL client private key password to store encrypted	-
-config-kafkasslkeystorelocation	Kafka SSL keystore file path to store encrypted	-
-config-kafkasslkeystorepassword	Kafka SSL keystore password to store encrypted	-
-config-kafkassltruststorelocation	Kafka SSL truststore file path to store encrypted	-
-config-kafkassltruststorepassword	Kafka SSL truststore password to store encrypted	-
-config-kafkasslenabledprotocols	Kafka SSL enabled protocols list to store encrypted	-
-config-kafkasslendpointidentificationalgorithm	Kafka SSL endpoint identification algorithm to store encrypted	-
-config-s3region	S3 region to store encrypted	-
-config-s3accesskey	S3 Access Key to store encrypted	-
-config-s3secretkey	S3 Secret Key to store encrypted	-
-config-s3endpoint	S3 endpoint URL to store encrypted	-
-config-webapikey	Web API Key to store encrypted	-

🔒 Security Features

• AES-256-GCM encryption with FIPS 140-3 compliance
• PBKDF2-SHA256 key derivation (600,000 rounds)
• Cross-platform storage in OS-appropriate secure directories

Performance Optimization

CPU Throttling for Resource Management

The scanner includes intelligent CPU throttling controls to manage system resource usage during intensive cipher enumeration scans.

Throttling Levels

• none - Original behavior (up to 25 concurrent workers)
• low - 50% of CPU cores, conservative resource usage
• medium - 75% of CPU cores, balanced performance (default)
• high - 100% of CPU cores, maximum performance

Adaptive Features

• Dynamic concurrency adjustment based on system load
• Performance monitoring and logging when enabled
• Intelligent throttle delays to reduce CPU pressure
• Automatic scaling based on available CPU cores

CPU Throttling Examples

# Conservative resource usage for production environments
./certscanner -host example.com -cipherscan -cputhrottle low

# Balanced performance (recommended default)
./certscanner -host example.com -cipherscan -cputhrottle medium

# Maximum performance with monitoring
./certscanner -host example.com -cipherscan -cputhrottle high -logfile performance.log

# Performance monitoring comparison
./certscanner -host example.com -cipherscan -cputhrottle none -logfile baseline.log

Performance Impact

Testing shows that -cputhrottle low reduces CPU usage from 100% to approximately 68% while maintaining scan effectiveness. This makes it ideal for production environments where system stability is prioritized over scan speed.

CPU Throttling Guide

Optimize TYCHON Quantum Readiness's resource usage and performance with CPU throttling controls for large-scale scanning operations.

Performance Management

Learn how to control CPU usage, optimize scan performance, and manage system resources during network-wide cryptographic discovery operations. Configure throttling parameters to balance speed with system stability.

View Detailed Documentation

PQC Support

Advanced PQC Detection

TYCHON Quantum Readiness provides comprehensive detection and analysis of post-quantum cryptographic implementations, preparing your infrastructure for the quantum-safe future.

Key Exchange Algorithms (ML-KEM / Kyber)

Pure ML-KEM

• MLKEM512
• MLKEM768
• MLKEM1024
• KYBER* (legacy)

MLKEM512 Hybrids

• X25519MLKEM512
• P256MLKEM512
• P384MLKEM512
• P521MLKEM512
• SECP*MLKEM512

MLKEM768 Hybrids

• X25519MLKEM768
• P256MLKEM768
• P384MLKEM768
• P521MLKEM768
• SECP*MLKEM768

MLKEM1024 Hybrids

• X25519MLKEM1024
• P256MLKEM1024
• P384MLKEM1024
• P521MLKEM1024
• SECP*MLKEM1024

Classical Algorithms

• P-256, P-384, P-521
• X25519, X448
• DH-1024 to DH-4096
• SECP curves

Key Analysis Features

• Public key size tracking
• Hybrid key composition
• Underscore normalization
• Pattern-based extraction

Digital Signature Algorithms

Falcon (NIST FIPS 206)

• falcon512
• falcon1024
• falconpadded512
• falconpadded1024

Dilithium (NIST FIPS 204)

• dilithium2
• dilithium3
• dilithium5

MAYO (Multivariate)

• mayo1
• mayo2
• mayo3
• mayo5

SPHINCS+ (Hash-based)

• sphincssha2*
• sphincsshake*
• 128/192/256 variants
• fsimple/ssimple modes

Complete Cipher Suite Intelligence Database

Explore our comprehensive, searchable database of 300+ cipher suites with detailed security analysis, quantum readiness assessments, and compliance information.

View Cipher Database →

Quantum Readiness Scoring

Learn how TYCHON Quantum Readiness evaluates your organization's readiness for the post-quantum cryptography transition through comprehensive scoring algorithms.

Comprehensive PQC Assessment

The Quantum Readiness Scoring system provides detailed analysis of cryptographic implementations across your infrastructure, evaluating quantum vulnerability, migration complexity, and overall preparedness for the post-quantum era.

View Detailed Documentation

CVE Coverage & Vulnerability Assessment

Understand how TYCHON Quantum Readiness identifies and reports cryptographic vulnerabilities, including CVE mappings and security risk assessments.

Vulnerability Intelligence

Explore comprehensive CVE tracking, vulnerability scoring, and security assessments for cryptographic implementations. Learn how to identify weak algorithms, expired certificates, and known vulnerabilities across your infrastructure.

View Detailed Documentation

Platform Support

Platform	TLS	SSH	Local Discovery	Connected Scan	Memory Scan	Filesystem	ARP Scan	VPN Detection	IPSec Detection	Quantum Readiness
Windows 11 (x64)	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅
Windows 10 (x64)	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅
Windows Server 2016+ (x64)	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅
macOS Monterey+ (Intel x64)	✅	✅	✅	✅	❌	✅	✅	✅	✅	✅
macOS Monterey+ (Apple Silicon ARM64)	✅	✅	✅	✅	❌	✅	✅	✅	✅	✅
Ubuntu 20.04+ (x64)	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅
RHEL/CentOS 7+ (x64)	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅
Debian 11+ (x64)	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅
SUSE Enterprise 15+ (x64)	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅
Alpine Linux 3.15+ (x64)	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅
Amazon Linux 2 (x64)	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅
Fedora 35+ (x64)	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅

Windows Family

• Windows 10 (build 1909+)
• Windows 11 (all builds)
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022
• Windows Server 2025
• Windows Server Core

Full feature support including memory scanning

macOS Family

• macOS Monterey (12.0+)
• macOS Ventura (13.0+)
• macOS Sonoma (14.0+)
• macOS Sequoia (15.0+)

Intel x64 and Apple Silicon ARM64

Linux Distributions

• Ubuntu 20.04 LTS+
• RHEL/CentOS 7+
• Debian 11 (Bullseye)+
• SUSE Enterprise 15+
• Alpine Linux 3.15+
• Amazon Linux 2
• Fedora 35+

Memory scanning requires elevated privileges

VPN Detection: Identifies installed VPN clients

IPSec Detection: Discovers IPSec tunnel configurations

Quantum Readiness: 100-point scoring system for PQC preparedness (local mode only)

Container & Orchestration Support

Docker Engine 20.10+

Kubernetes 1.21+

Amazon EKS

Azure AKS

Google GKE

Rancher Kubernetes

On-Premise Kubernetes

Docker Compose

Output Formats

TYCHON Quantum Readiness supports multiple output formats for seamless integration with your security infrastructure, SIEM platforms, and compliance workflows.

JSON Format

Structured JSON output for API integrations and programmatic analysis

FlatNDJSON Format

Newline-delimited JSON for streaming data and bulk processing

CBOM Format

Cryptographic Bill of Materials for supply chain security

Tychon Format

Native TYCHON format for platform integration and reporting

EventLog Format

Event-based logging for SIEM and security monitoring platforms

HTML Format

Human-readable reports with interactive visualizations

VPN Client Support Matrix

Comprehensive VPN client detection and PQC readiness assessment

Integration Guides

The TYCHON Quantum Readiness provides comprehensive integration capabilities with enterprise security platforms, deployment systems, SIEM solutions, and data analytics tools. These integration guides are designed to help security teams, system administrators, and DevOps engineers quickly deploy and integrate TYCHON into their existing enterprise infrastructure.

What You'll Find in These Integration Guides

• Step-by-step deployment instructions for each platform with screenshots and configuration examples
• Security best practices including authentication, authorization, and secure communication protocols
• Output format specifications optimized for each integration target (JSON, CEF, syslog, etc.)
• Automation and scheduling examples for continuous monitoring and compliance reporting
• Troubleshooting guides with common issues and solutions for each integration
• Performance tuning recommendations for enterprise-scale deployments

For Security Teams

Integrate TYCHON with your existing SIEM platforms (Splunk, QRadar, LogRhythm, Elasticsearch) for centralized crypto asset visibility, automated alerting, and compliance reporting.

Key Benefits: Real-time threat detection, automated incident response, compliance dashboards

For IT Operations

Deploy TYCHON at scale using enterprise management platforms (SCCM, Intune, Kubernetes) with automated scheduling, centralized configuration, and result aggregation.

Key Benefits: Centralized management, automated deployment, inventory integration

Need a New Integration or Have Suggestions?

We're continuously expanding our integration library based on customer needs and enterprise requirements. If you need an integration that's not listed here, or if you have suggestions for improving existing documentation, we'd love to hear from you.

Contact our integration team:

support@tychon.io

Include in your email: Platform name, version, deployment environment, and specific integration requirements or suggestions.

Deployment & Management

Enterprise-scale deployment solutions for distributing TYCHON across your organization. These integrations enable centralized management, automated distribution, compliance monitoring, and seamless integration with existing endpoint management platforms. Deploy TYCHON to thousands of endpoints with scheduled scans, policy-based configurations, and automated result collection.

Microsoft Intune

Windows-focused deployment using Intune with Azure Sentinel integration and automated scheduling.

View Guide →

• Win32 app packaging
• Azure Sentinel integration
• Ad-hoc scanning options

SCCM/MECM Enterprise

Large-scale deployment using System Center Configuration Manager with hardware inventory integration and compliance monitoring.

View Guide →

• SCCM Application deployment
• Hardware inventory extension
• Group Policy integration
• Windows Event Forwarding

Cloudflare R2

S3-compatible object storage with zero egress fees, automated deployment scripts, and multi-platform orchestration support.

View Guide →

• Zero egress fees
• PowerShell/Bash/Python scripts
• S3-compatible API
• Global edge deployment

VMware Workspace ONE

Unified endpoint management with application deployment, device compliance, and automated crypto security monitoring for mobile and desktop endpoints.

View Guide →

• Cross-platform app deployment
• Device compliance policies
• Automated security monitoring

BigFix / HCL Endpoint Manager

Enterprise endpoint management with cross-platform deployment, comprehensive system scans, property extraction, and quantum readiness tracking.

View Guide →

• Cross-platform deployment
• JSON result parsing
• BigFix property extraction
• Quantum readiness scoring

Orchestration & Automation

Infrastructure automation and configuration management integrations for DevOps and SecOps teams. These platforms enable automated deployment, coordinated scan execution across distributed environments, configuration management, and result aggregation. Integrate TYCHON into your existing infrastructure-as-code workflows with declarative configurations and automated compliance enforcement.

Ansible Automation

Enterprise-scale deployment and orchestration with automated scanning workflows, configuration management, and result aggregation.

View Guide →

• Mass deployment automation
• Coordinated scan orchestration
• AWX/Tower integration

Puppet Enterprise

Configuration management and continuous compliance with declarative infrastructure automation, Puppet Forge modules, and enterprise reporting.

View Guide →

• Declarative configuration
• Continuous compliance
• Puppet Enterprise Console

Security & Monitoring

Network Access Control (NAC), Endpoint Detection and Response (EDR), and Zero Trust security platform integrations. These solutions enable policy-based deployment, automatic device discovery, risk-based access control, and real-time security posture assessment. Integrate cryptographic asset intelligence into your security enforcement and incident response workflows for dynamic policy enforcement based on crypto compliance status.

Forescout Platform

Network Access Control deployment with automatic device discovery and policy enforcement.

View Guide →

• Automatic device discovery
• Policy-based deployment
• Zero Trust integration

Cisco ISE

Identity Services Engine integration with pxGrid API, custom attributes, and policy-driven crypto compliance enforcement.

View Guide →

• pxGrid real-time integration
• Risk-based access policies
• CoA remediation actions

CrowdStrike Falcon

EDR-based deployment via Real Time Response with Falcon LogScale SIEM integration.

View Guide →

• Real Time Response (RTR)
• Falcon LogScale integration
• Incident response automation

SIEM & Analytics

Security Information and Event Management (SIEM) and analytics platform integrations for centralized logging, correlation, and threat detection. These integrations enable real-time cryptographic security event monitoring, automated alerting on weak crypto algorithms, compliance reporting, and advanced analytics with ML-powered anomaly detection. Stream TYCHON scan results directly to your SIEM for correlation with other security events and automated incident response workflows.

Datadog Platform

Comprehensive observability platform integration with custom Agent checks, APM tracing, and intelligent alerting.

View Guide →

• Custom Agent checks
• APM & distributed tracing
• ML-powered alerting

Elasticsearch

Native Elasticsearch integration using built-in switches for direct crypto asset indexing and powerful search analytics.

View Guide →

• Built-in Bulk API support
• Kibana dashboards
• Elasticsearch Watchers

Splunk Enterprise

Enterprise SIEM integration with structured log ingestion, SPL analytics, and automated alerting for crypto security events.

View Guide →

• HTTP Event Collector (HEC)
• Custom data models
• SPL search analytics

Amazon OpenSearch

AWS managed OpenSearch service with direct indexing, OpenSearch Dashboards, and ML-powered security analytics for crypto asset monitoring.

View Guide →

• AWS managed service
• OpenSearch Dashboards
• ML anomaly detection

IBM QRadar

Enterprise SIEM platform integration with QRadar DSM, custom log sources, and automated security incident response for crypto asset security events.

View Guide →

• Custom DSM integration
• Security event correlation
• Incident response automation

LogRhythm SIEM

Next-generation SIEM platform integration with log source configuration, analytics rules, and automated threat response for crypto asset security monitoring.

View Guide →

• Custom message processing
• AI-powered analytics
• SOAR integration

Palo Alto XDR

Deploy TYCHON via Cortex XDR and integrate scan results into Cortex XSIAM with XQL queries, automation rules, and dashboards for comprehensive crypto asset management.

View Guide →

• XDR Live Terminal deployment
• XSIAM HTTP Event Collector
• XQL queries & correlation rules

Data Storage

Cloud storage, data lake, and event streaming platform integrations for long-term data retention and analytics. These solutions enable scalable storage of scan results, real-time event streaming architectures, data warehouse integration for historical trend analysis, and seamless connectivity with Business Intelligence tools. Store and analyze cryptographic asset data at scale with automated ingestion pipelines and advanced analytics capabilities.

Kafka Integration

Real-time event streaming with Apache Kafka and Confluent Platform for event-driven crypto security architectures.

View Guide →

• Real-time event streaming
• SASL/SSL authentication
• Kafka Streams processing

AWS S3

Centralized cloud storage with automatic uploads, lifecycle management, and integration with AWS analytics services.

View Guide →

• Direct S3 upload capability
• Lambda event processing
• Lifecycle management

Snowflake Data Warehouse

Enterprise data warehouse integration with S3-based ingestion, advanced analytics, and BI platform connectivity.

View Guide →

• S3 → Snowpipe auto-ingestion
• SQL analytics & ML
• BI tool integration

Advanced Examples

Note: All commands below assume a valid license key is configured. See License Configuration for setup instructions.

Enterprise Security Assessment

Large-scale cryptographic asset discovery across enterprise networks. Scan entire subnets, generate compliance reports (CBOM), and tag scans for tracking and audit trails. Ideal for quarterly security audits, risk assessments, and post-quantum readiness evaluations.

# Complete enterprise scan with tracking
.\certscanner-windows-amd64.exe -host 10.0.0.0/16 -ports 443,22,993,995,636,8443 `
  -cipherscan -tags "enterprise,quarterly-audit" `
  -outputformat tychon -output Q4-crypto-audit.tychon.ndjson

# Generate compliance report
.\certscanner-windows-amd64.exe -host critical-servers.txt -cipherscan `
  -outputformat cbom -output compliance-cbom.json

# Stream to SIEM
.\certscanner-windows-amd64.exe -mode local -scanfilesystem -scanmemory `
  -outputformat flatndjson | your-siem-ingester

# Complete enterprise scan with tracking
./certscanner-linux-x64 -host 10.0.0.0/16 -ports 443,22,993,995,636,8443 \
  -cipherscan -tags "enterprise,quarterly-audit" \
  -outputformat tychon -output Q4-crypto-audit.tychon.ndjson

# Generate compliance report
./certscanner-linux-x64 -host critical-servers.txt -cipherscan \
  -outputformat cbom -output compliance-cbom.json

# Stream to SIEM
./certscanner-linux-x64 -mode local -scanfilesystem -scanmemory \
  -outputformat flatndjson | your-siem-ingester

# Complete enterprise scan with tracking
./certscanner-darwin-amd64 -host 10.0.0.0/16 -ports 443,22,993,995,636,8443 \
  -cipherscan -tags "enterprise,quarterly-audit" \
  -outputformat tychon -output Q4-crypto-audit.tychon.ndjson

# Generate compliance report
./certscanner-darwin-amd64 -host critical-servers.txt -cipherscan \
  -outputformat cbom -output compliance-cbom.json

# Stream to SIEM (no memory scanning on macOS)
./certscanner-darwin-amd64 -mode local -scanfilesystem \
  -outputformat flatndjson | your-siem-ingester

Incident Response & Forensics

Rapid cryptographic asset discovery during security incidents and breach investigations. Capture complete system state including active connections, in-memory cryptographic libraries, filesystem certificates, and email archives. Generate forensic reports for incident response teams and compliance documentation.

# Complete system crypto inventory
.\certscanner-windows-amd64.exe -mode local -scanfilesystem -scanmemory -scanconnected `
  -scanoutlookarchives -outputformat html -output system-crypto-report.html

# Quick compromise assessment  
.\certscanner-windows-amd64.exe -mode local -scanconnected -quickscan `
  -outputformat json -output active-connections.json

# Memory forensics for crypto libraries
.\certscanner-windows-amd64.exe -mode local -scanmemory `
  -outputformat flatndjson -output crypto-libs-memory.ndjson

# Complete system crypto inventory
./certscanner-linux-x64 -mode local -scanfilesystem -scanmemory -scanconnected \
  -scanoutlookarchives -outputformat html -output system-crypto-report.html

# Quick compromise assessment  
./certscanner-linux-x64 -mode local -scanconnected -quickscan \
  -outputformat json -output active-connections.json

# Memory forensics for crypto libraries
./certscanner-linux-x64 -mode local -scanmemory \
  -outputformat flatndjson -output crypto-libs-memory.ndjson

# Complete system crypto inventory (no memory scanning)
./certscanner-darwin-amd64 -mode local -scanfilesystem -scanconnected \
  -scanoutlookarchives -outputformat html -output system-crypto-report.html

# Quick compromise assessment  
./certscanner-darwin-amd64 -mode local -scanconnected -quickscan \
  -outputformat json -output active-connections.json

# Note: Memory scanning not available on macOS

Continuous Monitoring

Automated scanning for continuous security monitoring and compliance tracking. Stream results to SIEM platforms (Elasticsearch, Kafka, Splunk), integrate with Windows EventLog, enable ARP-based network discovery, and upload reports to S3 for centralized storage. Perfect for scheduled jobs, real-time alerting, and DevSecOps pipelines.

# Automated daily scans with tracking
.\certscanner-windows-amd64.exe -host production-hosts.txt -cipherscan `
  -tags "automated,daily-scan" -outputformat tychon `
  -posttoelastic -elasticnode "https://elastic.company.com:9200" `
  -elasticapikey "$env:ELASTIC_KEY"

# Real-time Kafka streaming
.\certscanner-windows-amd64.exe -host production-hosts.txt -cipherscan `
  -tags "automated,realtime-stream" -posttokafka `
  -kafkabrokers "kafka1:9092,kafka2:9092,kafka3:9092" `
  -kafkatopic "tychon-crypto-assets" -kafkausername "$env:KAFKA_USER" `
  -kafkapassword "$env:KAFKA_PASSWORD" -kafkasecurityprotocol "SASL_SSL"

# Windows EventLog integration
.\certscanner-windows-amd64.exe -mode local -outputformat eventlog

# ARP-based network discovery
.\certscanner-windows-amd64.exe -mode local -arpscan -quickscan -outputformat flatndjson `
  -output network-discovery.ndjson

# Upload reports to S3 for centralized storage
.\certscanner-windows-amd64.exe -host example.com -cipherscan -outputformat tychon `
  -upload-s3 -s3bucket "company-security-reports" `
  -s3prefix "certscanner/production" -s3region "us-west-2"

# Automated daily scans with tracking
./certscanner-linux-x64 -host production-hosts.txt -cipherscan \
  -tags "automated,daily-scan" -outputformat tychon \
  -posttoelastic -elasticnode "https://elastic.company.com:9200" \
  -elasticapikey "$ELASTIC_KEY"

# Real-time Kafka streaming
./certscanner-linux-x64 -host production-hosts.txt -cipherscan \
  -tags "automated,realtime-stream" -posttokafka \
  -kafkabrokers "kafka1:9092,kafka2:9092,kafka3:9092" \
  -kafkatopic "tychon-crypto-assets" -kafkausername "$KAFKA_USER" \
  -kafkapassword "$KAFKA_PASSWORD" -kafkasecurityprotocol "SASL_SSL"

# ARP-based network discovery
./certscanner-linux-x64 -mode local -arpscan -quickscan -outputformat flatndjson \
  -output network-discovery.ndjson

# Upload reports to S3 for centralized storage
./certscanner-linux-x64 -host example.com -cipherscan -outputformat tychon \
  -upload-s3 -s3bucket "company-security-reports" \
  -s3prefix "certscanner/production" -s3region "us-west-2"

# Automated daily scans with tracking
./certscanner-darwin-amd64 -host production-hosts.txt -cipherscan \
  -tags "automated,daily-scan" -outputformat tychon \
  -posttoelastic -elasticnode "https://elastic.company.com:9200" \
  -elasticapikey "$ELASTIC_KEY"

# Real-time Kafka streaming
./certscanner-darwin-amd64 -host production-hosts.txt -cipherscan \
  -tags "automated,realtime-stream" -posttokafka \
  -kafkabrokers "kafka1:9092,kafka2:9092,kafka3:9092" \
  -kafkatopic "tychon-crypto-assets" -kafkausername "$KAFKA_USER" \
  -kafkapassword "$KAFKA_PASSWORD" -kafkasecurityprotocol "SASL_SSL"

# ARP-based network discovery
./certscanner-darwin-amd64 -mode local -arpscan -quickscan -outputformat flatndjson \
  -output network-discovery.ndjson

# Upload reports to S3 for centralized storage
./certscanner-darwin-amd64 -host example.com -cipherscan -outputformat tychon \
  -upload-s3 -s3bucket "company-security-reports" \
  -s3prefix "certscanner/production" -s3region "us-west-2"

Security Considerations

Scanning Considerations

• Memory scanning requires elevated privileges
• Network scanning may trigger security monitoring
• Large CIDR ranges generate significant traffic
• Cipher enumeration involves multiple TLS handshakes

Data & Privacy

• Cloud downloads only when explicitly enabled
• Web service integration transmits scan results
• Filesystem scanning requires read access
• Database tracking stores asset history locally

Antivirus Configurations

Enterprise antivirus solutions may flag TYCHON components due to their network scanning capabilities and cryptographic analysis functions. Configure your antivirus policies to trust the following files and certificates to prevent false positives and ensure proper operation.

TYCHON Scanner Executables

Add these file patterns to antivirus exclusions:

Windows:

• cryptographic-analyzer-windows-*-*.exe

• certscanner-windows-*.exe

• certscanner.exe

Linux:

• cryptographic-analyzer-linux-*-*

• certscanner-linux-*

• certscanner

macOS:

• cryptographic-analyzer-darwin-*-*

• certscanner-darwin-*

OpenSSL Components

Bundled OpenSSL 3.5.4 binaries extracted to temporary directories:

The scanner extracts OpenSSL to a temporary directory pattern. Add these paths to antivirus exclusions:

Windows:

• %TEMP%\certscanner_openssl_*\openssl.exe

SHA256: 61857d55998dfaf7e855c00c3afbf9e2b7e024f44cd854180da330b0623c1635

Linux:

• /tmp/certscanner_openssl_*/openssl

SHA256: 89677c4272fac1aead18dd65143dc3c0bc13f0c1c22f19a538be59db0a30d2e8

macOS (Intel):

• /tmp/certscanner_openssl_*/openssl

SHA256: 8702d163004c63d84c0d589d11291f23ac230ad2495f3243a26e720373a6fbb5

macOS (Apple Silicon):

• /tmp/certscanner_openssl_*/openssl

SHA256: 9fb92ca4f707b7d452b2ca8dd2a293c3cb0789e47d80f1acdda06c0042a59f73

Note: The * represents a random suffix generated by the operating system for each execution.

Code Signing Certificates

TYCHON executables are signed with the following certificates. Configure your antivirus to trust these certificate authorities and signatures:

Windows Code Signing Certificate

Subject:

CN=TYCHON, LLC

OU=Engineering

O=TYCHON, LLC

L=Fredericksburg

S=Virginia

C=US

Certificate Details:

Serial: 068E0290AC164B8C1151C071B7CAE96A

SHA-256 Thumbprint:

D24DCF9372E73CAE4D93B8D34E43E3E24BDADC83

Issuer:

DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1

Valid: Sep 25, 2023 - Nov 10, 2026

macOS Code Signing Certificate

Developer ID:

Developer ID Application: Tychon, LLC

Team Identifier:

XSTMP7MDL9

Certificate Chain:

Developer ID Certification Authority

Apple Root CA

CDHash (SHA-256):

f1254bc1837276097dfa758325abb5e92a5bb698

Full SHA-256:

f1254bc1837276097dfa758325abb5e92a5bb69873260b37cf4a19fd64cb9614

Runtime:

Hardened Runtime Enabled (v12.0.0)

Common Antivirus Platform Configuration

Windows Defender:

• Add folder exclusions for TYCHON installation directory
• Configure process exclusions for certscanner*.exe
• Allow certificate-based trust for signed binaries

CrowdStrike Falcon:

• Create IOA exclusions for TYCHON processes
• Add certificate-based allow policies
• Configure custom hash-based exclusions

Symantec Endpoint:

• Add application control exceptions
• Configure file exclusions in real-time scan
• Trust publisher certificates in policy

McAfee/Trellix:

• Configure VirusScan exclusions
• Add DLP policy exceptions for scan output
• Set application control trusted publishers

Release Notes - Version 2.0.0.169

What's New in This Release

Core Features:

Output & Integration:

What is TYCHON Quantum Readiness?

The Post-Quantum Cryptography Crisis

The "Harvest Now, Decrypt Later" Attack

Immediate Business Risks

Hidden Cryptographic Debt

Compliance & Regulatory Timeline

How TYCHON Quantum Readiness Solves This

Discovery Phase

Analysis Phase

Transition Phase

Primary Use Cases

Key Capabilities

Why TYCHON Quantum Readiness Matters

Quick Start

Remote Scanning

Local Scanning

Download & Install

License Configuration

Trial Mode vs Licensed Mode

Trial Mode (No License)

Licensed Mode

How to Apply Your License Key

1 Command-line Flag (Highest Priority)

2 Environment Variable

3 User Configuration File

4 System Configuration File (Lowest Priority)

License Information

Troubleshooting Windows Environment Variables

1. Verify the Environment Variable is Set

2. Common Issues and Solutions

Container Platforms

Kubernetes Deployment

Docker Deployment

Core Features

TLS/SSL Scanning

Post-Quantum Crypto

SSH Host Keys

Memory Scanning

Filesystem Scanning

Multiple Output Formats

Architecture Diagram

Usage Examples

Network Security Assessment

Local System Audit

SIEM Integration

Secure Configuration (FIPS 140-3)

Command Reference

Core Options

Scanning Options (Both Modes)

Remote Mode Features

Local Mode Features

Output & Reporting

Integration & Tracking

Secure Configuration (FIPS 140-3)

🔒 Security Features

Performance Optimization

CPU Throttling for Resource Management

Throttling Levels

Adaptive Features

CPU Throttling Examples

Performance Impact

CPU Throttling Guide

Performance Management

PQC Support

Advanced PQC Detection

Key Exchange Algorithms (ML-KEM / Kyber)

Pure ML-KEM

MLKEM512 Hybrids

MLKEM768 Hybrids

MLKEM1024 Hybrids

Classical Algorithms

Key Analysis Features

Digital Signature Algorithms

Falcon (NIST FIPS 206)

Dilithium (NIST FIPS 204)

MAYO (Multivariate)