Schema Reference: -cipherscanquick -scanfilesystem -scanmemory -scanconnected

How To Read This Page

This page documents one specific scan shape: local mode with -cipherscanquick -scanfilesystem -scanmemory -scanconnected. It is meant to answer two questions quickly: what can appear in the hierarchical JSON report and what can appear as event datasets in Flat NDJSON.

JSON

Use this when you want the canonical nested report. Arrays and objects stay intact, and repeated structures like certificates and keystores are reused across the report.

Flat NDJSON

Use this when you want one object per event for pipelines and SIEM ingestion. Nested values are flattened into dot-notation fields or serialized strings.

Coverage rule

The page lists fields that can appear for this flag combination. Many are conditional and only show up when a relevant port, certificate, keystore, or memory artifact is actually found.

Reuse rule

When a field says "same fields as CertificateDetails", "same fields as KeystoreInfo", and similar, the structure is reused exactly rather than redefined differently.

Omitted versus null

Most optional fields are omitted when empty. That is especially important when comparing the JSON report to Flat NDJSON output.

Start with the JSON root or the NDJSON base fields, then jump to the structures or event datasets you care about.

JSON Output (hierarchical report)

Root fields
scanning_system_info
results[] -> HostScanResult
PortResult
CertificateDetails
MainCipherNegotiationInfo
QuickCipherScanResult
SSHScanResult
SSHCryptoNegotiationInfo
filesystem_scan_results[]
process_memory_scan_results[]
keystore_results[]
app_report (AppCentricReport)
quantum_readiness
connected_quick_results[] -> ConnectedQuickResult

Flat NDJSON Events (one object per line)

Overview

Running with -cipherscanquick -scanfilesystem -scanmemory -scanconnected in local mode produces:

-cipherscanquick

Fast 3-loop TLS enumeration per listening port. Builds AppCentricReport. Emits port_detail, tychon.cipher_quick, tychon.application, tychon.pqc_inventory.

-scanfilesystem

Walks filesystem for certificates, private keys, and keystores. Emits certificate, private_key, keystore_certificate, keystore.

-scanmemory

Scans running process memory for crypto libraries. Emits memory_scan (native) and java_crypto (JVM).

-scanconnected

Enumerates active outbound network connections, probes each for TLS, and records the result. Emits tychon.connected_quick. Browser processes are excluded automatically.

A quantum_assessment event is emitted as part of readiness scoring, while unrelated scan families such as Outlook, VPN, and IPSec remain outside this switch set.

Quick Crosswalk

Scan feature	Primary JSON section	Primary Flat NDJSON dataset(s)	What to expect
`-cipherscanquick`	`results[]`, `app_report`, `quantum_readiness`	`port_detail`, `tychon.cipher_quick`, `tychon.application`, `tychon.pqc_inventory`, `quantum_assessment`	Quick TLS enumeration drives the application-centric output in local mode.
`-scanfilesystem`	`filesystem_scan_results[]`, `keystore_results[]`, related portions of `app_report`	`certificate`, `private_key`, `keystore_certificate`, `keystore`	Filesystem findings can belong to an application or remain under orphan findings.
`-scanmemory`	`process_memory_scan_results[]`, related portions of `app_report`	`memory_scan`, `java_crypto`	Memory findings are process-centric and may overlap with the same application already represented elsewhere.
`-scanconnected`	`connected_quick_results[]`	`tychon.connected_quick`	One record per active outbound connection (non-browser). Records remote IP, port, source process, and whether TLS was confirmed. Full cipher details are not captured.

Legend and Reading Shortcuts

Provenance badges

Source Which switch produces the field or section.

Conditional Present only when the relevant artifact was found or the value was non-empty.

Platform Windows-only, macOS-only, or Linux-only nuances.

Format JSON canonical structure versus NDJSON flattened or serialized output.

Three fast rules

1. JSON sections are the source of truth for nested shapes.

2. NDJSON usually flattens those same shapes into dot-path fields or serialized JSON strings.

3. When an NDJSON section says it reuses CertificateDetails, KeystoreInfo, or Application, jump to that canonical section first.

Example Payloads

These are intentionally small examples meant to show shape, not every possible field. Use them to orient yourself before diving into the full tables.

Minimal JSON shape

{
  "scan_type": "local",
  "results": [
    {
      "hostname": "localhost",
      "ports": [
        {
          "port": 443,
          "leaf_certificate": { "...": "CertificateDetails" },
          "quick_cipher_scan": { "...": "QuickCipherScanResult" }
        }
      ]
    }
  ],
  "filesystem_scan_results": [
    { "...": "CertificateDetails" }
  ],
  "process_memory_scan_results": [
    { "...": "ProcessCryptoInfo" }
  ],
  "keystore_results": [
    { "...": "KeystoreInfo" }
  ],
  "app_report": {
    "applications": [
      { "...": "Application" }
    ]
  }
}

Representative NDJSON lines

{"event.dataset":"port_detail","port":443,"tls.version":"tls1.2"}
{"event.dataset":"certificate","certificate.subject_common_name":"example.local"}
{"event.dataset":"memory_scan","process.pid":4120,"library.crypto_type":"OpenSSL"}
{"event.dataset":"keystore","file.path":"C:/app/keystore.p12"}
{"event.dataset":"tychon.application","tychon.application.name":"nginx"}

Repeated Structures You Will See Often

Most of the apparent duplication in this schema comes from the same small set of shared structures being reused in multiple places. Use these as your anchor definitions, then treat later references as placements of the same shape.

CertificateDetails

Reused for TLS leaf certificates, certificate chains, filesystem certificates, SSH certificate-backed host keys, and application-level certificate attachments.

KeystoreInfo

Reused for top-level filesystem keystore results, orphan findings, and keystores attached to individual applications.

ProcessCryptoInfo

Defines the memory-scan process view and the crypto library material that later shows up summarized in application-centric output.

SSHScanResult and SSHCryptoNegotiationInfo

Used when SSH is present instead of TLS, both in per-port JSON results and in references from application ports.

Field Search

Filter the full schema by field name, dataset, type, or description. Matching rows remain visible across both JSON and Flat NDJSON tables.

Showing all fields.

Part 1 - JSON Output (`ScanReport`)

The JSON file is the canonical hierarchical representation. Every field listed here maps directly to a Go struct JSON tag, and later sections often reference the shared structures defined earlier instead of redefining them from scratch.

ScanReport - root object

Field	Type	Description
`scanning_system_info`	object	Machine and scanner identity. See ScanningSystemInfo.
`database_schema_version`	string	Version of the intel database schema embedded in the binary.
`output_schema_version`	string	Version of the JSON output schema. Increment when field names or structure changes break consumers.
`scan_type`	string	Scan mode: `"local"`, `"remote"`, or `"connected"`.
`target_input_string`	string	Raw value of the `-host` flag or `"localhost"` for local scans.
`timestamp`	time	RFC3339 scan start timestamp.
`tags`	[]string	User-supplied tags from the `-tags` flag.
`results`	[]HostScanResult	Per-host port scan results. See HostScanResult.
`process_memory_scan_results`	[]ProcessCryptoInfo	Memory scan results per process. Populated with `-scanmemory`. See ProcessCryptoInfo.
`filesystem_scan_results`	[]CertificateDetails	Filesystem certificates and private keys. Populated with `-scanfilesystem`.
`keystore_results`	[]KeystoreInfo	Keystore files found on disk. See KeystoreInfo.
`outlook_archives`	[]OutlookArchiveInfo	Outlook PST/OST archives. Not emitted by these flags.
`vpn_client_scan_results`	[]VPNClientInfo	VPN clients detected. Not emitted by these flags.
`ipsec_tunnel_scan_results`	[]IPSecTunnelInfo	IPSec tunnels detected. Not emitted by these flags.
`connected_quick_results`	[]ConnectedQuickResult	Active outbound network connections enumerated by `-scanconnected`. One entry per non-browser connection. Omitted when `-scanconnected` was not specified or no connections were found. See ConnectedQuickResult.
`quantum_readiness`	object	Composite quantum readiness assessment. See QuantumReadinessAssessment.
`app_report`	object	Application-centric view. Populated by `-cipherscanquick` in local mode. See AppCentricReport.

ScanningSystemInfo

Field	Type	Description
`software_version`	string	Scanner binary version string.
`hostname`	string	System hostname.
`domain`	string	Active Directory or DNS domain name.
`current_user`	string	Username running the scanner process.
`user_uid`	string	UID of the running user (Linux/macOS).
`user_gid`	string	GID of the running user (Linux/macOS).
`user_home_dir`	string	Home directory path of the running user.
`ip_addresses`	[]string	All IP addresses assigned to the host.
`os`	string	OS name (e.g., "Windows", "linux", "darwin").
`platform`	string	OS platform identifier (e.g., "ubuntu", "windows").
`platform_family`	string	OS family (e.g., "debian", "rhel", "windows").
`platform_version`	string	OS version string.
`kernel_version`	string	Kernel version string.
`kernel_arch`	string	CPU architecture (e.g., "x86_64", "arm64").
`virtualization_system`	string	Virtualization system detected (e.g., "vmware", "kvm").
`virtualization_role`	string	Role in virtualization (e.g., "guest", "host").
`host_id`	string	Stable unique host identifier (machine UUID or derived).
`cpu_vendor_id`	string	CPU vendor string (e.g., "GenuineIntel").
`cpu_model_name`	string	CPU model name string.
`cpu_cores`	int32	Physical CPU core count.
`cpu_logical_cores`	int	Logical CPU core count (includes hyperthreading).
`total_ram_bytes`	uint64	Total installed RAM in bytes.
`ram_used_percent`	float64	RAM utilization percentage at scan time.
`system_uptime_seconds`	uint64	System uptime in seconds.
`openssl_version_used`	string	OpenSSL version string used by the scanner.
`openssl_path_used`	string	Filesystem path to the OpenSSL binary used.
`fips_mode_enabled`	bool	True when the OS FIPS enforcement mode is active.
`error`	string	Error collecting system info (if any).
`machine_serial_number`	string	Hardware serial number (from SMBIOS/DMI).
`bios_serial_number`	string	BIOS serial number.
`organization`	string	Organization name from system configuration.
`bigfix_client_installed`	bool	True when HCL BigFix client is detected on the host.
`bigfix_client_id`	string	BigFix client computer ID.
`tychon_client_id`	string	TYCHON client identifier for asset correlation.
`is_vdi_environment`	bool	True when VDI environment (VMware Horizon, Citrix, RDS) is detected.
`vdi_identity_source`	string	Source of the stable VDI host identity (e.g., "profile_file", "username_hash").
`kerberos_config`	KerberosConfig	Kerberos encryption type configuration. Windows only — `config_source` is `not_applicable` on Linux/macOS.
`kerberos_config.config_source`	string	Where the configuration was read from: `group_policy`, `lsa_direct`, `os_default`, or `not_applicable`.
`kerberos_config.is_explicitly_configured`	bool	True when the `SupportedEncryptionTypes` registry value is explicitly set.
`kerberos_config.supported_types`	[]string	Permitted Kerberos encryption type names (e.g., `["AES256-CTS-HMAC-SHA1-96","RC4-HMAC"]`). `null` when not configured.
`kerberos_config.has_rc4`	bool	True when RC4-HMAC is permitted (deprecated — exploitable via Kerberoasting).
`kerberos_config.has_des`	bool	True when DES-CBC-CRC or DES-CBC-MD5 is permitted (broken — should never be enabled).
`kerberos_config.has_aes128`	bool	True when AES128-CTS-HMAC-SHA1-96 is permitted.
`kerberos_config.has_aes256`	bool	True when AES256-CTS-HMAC-SHA1-96 is permitted.
`kerberos_config.is_quantum_safe`	bool	True only when exclusively AES is permitted (no RC4, no DES) and at least one AES variant is present.
`non_tls_ciphers[]`	NonTlsCipherProfile[]	Cipher profiles for protocols with their own crypto stacks (SMB3, SNMPv3, Kerberos, IBM MQ, NFS, STARTTLS services). Each profile also emits as a `tychon.non_tls_cipher` NDJSON event. See tychon.non_tls_cipher fields.

NonTlsCipherProfile

One entry per detected non-TLS protocol. Field names mirror QuickCipherScanResult for schema consistency. Emitted for SMB3 (port 445), SNMPv3 (port 161), and Kerberos (port 88).

Field	Type	Description
`protocol`	string	Protocol identifier: `SMB3`, `SNMPv3`, or `Kerberos`.
`port`	int	Well-known port (445, 161, 88). Omitted when detection came from a config file only.
`supported_ciphers[]`	string[]	Cipher or enctype strings considered safe (e.g. `AES-256-GCM`, `AES256-CTS-HMAC-SHA1-96`).
`insecure_ciphers[]`	string[]	Broken or banned cipher/enctype strings (e.g. `DES`, `RC4-HMAC`, `3DES`).
`weak_ciphers[]`	string[]	Deprecated but not yet banned cipher strings (e.g. MD5-HMAC, SHA-1 auth in SNMPv3 USM).
`preferred_cipher`	string	Cipher selected during network negotiation. Only present for SMB3 network probes.
`auth_algorithms[]`	string[]	Authentication algorithm names (SNMPv3 USM auth protocols, Kerberos pre-auth types).
`is_encrypted`	bool	Whether the protocol session is encrypted.
`pqc_vulnerable`	bool	True when any cipher is vulnerable to a cryptographically-relevant quantum computer.
`pqc_readiness`	string	One of `safe`, `transitional`, or `vulnerable`.
`quantum_risk`	string	One of `low`, `medium`, `high`, or `critical`.
`migration_priority`	string	One of `low`, `medium`, `high`, or `critical`.
`supported_protocols`	[]string	TLS versions negotiated during a STARTTLS probe, e.g. `["TLS 1.3"]`. Populated by SMTP, IMAP, LDAP, PostgreSQL probes only.
`recommended_action`	string	Human-readable remediation suggestion.
`config_source`	string	Detection method: `network_probe`, `registry`, `registry_group_policy`, `registry_lsa_direct`, `registry_os_default`, `krb5_conf`, `krb5_conf_defaults`, `snmpd_conf`, `starttls_probe`, `not_found`.

results[] -> HostScanResult

Field	Type	Description
`scanned_host`	string	Hostname or IP address scanned.
`domain`	string	Domain associated with this host.
`resolved_ip`	string	Actual IP that responded during the scan (may differ from hostname).
`ports`	[]PortResult	Port scan results. See PortResult.
`scan_type`	string	`"local"`, `"remote"`, or `"connected"`.

PortResult (results[].ports[] and app_report.applications[].ports[])

Field	Type	Description
`port`	int	TCP port number.
`status`	string	Port status: `"open"`, `"closed"`, `"filtered"`, `"error"`.
`error_message`	string	Error detail when connection failed.
`protocol_detected`	string	Detected application protocol (e.g., `"tls"`, `"ssh"`, `"plaintext"`).
`process_info`	object	Process owning this port. See ProcessDetails.
`leaf_certificate`	object	TLS leaf certificate. See CertificateDetails.
`certificate_chain`	[]CertificateDetails	Full TLS certificate chain including intermediates and root.
`supported_cipher_suites`	[]MainCipherNegotiationInfo	All cipher suites probed. See MainCipherNegotiationInfo.
`quick_cipher_scan`	object	Quick cipher enumeration result. See QuickCipherScanResult.
`ssh_info`	object	SSH scan result. See SSHScanResult.
`heartbleed_status`	string	Heartbleed vulnerability status string.
`heartbleed_details`	string	Heartbleed detail message.
`quantum_ready_kx`	bool	True when key exchange is quantum-safe (PQC KEX detected).
`quantum_ready_cipher`	bool	True when cipher suite provides post-Grover resistance (AES-256+).
`quantum_ready_cert`	bool	True when leaf certificate uses a quantum-resistant signature algorithm.
`quantum_ready`	bool	True only when all three quantum dimensions pass.
`quantum_grade`	object	Detailed quantum grade for this port. See PortQuantumGrade.
`iis_site`	object	IIS site info (Windows, PID 4) — site name, bindings, and virtual host identity.
`ibmmq_info`	NonTlsCipherProfile	IBM MQ cipher profile when an IBM MQ channel (plaintext or TLS) is detected on this port. Present only when IBM MQ is identified. See NonTlsCipherProfile fields.
`nfs_info`	NonTlsCipherProfile	NFS cipher profile when a Network File System mount or export is detected on this port. Reflects the negotiated security flavor (e.g. `sys`, `krb5p`, `tls`). Present only when NFS is identified. See NonTlsCipherProfile fields.

ProcessDetails (process_info)

Field	Type	Description
`pid`	int32	Process ID.
`name`	string	Process name.
`command_line`	string	Full command line string.
`username`	string	Username running the process.
`create_time`	time	Process creation timestamp.
`executable_details`	object	File metadata for the process executable. See FileDetails.
`service_info`	object	Windows service metadata when the process is a registered service (Windows only; absent otherwise).
`service_info.name`	string	Windows service short name (registry key name).
`service_info.display_name`	string	Windows service display name shown in the Services console.
`service_info.description`	string	Windows service description text.
`service_info.state`	string	Service run state (lowercase). One of: `running`, `stopped`, `start_pending`, `stop_pending`, `continue_pending`, `pause_pending`, `paused`, `unknown`.
`error`	string	Error collecting process details.

Canonical FileDetails (executable_details, file_details)

Field	Type	Description
`path`	string	Absolute filesystem path.
`size`	int64	File size in bytes.
`sha1_hash`	string	SHA-1 hex digest.
`sha256_hash`	string	SHA-256 hex digest.
`md5_hash`	string	MD5 hex digest.
`mod_time`	time	Last modification time.
`create_time`	time	File creation time.
`access_time`	time	Last access time.
`extension`	string	File extension (e.g., `".pem"`).
`name`	string	Filename without directory.
`attributes`	string	File permission/attribute string.
`file_version`	string	Windows PE file version (e.g., "10.0.19041.1").
`product_version`	string	Windows PE product version.
`product_name`	string	Windows PE product name.
`company_name`	string	Windows PE company name.
`owner`	string	File owner username.
`group`	string	File group name.
`error`	string	Error collecting file metadata.

Canonical CertificateDetails (leaf_certificate, certificate_chain[], filesystem_scan_results[])

Source Appears in network and filesystem findings. Format This is the canonical nested structure reused by JSON and then flattened or serialized in NDJSON.

Field	Type	Description
`universal_id`	string	Stable unique ID for deduplication across outputs.
`source_id`	string	Source-specific unique identifier.
`source_file_path`	string	Filesystem path where this certificate was found.
`version`	int	X.509 certificate version (2 = v3).
`serial_number`	string	Hex-encoded certificate serial number.
`signature_algorithm`	string	Signature algorithm (e.g., "SHA256-RSA", "ECDSA-SHA384").
`issuer`	object	Issuer distinguished name. See DistinguishedName.
`subject`	object	Subject distinguished name. See DistinguishedName.
`validity`	object	Certificate validity period.
`validity.not_before`	time	Certificate valid-from timestamp (RFC3339).
`validity.not_after`	time	Certificate expiry timestamp (RFC3339).
`validity.duration_days`	int	Total validity duration in days (not_after - not_before).
`subject_public_key_info`	object	Public key details. See PublicKeyDetails.
`signature_hex`	string	Raw signature bytes as hex string.
`authority_key_id`	string	Authority Key Identifier extension value.
`subject_key_id`	string	Subject Key Identifier extension value.
`key_usage`	[]string	Key usage bits (e.g., ["Digital Signature", "Key Encipherment"]).
`extended_key_usage`	[]string	Extended key usage OID names (e.g., ["TLS Web Server Authentication"]).
`unknown_extended_key_usage_oids`	[]string	Unrecognized EKU OIDs as dotted strings.
`basic_constraints`	object	X.509 Basic Constraints extension.
`basic_constraints.is_ca`	bool	True when certificate is a Certificate Authority.
`basic_constraints.max_path_len`	int	Maximum CA chain path length (-1 when not constrained).
`basic_constraints.max_path_len_zero`	bool	True when max path length is explicitly set to 0 (leaf CA only).
`subject_alternative_names`	object	Subject Alternative Names (SAN) extension.
`subject_alternative_names.dns_names`	[]string	DNS SANs (e.g., ["example.com", "*.example.com"]).
`subject_alternative_names.email_addresses`	[]string	Email SANs.
`subject_alternative_names.ip_addresses`	[]string	IP address SANs as strings.
`subject_alternative_names.uris`	[]string	URI SANs.
`crl_distribution_points`	[]string	CRL distribution point URLs.
`ocsp_servers`	[]string	OCSP responder URLs.
`issuing_certificate_urls`	[]string	AIA issuing certificate URLs.
`policy_identifiers`	[]string	Certificate policy OIDs.
`unhandled_critical_extensions_oids`	[]string	Critical extensions that could not be parsed.
`permitted_dns_domains_critical`	bool	True when name constraints extension is marked critical.
`permitted_dns_domains`	[]string	Permitted DNS domain name constraints.
`excluded_dns_domains`	[]string	Excluded DNS domain name constraints.
`sha1_fingerprint`	string	SHA-1 fingerprint of the DER-encoded certificate.
`sha256_fingerprint`	string	SHA-256 fingerprint of the DER-encoded certificate.
`is_self_signed`	bool	True when issuer equals subject.
`raw_pem_certificate`	string	PEM-encoded certificate (base64 DER).
`parse_error`	string	Error when certificate could not be fully parsed.
`active`	bool	Asset tracking: written only when `false` (tombstoned asset not seen in current scan); absent when asset is currently active.
`last_seen`	string	ISO8601 timestamp when this cert was last observed (tombstoned assets only).
`is_private_key`	bool	True when this entry is a private key rather than a certificate.
`pqc_vulnerable`	bool	True when the key algorithm is vulnerable to a cryptographically-relevant quantum computer.
`pqc_readiness`	string	PQC readiness classification: `"vulnerable"`, `"transitional"`, `"resistant"`.
`crypto_library`	string	Crypto library that issued this certificate.
`key_strength_assessment`	string	Key strength: `"weak"`, `"adequate"`, `"strong"`.
`quantum_risk`	string	Quantum risk level: `"high"`, `"medium"`, `"low"`.
`recommended_action`	string	Human-readable recommended remediation action.
`migration_priority`	string	Migration urgency: `"critical"`, `"high"`, `"medium"`, `"low"`.
`encryption`	object	Encryption metadata for password-protected private keys. Same sub-fields as KeystoreInfo.encryption (algorithm, kdf, iterations, mac, vulnerable, reason, iv_length, salt_length).
`file_details`	object	File metadata for filesystem certificates. See FileDetails.

DistinguishedName (issuer / subject)

Field	Type	Description
`common_name`	string	CN field.
`serial_number`	string	SERIALNUMBER attribute.
`country`	[]string	C fields.
`organization`	[]string	O fields.
`organizational_unit`	[]string	OU fields.
`locality`	[]string	L fields.
`province`	[]string	ST fields.
`street_address`	[]string	Street address.
`postal_code`	[]string	Postal code.
`raw_string`	string	Full RFC2253 DN string.

PublicKeyDetails (subject_public_key_info)

Field	Type	Description
`algorithm`	string	Algorithm name (e.g., "RSA", "EC", "Ed25519", "ML-DSA-65").
`bit_size`	int	Key size in bits.
`curve`	string	Elliptic curve name (e.g., "P-256", "P-384").
`rsa_exponent`	int64	RSA public exponent.
`rsa_modulus_hex`	string	RSA modulus as hex string.
`raw_der_base64`	string	Raw DER-encoded public key as base64.
`ecdsa_x_hex`	string	ECDSA public key X coordinate as hex.
`ecdsa_y_hex`	string	ECDSA public key Y coordinate as hex.
`eddsa_public_key_hex`	string	EdDSA public key bytes as hex.

MainCipherNegotiationInfo (supported_cipher_suites[])

Field	Type	Description
`universal_id`	string	Stable unique ID for this cipher observation.
`source_id`	string	Source-specific unique identifier.
`protocol`	string	TLS protocol version (e.g., "TLSv1.3", "TLSv1.2").
`cipher_suite`	string	IANA cipher suite name (e.g., "TLS_AES_256_GCM_SHA384").
`key_length_bits`	int	Negotiated key length in bits.
`negotiated_group`	string	Key exchange group (e.g., "X25519", "X25519MLKEM768", "P-256").
`ephemeral_key_length_bits`	int	Ephemeral key length in bits.
`peer_signing_digest`	string	Hash algorithm used in the server's CertificateVerify.
`alpn_protocol`	string	Negotiated ALPN protocol (e.g., "h2", "http/1.1").
`session_id`	string	TLS session ID (hex).
`session_ticket_lifetime_hint_seconds`	int	Session ticket lifetime hint in seconds.
`extended_master_secret_supported`	bool	True when Extended Master Secret (RFC 7627) is negotiated.
`tls13_early_data_supported`	bool	True when 0-RTT early data is supported.
`renegotiation_forbidden`	bool	True when renegotiation is disabled by the server.
`compression_method`	string	TLS compression method (usually "none").
`is_preferred`	bool	True for the server's preferred (anchor) cipher suite.
`source`	string	How this entry was discovered: `"anchor"`, `"swarm"`, or `"swarm+intel"`.
`probe_method`	string	Probe technique: `"openssl"`, `"utls_standard"`, or `"utls_hrr"`.
`intel`	map	Cipher intelligence data. See Intel Map fields below.
`active`	bool	Asset tracking: written only when `false` (tombstoned); absent when cipher is currently observed.
`last_seen`	string	Last observation timestamp for tombstoned entries.

intel map - cipher intelligence fields

Key	Type	Description
`cipher_name`	string	IANA cipher suite name.
`OpenSSL_Name`	string	OpenSSL cipher name equivalent.
`Security_Category`	string	Security category string.
`nist_security_category`	string	NIST security category.
`overall_risk`	string	Risk level: Low, Medium, High, Critical.
`Description`	string	Human-readable cipher description.
`recommendations`	string	Recommended action for this cipher.
`is_nist_approved`	bool	True when cipher is NIST-approved.
`is_fips140_2_compliant`	bool	FIPS 140-2 compliant cipher algorithms.
`is_fips140_3_compliant`	bool	FIPS 140-3 compliant cipher algorithms.
`is_cipher_quantum_resistant`	bool	True for AES-256 and ChaCha20 (>=128-bit post-Grover resistance).
`is_cipher_quantum_resistant`	bool	True for AES-256 and ChaCha20 (>=128-bit post-Grover resistance).
`cipher_quantum_resistance_bits`	int	Effective post-Grover bits: AES-256->256, AES-128->64, 3DES->56, broken->0.
`is_pci_dss_compliant`	bool	PCI DSS v4.0 compliant.
`is_cis_compliant`	bool	CIS Benchmarks L1 compliant.
`is_nist_800_131a_compliant`	bool	NIST SP 800-131A rev2 compliant.
`is_hipaa_compliant`	bool	HIPAA guidance compliant.
`is_cnsa_20_compliant`	bool	NSA CNSA 2.0 cipher dimension only (AES-256-GCM-SHA-384).
`is_tls13_only`	bool	True for the 5 TLS 1.3-exclusive cipher suites.
`protocols`	string	Supported TLS protocol versions for this cipher.
`Vulnerabilities`	string	Known vulnerabilities (e.g., "BEAST, POODLE").
`Recommended_IANA`	string	Recommended replacement cipher.
`rfc_reference`	string	Defining RFC number.
`Key_Exchange_Algorithm`	string	Key exchange algorithm (e.g., "ECDHE", "RSA").
`authentication_algorithm`	string	Authentication algorithm (e.g., "RSA", "ECDSA").
`Encryption_Algorithm`	string	Symmetric encryption algorithm (e.g., "AES-256-GCM").
`encryption_bits`	int	Symmetric key size in bits.
`aead_mac`	string	AEAD/MAC algorithm (e.g., "SHA-384").
`DTLS_OK`	string	"Yes"/"No" - whether cipher is usable with DTLS.
`kex_quantum_safe`	bool	True when the negotiated key exchange is quantum-safe.
`kex_family`	string	KEX family: pure_pqc, hybrid_pqc, ecdh, dh_ff, rsa_kex, null_anon.
`kex_cnsa_20_level`	string	KEX CNSA 2.0 level: full, transition, classical_acceptable, none.
`kex_display_name`	string	Human-readable KEX name (e.g., "X25519 + ML-KEM-768").
`kex_is_pqc_hybrid`	bool	True for hybrid PQC+classical key exchanges.
`kex_pqc_component`	string	PQC algorithm component (e.g., "ML-KEM-768").
`kex_security_bits_pqc`	int	PQC security bits of the key exchange.
`kex_nist_standard`	string	NIST PQC standard (e.g., "FIPS-203").
`kex_overall_risk`	string	KEX risk level: Low, Medium, High, Critical.
`kex_fips140_2_compliant`	bool	KEX FIPS 140-2 compliant.
`kex_fips140_3_compliant`	bool	KEX FIPS 140-3 compliant.
`kex_pci_dss_compliant`	bool	KEX PCI DSS v4.0 compliant.
`kex_cis_compliant`	bool	KEX CIS Benchmarks compliant.
`kex_nist_800_131a_compliant`	bool	KEX NIST SP 800-131A compliant.
`kex_hipaa_compliant`	bool	KEX HIPAA guidance compliant.
`protocol_pqc_capable`	bool	True when protocol supports PQC key exchange groups (TLS 1.3 only).
`protocol_cnsa_20_approved`	bool	True when protocol is CNSA 2.0 approved (TLS 1.2+).
`protocol_deprecated`	bool	True for deprecated protocols (TLS 1.0, 1.1, SSL 3.0, SSL 2.0).
`protocol_fips140_2_compliant`	bool	Protocol FIPS 140-2 compliant.
`protocol_fips140_3_compliant`	bool	Protocol FIPS 140-3 compliant.
`protocol_pci_dss_compliant`	bool	Protocol PCI DSS v4.0 compliant.
`protocol_cis_compliant`	bool	Protocol CIS Benchmarks compliant.
`protocol_nist_800_131a_compliant`	bool	Protocol NIST SP 800-131A compliant.
`protocol_hipaa_compliant`	bool	Protocol HIPAA guidance compliant.
`connection_quantum_safe`	bool	True when all three dimensions (protocol + KEX + cipher) are quantum-safe.
`connection_cnsa_20_level`	string	Connection-level CNSA 2.0: full, transition, partial, none.
`connection_security_score`	int	Composite security score 0-100.
`connection_overall_risk`	string	Connection risk: Low, Medium, High, Critical.
`connection_findings`	[]string	Human-readable findings list.
`connection_fips140_2_compliant`	bool	All three dimensions FIPS 140-2 compliant.
`connection_fips140_3_compliant`	bool	All three dimensions FIPS 140-3 compliant.
`connection_pci_dss_compliant`	bool	All three dimensions PCI DSS compliant.
`connection_cis_compliant`	bool	All three dimensions CIS compliant.
`connection_nist_800_131a_compliant`	bool	All three dimensions NIST 800-131A compliant.
`connection_hipaa_compliant`	bool	All three dimensions HIPAA compliant.

QuickCipherScanResult (quick_cipher_scan)

Field	Type	Description
`supported_protocols`	[]string	All TLS protocol versions accepted by the server.
`supported_cipher_suites`	[]string	All cipher suites accepted by the server.
`supported_key_exchanges`	[]string	All key exchange groups accepted by the server.
`preferred_protocol`	string	Server's preferred TLS protocol version.
`preferred_cipher`	string	Server's preferred cipher suite.
`preferred_key_exchange`	string	Server's preferred key exchange group.
`total_probes`	int	Total number of TLS handshakes attempted during enumeration.
`duration_ms`	int64	Time taken for the quick cipher scan in milliseconds.
`insecure_ciphers`	[]string	Cipher suites assessed as High risk or not NIST-approved.
`weak_ciphers`	[]string	Cipher suites assessed as Medium risk.

Canonical SSHScanResult (ssh_info)

Field	Type	Description
`status`	string	SSH probe status (e.g., "connected", "error", "timeout").
`error_message`	string	Error detail if the SSH probe failed.
`banner`	string	SSH server version banner string (e.g., "SSH-2.0-OpenSSH_8.9").
`host_key`	object	SSH host key details.
`host_key.type`	string	Host key type (e.g., "ecdsa-sha2-nistp256", "ssh-ed25519", "rsa-sha2-512").
`host_key.public_key`	string	Base64-encoded public key blob.
`host_key.fingerprint_sha256`	string	SHA-256 fingerprint string (e.g., "SHA256:abc123...").
`host_key.bits`	int	Host key size in bits.
`host_key.x509_certificate`	object	X.509 certificate for host keys that use certificates (e.g., ssh-rsa-cert-v01). See CertificateDetails.
`algorithms`	object	SSH algorithm negotiation. See SSHEnhancedNegotiationInfo.
`supported_crypto_suites`	[]SSHCryptoNegotiationInfo	Per-algorithm crypto asset records. See SSHCryptoNegotiationInfo.

SSHEnhancedNegotiationInfo (algorithms)

Field	Type	Description
`server_offered_kex`	[]string	Key exchange algorithms offered by server in KEXINIT.
`server_offered_host_key_algos`	[]string	Host key algorithms offered by server.
`server_offered_ciphers_c2s`	[]string	Encryption algorithms offered by server (client-to-server direction).
`server_offered_ciphers_s2c`	[]string	Encryption algorithms offered by server (server-to-client direction).
`server_offered_macs_c2s`	[]string	MAC algorithms offered by server (c2s).
`server_offered_macs_s2c`	[]string	MAC algorithms offered by server (s2c).
`server_offered_compression`	[]string	Compression methods offered by server.
`negotiated_kex`	string	Actually negotiated key exchange algorithm.
`negotiated_host_key_algo`	string	Actually negotiated host key algorithm.
`negotiated_cipher_c2s`	string	Actually negotiated cipher (client-to-server).
`negotiated_cipher_s2c`	string	Actually negotiated cipher (server-to-client).
`negotiated_mac_c2s`	string	Actually negotiated MAC (client-to-server).
`negotiated_mac_s2c`	string	Actually negotiated MAC (server-to-client).
`negotiated_compression`	string	Actually negotiated compression method.
`client_offered_kex`	[]string	Key exchange algorithms offered by scanner client.
`client_offered_host_key_algos`	[]string	Host key algorithms offered by scanner client.
`client_offered_ciphers`	[]string	Ciphers offered by scanner client.
`client_offered_macs`	[]string	MACs offered by scanner client.

Canonical SSHCryptoNegotiationInfo (supported_crypto_suites[])

Field	Type	Description
`source_id`	string	Source-specific unique identifier for this crypto asset record.
`protocol`	string	SSH protocol version string (always "SSH-2.0").
`asset_type`	string	Type of SSH cryptographic asset. Values: `"kex"`, `"cipher"`, `"mac"`, `"host_key"`.
`algorithm`	string	Algorithm name for this asset (e.g., "curve25519-sha256", "aes256-ctr", "hmac-sha2-256", "ssh-ed25519").
`key_length_bits`	int	Key length in bits (when known).
`ephemeral_key_length_bits`	int	Ephemeral key length in bits (KEX assets).
`kex_algorithm`	string	Key exchange algorithm name (kex assets).
`encryption_cipher`	string	Encryption cipher name (cipher assets).
`mac_algorithm`	string	MAC algorithm name (mac assets).
`compression_method`	string	Compression method (e.g., "none", "zlib").
`host_key_algorithm`	string	Host key algorithm (host_key assets).
`host_key_fingerprint`	string	SHA-256 fingerprint of the host key (host_key assets).
`is_preferred`	bool	True when this algorithm was the negotiated (preferred) choice.
`is_legacy`	bool	True when the algorithm is considered legacy or deprecated.
`is_post_quantum`	bool	True when the algorithm provides post-quantum resistance.
`security_level`	string	Security level assessment. Values: `"high"`, `"medium"`, `"low"`, `"weak"`.
`source`	string	Discovery source: `"negotiated"` (actually used) or `"offered"` (server-advertised).
`intel`	map	Algorithm intelligence data (same structure as cipher intel map; present when intel DB entry exists for this algorithm).
`active`	bool	Asset tracking: written only when `false` (tombstoned); absent when this algorithm is currently observed.
`last_seen`	string	RFC3339 timestamp when this algorithm was last observed (tombstoned entries only).

Canonical ProcessCryptoInfo (process_memory_scan_results[])

Field	Type	Description
`pid`	uint32	Process ID.
`name`	string	Process name.
`path`	string	Process executable path.
`service_info`	object	Windows service metadata when the process is a registered service (Windows only; absent otherwise).
`service_info.name`	string	Windows service short name (registry key name).
`service_info.display_name`	string	Windows service display name shown in the Services console.
`service_info.description`	string	Windows service description text.
`service_info.state`	string	Service run state: `"running"`, `"stopped"`, `"start_pending"`, `"stop_pending"`, `"continue_pending"`, `"pause_pending"`, `"paused"`, or `"unknown"`.
`modules`	[]CryptoLibrary	Native crypto libraries loaded in this process. See CryptoLibrary.
`java_crypto_libs`	[]JavaCryptoLibrary	Java crypto providers found in this process.

CryptoLibrary (modules[])

Field	Type	Description
`universal_id`	string	Stable unique ID for this library observation.
`name`	string	Library file name (e.g., "libssl.so.3", "openssl.exe").
`path`	string	Full filesystem path to the library.
`file_version`	string	PE file version string (Windows).
`product_version`	string	PE product version string (Windows).
`company_name`	string	PE company name (Windows).
`product_name`	string	PE product name (Windows).
`description`	string	PE file description (Windows).
`copyright`	string	PE copyright string (Windows).
`pid`	uint32	PID of the owning process.
`process_name`	string	Name of the owning process.
`base_addr`	uintptr	Base load address in process memory.
`size`	uint32	Size of the mapped module in bytes.
`crypto_type`	string	Identifies the cryptographic library. Value depends on platform and detection path (casing differs between memory scan and PE/dylib scan). Possible values: `openssl` \| `OpenSSL` \| `boringssl` \| `BoringSSL` \| `libressl` \| `LibreSSL` \| `gnutls` \| `GnuTLS` \| `nss` \| `NSS` \| `mbedtls` \| `mbedTLS` \| `wolfssl` \| `wolfSSL` \| `apple_security` (macOS: Security.framework / CommonCrypto / CoreCrypto / CryptoKit) \| `Schannel` \| `BCrypt (CNG)` \| `windows_bcrypt` \| `NCrypt (CNG)` \| `windows_ncrypt` \| `Crypt32 (CAPI)` \| `windows_crypt32` \| `windows_schannel` \| `Botan` \| `GenericCrypto/TLS` (Windows memory fallback for unrecognized ssl/tls/crypto DLLs) \| `generic` (Linux fallback) \| `Unknown` (Windows memory: pattern matched but name unrecognized).
`detected_apis`	[]string	Detected cryptographic API symbols found in the library.
`version_details`	map[string]string	Additional version metadata as arbitrary key/value string pairs. Keys and values are library-specific (e.g., `{"version": "3.0.2", "fips": "true"}`). May be absent.
`pqc_status`	string	PQC capability: `"capable"`, `"partial"`, `"not_capable"`, `"unknown"`.
`pqc_algorithms`	[]string	PQC algorithm names supported by this library (if pqc_status is capable/partial).
`active`	bool	Asset tracking: written only when `false` (tombstoned); absent when library is currently loaded.
`last_seen`	string	Last observation timestamp for tombstoned entries.

Canonical KeystoreInfo (keystore_results[])

Source Produced by -scanfilesystem. Format NDJSON reuses this shape by flattening selected fields and pairing them with ECS file metadata.

Field	Type	Description
`path`	string	Filesystem path to the keystore file.
`type`	string	Keystore format (e.g., "jks", "pkcs12", "pem_bundle", "nss", "windows_cert_store").
`accessible`	bool	True when the scanner could open and read the keystore.
`requires_auth`	bool	True when keystore is password-protected.
`cert_count`	int	Number of certificates found in the keystore.
`owner`	string	File owner username.
`permissions`	string	File permission string.
`size`	int64	File size in bytes.
`last_modified`	time	Last modification timestamp.
`error_message`	string	Error when keystore could not be parsed.
`encryption`	object	Keystore encryption metadata (when accessible and password-protected).
`encryption.algorithm`	string	Encryption algorithm (e.g., "AES-256-CBC", "PBEWithSHAAndRC2").
`encryption.kdf`	string	Key derivation function (e.g., "PBKDF2", "PKCS12KDF").
`encryption.iterations`	int	KDF iteration count.
`encryption.mac`	string	MAC algorithm used for integrity (e.g., "SHA256", "SHA1").
`encryption.vulnerable`	bool	True when encryption scheme uses weak or deprecated parameters.
`encryption.reason`	string	Reason the encryption is considered vulnerable.
`encryption.iv_length`	int	Initialization vector length in bytes.
`encryption.salt_length`	int	Salt length in bytes.
`certificates`	[]KeystoreCertificate	Certificates contained in this keystore. See KeystoreCertificate.

KeystoreCertificate (certificates[])

Field	Type	Description
`alias`	string	Certificate alias within the keystore (JKS/PKCS12).
`subject`	string	Subject distinguished name string.
`issuer`	string	Issuer distinguished name string.
`serial_number`	string	Certificate serial number.
`not_before`	time	Certificate validity start.
`not_after`	time	Certificate validity end.
`key_algorithm`	string	Public key algorithm (e.g., "RSA", "EC").
`key_size`	int	Public key size in bits.
`signature_algorithm`	string	Certificate signature algorithm (e.g., "SHA256-RSA", "ECDSAWithSHA384").
`thumbprint`	string	SHA-1 thumbprint of the certificate.
`version`	int	X.509 version number (always 3 for modern certificates).
`is_ca`	bool	True when basic constraints mark this as a CA certificate.
`is_self_signed`	bool	True when issuer equals subject.
`has_private_key`	bool	True when a matching private key is present in the keystore.
`key_usage`	[]string	Key usage extension values (e.g., "Digital Signature", "Key Encipherment"). Omitted when empty.
`ext_key_usage`	[]string	Extended key usage OID names (e.g., "TLS Web Server Authentication"). Omitted when empty.
`chain_length`	int	Number of certificates in the chain. Omitted when 0.
`chain_complete`	bool	True when the full certificate chain was verified. Omitted when chain_length is 0.
`vulnerable`	bool	True when a known CVE applies to this certificate's parameters.
`risk_level`	string	Risk level: Low, Medium, High, Critical.
`risk_reason`	string	Reason for the assigned risk level.
`cve_list`	[]string	CVE identifiers applicable to this certificate.
`fixed_in_version`	string	Version in which the reported CVE is fixed. Omitted when absent.
`pqc_vulnerable`	bool	True when algorithm is quantum-vulnerable.
`pqc_reason`	string	Reason this certificate is PQC-vulnerable.
`active`	bool	Asset tracking: written only when `false` (tombstoned); absent when certificate is currently observed.
`last_seen`	time	Last observation timestamp (tombstoned assets only).

AppCentricReport (app_report) - populated by -cipherscanquick in local mode

Source Produced by -cipherscanquick. Conditional Only present in local mode when application-centric aggregation runs. Format Several nested members here are later serialized into tychon.application NDJSON fields.

Field	Type	Description
`system_quantum_grade`	object	System-wide quantum grade summary (SystemQuantumGrade). Absent when no ports were graded.
`system_quantum_grade.score`	int	Weighted average quantum readiness score across all applications (0-100).
`system_quantum_grade.grade`	string	System letter grade: A+, A, B, C, D, or F.
`system_quantum_grade.network_score`	int	Port-count-weighted average of per-application scores before OS bonus is applied.
`system_quantum_grade.os_bonus`	int	Bonus points added for OS-level PQC support (e.g., PQC-capable kernel).
`system_quantum_grade.app_count`	int	Number of applications included in the grade.
`system_quantum_grade.graded_ports`	int	Total number of ports that contributed to the system score.
`system_quantum_grade.os_limitation`	bool	True when OS-level constraints cap the system score below what applications achieve.
`system_quantum_grade.os_findings`	[]string	OS-level findings that caused score deductions or limitations. Omitted when empty.
`applications`	[]ApplicationSummary	All application-centric crypto summaries found. See ApplicationSummary below.
`orphan_findings`	object	Crypto findings not associated with any running process.
`orphan_findings.filesystem_certificates`	[]CertificateDetails	Certificates and private keys discovered on the filesystem not claimed by any process. See CertificateDetails.
`orphan_findings.keystores`	[]KeystoreInfo	Keystore files found on the filesystem not owned by any running process. See KeystoreInfo.

The application-centric view is intentionally concise and PQC-focused. It summarizes the crypto posture for each app across listening ports, outbound connected destinations discovered by -scanconnected, in-memory crypto, and data-at-rest findings. Use the dedicated datasets elsewhere in this page for full raw certificate, keystore, memory, and per-port detail.

ApplicationSummary (applications[])

Field	Type	Description
`pid`	int32	Primary process PID (lowest PID when multiple processes share a path).
`name`	string	Process or application name.
`path`	string	Full executable path.
`app_root`	string	Inferred application root directory.
`file_version`	string	PE file version (Windows).
`product_version`	string	PE product version (Windows).
`product_name`	string	PE product name (Windows).
`company_name`	string	PE company name (Windows).
`source`	string	Entry origin: `"process"`, `"vpn_client"`, or `"ipsec_tunnel"`.
`service_info`	object	Windows service metadata when this application is a registered service (Windows only; absent otherwise).
`service_info.service_name`	string	Service short name.
`service_info.service_display_name`	string	Service display name shown in the Services console.
`service_info.service_description`	string	Service description text.
`quantum_grade`	object	Aggregate quantum grade for this application (AppQuantumGrade). Absent when no ports were scored.
`quantum_grade.score`	int	Composite quantum readiness score for this application (0-100).
`quantum_grade.grade`	string	Letter grade: A+, A, B, C, D, or F.
`quantum_grade.port_count`	int	Number of listening ports that contributed to the score.
`quantum_grade.worst_port_score`	int	Score of the weakest port (determines the application grade).
`quantum_grade.best_port_score`	int	Score of the strongest port.
`quantum_grade.os_deductions`	int	Score deductions caused by OS-level findings.
`quantum_grade.os_findings`	[]string	OS-level findings that caused deductions. Omitted when empty.
`ports`	[]PortSummary	Concise listening-port crypto summaries for this application. See PortSummary below. The full `PortResult` data is available in `results[].ports[]`; this view flattens quick-scan fields to the top level and replaces the leaf certificate with a concise summary.
`port_count`	int	Count of listening ports included in the application summary.
`crypto_libraries`	[]CryptoLibrarySummary	Concise list of crypto libraries in use, keeping library identity and PQC posture rather than repeating full raw library details.
`crypto_library_count`	int	Count of crypto libraries associated with this application.
`in_memory_certificates`	[]CertificateCryptoSummary	Concise in-memory certificate findings for this application. Each entry keeps subject and issuer identity, subject/issuer organization hints, issuer country, self-signed status, validity dates, key, signature, PQC, and source path details rather than the full certificate object.
`in_memory_cert_count`	int	Count of in-memory certificates associated with this application.
`private_keys`	[]PrivateKeySummary	Concise private key findings containing key type, size, curve, and whether the key is encrypted.
`private_key_count`	int	Count of private keys associated with this application.
`keystores`	[]KeystoreSummary	Concise keystore findings containing path, type, certificate count, and encryption posture.
`keystore_count`	int	Count of keystores associated with this application.
`encrypted_files`	[]EncryptedFileInfo	Encrypted data-at-rest findings associated with this application.
`encrypted_file_count`	int	Count of encrypted files associated with this application.
`connected_to`	[]ConnectedDestination	Outbound connections found when `-scanconnected` is used with `-cipherscanquick`. Each entry records the remote IP, remote port, and whether crypto was detected on that connection.
`connected_to[].remote_ip`	string	Remote IP address of the connection.
`connected_to[].port`	int	Remote port number.
`connected_to[].has_crypto`	bool	True when a TLS or crypto library was observed handling this connection.
`connected_to_count`	int	Count of outbound connected destinations included in this application summary.
`keychain_identities`	[]KeychainIdentitySummary	macOS Keychain certificate+key pairs accessible to this application via the Security framework. Each entry includes label, access group, key type/bits/curve, and a `CertificateCryptoSummary` with PQC assessment. Absent on non-macOS platforms.
`keychain_identities[].label`	string	Human-readable keychain item label (often the cert CN, e.g. `"Microsoft.AAD"`, `"GlobalProtect"`).
`keychain_identities[].access_group`	string	App access group for sandboxed items (`"<TeamID>.<BundleID>"`). Empty for legacy non-sandboxed items.
`keychain_identities[].key_type`	string	Private key algorithm: `"RSA"`, `"EC"`, or `"ED25519"`. Sourced from `SecKeyCopyAttributes`.
`keychain_identities[].key_bits`	int	Private key size in bits (e.g. `2048` for RSA, `256` for P-256).
`keychain_identities[].curve`	string	EC curve name when key_type is `"EC"` (e.g. `"P-256"`, `"P-384"`, `"P-521"`).
`keychain_identities[].certificate`	CertificateCryptoSummary	Concise X.509 cert view including subject, issuer, validity, key algorithm, PQC vulnerability, quantum risk, and migration priority.
`keychain_identities[].certificate.pqc_vulnerable`	bool	True when the key algorithm (RSA/EC/Ed25519) is vulnerable to Shor's algorithm.
`keychain_identities[].certificate.pqc_readiness`	string	`"vulnerable"` / `"transitional"` based on key type and size.
`keychain_identities[].certificate.quantum_risk`	string	`"high"` / `"medium"` quantum risk level.
`keychain_identities[].certificate.migration_priority`	string	`"critical"` / `"high"` / `"medium"` migration urgency.
`keychain_identities[].certificate.is_expired`	bool	True when the certificate's NotAfter date is in the past.
`keychain_identities[].certificate.is_weak_signature`	bool	True when the certificate uses a weak signature algorithm (e.g., SHA-1, MD5).
`keychain_identity_count`	int	Count of Keychain identities accessible to this application (macOS only).

PortSummary (ports[] — concise JSON view used in application-centric output)

Field	Type	Description
`ports[].port`	int	TCP/UDP port number.
`ports[].protocol_detected`	string	Detected protocol (for example `"tls"` or `"ssh"`). Omitted when empty.
`ports[].quantum_grade`	object	Detailed quantum grade for this port (PortQuantumGrade).
`ports[].quantum_grade.kex_score`	int	Key exchange component score contribution.
`ports[].quantum_grade.cipher_score`	int	Cipher suite component score contribution.
`ports[].quantum_grade.cert_score`	int	Certificate component score contribution.
`ports[].quantum_grade.protocol_score`	int	Protocol version component score contribution.
`ports[].quantum_grade.sig_hash_score`	int	Signature hash component score contribution.
`ports[].quantum_grade.findings`	[]string	Human-readable findings that influenced the grade. Omitted when empty.
`ports[].preferred_protocol`	string	Preferred negotiated protocol from the quick cipher scan (for example `"TLSv1.3"`).
`ports[].preferred_cipher`	string	Preferred negotiated cipher suite.
`ports[].preferred_key_exchange`	string	Preferred negotiated key exchange group.
`ports[].supported_protocol_count`	int	Count of supported protocols observed by the quick cipher scan.
`ports[].supported_cipher_count`	int	Count of supported cipher suites observed by the quick cipher scan.
`ports[].supported_key_exchange_count`	int	Count of supported key exchange groups observed by the quick cipher scan.
`ports[].insecure_cipher_count`	int	Count of supported cipher suites flagged as insecure.
`ports[].weak_cipher_count`	int	Count of supported cipher suites flagged as weak.
`ports[].supported_protocols`	[]string	All TLS protocol versions accepted by the server (e.g. `["TLSv1.3","TLSv1.2"]`). Omitted when empty.
`ports[].supported_cipher_suites`	[]string	All cipher suites accepted by the server. Omitted when empty.
`ports[].supported_key_exchanges`	[]string	All key exchange groups accepted by the server. Omitted when empty.
`ports[].insecure_ciphers`	[]string	Cipher suites flagged as high-risk or not NIST-approved. Omitted when empty.
`ports[].weak_ciphers`	[]string	Cipher suites flagged as medium-risk (deprecated but not yet banned). Omitted when empty.
`ports[].certificate`	object	Concise leaf certificate summary. Fields: `subject_common_name`, `subject`, `subject_organization`, `issuer_common_name`, `issuer`, `issuer_country`, `issuer_organization`, `serial_number`, `not_before`, `not_after`, `is_self_signed`, `key_algorithm`, `key_size`, `signature_algorithm`, `pqc_vulnerable`, `pqc_readiness`, `quantum_risk`, `migration_priority`, and `source_file_path`.
`ports[].ssh_status`	string	SSH scan status when this port was identified as SSH. Omitted when not applicable.
ports[].omb_assessment - OmbFields (omitempty; OMB M-23-02 inventory fields)
`ports[].omb_assessment.system_name`	string	Canonical system name for this application port inventory entry.
`ports[].omb_assessment.vulnerability_status`	string	OMB vulnerability status string for this port (for example `"Vulnerable"`, `"Not Vulnerable"`, or `"Partially Remediated"`).
`ports[].omb_assessment.module_name`	string	Crypto module name responsible for this port's cipher negotiation.
`ports[].omb_assessment.crqc_vuln_algos`	string	Comma-separated list of algorithms on this port that are vulnerable to a cryptographically relevant quantum computer (CRQC).
`ports[].omb_assessment.pqc_algos`	string	Comma-separated list of post-quantum cryptography algorithms in use on this port.
`ports[].omb_assessment.symmetric_algos`	string	Comma-separated list of symmetric algorithms in use on this port.
`ports[].omb_assessment.software_package_name`	string	Name of the software package serving this port. Omitted when empty.
`ports[].omb_assessment.software_package_version`	string	Version of the software package. Omitted when empty.
`ports[].omb_assessment.vendor`	string	Vendor of the software package. Omitted when empty.
`ports[].omb_assessment.operating_system`	string	Operating system identifier for the host. Omitted when empty.
`ports[].omb_assessment.additional_notes`	string	Free-text additional notes for this inventory entry. Omitted when empty.
`ports[].omb_assessment.kex_protocols`	string	Key exchange protocols in use (for example `"ECDHE"` or `"DHE"`). Omitted when empty.
`ports[].omb_assessment.kex_ciphersuites`	string	Cipher suites negotiated for key exchange. Omitted when empty.
`ports[].omb_assessment.kex_primary_group`	string	Primary key exchange group (for example `"X25519"` or `"P-256"`). Omitted when empty.
`ports[].omb_assessment.other_protocols`	string	Other protocols beyond TLS or SSH observed on this port. Omitted when empty.
`ports[].omb_assessment.other_protocols_params`	string	Parameters for other protocols. Omitted when empty.
`ports[].omb_assessment.kem_algorithms`	string	Key encapsulation mechanism algorithms in use. Omitted when empty.
`ports[].omb_assessment.kem_parameters`	string	KEM algorithm parameters. Omitted when empty.
`ports[].omb_assessment.dsa_algorithms`	string	Digital signature algorithms in use. Omitted when empty.
`ports[].omb_assessment.dsa_parameters`	string	DSA algorithm parameters. Omitted when empty.
`ports[].omb_assessment.dsa_hash_algorithms`	string	Hash algorithms used with DSA. Omitted when empty.
`ports[].omb_assessment.block_ciphers`	string	Block cipher algorithms in use. Omitted when empty.
`ports[].omb_assessment.block_cipher_key_lengths`	string	Block cipher key lengths (for example `"128"` or `"256"`). Omitted when empty.
`ports[].omb_assessment.block_cipher_modes`	string	Block cipher modes of operation (for example `"GCM"` or `"CBC"`). Omitted when empty.
`ports[].omb_assessment.hash_algorithms`	string	Hash algorithms in use. Omitted when empty.
`ports[].omb_assessment.hash_algorithm_parameters`	string	Hash algorithm parameters. Omitted when empty.
`ports[].omb_assessment.mac_algorithms`	string	MAC algorithms in use. Omitted when empty.
`ports[].omb_assessment.mac_algorithm_parameters`	string	MAC algorithm parameters. Omitted when empty.
`ports[].omb_assessment.other_crypto_details`	string	Other cryptographic details not captured by the above fields. Omitted when empty.
`ports[].omb_assessment.certifications`	string	Applicable certifications (for example `"FIPS 140-3"`). Omitted when empty.
ports[].previous_cipher_state - PortCipherState (omitempty; only present when a cipher change was detected)
`ports[].previous_cipher_state.host`	string	Hostname or IP at the time of the last recorded cipher change.
`ports[].previous_cipher_state.port`	int	Port number.
`ports[].previous_cipher_state.first_seen`	time	Timestamp when this port was first observed (RFC3339).
`ports[].previous_cipher_state.last_seen`	time	Timestamp when this port was most recently observed (RFC3339).
`ports[].previous_cipher_state.last_changed`	time	Timestamp when the cipher configuration last changed (RFC3339). Omitted when no change has been detected.
`ports[].previous_cipher_state.preferred_protocol`	string	Current preferred TLS protocol at the time of the last change detection. Omitted when empty.
`ports[].previous_cipher_state.supported_protocols`	[]string	Current list of supported TLS protocols. Omitted when empty.
`ports[].previous_cipher_state.preferred_cipher`	string	Current preferred cipher suite. Omitted when empty.
`ports[].previous_cipher_state.supported_ciphers`	[]string	Current list of supported cipher suites. Omitted when empty.
`ports[].previous_cipher_state.preferred_key_exchange`	string	Current preferred key exchange group. Omitted when empty.
`ports[].previous_cipher_state.supported_key_exchanges`	[]string	Current list of supported key exchange groups. Omitted when empty.
`ports[].previous_cipher_state.previous_preferred_protocol`	string	Preferred protocol from before the most recent change. Omitted when empty for first discovery.
`ports[].previous_cipher_state.previous_supported_protocols`	[]string	Supported protocols from before the most recent change. Omitted when empty.
`ports[].previous_cipher_state.previous_preferred_cipher`	string	Preferred cipher from before the most recent change. Omitted when empty.
`ports[].previous_cipher_state.previous_supported_ciphers`	[]string	Supported ciphers from before the most recent change. Omitted when empty.
`ports[].previous_cipher_state.previous_preferred_key_exchange`	string	Preferred key exchange group from before the most recent change. Omitted when empty.
`ports[].previous_cipher_state.previous_supported_key_exchanges`	[]string	Supported key exchange groups from before the most recent change. Omitted when empty.

QuantumReadinessAssessment (quantum_readiness)

Field	Type	Description
`assessment_id`	string	Unique identifier for this assessment instance (e.g., "qa-a1b2c3d4e5f6").
`timestamp`	time	Assessment timestamp (RFC3339).
`assessment_type`	string	Assessment scope: "local" or "remote".
`system_type`	string	Detected system category. Values: `server`, `workstation`, `embedded`, `unknown`.
`system_role`	string	Detected role (e.g., "server", "workstation", "domain_controller", "ca_server").
`criticality_level`	string	Business criticality. Values: `critical`, `important`, `standard`, `low`.
`fips_mode_enabled`	bool	True when OS FIPS enforcement is active.
`overall_score`	int	Composite quantum readiness score (0-100).
`max_possible_score`	int	Maximum achievable score (always 100).
`readiness_status`	string	Status label. Values: `Quantum Ready`, `Partially Ready`, `Update Required`, `Not Ready`.
`status_color`	string	Hex color for dashboard rendering (e.g., "#22c55e", "#f97316", "#ef4444").
`ready_timeline`	string	Estimated readiness horizon (e.g., "Ready Now", "6-12 months", "12-24 months").
`recommendations`	[]string	Ordered list of prioritized recommendation strings.
`detailed_report`	string	Extended narrative report text suitable for display.
`assessment_duration_ms`	int64	Milliseconds elapsed to complete the assessment (`time.Duration.Milliseconds()`). The struct field is a `time.Duration` but the JSON and NDJSON outputs both call `.Milliseconds()` before writing.
hardware_score - HardwareAssessment
`hardware_score`	HardwareAssessment	Hardware capability sub-assessment (CPU, RAM, TPM, Secure Boot).
`hardware_score.details`	object	Detailed hardware inventory (CPU arch, instruction sets, RAM, TPM version, Secure Boot, NTLM level).
`hardware_score.cpu_score`	int	CPU sub-score contribution.
`hardware_score.cpu_max_score`	int	Maximum possible CPU sub-score.
`hardware_score.memory_score`	int	Memory sub-score contribution.
`hardware_score.memory_max_score`	int	Maximum possible memory sub-score.
`hardware_score.security_hw_score`	int	Security hardware (TPM/HSM) sub-score contribution.
`hardware_score.security_hw_max_score`	int	Maximum possible security hardware sub-score.
`hardware_score.total_score`	int	Sum of all hardware sub-scores.
`hardware_score.total_max_score`	int	Sum of all hardware max sub-scores.
`hardware_score.details.architecture`	string	CPU architecture (e.g., "x86_64", "arm64").
`hardware_score.details.instruction_sets`	[]string	Supported CPU instruction sets (e.g., ["AVX2", "AES-NI"]).
`hardware_score.details.cores`	int	Physical CPU core count.
`hardware_score.details.logical_cores`	int	Logical CPU core count (includes hyperthreading).
`hardware_score.details.base_frequency_ghz`	float64	Base CPU frequency in GHz.
`hardware_score.details.total_ram_gb`	float64	Total installed RAM in gigabytes.
`hardware_score.details.available_ram_gb`	float64	Available RAM in gigabytes at scan time.
`hardware_score.details.has_tpm`	bool	Trusted Platform Module detected.
`hardware_score.details.tpm_version`	string	TPM version string (e.g., "2.0"). Empty when no TPM.
`hardware_score.details.has_hsm`	bool	Hardware Security Module detected.
`hardware_score.details.has_secure_boot`	bool	Secure Boot enabled.
`hardware_score.details.has_aes_ni`	bool	AES-NI instruction set present.
`hardware_score.details.has_avx2`	bool	AVX2 instruction set present (accelerates PQC lattice operations).
`hardware_score.details.has_neon`	bool	ARM NEON SIMD present (ARM equivalent of AVX2).
`hardware_score.details.ntlm_lm_compat_level`	int	Windows LmCompatibilityLevel registry value (0–5). 0–3 = RC4/DES-based auth (vulnerable); 4–5 = NTLMv2 only (acceptable). Omitted on non-Windows.
`hardware_score.details.ntlm_protocol`	string	Human-readable NTLM auth protocol in use, e.g. `NTLMv2-only`, `LM+NTLMv1`. Omitted on non-Windows.
`hardware_score.details.ntlm_pqc_vulnerable`	bool	`true` when NTLM level ≤ 3 (allows RC4 or DES-based authentication). Omitted on non-Windows.
`hardware_score.details.secure_boot_firmware`	string	Firmware type detected: `UEFI`, `Legacy BIOS`, or `Unknown`. Legacy BIOS systems cannot enable Secure Boot.
`hardware_score.details.pqc_benchmark`	PQCBenchmarkSuite	conditional Present only when `-hardware-benchmark` flag is specified. Contains live ML-DSA and ML-KEM throughput measurements. See Hardware PQC Benchmark.
`hardware_score.details.pqc_benchmark.overall_passed`	bool	True if all 15 algorithm/operation benchmarks met their minimum ops/sec threshold.
`hardware_score.details.pqc_benchmark.measurement_ms`	int	Measurement window per operation in milliseconds (default 100).
`hardware_score.details.pqc_benchmark.timestamp_utc`	time	RFC 3339 UTC timestamp when benchmarks were run.
`hardware_score.details.pqc_benchmark.results[]`	[]PQCAlgoBenchmark	Per-algorithm throughput results. Each entry has: `algorithm`, `operation`, `ops_per_sec`, `latency_microsec`, `passed`, `threshold`.
operating_system_score - OSAssessment
`operating_system_score`	OSAssessment	Operating system readiness sub-assessment (version, crypto API, PQC framework).
`operating_system_score.details`	object	Detailed OS inventory (version, build, kernel, crypto framework, PQC framework, SymCrypt presence).
`operating_system_score.os_version_score`	int	OS version recency sub-score.
`operating_system_score.os_version_max_score`	int	Maximum OS version sub-score.
`operating_system_score.crypto_api_score`	int	Crypto API capability sub-score.
`operating_system_score.crypto_api_max_score`	int	Maximum crypto API sub-score.
`operating_system_score.total_score`	int	Sum of OS sub-scores.
`operating_system_score.total_max_score`	int	Sum of OS max sub-scores.
`operating_system_score.details.family`	string	OS family (e.g., "debian", "windows", "rhel").
`operating_system_score.details.version`	string	OS version string.
`operating_system_score.details.build`	string	OS build number (Windows: e.g., "22631").
`operating_system_score.details.kernel_version`	string	Kernel version string.
`operating_system_score.details.native_pqc_support`	bool	OS natively supports PQC algorithms without add-on providers.
`operating_system_score.details.crypto_framework`	string	Primary crypto framework (e.g., "CNG", "OpenSSL", "CommonCrypto").
`operating_system_score.details.pqc_framework`	string	PQC-capable framework if present (e.g., "SymCrypt", "liboqs").
`operating_system_score.details.symcrypt_present`	bool	Microsoft SymCrypt detected (Windows PQC engine).
`operating_system_score.details.modern_crypto_api`	bool	Modern crypto API available (CNG on Windows, OpenSSL 3.x on Linux/macOS).
crypto_library_score - CryptoAssessment
`crypto_library_score`	CryptoAssessment	Cryptographic library readiness sub-assessment (OpenSSL version, PQC provider, FIPS mode).
`crypto_library_score.details`	object	Detailed crypto library inventory (OpenSSL path/version, OQS provider, system libraries, PQC-capable libraries).
`crypto_library_score.openssl_score`	int	OpenSSL version/capability sub-score.
`crypto_library_score.openssl_max_score`	int	Maximum OpenSSL sub-score.
`crypto_library_score.system_crypto_score`	int	System crypto library sub-score.
`crypto_library_score.system_crypto_max_score`	int	Maximum system crypto sub-score.
`crypto_library_score.total_score`	int	Sum of crypto library sub-scores.
`crypto_library_score.total_max_score`	int	Sum of crypto library max sub-scores.
`crypto_library_score.details.openssl_version`	string	OpenSSL version string (e.g., "OpenSSL 3.3.1").
`crypto_library_score.details.openssl_path`	string	Absolute path to the OpenSSL binary used.
`crypto_library_score.details.pqc_support`	bool	OpenSSL supports PQC algorithms (oqs-provider loaded or built-in).
`crypto_library_score.details.oqs_provider`	bool	liboqs OQS provider detected in OpenSSL.
`crypto_library_score.details.fips_mode`	bool	OpenSSL FIPS module active.
`crypto_library_score.details.system_libraries`	[]string	All crypto libraries found on the system.
`crypto_library_score.details.pqc_capable_libraries`	[]string	Subset of system_libraries that support PQC operations.
`crypto_library_score.details.legacy_libraries_present`	bool	One or more legacy/deprecated crypto libraries found.
network_score - NetworkAssessment
`network_score`	NetworkAssessment	Network readiness sub-assessment (bandwidth, TLS 1.3 capability, IPv6, WiFi security).
`network_score.details`	object	Detailed network inventory (bandwidth, MTU, latency, TLS 1.3, WiFi protocol/cipher).
`network_score.bandwidth_score`	int	Estimated bandwidth adequacy sub-score.
`network_score.bandwidth_max_score`	int	Maximum bandwidth sub-score.
`network_score.protocol_score`	int	Protocol capability sub-score (TLS 1.3, IPv6).
`network_score.protocol_max_score`	int	Maximum protocol sub-score.
`network_score.total_score`	int	Sum of network sub-scores.
`network_score.total_max_score`	int	Sum of network max sub-scores.
`network_score.details.estimated_bandwidth_mbps`	uint64	Estimated available bandwidth in Mbps.
`network_score.details.mtu`	int	Network interface MTU (PQC key exchanges produce larger handshakes).
`network_score.details.latency_ms`	int64	Estimated round-trip latency in milliseconds (`time.Duration.Milliseconds()`).
`network_score.details.tls13_capable`	bool	TLS 1.3 capable (required for PQC key exchange groups).
`network_score.details.modern_cipher_support`	bool	Modern AEAD cipher suites observed in use.
`network_score.details.ipv6_support`	bool	IPv6 available on at least one network interface.
`network_score.details.wifi_present`	bool	`true` when a wireless interface is detected.
`network_score.details.wifi_ssid`	string	SSID (network name) of the active WiFi connection, if determinable.
`network_score.details.wifi_protocol`	string	Active WiFi security protocol: `WPA3-SAE`, `WPA2-PSK`, `WPA2-EAP`, `WPA`, `WEP`, `Open`.
`network_score.details.wifi_cipher`	string	Active WiFi encryption cipher: `AES-CCMP`, `TKIP`, `WEP40`, `None`.
`network_score.details.wifi_key_mgmt`	string	Key management method: `SAE` (WPA3), `WPA-PSK`, `WPA-EAP`, `OWE`, `None`.
`network_score.details.wifi_pqc_vulnerable`	bool	`true` when WiFi uses TKIP, WEP, or no encryption (broken/unencrypted).
`network_score.details.wifi_quantum_risk`	string	One of `low` (WPA3-SAE), `medium` (WPA2-CCMP), `critical` (TKIP/WEP/Open).
critical_issues - []Issue (array; each element has these fields)
`critical_issues[].severity`	string	Issue severity (e.g., "critical", "high", "medium").
`critical_issues[].component`	string	Affected component name (e.g., "OpenSSL", "OS", "Hardware").
`critical_issues[].issue`	string	Issue summary string.
`critical_issues[].impact`	string	Description of the security or operational impact.
`critical_issues[].resolution`	string	Recommended remediation action.
`critical_issues[].blocking`	bool	True when this issue prevents quantum readiness.
upgrade_pathway - []UpgradeStep (array; each element has these fields)
`upgrade_pathway`	[]UpgradeStep	Ordered remediation steps to achieve quantum readiness. Absent when no steps are needed.
`upgrade_pathway[].order`	int	Execution order (1-based, ascending).
`upgrade_pathway[].component`	string	Component to upgrade (e.g., "OpenSSL", "Operating System", "Hardware").
`upgrade_pathway[].action`	string	Action verb (e.g., "Upgrade", "Replace", "Enable", "Install").
`upgrade_pathway[].description`	string	Full description of the upgrade step.
`upgrade_pathway[].estimated_time_weeks`	int	Estimated effort in calendar weeks.
`upgrade_pathway[].priority`	string	Priority label (e.g., "critical", "high", "medium", "low").
compliance_status - ComplianceAssessment
`compliance_status`	ComplianceAssessment	Regulatory compliance assessment (NIST PQC readiness, FIPS 140-3, Common Criteria).
`compliance_status.nist_ready`	bool	Meets NIST PQC migration guidance.
`compliance_status.fips_ready`	bool	FIPS 140-3 compliant configuration detected.
`compliance_status.common_criteria`	bool	Common Criteria evaluated configuration detected.
`compliance_status.compliance_notes`	[]string	Compliance gap or confirmation notes.
system_classification - SystemClassification
`system_classification`	SystemClassification	System category, role, criticality, and detection reason.
`system_classification.type`	string	System category. Values: `server`, `workstation`, `embedded`, `unknown`.
`system_classification.role`	string	Detected role string (e.g., "domain_controller", "ca_server", "workstation").
`system_classification.criticality_level`	string	Criticality. Values: `critical`, `important`, `standard`, `low`.
`system_classification.detection_reason`	string	Human-readable explanation of how the classification was determined.
cost_analysis - CostAnalysis (omitempty; absent when cost analysis was skipped)
`cost_analysis`	CostAnalysis	Remediation cost estimate (labor hours, hardware, licensing). Absent when `-labor-rate 0`.
`cost_analysis.total_labor_hours`	float64	Total estimated labor hours across all remediation tasks.
`cost_analysis.total_labor_cost_usd`	float64	Total labor cost in USD (labor_rate_used × total_labor_hours).
`cost_analysis.total_hardware_cost_usd`	float64	Total hardware replacement cost in USD.
`cost_analysis.total_license_cost_usd`	float64	Total software license cost in USD.
`cost_analysis.total_cost_usd`	float64	Grand total remediation cost in USD (labor + hardware + license).
`cost_analysis.labor_rate_used`	float64	Hourly labor rate applied (from -labor-rate flag; default $150/hr).
`cost_analysis.by_os_category`	[]OsCostLine	Per-OS-category cost breakdown. See sub-fields below.
`cost_analysis.by_os_category[].os_category`	string	OS category display name (e.g., "Windows Server 2019", "RHEL 8").
`cost_analysis.by_os_category[].tier`	string	Upgrade tier. Values: `LEGACY`, `CLASSICAL`, `TRANSITIONAL`.
`cost_analysis.by_os_category[].upgrade_target`	string	Recommended upgrade target OS (e.g., "Server 2025", "Windows 11").
`cost_analysis.by_os_category[].labor_hours`	float64	Estimated labor hours for this OS upgrade.
`cost_analysis.by_os_category[].labor_cost_usd`	float64	Labor cost in USD for this OS upgrade.
`cost_analysis.by_os_category[].license_cost_usd`	float64	License cost in USD for this OS upgrade.
`cost_analysis.by_os_category[].hardware_cost_usd`	float64	Hardware replacement cost in USD for this OS category.
`cost_analysis.by_os_category[].total_cost_usd`	float64	Total cost in USD for this OS category.
`cost_analysis.by_app_family`	[]AppCostLine	Per-application-family cost breakdown. See sub-fields below.
`cost_analysis.by_app_family[].app_family`	string	Application family name (e.g., "Java", "OpenSSL", "IIS").
`cost_analysis.by_app_family[].tier`	string	Upgrade tier. Values: `LEGACY`, `CLASSICAL`, `TRANSITIONAL`.
`cost_analysis.by_app_family[].instance_count`	int	Number of detected instances of this application family.
`cost_analysis.by_app_family[].labor_hours`	float64	Estimated labor hours for this application family upgrade.
`cost_analysis.by_app_family[].labor_cost_usd`	float64	Labor cost in USD for this application family upgrade.
`cost_analysis.by_app_family[].total_cost_usd`	float64	Total cost in USD for this application family upgrade.

ConnectedQuickResult (connected_quick_results[])

Produced by -scanconnected. One entry per active outbound network connection that is not from a browser process. Only connections where a successful TLS handshake can be confirmed via getDefaultCipherInfoQuick() have has_crypto=true; all other connections are still recorded with has_crypto=false. Browser processes (Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, IE, Chromium, Safari) are excluded from enumeration entirely.

Struct note: The Go struct contains three additional fields � primary_protocol, primary_key_exchange, and signature_algorithm � that have omitempty tags and are never populated in the current code path. They will never appear in JSON output. They are documented here only so a reader examining the struct definition is not confused.

JSON field	Type	Description
`source_process_name`	string	Name of the process that owns the connection (e.g., "java", "nginx"). Omitted when the process name cannot be resolved. Conditional
`source_pid`	int32	PID of the process that owns the connection. Omitted when PID cannot be resolved or is zero. Conditional
`remote_ip`	string	Remote IP address of the connection (always present).
`port`	int	Remote port number of the connection (always present).
`has_crypto`	bool	True when a TLS handshake was successfully completed to the remote endpoint via `getDefaultCipherInfoQuick()`. False when the endpoint did not respond to TLS.

Part 2 - Flat NDJSON Output

Each line is an independent JSON object. Fields use dot notation. All events share the base fields, and many event-specific fields are flattened versions of the canonical JSON structures defined above.

Base Fields - present in every NDJSON event

Field	Type	Description
`observer.software_version`	string	Scanner binary version.
`observer.id`	string	Stable host identifier (from host_id).
`observer.hostname`	string	System hostname.
`observer.domain`	string	Domain name.
`observer.current_user`	string	Username running the scanner.
`observer.user_uid`	string	User UID.
`observer.user_gid`	string	User GID.
`observer.user_home_dir`	string	User home directory.
`observer.ip_addresses`	[]string	All host IP addresses.
`observer.os.name`	string	OS name (e.g., "Windows", "linux").
`observer.os.platform`	string	OS platform identifier.
`observer.os.family`	string	OS family (e.g., "debian", "windows").
`observer.os.version`	string	OS version string.
`observer.os.kernel`	string	Kernel version string.
`observer.os.build`	string	OS build number (Windows only — e.g., "19045").
`observer.kernel_version`	string	Full kernel version (Windows build).
`observer.platform_version`	string	Platform patch version.
`observer.virtualization_system`	string	Virtualization system name.
`observer.virtualization_role`	string	Virtualization role (guest/host).
`observer.cpu_vendor_id`	string	CPU vendor ID string.
`observer.cpu_model_name`	string	CPU model name.
`observer.cpu_cores`	int32	Physical CPU cores.
`observer.cpu_logical_cores`	int	Logical CPU cores.
`observer.total_ram_bytes`	uint64	Total RAM in bytes.
`observer.ram_used_percent`	float64	RAM utilization percentage.
`observer.system_uptime_seconds`	uint64	System uptime in seconds.
`observer.openssl_version_used`	string	OpenSSL version used by scanner.
`observer.openssl_path_used`	string	OpenSSL binary path.
`observer.fips_mode_enabled`	bool	OS FIPS enforcement active.
`observer.machine_serial_number`	string	Hardware serial number.
`observer.bios_serial_number`	string	BIOS serial number.
`observer.organization`	string	Organization name.
`observer.bigfix_client_installed`	bool	BigFix client present (only when true).
`observer.bigfix_client_id`	string	BigFix computer ID (when client is installed).
`observer.tychon_client_id`	string	TYCHON client ID.
`observer.is_vdi_environment`	bool	VDI environment detected (only when true).
`observer.vdi_identity_source`	string	VDI identity source.
`observer.output_schema_version`	string	Version of the flat NDJSON output schema.
`scan.type`	string	Scan mode: local, remote, connected.
`scan.target_input`	string	Raw -host value or "localhost".
`scan.timestamp`	time	Scan start time (RFC3339Nano).
`scan.tags`	[]string	User-supplied tags (omitted when empty).

event.dataset = "quantum_assessment" — one event per host (OS + overall)

Three flat datasets emitted: (1) quantum_assessment — main OS + overall event (this section); (2) quantum_assessment.app_group — one row per application family with cost fields; (3) quantum_assessment.critical_issue — one row per critical finding. App-family cost and critical issues are not embedded in this event — they are separate documents.

event.kind=event � event.category=configuration � event.action=quantum_readiness_assessment � tychon.type=quantum_readiness

Field	Type	Description
`id`	string	Assessment ID (also written to `_id`).
`_id`	string	Elasticsearch document ID. Copy of `id` for direct indexing.
`event.kind`	string	Always `event`.
`quantum_readiness.assessment_id`	string	Unique assessment identifier.
`quantum_readiness.timestamp`	time	Assessment timestamp (RFC3339Nano).
`quantum_readiness.assessment_type`	string	Assessment type (local/remote).
`quantum_readiness.overall_score`	int	Overall score 0-100.
`quantum_readiness.max_possible_score`	int	Maximum possible score (100).
`quantum_readiness.readiness_status`	string	Readiness status label.
`quantum_readiness.status_color`	string	Dashboard color for status.
`quantum_readiness.ready_timeline`	string	Estimated readiness timeline.
`quantum_readiness.fips_mode_enabled`	bool	OS FIPS enforcement mode active at scan time.
`quantum_readiness.assessment_duration_ms`	int64	Assessment duration in milliseconds.
quantum_readiness.cost_analysis — CostAnalysis (conditional; absent when cost analysis was skipped or -labor-rate 0)
`quantum_readiness.cost_analysis.total_labor_hours`	float64	Total estimated labor hours across all remediation tasks.
`quantum_readiness.cost_analysis.total_labor_cost_usd`	float64	Total labor cost in USD (labor_rate_used × total_labor_hours).
`quantum_readiness.cost_analysis.total_hardware_cost_usd`	float64	Total hardware replacement cost in USD.
`quantum_readiness.cost_analysis.total_license_cost_usd`	float64	Total software license cost in USD.
`quantum_readiness.cost_analysis.total_cost_usd`	float64	Grand total remediation cost in USD (labor + hardware + license).
`quantum_readiness.cost_analysis.labor_rate_used`	float64	Hourly labor rate applied (from -labor-rate flag; default $150/hr).
`quantum_readiness.cost_analysis.os_category`	string	Conditional OS category display name. Flattened directly (no index) since there is at most one OS entry per host (e.g. "Windows Server 2019").
`quantum_readiness.cost_analysis.os_tier`	string	OS upgrade tier: `LEGACY`, `CLASSICAL`, `TRANSITIONAL`.
`quantum_readiness.cost_analysis.os_upgrade_target`	string	Recommended upgrade target OS.
`quantum_readiness.cost_analysis.os_labor_hours`	float64	Estimated labor hours for OS upgrade.
`quantum_readiness.cost_analysis.os_labor_cost_usd`	float64	Labor cost in USD for OS upgrade.
`quantum_readiness.cost_analysis.os_license_cost_usd`	float64	License cost in USD for OS upgrade.
`quantum_readiness.cost_analysis.os_hardware_cost_usd`	float64	Hardware replacement cost in USD for OS upgrade.
`quantum_readiness.cost_analysis.os_total_cost_usd`	float64	Total cost in USD for OS upgrade.
ⓘ App-family cost breakdown is now emitted as separate `quantum_assessment.app_group` events — one per family. Fields: `quantum_readiness.cost_analysis.app_family`, `.tier`, `.instance_count`, `.labor_hours`, `.labor_cost_usd`, `.total_cost_usd`. Stable ID: SHA-256(quantum_assessment_app_group \| hostname \| appFamily \| observerID).
`quantum_readiness.hardware.cpu_score`	int	CPU sub-score.
`quantum_readiness.hardware.cpu_max_score`	int	CPU max sub-score.
`quantum_readiness.hardware.memory_score`	int	Memory sub-score.
`quantum_readiness.hardware.memory_max_score`	int	Memory max sub-score.
`quantum_readiness.hardware.security_hw_score`	int	Security hardware sub-score.
`quantum_readiness.hardware.security_hw_max_score`	int	Security hardware max sub-score.
`quantum_readiness.hardware.total_score`	int	Hardware total score.
`quantum_readiness.hardware.max_score`	int	Hardware max score.
`quantum_readiness.hardware.architecture`	string	CPU architecture (e.g., "x86_64").
`quantum_readiness.hardware.instruction_sets`	string	Detected instruction sets (comma-joined).
`quantum_readiness.hardware.cores`	int	Physical core count.
`quantum_readiness.hardware.logical_cores`	int	Logical core count.
`quantum_readiness.hardware.base_frequency_ghz`	float64	CPU base frequency in GHz.
`quantum_readiness.hardware.total_ram_gb`	float64	Total RAM in GB.
`quantum_readiness.hardware.available_ram_gb`	float64	Available RAM in GB at scan time.
`quantum_readiness.hardware.has_aes_ni`	bool	CPU has AES-NI hardware acceleration.
`quantum_readiness.hardware.has_avx2`	bool	CPU has AVX2 vector instructions.
`quantum_readiness.hardware.has_neon`	bool	CPU has ARM NEON SIMD.
`quantum_readiness.hardware.has_tpm`	bool	Trusted Platform Module detected.
`quantum_readiness.hardware.tpm_version`	string	TPM version string (e.g., "2.0").
`quantum_readiness.hardware.has_hsm`	bool	Hardware Security Module detected.
`quantum_readiness.hardware.has_secure_boot`	bool	Secure Boot enabled.
`quantum_readiness.hardware.pqc_benchmark.overall_passed`	bool	conditional Present when `-hardware-benchmark` specified. True if all benchmark operations passed.
`quantum_readiness.hardware.pqc_benchmark.measurement_ms`	int	conditional Measurement window per operation in milliseconds.
`quantum_readiness.hardware.pqc_benchmark.timestamp_utc`	string	conditional RFC 3339 UTC timestamp of the benchmark run.
`quantum_readiness.hardware.pqc_benchmark.ml_dsa_44.keygen.ops_per_sec`	float64	conditional ML-DSA-44 key generation throughput (ops/sec). Threshold: 500.
`quantum_readiness.hardware.pqc_benchmark.ml_dsa_44.sign.ops_per_sec`	float64	conditional ML-DSA-44 sign throughput (ops/sec). Threshold: 500.
`quantum_readiness.hardware.pqc_benchmark.ml_dsa_44.verify.ops_per_sec`	float64	conditional ML-DSA-44 verify throughput (ops/sec). Threshold: 1000.
`quantum_readiness.hardware.pqc_benchmark.ml_dsa_65.*`	object	conditional ML-DSA-65 keygen/sign/verify ops_per_sec, latency_microsec, passed. Thresholds: 300/300/600.
`quantum_readiness.hardware.pqc_benchmark.ml_dsa_87.*`	object	conditional ML-DSA-87 keygen/sign/verify ops_per_sec, latency_microsec, passed. Thresholds: 200/200/400.
`quantum_readiness.hardware.pqc_benchmark.ml_kem_768.*`	object	conditional ML-KEM-768 keygen/encap/decap ops_per_sec, latency_microsec, passed. Threshold: 2000 each.
`quantum_readiness.hardware.pqc_benchmark.ml_kem_1024.*`	object	conditional ML-KEM-1024 keygen/encap/decap ops_per_sec, latency_microsec, passed. Threshold: 1000 each.
`quantum_readiness.operating_system.os_version_score`	int	OS version sub-score.
`quantum_readiness.operating_system.os_version_max_score`	int	OS version max sub-score.
`quantum_readiness.operating_system.crypto_api_score`	int	Crypto API sub-score.
`quantum_readiness.operating_system.crypto_api_max_score`	int	Crypto API max sub-score.
`quantum_readiness.operating_system.total_score`	int	OS total score.
`quantum_readiness.operating_system.max_score`	int	OS max score.
`quantum_readiness.operating_system.family`	string	OS family.
`quantum_readiness.operating_system.version`	string	OS version.
`quantum_readiness.operating_system.kernel_version`	string	Kernel version.
`quantum_readiness.operating_system.build`	string	OS build identifier.
`quantum_readiness.operating_system.native_pqc_support`	bool	OS natively supports PQC algorithms.
`quantum_readiness.operating_system.crypto_framework`	string	OS crypto framework name (e.g., "CNG", "OpenSSL").
`quantum_readiness.operating_system.pqc_framework`	string	PQC framework detected (e.g., "liboqs").
`quantum_readiness.operating_system.symcrypt_present`	bool	Windows SymCrypt library detected.
`quantum_readiness.operating_system.modern_crypto_api`	bool	Modern crypto API (CNG/OpenSSL 3.x) detected.
`quantum_readiness.operating_system.fips_mode_enabled`	bool	OS FIPS enforcement active.
`quantum_readiness.crypto_libraries.openssl_score`	int	OpenSSL sub-score.
`quantum_readiness.crypto_libraries.openssl_max_score`	int	OpenSSL max sub-score.
`quantum_readiness.crypto_libraries.system_crypto_score`	int	System crypto sub-score.
`quantum_readiness.crypto_libraries.system_crypto_max_score`	int	System crypto max sub-score.
`quantum_readiness.crypto_libraries.total_score`	int	Crypto libraries total score.
`quantum_readiness.crypto_libraries.max_score`	int	Crypto libraries max score.
`quantum_readiness.crypto_libraries.openssl_version`	string	Detected OpenSSL version string.
`quantum_readiness.crypto_libraries.uses_openssl`	bool	True when at least one running process has OpenSSL loaded in memory. Written only when true.
`quantum_readiness.crypto_libraries.openssl_path`	string	Path to OpenSSL binary.
`quantum_readiness.crypto_libraries.pqc_support`	bool	OpenSSL PQC support detected.
`quantum_readiness.crypto_libraries.oqs_provider`	bool	OQS provider loaded in OpenSSL.
`quantum_readiness.crypto_libraries.fips_mode`	bool	OpenSSL FIPS mode active.
`quantum_readiness.crypto_libraries.system_libraries`	string	Detected system crypto libraries (comma-joined).
`quantum_readiness.crypto_libraries.pqc_capable_libraries`	string	PQC-capable libraries (comma-joined).
`quantum_readiness.crypto_libraries.legacy_libraries_present`	bool	Legacy crypto libraries detected.
`quantum_readiness.network.bandwidth_score`	int	Network bandwidth sub-score.
`quantum_readiness.network.bandwidth_max_score`	int	Network bandwidth max sub-score.
`quantum_readiness.network.protocol_score`	int	Network protocol sub-score.
`quantum_readiness.network.protocol_max_score`	int	Network protocol max sub-score.
`quantum_readiness.network.total_score`	int	Network total score.
`quantum_readiness.network.max_score`	int	Network max score.
`quantum_readiness.network.estimated_bandwidth_mbps`	float64	Estimated network bandwidth in Mbps.
`quantum_readiness.network.mtu`	int	Network MTU in bytes.
`quantum_readiness.network.latency_ms`	int64	Network latency in milliseconds.
`quantum_readiness.network.tls13_capable`	bool	TLS 1.3 capable.
`quantum_readiness.network.modern_cipher_support`	bool	Modern cipher suites supported.
`quantum_readiness.network.ipv6_support`	bool	IPv6 connectivity detected.
`quantum_readiness.recommendations`	string	Recommendations joined by " \| ".
`quantum_readiness.upgrade_pathway.order`	int	First upgrade step order number.
`quantum_readiness.upgrade_pathway.component`	string	First upgrade step component name.
`quantum_readiness.upgrade_pathway.action`	string	First upgrade step action description.
`quantum_readiness.upgrade_pathway.description`	string	First upgrade step full description.
`quantum_readiness.upgrade_pathway.estimated_time_weeks`	int	Estimated weeks for first upgrade step.
`quantum_readiness.upgrade_pathway.priority`	string	First upgrade step priority (e.g., "Critical").
ⓘ Critical issues are now emitted as separate `quantum_assessment.critical_issue` events — one per issue. Fields: `quantum_readiness.issue.severity`, `.component`, `.issue`, `.impact`, `.resolution`, `.blocking`. Stable ID: SHA-256(quantum_assessment_critical_issue \| hostname \| component \| severity \| issue \| observerID).
`quantum_readiness.compliance.nist_ready`	bool	NIST compliance status.
`quantum_readiness.compliance.fips_ready`	bool	FIPS compliance status.
`quantum_readiness.compliance.common_criteria`	bool	Common Criteria compliance status.
`quantum_readiness.compliance.compliance_notes`	string	Compliance notes joined by " \| ".
`quantum_readiness.system_classification.type`	string	System type classification.
`quantum_readiness.system_classification.role`	string	System role (e.g., "server", "workstation").
`quantum_readiness.system_classification.criticality_level`	string	Business criticality level.
`quantum_readiness.system_classification.detection_reason`	string	Reason for the classification.
`quantum_readiness.assessment_duration_ms`	int64	Assessment duration in milliseconds.
`quantum_readiness.detailed_report`	string	Extended narrative assessment text.
quantum_readiness.kerberos — Kerberos encryption type configuration (Windows only; absent on non-Windows platforms)
`quantum_readiness.kerberos.config_source`	string	Where the configuration was read from. Values: `group_policy` (set via GPO — authoritative), `lsa_direct` (direct LSA registry key), `os_default` (key absent — OS default inferred from platform version).
`quantum_readiness.kerberos.is_explicitly_configured`	bool	True when the `SupportedEncryptionTypes` registry value is explicitly set. False when the OS default is inferred from an absent key.
`quantum_readiness.kerberos.supported_types`	[]string	List of Kerberos encryption types permitted on this host (e.g., `["AES256-CTS-HMAC-SHA1-96","AES128-CTS-HMAC-SHA1-96","RC4-HMAC"]`).
`quantum_readiness.kerberos.has_rc4`	bool	True when RC4-HMAC (bit 0x04) is permitted. RC4 for Kerberos is deprecated (RFC 8429) and exploitable via Kerberoasting attacks.
`quantum_readiness.kerberos.has_des`	bool	True when DES-CBC-CRC (0x01) or DES-CBC-MD5 (0x02) is permitted. DES is broken and should never be enabled.
`quantum_readiness.kerberos.has_aes128`	bool	True when AES128-CTS-HMAC-SHA1-96 (bit 0x08) is permitted.
`quantum_readiness.kerberos.has_aes256`	bool	True when AES256-CTS-HMAC-SHA1-96 (bit 0x10) is permitted.
`quantum_readiness.kerberos.is_quantum_safe`	bool	True only when the configuration permits exclusively AES (no RC4, no DES) and at least one AES variant is present. AES is Grover-resistant at 256-bit key length.
`quantum_readiness.kerberos.raw_bitmask`	uint64	Raw value of `SupportedEncryptionTypes` registry DWORD. Absent when config_source is `os_default` (no registry value exists to read). Omitted when zero.
kerberos.* — same data as flat dot-notation fields in the NDJSON event (Windows only; absent when config_source is not_applicable)
`kerberos.config_source`	string	Same as `quantum_readiness.kerberos.config_source`.
`kerberos.is_explicitly_configured`	bool	Same as `quantum_readiness.kerberos.is_explicitly_configured`.
`kerberos.supported_types`	string	Encryption type names joined with `", "` (e.g., `"AES256-CTS-HMAC-SHA1-96, RC4-HMAC"`).
`kerberos.has_rc4`	bool	Same as `quantum_readiness.kerberos.has_rc4`.
`kerberos.has_des`	bool	Same as `quantum_readiness.kerberos.has_des`.
`kerberos.has_aes128`	bool	Same as `quantum_readiness.kerberos.has_aes128`.
`kerberos.has_aes256`	bool	Same as `quantum_readiness.kerberos.has_aes256`.
`kerberos.is_quantum_safe`	bool	Same as `quantum_readiness.kerberos.is_quantum_safe`.
`kerberos.raw_bitmask`	uint64	Raw SupportedEncryptionTypes DWORD value. Conditional Omitted when zero.
Cross-dataset normalized fields — see tychon.crypto.*
`tychon.crypto.ntlm.protocol`	string	NTLM protocol string (e.g. `NTLMv2`). Present when NTLM is detected. Conditional
`tychon.crypto.ntlm.auth`	string	Same as ntlm.protocol. Conditional
`tychon.crypto.ntlm.pqc_readiness`	string	`vulnerable` or `transitional`. Conditional
`tychon.crypto.ntlm.quantum_risk`	string	`high` or `low`. Conditional
`tychon.crypto.wifi.protocol`	string	WiFi security protocol (e.g. `WPA3-SAE`). Present when WiFi interface is detected. Conditional
`tychon.crypto.wifi.cipher`	string	WiFi pairwise cipher (e.g. `AES-CCMP`). Conditional
`tychon.crypto.wifi.key_exchange`	string	WiFi key management (e.g. `SAE`, `WPA-PSK`). Conditional
`tychon.crypto.wifi.pqc_readiness`	string	`vulnerable` or `transitional`. Conditional
`tychon.crypto.wifi.quantum_risk`	string	Risk level (e.g. `low`, `medium`, `critical`). Conditional

event.dataset = "port_detail" — one event per (host, port); upserted on each scan

event.kind=event � event.category=network � event.action=port_scan_result � tychon.type=cipher (or "connected" for -scanconnected)

Field	Type	Description
`id`	string	Universal ID for this cipher observation (also written to `_id`).
`target_host.address`	string	Scanned host address.
`target_host.domain`	string	Domain name (when resolved).
`target_host.ip`	string	Resolved IP address.
`target_host.ipv4`	string	IPv4 address (when applicable).
`target_host.ipv6`	string	IPv6 address (when applicable).
`server.address`	string	Server hostname or IP.
`server.port`	int	Server port number.
`server.ip`	string	Server IP (when scanned host is an IP).
`port.number`	int	Port number (legacy field, same as server.port).
`port.status_overall`	string	Port status string.
`port.protocol_detected`	string	Detected application protocol.
`error.message`	string	Error message (when scan failed).
`process.pid`	int32	PID of the process owning this port.
`process.name`	string	Process name.
`process.command_line`	string	Process command line.
`process.username`	string	Process owner username.
`process.create_time`	time	Process creation time.
`process.executable`	string	Process executable path.
`process.executable_directory`	string	Directory containing the executable.
`process.executable_file.path`	string	Absolute path to the executable.
`process.executable_file.size`	int64	File size in bytes.
`process.executable_file.sha1_hash`	string	SHA-1 hex digest.
`process.executable_file.sha256_hash`	string	SHA-256 hex digest.
`process.executable_file.md5_hash`	string	MD5 hex digest.
`process.executable_file.mod_time`	time	Last modification time (RFC3339Nano).
`process.executable_file.create_time`	time	File creation time (RFC3339Nano).
`process.executable_file.access_time`	time	Last access time (RFC3339Nano).
`process.executable_file.extension`	string	File extension (e.g., ".exe", "").
`process.executable_file.name`	string	Filename without directory.
`process.executable_file.attributes`	string	File permission/attribute string.
`process.executable_file.file_version`	string	Windows PE file version.
`process.executable_file.product_version`	string	Windows PE product version.
`process.executable_file.product_name`	string	Windows PE product name.
`process.executable_file.company_name`	string	Windows PE company name.
`process.executable_file.owner`	string	File owner username.
`process.executable_file.group`	string	File group name.
`process.executable_file.error`	string	Error collecting file metadata.
`quantum_ready_kx`	bool	Key exchange is quantum-safe.
`quantum_ready_cipher`	bool	Cipher provides post-Grover resistance.
`quantum_ready_cert`	bool	Certificate uses quantum-resistant signature.
`quantum_ready`	bool	All three quantum dimensions pass.
`x509.version_number`	int	Certificate version (from leaf cert).
`x509.serial_number`	string	Certificate serial number.
`x509.signature_algorithm`	string	Certificate signature algorithm.
`x509.issuer.distinguished_name`	string	Issuer DN string.
`x509.issuer.common_name`	string	Issuer CN.
`x509.subject.distinguished_name`	string	Subject DN string.
`x509.subject.common_name`	string	Subject CN.
`x509.validity.not_before`	time	Certificate not-before date.
`x509.validity.not_after`	time	Certificate not-after date.
`x509.public_key_algorithm`	string	Public key algorithm.
`x509.public_key_size`	int	Public key size in bits.
`x509.public_key_curve`	string	Elliptic curve name.
`hash.sha1_certificate`	string	SHA-1 certificate fingerprint.
`hash.sha256_certificate`	string	SHA-256 certificate fingerprint.
tychon.certificate_leaf_details - CertificateDetails struct, flattened
tychon.certificate_leaf_details - CertificateDetails struct, flattened
`tychon.certificate_leaf_details.universal_id`	string	Universal tracking ID across all outputs.
`tychon.certificate_leaf_details.source_id`	string	Source record ID.
`tychon.certificate_leaf_details.source_file_path`	string	Filesystem path (filesystem certs only).
`tychon.certificate_leaf_details.version`	int	X.509 version (always 3 for modern certs).
`tychon.certificate_leaf_details.serial_number`	string	Certificate serial number (hex).
`tychon.certificate_leaf_details.signature_algorithm`	string	Signature algorithm (e.g., "SHA256WithRSA").
`tychon.certificate_leaf_details.issuer.common_name`	string	Issuer common name.
`tychon.certificate_leaf_details.issuer.serial_number`	string	Issuer serial number.
`tychon.certificate_leaf_details.issuer.country`	string	Issuer country codes ([]string joined as comma-separated).
`tychon.certificate_leaf_details.issuer.organization`	string	Issuer organization names (joined).
`tychon.certificate_leaf_details.issuer.organizational_unit`	string	Issuer OU values (joined).
`tychon.certificate_leaf_details.issuer.locality`	string	Issuer locality (joined).
`tychon.certificate_leaf_details.issuer.province`	string	Issuer province/state (joined).
`tychon.certificate_leaf_details.issuer.street_address`	string	Issuer street address (joined).
`tychon.certificate_leaf_details.issuer.postal_code`	string	Issuer postal code (joined).
`tychon.certificate_leaf_details.issuer.raw_string`	string	Issuer DN as raw string.
`tychon.certificate_leaf_details.subject.common_name`	string	Subject common name.
`tychon.certificate_leaf_details.subject.serial_number`	string	Subject serial number.
`tychon.certificate_leaf_details.subject.country`	string	Subject country codes (joined).
`tychon.certificate_leaf_details.subject.organization`	string	Subject organization (joined).
`tychon.certificate_leaf_details.subject.organizational_unit`	string	Subject OU (joined).
`tychon.certificate_leaf_details.subject.locality`	string	Subject locality (joined).
`tychon.certificate_leaf_details.subject.province`	string	Subject province/state (joined).
`tychon.certificate_leaf_details.subject.street_address`	string	Subject street address (joined).
`tychon.certificate_leaf_details.subject.postal_code`	string	Subject postal code (joined).
`tychon.certificate_leaf_details.subject.raw_string`	string	Subject DN as raw string.
`tychon.certificate_leaf_details.validity.not_before`	time	Certificate valid-from timestamp (RFC3339Nano).
`tychon.certificate_leaf_details.validity.not_after`	time	Certificate expiry timestamp (RFC3339Nano).
`validity.duration_days`	int	Total validity duration in days (not_after - not_before).
`tychon.certificate_leaf_details.subject_public_key_info.algorithm`	string	Public key algorithm (e.g., "RSA", "ECDSA", "Ed25519").
`tychon.certificate_leaf_details.subject_public_key_info.bit_size`	int	Key size in bits.
`tychon.certificate_leaf_details.subject_public_key_info.curve`	string	Elliptic curve name (ECDSA keys only).
`tychon.certificate_leaf_details.subject_public_key_info.rsa_exponent`	int64	RSA public exponent (RSA keys only).
`tychon.certificate_leaf_details.subject_public_key_info.rsa_modulus_hex`	string	RSA modulus as hex (RSA keys only).
`tychon.certificate_leaf_details.subject_public_key_info.raw_der_base64`	string	Raw DER-encoded public key as base64.
`tychon.certificate_leaf_details.subject_public_key_info.ecdsa_x_hex`	string	ECDSA X coordinate as hex.
`tychon.certificate_leaf_details.subject_public_key_info.ecdsa_y_hex`	string	ECDSA Y coordinate as hex.
`tychon.certificate_leaf_details.subject_public_key_info.eddsa_public_key_hex`	string	EdDSA public key as hex.
`tychon.certificate_leaf_details.signature_hex`	string	Signature bytes as hex.
`tychon.certificate_leaf_details.authority_key_id`	string	Authority Key Identifier extension value.
`tychon.certificate_leaf_details.subject_key_id`	string	Subject Key Identifier extension value.
`tychon.certificate_leaf_details.key_usage`	string	Key usage bits ([]string joined with ", ").
`tychon.certificate_leaf_details.extended_key_usage`	string	Extended key usage OIDs/names (joined).
`tychon.certificate_leaf_details.unknown_extended_key_usage_oids`	string	Unrecognized EKU OIDs (joined).
`tychon.certificate_leaf_details.basic_constraints.is_ca`	bool	True when certificate is a CA.
`tychon.certificate_leaf_details.basic_constraints.max_path_len`	int	Max path length for CA chains.
`tychon.certificate_leaf_details.basic_constraints.max_path_len_zero`	bool	True when max path length is explicitly 0.
`tychon.certificate_leaf_details.subject_alternative_names.dns_names`	string	SAN DNS names (joined).
`tychon.certificate_leaf_details.subject_alternative_names.email_addresses`	string	SAN email addresses (joined).
`tychon.certificate_leaf_details.subject_alternative_names.ip_addresses`	string	SAN IP addresses (joined).
`tychon.certificate_leaf_details.subject_alternative_names.uris`	string	SAN URIs (joined).
`tychon.certificate_leaf_details.crl_distribution_points`	string	CRL distribution point URLs (joined).
`tychon.certificate_leaf_details.ocsp_servers`	string	OCSP responder URLs (joined).
`tychon.certificate_leaf_details.issuing_certificate_urls`	string	Issuer certificate URLs (AIA extension, joined).
`tychon.certificate_leaf_details.policy_identifiers`	string	Certificate policy OIDs (joined).
`tychon.certificate_leaf_details.unhandled_critical_extensions_oids`	string	Unhandled critical extension OIDs (joined).
`tychon.certificate_leaf_details.permitted_dns_domains_critical`	bool	Name constraint critical flag.
`tychon.certificate_leaf_details.permitted_dns_domains`	string	Permitted DNS name constraints (joined).
`tychon.certificate_leaf_details.excluded_dns_domains`	string	Excluded DNS name constraints (joined).
`tychon.certificate_leaf_details.sha1_fingerprint`	string	SHA-1 fingerprint of the certificate.
`tychon.certificate_leaf_details.sha256_fingerprint`	string	SHA-256 fingerprint of the certificate.
`tychon.certificate_leaf_details.is_self_signed`	bool	True when subject equals issuer.
`tychon.certificate_leaf_details.raw_pem_certificate`	string	PEM-encoded certificate text.
`tychon.certificate_leaf_details.parse_error`	string	Parse error message. Omitted on success.
`tychon.certificate_leaf_details.is_private_key`	bool	Always false for certificates (true for private key records).
`tychon.certificate_leaf_details.pqc_vulnerable`	bool	True when key algorithm is vulnerable to quantum attack.
`tychon.certificate_leaf_details.pqc_readiness`	string	PQC readiness assessment. Values: `vulnerable`, `transitional`, `resistant`.
`tychon.certificate_leaf_details.crypto_library`	string	Crypto library that parsed this certificate.
`tychon.certificate_leaf_details.key_strength_assessment`	string	Key strength. Values: `weak`, `adequate`, `strong`.
`tychon.certificate_leaf_details.quantum_risk`	string	Quantum risk level. Values: `high`, `medium`, `low`.
`tychon.certificate_leaf_details.recommended_action`	string	Recommended remediation action.
`tychon.certificate_leaf_details.migration_priority`	string	Migration priority. Values: `critical`, `high`, `medium`, `low`.
`tychon.certificate_leaf_details.encryption.algorithm`	string	Encryption algorithm for protected private keys (e.g., "AES-256-CBC").
`tychon.certificate_leaf_details.encryption.kdf`	string	Key derivation function (e.g., "PBKDF2", "PKCS12KDF").
`tychon.certificate_leaf_details.encryption.iterations`	int	KDF iteration count.
`tychon.certificate_leaf_details.encryption.mac`	string	MAC algorithm (e.g., "SHA256").
`tychon.certificate_leaf_details.encryption.vulnerable`	bool	True when encryption scheme is PQC-vulnerable.
`tychon.certificate_leaf_details.encryption.reason`	string	Reason the encryption is vulnerable.
`tychon.certificate_leaf_details.encryption.iv_length`	int	Initialization vector length in bytes.
`tychon.certificate_leaf_details.encryption.salt_length`	int	Salt length in bytes.
certificate.chain.N - N-th chain certificate (0-indexed). Subject/issuer DistinguishedName fields are rewritten as flat strings at this level rather than nested objects.
`certificate.chain.N.subject`	string	Subject DN as a single string.
`certificate.chain.N.subject_common_name`	string	Subject common name.
`certificate.chain.N.subject_country`	string	Subject country (joined).
`certificate.chain.N.subject_organization`	string	Subject organization (joined).
`certificate.chain.N.subject_organizational_unit`	string	Subject OU (joined).
`certificate.chain.N.subject_locality`	string	Subject locality (joined).
`certificate.chain.N.subject_province`	string	Subject province (joined).
`certificate.chain.N.issuer`	string	Issuer DN as a single string.
`certificate.chain.N.issuer_common_name`	string	Issuer common name.
`certificate.chain.N.issuer_country`	string	Issuer country (joined).
`certificate.chain.N.issuer_organization`	string	Issuer organization (joined).
`certificate.chain.N.issuer_organizational_unit`	string	Issuer OU (joined).
`certificate.chain.N.issuer_locality`	string	Issuer locality (joined).
`certificate.chain.N.issuer_province`	string	Issuer province (joined).
`certificate.chain.N.version`	int	X.509 version.
`certificate.chain.N.serial_number`	string	Certificate serial number (hex).
`certificate.chain.N.signature_algorithm`	string	Signature algorithm.
`certificate.chain.N.sha1_fingerprint`	string	SHA-1 fingerprint.
`certificate.chain.N.sha256_fingerprint`	string	SHA-256 fingerprint.
`certificate.chain.N.is_self_signed`	bool	True when subject equals issuer.
`certificate.chain.N.pqc_vulnerable`	bool	True when key algorithm is quantum-vulnerable.
`certificate.chain.N.pqc_readiness`	string	PQC readiness. Values: `vulnerable`, `transitional`, `resistant`.
`certificate.chain.N.quantum_risk`	string	Quantum risk. Values: `high`, `medium`, `low`.
`certificate.chain.N.validity.not_before`	time	Valid-from timestamp.
`certificate.chain.N.validity.not_after`	time	Expiry timestamp.
`validity.duration_days`	int	Total validity duration in days (not_after - not_before).
`certificate.chain.N.subject_public_key_info.algorithm`	string	Public key algorithm.
`certificate.chain.N.subject_public_key_info.bit_size`	int	Key size in bits.
`certificate.chain.N.subject_public_key_info.curve`	string	Elliptic curve (ECDSA only).
`certificate.chain.N.key_usage`	string	Key usage values (joined).
`certificate.chain.N.extended_key_usage`	string	Extended key usage values (joined).
`certificate.chain.N.basic_constraints.is_ca`	bool	True when this is a CA certificate.
`certificate.chain.N.subject_alternative_names.dns_names`	string	SAN DNS names (joined).
`certificate.chain.N.subject_alternative_names.ip_addresses`	string	SAN IP addresses (joined).
`certificate.chain.N.authority_key_id`	string	Authority Key Identifier.
`certificate.chain.N.subject_key_id`	string	Subject Key Identifier.
`certificate.chain.N.crl_distribution_points`	string	CRL URLs (joined).
`certificate.chain.N.ocsp_servers`	string	OCSP responder URLs (joined).
`ssh.status`	string	SSH status (e.g., "connected", "failed"). Present when port is SSH.
`ssh.banner`	string	SSH server version banner (e.g., "SSH-2.0-OpenSSH_9.6").
ssh.host_key - SSHHostKeyInfo (omitted when no host key)
`ssh.host_key.type`	string	Host key type (e.g., "ecdsa-sha2-nistp256", "ssh-ed25519", "rsa-sha2-512").
`ssh.host_key.public_key`	string	Base64-encoded public key blob.
`ssh.host_key.fingerprint_sha256`	string	SHA-256 fingerprint (e.g., "SHA256:abc123...").
`ssh.host_key.bits`	int	Host key size in bits.
ssh.algorithms - SSHEnhancedNegotiationInfo (omitted when unavailable)
`ssh.algorithms.server_offered_kex`	string	KEX algorithms offered by server ([]string joined with ", ").
`ssh.algorithms.server_offered_host_key_algos`	string	Host key algorithms offered by server (joined).
`ssh.algorithms.server_offered_ciphers_c2s`	string	Client-to-server ciphers offered by server (joined).
`ssh.algorithms.server_offered_ciphers_s2c`	string	Server-to-client ciphers offered by server (joined).
`ssh.algorithms.server_offered_macs_c2s`	string	Client-to-server MACs offered by server (joined).
`ssh.algorithms.server_offered_macs_s2c`	string	Server-to-client MACs offered by server (joined).
`ssh.algorithms.server_offered_compression`	string	Compression methods offered by server (joined).
`ssh.algorithms.negotiated_kex`	string	Negotiated KEX algorithm.
`ssh.algorithms.negotiated_host_key_algo`	string	Negotiated host key algorithm.
`ssh.algorithms.negotiated_cipher_c2s`	string	Negotiated client-to-server cipher.
`ssh.algorithms.negotiated_cipher_s2c`	string	Negotiated server-to-client cipher.
`ssh.algorithms.negotiated_mac_c2s`	string	Negotiated client-to-server MAC.
`ssh.algorithms.negotiated_mac_s2c`	string	Negotiated server-to-client MAC.
`ssh.algorithms.negotiated_compression`	string	Negotiated compression method.
`ssh.algorithms.client_offered_kex`	string	KEX algorithms offered by the scanner client (joined).
`ssh.algorithms.client_offered_host_key_algos`	string	Host key algorithms offered by the scanner client (joined).
`ssh.algorithms.client_offered_ciphers`	string	Ciphers offered by the scanner client (joined).
`ssh.algorithms.client_offered_macs`	string	MACs offered by the scanner client (joined).
`tls.server.cipher`	string	Negotiated cipher suite name.
`tls.server.protocol_version`	string	Negotiated TLS protocol version.
`tls.server.negotiated_group`	string	Negotiated key exchange group (when present).
Cross-dataset normalized fields — see tychon.crypto.*
`tychon.crypto.protocol`	string	Always `TLS` in port_detail events.
`tychon.crypto.protocol_version`	string	TLS version stripped (e.g. `1.3`, `1.2`). Conditional
`tychon.crypto.key_exchange`	string	Negotiated key exchange group. Same source as `tls.server.negotiated_group`. Conditional
`tychon.crypto.cipher`	string	Bulk cipher extracted from cipher suite name (e.g. `AES-256-GCM`). Conditional
`tychon.crypto.pqc_vulnerable`	bool	`true` when the connection is vulnerable to a quantum computer. Conditional
`tychon.crypto.pqc_readiness`	string	`ready`, `transitional`, `vulnerable`, or `critical`. Conditional
`tychon.crypto.quantum_risk`	string	`none`, `low`, `medium`, `high`, or `critical`. Conditional
ⓘ Design change: port_detail is now one document per (host, port). The per-cipher-suite `tychon.cipher_negotiation.` fields below are no longer emitted in flat NDJSON output. They are replaced by the `tls.server.` summary fields above: `tls.server.cipher` (preferred), `tls.server.supported_ciphers` (comma-joined), `tls.server.cipher_count`, `tls.server.supported_protocols`, `tls.server.supported_key_exchanges`.
tychon.cipher_negotiation - MainCipherNegotiationInfo (deprecated — see tls.server.* summary fields above)
`tychon.cipher_negotiation.universal_id`	string	Universal tracking ID.
`tychon.cipher_negotiation.source_id`	string	Source record ID.
`tychon.cipher_negotiation.protocol`	string	TLS protocol version (e.g., "TLSv1.3").
`tychon.cipher_negotiation.cipher_suite`	string	Cipher suite name.
`tychon.cipher_negotiation.key_length_bits`	int	Key length in bits.
`tychon.cipher_negotiation.negotiated_group`	string	Negotiated key exchange group.
`tychon.cipher_negotiation.ephemeral_key_length_bits`	int	Ephemeral key length in bits.
`tychon.cipher_negotiation.peer_signing_digest`	string	Peer signing digest algorithm.
`tychon.cipher_negotiation.alpn_protocol`	string	ALPN protocol negotiated (e.g., "h2", "http/1.1").
`tychon.cipher_negotiation.session_id`	string	TLS session ID (hex).
`tychon.cipher_negotiation.session_ticket_lifetime_hint_seconds`	int	Session ticket lifetime hint in seconds.
`tychon.cipher_negotiation.extended_master_secret_supported`	bool	Extended master secret extension supported.
`tychon.cipher_negotiation.tls13_early_data_supported`	bool	TLS 1.3 0-RTT early data supported.
`tychon.cipher_negotiation.renegotiation_forbidden`	bool	TLS renegotiation forbidden.
`tychon.cipher_negotiation.compression_method`	string	TLS compression method (should be "null").
`tychon.cipher_negotiation.is_preferred`	bool	True when this is the server's preferred cipher suite.
`tychon.cipher_negotiation.source`	string	Probe source. Values: `anchor`, `swarm`, `swarm+intel`.
`tychon.cipher_negotiation.probe_method`	string	Probe method used. Values: `openssl`, `utls_standard`, `utls_hrr`.
tychon.cipher_negotiation.intel - CipherIntelDefinition fields (from toMapWithContext) + KEX/Protocol/Connection fields (from enrichIntelMapWithKex)
`tychon.cipher_negotiation.intel.bit_operator`	string	Cipher bit operator string from intel DB.
`tychon.cipher_negotiation.intel.cipher_name_from_definition`	string	Cipher name as stored in the intel DB.
`tychon.cipher_negotiation.intel.openssl_name_from_definition`	string	OpenSSL name for this cipher suite.
`tychon.cipher_negotiation.intel.security_category`	string	Security category (e.g., "Recommended", "Acceptable", "Deprecated").
`tychon.cipher_negotiation.intel.nist_security_category`	string	NIST security category label.
`tychon.cipher_negotiation.intel.overall_risk`	string	Cipher overall risk. Values: `Low`, `Medium`, `High`, `Critical`.
`tychon.cipher_negotiation.intel.description`	string	Human-readable cipher suite description.
`tychon.cipher_negotiation.intel.recommendations`	string	Remediation recommendations.
`tychon.cipher_negotiation.intel.vulnerabilities`	string	Known vulnerabilities for this cipher suite.
`tychon.cipher_negotiation.intel.is_nist_approved`	bool	NIST-approved cipher suite.
`tychon.cipher_negotiation.intel.is_fips140_2_compliant`	bool	FIPS 140-2 compliant cipher suite.
`tychon.cipher_negotiation.intel.is_fips140_3_compliant`	bool	FIPS 140-3 compliant cipher suite.
`tychon.cipher_negotiation.intel.is_pci_dss_compliant`	bool	PCI DSS v4.0 compliant cipher suite.
`tychon.cipher_negotiation.intel.is_cis_compliant`	bool	CIS Benchmark compliant cipher suite.
`tychon.cipher_negotiation.intel.is_nist_800_131a_compliant`	bool	NIST SP 800-131A rev2 compliant cipher suite.
`tychon.cipher_negotiation.intel.is_hipaa_compliant`	bool	HIPAA guidance compliant cipher suite.
`tychon.cipher_negotiation.intel.is_cnsa_20_compliant`	bool	CNSA 2.0 compliant symmetric cipher (symmetric dimension only; see connection fields for full assessment).
`is_cipher_quantum_resistant`	bool	True for AES-256 and ChaCha20 (>=128-bit post-Grover resistance).
`is_cipher_quantum_resistant`	bool	True for AES-256 and ChaCha20 (>=128-bit post-Grover resistance).
`cipher_quantum_resistance_bits`	int	Effective post-Grover bits: AES-256->256, AES-128->64, 3DES->56, broken->0.
`tychon.cipher_negotiation.intel.is_tls13_only`	bool	True when cipher suite is exclusive to TLS 1.3.
`tychon.cipher_negotiation.intel.protocols_from_definition`	string	Protocol versions this cipher suite is valid for.
`tychon.cipher_negotiation.intel.recommended_iana`	bool	IANA-recommended cipher suite.
`tychon.cipher_negotiation.intel.rfc_reference`	string	Defining RFC for this cipher suite.
`tychon.cipher_negotiation.intel.key_exchange_algorithm`	string	Key exchange algorithm component.
`tychon.cipher_negotiation.intel.authentication_algorithm`	string	Authentication algorithm component.
`tychon.cipher_negotiation.intel.encryption_algorithm_from_definition`	string	Encryption algorithm component.
`tychon.cipher_negotiation.intel.encryption_bits_from_definition`	int	Encryption key bits from intel definition.
`tychon.cipher_negotiation.intel.aead_mac`	string	AEAD MAC algorithm component.
`tychon.cipher_negotiation.intel.dtls_ok`	bool	Cipher suite usable with DTLS.
`tychon.cipher_negotiation.intel.tls_server_cipher_risk_score`	int	Protocol-version risk score (added when protocol is known).
`tychon.cipher_negotiation.intel.tls_cipher_weight`	int	Cipher strength weight score (added when cipher name is known).
`tychon.cipher_negotiation.intel.kex_quantum_safe`	bool	True when the key exchange is quantum-safe.
`tychon.cipher_negotiation.intel.kex_family`	string	KEX family. Values: `pure_pqc`, `hybrid_pqc`, `ecdh`, `dh_ff`, `rsa_kex`, `null_anon`, `legacy_broken`.
`tychon.cipher_negotiation.intel.kex_cnsa_20_level`	string	KEX CNSA 2.0 level. Values: `full`, `transition`, `classical_acceptable`, `none`.
`tychon.cipher_negotiation.intel.kex_display_name`	string	Human-readable KEX display name.
`tychon.cipher_negotiation.intel.kex_is_pqc_hybrid`	bool	True when KEX is a classical+PQC hybrid.
`tychon.cipher_negotiation.intel.kex_pqc_component`	string	PQC component of hybrid KEX (e.g., "ML-KEM-768").
`tychon.cipher_negotiation.intel.kex_security_bits_pqc`	int	PQC security bits of the KEX.
`tychon.cipher_negotiation.intel.kex_nist_standard`	string	NIST PQC standard (e.g., "FIPS-203").
`tychon.cipher_negotiation.intel.kex_overall_risk`	string	KEX overall risk. Values: `Low`, `Medium`, `High`, `Critical`.
`tychon.cipher_negotiation.intel.kex_fips140_2_compliant`	bool	KEX uses FIPS 140-2 approved algorithms.
`tychon.cipher_negotiation.intel.kex_fips140_3_compliant`	bool	KEX uses FIPS 140-3 approved algorithms.
`tychon.cipher_negotiation.intel.kex_pci_dss_compliant`	bool	KEX meets PCI DSS requirements.
`tychon.cipher_negotiation.intel.kex_cis_compliant`	bool	KEX meets CIS Benchmark requirements.
`tychon.cipher_negotiation.intel.kex_nist_800_131a_compliant`	bool	KEX meets NIST SP 800-131A rev2 requirements.
`tychon.cipher_negotiation.intel.kex_hipaa_compliant`	bool	KEX meets HIPAA guidance.
`tychon.cipher_negotiation.intel.protocol_pqc_capable`	bool	True when the protocol supports PQC key exchange groups (TLS 1.3 only).
`tychon.cipher_negotiation.intel.protocol_cnsa_20_approved`	bool	Protocol is CNSA 2.0 approved (TLS 1.2/1.3 only).
`tychon.cipher_negotiation.intel.protocol_deprecated`	bool	Protocol is deprecated (TLS 1.0/1.1, SSLv2/3, DTLSv1.0, SSHv1).
`tychon.cipher_negotiation.intel.protocol_fips140_2_compliant`	bool	Protocol meets FIPS 140-2 requirements.
`tychon.cipher_negotiation.intel.protocol_fips140_3_compliant`	bool	Protocol meets FIPS 140-3 requirements.
`tychon.cipher_negotiation.intel.protocol_pci_dss_compliant`	bool	Protocol meets PCI DSS requirements.
`tychon.cipher_negotiation.intel.protocol_cis_compliant`	bool	Protocol meets CIS Benchmark requirements.
`tychon.cipher_negotiation.intel.protocol_nist_800_131a_compliant`	bool	Protocol meets NIST SP 800-131A rev2 requirements.
`tychon.cipher_negotiation.intel.protocol_hipaa_compliant`	bool	Protocol meets HIPAA guidance.
`tychon.cipher_negotiation.intel.connection_quantum_safe`	bool	True when protocol + KEX + cipher are all quantum-safe (composite).
`tychon.cipher_negotiation.intel.connection_cnsa_20_level`	string	Connection-level CNSA 2.0 compliance. Values: `full`, `transition`, `partial`, `none`.
`tychon.cipher_negotiation.intel.connection_security_score`	int	Composite connection security score (0-100).
`tychon.cipher_negotiation.intel.connection_overall_risk`	string	Connection overall risk. Values: `low`, `medium`, `high`, `critical`.
`tychon.cipher_negotiation.intel.connection_findings`	string	Semicolon-separated findings explaining the connection risk score.
`tychon.cipher_negotiation.intel.connection_fips140_2_compliant`	bool	Connection meets FIPS 140-2 (all three dimensions pass).
`tychon.cipher_negotiation.intel.connection_fips140_3_compliant`	bool	Connection meets FIPS 140-3 (all three dimensions pass).
`tychon.cipher_negotiation.intel.connection_pci_dss_compliant`	bool	Connection meets PCI DSS (all three dimensions pass).
`tychon.cipher_negotiation.intel.connection_cis_compliant`	bool	Connection meets CIS Benchmarks (all three dimensions pass).
`tychon.cipher_negotiation.intel.connection_nist_800_131a_compliant`	bool	Connection meets NIST SP 800-131A rev2 (all three dimensions pass).
`tychon.cipher_negotiation.intel.connection_hipaa_compliant`	bool	Connection meets HIPAA guidance (all three dimensions pass).
Cross-dataset normalized fields — see tychon.crypto.*
`tychon.crypto.protocol`	string	Always `TLS`.
`tychon.crypto.protocol_version`	string	TLS version number (e.g. `1.3`, `1.2`). Conditional
`tychon.crypto.key_exchange`	string	Negotiated key exchange / group. Same source as `tls.curve`. Conditional
`tychon.crypto.cipher`	string	Bulk cipher parsed from `tls.cipher` (e.g. `AES-256-GCM`). Conditional
`tychon.crypto.mac`	string	MAC / AEAD tag algorithm. Same source as `tls.mac`. Conditional
`tychon.crypto.auth`	string	Server authentication / signature digest (e.g. `RSA-SHA256`). Conditional
`tychon.crypto.pqc_readiness`	string	`ready`, `transitional`, `vulnerable`, or `critical`. Derived from `tychon.cipher.detail.is_quantum_ready` and `tychon.kex.overall_risk`.
`tychon.crypto.quantum_risk`	string	`none`, `low`, `medium`, `high`, or `critical`. Derived from `tychon.kex.overall_risk`.
`tychon.crypto.pqc_vulnerable`	bool	`true` when the connection's key exchange or cipher is vulnerable to a cryptographically-relevant quantum computer. Derived from Intel map `is_quantum_ready` field.

event.dataset = "tychon.cipher_quick" - one event per port with quick cipher scan

event.category=network � event.type=info � tychon.type not set

Field	Type	Description
`server.address`	string	Scanned host address.
`server.port`	int	Port number.
`server.ip`	string	Resolved IP (when available).
`tychon.cipher_quick.supported_protocols`	string	Comma-separated list of supported TLS protocol versions.
`tychon.cipher_quick.supported_protocol_count`	int	Count of supported protocol versions.
`tychon.cipher_quick.supported_cipher_suites`	string	Comma-separated list of all accepted cipher suites.
`tychon.cipher_quick.supported_cipher_count`	int	Count of accepted cipher suites.
`tychon.cipher_quick.supported_key_exchanges`	string	Comma-separated list of accepted key exchange groups.
`tychon.cipher_quick.supported_key_exchange_count`	int	Count of accepted key exchange groups.
`tychon.cipher_quick.preferred_protocol`	string	Server's preferred TLS version.
`tychon.cipher_quick.preferred_cipher`	string	Server's preferred cipher suite.
`tychon.cipher_quick.preferred_key_exchange`	string	Server's preferred key exchange group.
`tychon.cipher_quick.insecure_ciphers`	string	Comma-separated insecure cipher suites.
`tychon.cipher_quick.insecure_cipher_count`	int	Count of insecure cipher suites.
`tychon.cipher_quick.weak_ciphers`	string	Comma-separated weak (medium-risk) cipher suites.
`tychon.cipher_quick.weak_cipher_count`	int	Count of weak cipher suites.
`tychon.cipher_quick.total_probes`	int	Total TLS handshakes attempted.
`tychon.cipher_quick.duration_ms`	int64	Duration of the quick scan in milliseconds.

event.dataset = "certificate" or "private_key" - one per filesystem cert/key

Source Produced by -scanfilesystem. Format This is mostly CertificateDetails flattened into certificate.* fields, with a few explicit convenience fields added.

event.kind=event � event.category=file � event.action=filesystem_certificate_discovered (or private_key_discovered) � tychon.type=filesystem

Field	Type	Description
`id`	string	Universal ID (also `_id`).
`certificate.universal_id`	string	Stable unique ID for deduplication across outputs.
`certificate.source_id`	string	Source-specific unique identifier.
`certificate.source_file_path`	string	Filesystem path where this certificate was found.
`certificate.version`	int	X.509 certificate version (2 = v3).
`certificate.serial_number`	string	Hex-encoded certificate serial number.
`certificate.signature_algorithm`	string	Certificate signature algorithm (e.g., "SHA256-RSA").
`certificate.subject`	string	Subject DN string.
`certificate.subject_common_name`	string	Subject common name.
`certificate.subject_country`	string	Subject country codes ([]string joined with ", " by flattenObjectToMap).
`certificate.subject_organization`	string	Subject organization names (joined).
`certificate.subject_organizational_unit`	string	Subject OU values (joined).
`certificate.subject_locality`	string	Subject locality values (joined).
`certificate.subject_province`	string	Subject province/state values (joined).
`certificate.issuer`	string	Issuer DN string.
`certificate.issuer_common_name`	string	Issuer common name.
`certificate.issuer_country`	string	Issuer country codes (joined).
`certificate.issuer_organization`	string	Issuer organization names (joined).
`certificate.issuer_organizational_unit`	string	Issuer OU values (joined).
`certificate.issuer_locality`	string	Issuer locality values (joined).
`certificate.issuer_province`	string	Issuer province/state values (joined).
`certificate.not_before`	time	Validity start (RFC3339Nano) - explicit field written in addition to validity.not_before.
`certificate.validity.not_before`	time	Valid-from timestamp (RFC3339Nano) - from nested validity object via flattenObjectToMap.
`certificate.validity.not_after`	time	Expiry timestamp (RFC3339Nano).
`validity.duration_days`	int	Total validity duration in days (not_after - not_before).
`certificate.not_before`	time	Validity start (RFC3339Nano) - explicit field written in addition to validity.not_before.
`certificate.not_after`	time	Validity end (RFC3339Nano) - explicit field written in addition to validity.not_after.
`certificate.subject_public_key_info.algorithm`	string	Public key algorithm (e.g., "RSA", "EC", "Ed25519").
`certificate.subject_public_key_info.bit_size`	int	Key size in bits.
`certificate.subject_public_key_info.curve`	string	Elliptic curve name (ECDSA keys).
`certificate.subject_public_key_info.rsa_exponent`	int64	RSA public exponent (RSA keys).
`certificate.subject_public_key_info.rsa_modulus_hex`	string	RSA modulus as hex (RSA keys).
`certificate.subject_public_key_info.raw_der_base64`	string	Raw DER-encoded public key as base64.
`certificate.subject_public_key_info.ecdsa_x_hex`	string	ECDSA X coordinate as hex.
`certificate.subject_public_key_info.ecdsa_y_hex`	string	ECDSA Y coordinate as hex.
`certificate.subject_public_key_info.eddsa_public_key_hex`	string	EdDSA public key as hex.
`certificate.signature_hex`	string	Raw signature bytes as hex.
`certificate.authority_key_id`	string	Authority Key Identifier extension value.
`certificate.subject_key_id`	string	Subject Key Identifier extension value.
`certificate.key_usage`	string	Key usage bits ([]string joined with ", ", e.g., "Digital Signature, Key Encipherment").
`certificate.extended_key_usage`	string	Extended key usage names (joined with ", ").
`certificate.unknown_extended_key_usage_oids`	string	Unrecognized EKU OIDs as dotted strings (joined).
`certificate.basic_constraints.is_ca`	bool	True when certificate is a Certificate Authority.
`certificate.basic_constraints.max_path_len`	int	Maximum CA chain path length.
`certificate.basic_constraints.max_path_len_zero`	bool	True when max path length is explicitly 0.
`certificate.subject_alternative_names.dns_names`	string	SAN DNS names (joined).
`certificate.subject_alternative_names.email_addresses`	string	SAN email addresses (joined).
`certificate.subject_alternative_names.ip_addresses`	string	SAN IP addresses (joined).
`certificate.subject_alternative_names.uris`	string	SAN URIs (joined).
`certificate.crl_distribution_points`	string	CRL distribution point URLs (joined).
`certificate.ocsp_servers`	string	OCSP responder URLs (joined).
`certificate.issuing_certificate_urls`	string	AIA issuing certificate URLs (joined).
`certificate.policy_identifiers`	string	Certificate policy OIDs (joined).
`certificate.unhandled_critical_extensions_oids`	string	Unhandled critical extension OIDs (joined).
`certificate.permitted_dns_domains_critical`	bool	Name constraints extension marked critical.
`certificate.permitted_dns_domains`	string	Permitted DNS name constraints (joined).
`certificate.excluded_dns_domains`	string	Excluded DNS name constraints (joined).
`certificate.sha1_fingerprint`	string	SHA-1 fingerprint of the DER-encoded certificate.
`certificate.sha256_fingerprint`	string	SHA-256 fingerprint of the DER-encoded certificate.
`certificate.is_self_signed`	bool	True when issuer equals subject.
`certificate.raw_pem_certificate`	string	PEM-encoded certificate.
`certificate.parse_error`	string	Parse error message. Omitted on success.
`certificate.active`	bool	Asset tracking: written only when `false` (tombstoned asset). Absent when the asset is currently active.
`certificate.last_seen`	string	RFC3339 timestamp of last observation. Present only for tombstoned assets.
`certificate.is_private_key`	bool	True when this is a private key entry. For `private_key` events this is always true.
`certificate.pqc_vulnerable`	bool	True when key algorithm is quantum-vulnerable.
`certificate.pqc_readiness`	string	PQC readiness: vulnerable, transitional, resistant.
`certificate.crypto_library`	string	Crypto library that issued this certificate.
`certificate.key_strength_assessment`	string	Key strength: weak, adequate, strong.
`certificate.quantum_risk`	string	Quantum risk level: high, medium, low.
`certificate.recommended_action`	string	Recommended remediation action.
`certificate.migration_priority`	string	Migration priority: critical, high, medium, low.
`certificate.encryption.algorithm`	string	Encryption algorithm for password-protected private keys (e.g., "AES-256-CBC").
`certificate.encryption.kdf`	string	Key derivation function (e.g., "PBKDF2").
`certificate.encryption.iterations`	int	KDF iteration count.
`certificate.encryption.mac`	string	MAC algorithm.
`certificate.encryption.vulnerable`	bool	True when encryption scheme is weak.
`certificate.encryption.reason`	string	Reason the encryption is considered vulnerable.
`certificate.encryption.iv_length`	int	IV length in bytes.
`certificate.encryption.salt_length`	int	Salt length in bytes.
`file.path`	string	Absolute path to the certificate or key file.
`file.name`	string	Filename.
`file.extension`	string	File extension (e.g., ".pem", ".crt").
`file.size`	int64	File size in bytes.
`file.mtime`	time	File modification time.
`file.owner.name`	string	File owner username.
`file.group.name`	string	File group name.
`file.permissions`	string	File permission string.
`x509.subject.common_name`	string	Subject CN.
`x509.issuer.common_name`	string	Issuer CN.
`x509.serial_number`	string	Certificate serial number.
`x509.is_valid`	bool	True when current time is within the validity period.
`x509.subject.distinguished_name`	string	Full subject DN string.
`x509.public_key_size`	int	Public key size in bits.
`hash.sha256_certificate`	string	SHA-256 fingerprint.
`crypto.key_algorithm`	string	Public key algorithm.
`crypto.key_size`	int	Key size in bits.
`crypto.signature_algorithm`	string	Certificate signature algorithm.
`pqc.vulnerable`	bool	True when quantum-vulnerable.
`pqc.readiness`	string	PQC readiness: vulnerable, transitional, resistant.
`pqc.key_strength`	string	Key strength: weak, adequate, strong.
`pqc.quantum_risk`	string	Quantum risk level: high, medium, low.
`pqc.recommended_action`	string	Recommended remediation action.
`pqc.migration_priority`	string	Migration priority: critical, high, medium, low.
`pqc.crypto_library`	string	Crypto library that issued this cert.

event.dataset = "memory_scan" - one per native crypto library in memory

event.kind=event � event.category=process � event.action=crypto_library_in_memory � tychon.type=library

Field	Type	Description
`id`	string	Universal ID for this library observation (also `_id`).
`event.kind`	string	Always `event`.
`process.pid`	uint32	PID of the process that loaded this library.
`process.name`	string	Process name.
`process.executable`	string	Process executable path.
`process.executable_directory`	string	Directory of the process executable.
`library.universal_id`	string	Library universal ID.
`library.name`	string	Library filename.
`library.path`	string	Full library path.
`library.file_version`	string	PE file version (Windows).
`library.product_version`	string	PE product version (Windows).
`library.company_name`	string	PE company name (Windows).
`library.product_name`	string	PE product name (Windows).
`library.description`	string	PE file description (Windows).
`library.copyright`	string	PE copyright string (Windows).
`library.pid`	uint32	Owning process PID.
`library.process_name`	string	Owning process name.
`library.base_addr`	uintptr	Base load address in process virtual memory.
`library.size`	uint32	Mapped module size in bytes.
`library.crypto_type`	string	Identifies the cryptographic library. Value depends on platform and detection path (casing differs between memory scan and PE/dylib scan). Possible values: `openssl` \| `OpenSSL` \| `boringssl` \| `BoringSSL` \| `libressl` \| `LibreSSL` \| `gnutls` \| `GnuTLS` \| `nss` \| `NSS` \| `mbedtls` \| `mbedTLS` \| `wolfssl` \| `wolfSSL` \| `apple_security` (macOS: Security.framework / CommonCrypto / CoreCrypto / CryptoKit) \| `Schannel` \| `BCrypt (CNG)` \| `windows_bcrypt` \| `NCrypt (CNG)` \| `windows_ncrypt` \| `Crypt32 (CAPI)` \| `windows_crypt32` \| `windows_schannel` \| `Botan` \| `GenericCrypto/TLS` (Windows memory fallback for unrecognized ssl/tls/crypto DLLs) \| `generic` (Linux fallback) \| `Unknown` (Windows memory: pattern matched but name unrecognized).
`library.detected_apis`	string	Detected API symbols (comma-joined).
`library.pqc_status`	string	PQC capability: capable, partial, not_capable, unknown.
`library.pqc_algorithms`	string	PQC algorithms supported (comma-joined).
`tychon.library.uses_openssl`	bool	True when this process has OpenSSL loaded in memory. Written only when true.
`tychon.library.openssl_version`	string	OpenSSL version string (PE file version on Windows; product version on macOS/Linux). Written only when present.
`tychon.library.uses_libressl`	bool	True when this process has LibreSSL loaded in memory. Written only when true.
`tychon.library.libressl_version`	string	LibreSSL version string. Written only when present.
`tychon.library.uses_apple_security`	bool	True when this process has Apple Security framework (Security.framework / CommonCrypto / CryptoKit) loaded. macOS only. Written only when true.
`library.active`	bool	Asset tracking: written only when `false` (tombstoned); absent when library is currently observed.
`library.last_seen`	string	Last observation timestamp (tombstoned assets only).
`vulnerability.is_vulnerable`	bool	True when a known CVE applies to this library version.
`vulnerability.risk_level`	string	Vulnerability risk level: Low, Medium, High, Critical.
`vulnerability.risk_reason`	string	Reason for the risk assessment.
`vulnerability.cve_list`	[]string	Applicable CVE identifiers (when vulnerable).
`vulnerability.fixed_in_version`	string	Version that fixes the vulnerability.
`vulnerability.assessed_at`	time	Timestamp when vulnerability assessment was performed.

event.dataset = "java_crypto" - one per Java crypto provider in memory

event.kind=event � event.category=process � event.action=crypto_library_in_memory � tychon.type=library

Field	Type	Description
`process.pid`	int	PID of the Java process.
`process.name`	string	Process name (e.g., "java").
`library.library_name`	string	Java crypto library name (e.g., "Bouncy Castle", "Conscrypt").
`library.jar_path`	string	Absolute path to the JAR file.
`library.version`	string	Library version string.
`library.process_id`	int32	PID of the Java process that loaded this library.
`library.process_name`	string	Process name of the Java process.
`library.java_vendor`	string	JVM vendor string (e.g., "Oracle Corporation"). Omitted when empty.
`library.java_version`	string	JVM version string (e.g., "17.0.8+7"). Omitted when empty.
`library.crypto_features`	string	Cryptographic capabilities of this library ([]string joined with ", ", e.g., "TLS, PKI, Post-Quantum Crypto"). Omitted when empty.
`library.detection_time`	time	Timestamp when this library was detected (RFC3339Nano).
`library.active`	bool	Asset tracking: written only when `false` (tombstoned); absent when Java library is currently observed.
`library.last_seen`	string	Last observation timestamp (tombstoned assets only).
`java.vendor`	string	JVM vendor (e.g., "Oracle Corporation", "Eclipse Adoptium"). Duplicates library.java_vendor for ECS compatibility.
`java.version`	string	JVM version string. Duplicates library.java_version for ECS compatibility.

event.dataset = "keystore_certificate" - one per certificate per keystore

Source Produced by -scanfilesystem. Format Combines flattened KeystoreInfo context with flattened certificate fields for each certificate discovered inside the keystore.

event.kind=event � event.category=file � event.action=keystore_certificate_discovered � tychon.type=keystore

Field	Type	Description
`event.kind`	string	Always `event`.
`keystore.type`	string	Keystore format (jks, pkcs12, pem_bundle, nss, windows_cert_store).
`keystore.accessible`	bool	Keystore was readable.
`keystore.requires_auth`	bool	Password protection required.
`keystore.cert_count`	int	Total certificate count in keystore.
`keystore.owner`	string	File owner username.
`keystore.permissions`	string	File permissions string.
`keystore.error_message`	string	Parse error message (when applicable).
`keystore.encryption.algorithm`	string	Keystore encryption algorithm.
`keystore.encryption.kdf`	string	Key derivation function.
`keystore.encryption.iterations`	int	KDF iteration count.
`keystore.encryption.mac`	string	MAC algorithm used.
`keystore.encryption.vulnerable`	bool	True when encryption parameters are known weak.
`keystore.encryption.reason`	string	Reason encryption is considered vulnerable.
`keystore.encryption.iv_length`	int	IV length in bytes.
`keystore.encryption.salt_length`	int	Salt length in bytes.
`file.path`	string	Keystore file path (ECS). This is where the keystore filesystem path is written - `keystore.*` does not include a path field.
`file.name`	string	Keystore filename (basename only).
`file.extension`	string	Keystore file extension (e.g., "jks", "p12", "pem").
`file.size`	int64	Keystore file size in bytes.
`file.mtime`	time	Keystore file modification time.
`tls.certificate.subject`	string	Subject distinguished name.
`tls.certificate.issuer`	string	Issuer distinguished name.
`tls.certificate.serial_number`	string	Certificate serial number (hex string).
`certificate.not_before`	time	Validity start (RFC3339Nano) - explicit field written in addition to validity.not_before.
`certificate.not_after`	time	Validity end (RFC3339Nano) - explicit field written in addition to validity.not_after.
`tls.certificate.version`	int	X.509 version number (always 3 for modern certificates).
`tls.certificate.alias`	string	Keystore alias for this certificate. Omitted when blank.
`tls.certificate.is_ca`	bool	True when certificate is a CA certificate (BasicConstraints.IsCA).
`tls.certificate.is_self_signed`	bool	True when issuer DN equals subject DN.
`tls.certificate.has_private_key`	bool	True when the keystore contains a private key paired with this certificate.
`tls.certificate.key_usage`	[]string	Key usage extension values (e.g., "Digital Signature", "Key Encipherment"). Omitted when empty.
`tls.certificate.extended_key_usage`	[]string	Extended key usage OID names (e.g., "TLS Web Server Authentication"). Omitted when empty.
`tls.certificate.chain_length`	int	Number of certificates in the chain. Omitted when 0.
`tls.certificate.chain_complete`	bool	True when the full chain up to a trust anchor is present. Omitted when chain_length is 0.
`crypto.key_algorithm`	string	Public key algorithm (e.g., "RSA", "EC", "Ed25519").
`crypto.key_size`	int	Key size in bits.
`crypto.signature_algorithm`	string	Signature algorithm (e.g., "SHA256WithRSA", "ECDSAWithSHA384").
`crypto.fingerprint_sha1`	string	SHA-1 thumbprint of the certificate (hex string).
`tls.server.hash.sha1`	string	SHA-1 fingerprint of the certificate in ECS TLS namespace (hex string). Written alongside `crypto.fingerprint_sha1`.
`vulnerability.is_vulnerable`	bool	True when a known CVE applies to this certificate or key. Written only when true or risk_level is set.
`vulnerability.risk_level`	string	Risk level: `"critical"`, `"high"`, `"medium"`, or `"low"`.
`vulnerability.risk_reason`	string	Human-readable reason for the risk classification. Omitted when blank.
`vulnerability.cve_list`	[]string	Applicable CVE identifiers. Omitted when empty.
`vulnerability.fixed_in_version`	string	Version in which the vulnerability is fixed. Omitted when blank.
`pqc.vulnerable`	bool	True when the key algorithm is vulnerable to a cryptographically-relevant quantum computer. Written only when true or pqc_reason is set.
`pqc.reason`	string	PQC vulnerability reason (e.g., "RSA-2048 broken by Shor's algorithm"). Omitted when blank.
`active`	bool	Asset tracking: written only when `false` (tombstoned); absent when certificate is currently observed in the keystore.
`last_seen`	time	Last observation timestamp (tombstoned assets only).

event.dataset = "keystore" - keystore summary (one per keystore file)

event.kind=event � event.category=file � event.action=keystore_discovered � tychon.type=keystore

Field	Type	Description
`event.kind`	string	Always `event`.
`keystore.type`	string	Keystore format (jks, pkcs12, pem_bundle, nss, windows_cert_store).
`keystore.accessible`	bool	True when the scanner could open and read the keystore.
`keystore.requires_auth`	bool	True when keystore is password-protected.
`keystore.cert_count`	int	Number of certificates in the keystore.
`keystore.owner`	string	File owner username.
`keystore.permissions`	string	File permission string.
`keystore.size`	int64	File size in bytes.
`keystore.last_modified`	time	Last modification timestamp (RFC3339Nano).
`keystore.error_message`	string	Error when keystore could not be parsed.
`keystore.encryption.algorithm`	string	Encryption algorithm.
`keystore.encryption.kdf`	string	Key derivation function.
`keystore.encryption.iterations`	int	KDF iteration count.
`keystore.encryption.mac`	string	MAC algorithm.
`keystore.encryption.vulnerable`	bool	True when encryption parameters are known weak.
`keystore.encryption.reason`	string	Reason encryption is considered vulnerable.
`keystore.encryption.iv_length`	int	IV length in bytes.
`keystore.encryption.salt_length`	int	Salt length in bytes.
`file.path`	string	Keystore file path (ECS). This is where the keystore filesystem path is written - `keystore.*` does not include a path field.
`file.name`	string	Keystore filename (basename only).
`file.extension`	string	Keystore file extension (e.g., "jks", "p12", "pem").
`keystore.stats.vulnerable_certificates`	int	Count of certificates with known CVEs.
`keystore.stats.pqc_vulnerable_certificates`	int	Count of quantum-vulnerable certificates.
`keystore.stats.expired_certificates`	int	Count of expired certificates.
`keystore.stats.certificate_types.ca`	int	Count of CA certificates.
`keystore.stats.certificate_types.end_entity`	int	Count of end-entity certificates.
`keystore.stats.key_algorithms.{algo}`	int	Count of certificates per key algorithm. Key is the algorithm name (e.g., `keystore.stats.key_algorithms.RSA`). Dynamic — any algorithm name observed in the keystore becomes a key.
`keystore.stats.key_algorithms.RSA`	int	Count of RSA certificates in this keystore. Conditional Only present when RSA certificates exist.
`keystore.stats.key_algorithms.ECDSA`	int	Count of ECDSA certificates in this keystore. Conditional Only present when ECDSA certificates exist.

This dataset contains flattened application summary fields plus JSON-serialized arrays for concise nested summaries such as ports, crypto libraries, certificates, keystores, encrypted files, and connected destinations.

event.dataset = "tychon.application" — one event per (application × port)

Source Produced by -cipherscanquick. Format One flat NDJSON row per listening port on each application. Applications with no detected ports emit a single app-level row. Stable ID: SHA-256(tychon_application | hostname | name | path | port). All multi-value fields (supported protocols, cipher suites) are comma-joined strings.

event.category=process � event.type=info � populated only when -cipherscanquick in local mode

Field	Type	Description
Each row represents one port on one application. Application-level fields (pid, name, path, quantum_grade.*) are repeated on every port row for that application. Port-specific fields (port, protocol_detected, preferred_cipher, etc.) differ per row. The `id` field encodes the (application, port) pair for stable upsert.
`tychon.application.pid`	int32	Primary process PID.
`tychon.application.name`	string	Process or application name.
`tychon.application.path`	string	Executable path.
`tychon.application.app_root`	string	Application root directory.
`tychon.application.file_version`	string	PE file version.
`tychon.application.product_version`	string	PE product version.
`tychon.application.product_name`	string	PE product name.
`tychon.application.company_name`	string	PE company name.
`tychon.application.source`	string	Entry source: process, vpn_client, ipsec_tunnel.
`tychon.application.service_info.service_name`	string	Windows service name.
`tychon.application.service_info.service_display_name`	string	Windows service display name.
`tychon.application.service_info.service_description`	string	Windows service description.
`tychon.application.quantum_grade.score`	int	Composite quantum readiness score for this application (0-100).
`tychon.application.quantum_grade.grade`	string	Letter grade (for example `"A"`, `"B"`, `"C"`, `"D"`, `"F"`).
`tychon.application.quantum_grade.port_count`	int	Number of ports scored.
`tychon.application.quantum_grade.worst_port_score`	int	Score of the weakest port.
`tychon.application.quantum_grade.best_port_score`	int	Score of the strongest port.
`tychon.application.quantum_grade.os_deductions`	int	Score deductions applied from OS-level findings.
`tychon.application.quantum_grade.os_findings`	string	OS-level findings that caused deductions ([]string joined with `", "`). Omitted when empty.
`tychon.application.port_count`	int	Total listening port count for this application (present on every row).
Per-port fields — vary by row (absent on app-only rows when no ports were detected)
`tychon.application.port`	int	Listening port number for this row.
`tychon.application.protocol_detected`	string	Protocol detected on this port (e.g. `"TLS"`, `"SSH"`). Omitted when empty.
`tychon.application.preferred_protocol`	string	Server's preferred TLS protocol on this port. Omitted when empty.
`tychon.application.preferred_cipher`	string	Server's preferred cipher suite on this port. Omitted when empty.
`tychon.application.preferred_key_exchange`	string	Server's preferred key exchange group on this port. Omitted when empty.
`tychon.application.quantum_ready`	bool	True when this port's cipher configuration is quantum-safe.
`tychon.application.supported_protocols`	string	Comma-joined supported TLS protocols on this port. Omitted when empty.
`tychon.application.supported_cipher_suites`	string	Comma-joined supported cipher suites on this port. Omitted when empty.
`tychon.application.supported_key_exchanges`	string	Comma-joined supported key exchange groups. Omitted when empty.
`tychon.application.insecure_ciphers`	string	Comma-joined insecure cipher names on this port. Omitted when empty.
`tychon.application.weak_ciphers`	string	Comma-joined weak cipher names on this port. Omitted when empty.
`tychon.application.crypto_library_count`	int	Count of crypto library summaries emitted in `tychon.application.crypto_libraries`.
`tychon.application.crypto_libraries`	string	JSON-serialized array of concise `CryptoLibrarySummary` objects.
`tychon.application.in_memory_cert_count`	int	Count of in-memory certificate summaries emitted in `tychon.application.in_memory_certificates`.
`tychon.application.in_memory_certificates`	string	JSON-serialized array of concise `CertificateCryptoSummary` objects, including subject/issuer identity, issuer geography/organization, self-signed status, and validity details.
`tychon.application.private_key_count`	int	Count of private key summaries emitted in `tychon.application.private_keys`.
`tychon.application.private_keys`	string	JSON-serialized array of concise `PrivateKeySummary` objects.
`tychon.application.keystore_count`	int	Count of keystore summaries emitted in `tychon.application.keystores`.
`tychon.application.keystores`	string	JSON-serialized array of concise `KeystoreSummary` objects.
`tychon.application.encrypted_file_count`	int	Count of encrypted file findings emitted in `tychon.application.encrypted_files`.
`tychon.application.encrypted_files`	string	JSON-serialized array of `EncryptedFileInfo` objects associated with the application.
`tychon.application.connected_to_count`	int	Count of outbound TLS destinations discovered by `-scanconnected`.
`tychon.application.connected_to`	string	Comma-joined `ip:port` destinations (e.g. `"10.0.1.5:443, 10.0.1.6:8443"`). Only present when `-scanconnected` is active.
`tychon.application.keychain_identity_count`	int	Count of macOS Keychain certificate+key pairs accessible to this application. Always 0 on non-macOS platforms.
`tychon.application.keychain_identity_labels`	string	Comma-joined keychain item labels for this application (e.g. `"Microsoft.AAD,GlobalProtect"`). Absent when count is 0.
`tychon.application.keychain_identity_pqc_vulnerable_count`	int	Count of Keychain identities whose associated certificate has `pqc_vulnerable=true`. Absent when count is 0.
`tychon.library.uses_openssl`	bool	True when at least one OpenSSL library is loaded by this application's process. Written only when true.
`tychon.library.openssl_version`	string	OpenSSL version string detected for this application. Written only when present.
`tychon.library.openssl_pqc_status`	string	PQC capability of the detected OpenSSL library: `capable`, `partial`, `not_capable`, or `unknown`.
`tychon.library.uses_libressl`	bool	True when at least one LibreSSL library is loaded by this application's process. Written only when true.
`tychon.library.libressl_version`	string	LibreSSL version string detected for this application. Written only when present.
`tychon.library.libressl_pqc_status`	string	PQC capability of the detected LibreSSL library.
`tychon.library.uses_apple_security`	bool	True when Apple Security framework is loaded by this application (macOS only). Written only when true.
`tychon.library.apple_security_pqc_status`	string	PQC capability of Apple Security framework for this application (macOS only).

event.dataset = "tychon.pqc_inventory" - one per app+port with QuickCipherScan

event.action=pqc_inventory_scan � event.category=network � event.kind=event � event.type=info � populated only when -cipherscanquick in local mode

Field	Type	Description
`id`	string	Stable unique ID derived from hostID + hostname + process path + port.
`event.kind`	string	Always `event`.
`@timestamp`	time	Scan timestamp (RFC3339).
`scan_type`	string	Scan mode: local/remote/connected.
`host.hostname`	string	System hostname.
`host.id`	string	Stable host identifier.
`host.ip`	[]string	Host IP addresses.
`host.architecture`	string	CPU architecture.
`host.os.name`	string	OS name.
`host.os.platform`	string	OS platform.
`host.os.family`	string	OS family.
`host.os.version`	string	OS version.
`host.os.kernel`	string	Kernel version.
`host.cpu.cores`	int32	Physical CPU core count.
`host.memory.total`	uint64	Total RAM in bytes.
`host.os_category`	string	Canonical OS category (e.g., "Windows 10", "Ubuntu 24.04").
`host.os_pqc_tier`	string	OS-level PQC readiness tier.
`observer.type`	string	"certscanner" (fixed value).
`observer.vendor`	string	"CertScanner" (fixed value).
`observer.version`	string	Scanner binary version.
`observer.os.name`	string	Scanner OS name.
`observer.os.platform`	string	Scanner OS platform.
`observer.os.family`	string	Scanner OS family.
`observer.os.version`	string	Scanner OS version.
`observer.os.kernel`	string	Scanner kernel version.
`observer.os.build`	string	OS build number (Windows only — e.g., "19045").
`observer.bigfix_client_installed`	bool	BigFix client present (only when true).
`observer.bigfix_client_id`	string	BigFix client ID.
`observer.tychon_client_id`	string	TYCHON client ID.
`observer.is_vdi_environment`	bool	VDI environment (only when true).
`observer.vdi_identity_source`	string	VDI identity source.
`observer.database_schema_version`	string	Intel database schema version.
`observer.output_schema_version`	string	Version of the flat NDJSON output schema.
`process.name`	string	Application process name.
`process.pid`	int32	Application PID.
`process.executable`	string	Application executable path.
`process.executable_directory`	string	Directory of application executable.
`process.app_root`	string	Application root directory.
`process.source`	string	Entry origin: process, vpn_client, ipsec_tunnel.
`iis.site_name`	string	IIS site name (Windows, when applicable).
`iis.site_id`	string	IIS site ID.
`iis.binding`	string	IIS site binding string.
`iis.app_pool_name`	string	IIS application pool name.
`iis.physical_path`	string	IIS site physical path.
`iis.version`	string	IIS version string.
`iis.manufacturer`	string	IIS manufacturer (Microsoft).
`pe.file_version`	string	PE file version (Windows executables).
`pe.product_version`	string	PE product version.
`pe.product`	string	PE product name.
`pe.company`	string	PE company name.
`server.port`	int	Port number.
`server.protocol`	string	Detected protocol.
`tls.preferred_protocol`	string	Server's preferred TLS version.
`tls.preferred_cipher`	string	Server's preferred cipher suite.
`tls.preferred_key_exchange`	string	Server's preferred key exchange group.
`tls.supported_protocols`	string	All supported protocols (comma-joined).
`tls.supported_protocol_count`	int	Count of supported protocols.
`tls.supported_ciphers`	string	All supported cipher suites (comma-joined).
`tls.supported_cipher_count`	int	Count of supported cipher suites.
`tls.supported_key_exchanges`	string	All supported key exchange groups (comma-joined).
`tls.supported_key_exchange_count`	int	Count of supported key exchange groups.
`tls.insecure_ciphers`	string	Insecure cipher suites (comma-joined).
`tls.insecure_cipher_count`	int	Count of insecure cipher suites.
`tls.weak_ciphers`	string	Weak cipher suites (comma-joined).
`tls.weak_cipher_count`	int	Count of weak cipher suites.
`tls.total_probes`	int	Total TLS handshake probes.
`tls.duration_ms`	int64	Quick scan duration in milliseconds.
`tls.previous_preferred_protocol`	string	Previous preferred protocol (change detection).
`tls.previous_preferred_cipher`	string	Previous preferred cipher (change detection).
`tls.previous_preferred_key_exchange`	string	Previous preferred key exchange (change detection).
`tls.previous_supported_protocols`	string	Previous supported protocols (comma-joined, change detection).
`tls.previous_supported_ciphers`	string	Previous supported ciphers (comma-joined, change detection).
`tls.previous_supported_key_exchanges`	string	Previous supported key exchanges (comma-joined, change detection).
`tls.last_changed`	time	Timestamp when cipher configuration last changed.
`tls.first_seen`	time	Timestamp when this port was first observed.
`crypto.block_ciphers`	string	Block cipher algorithms in use (comma-joined, from cipher suite analysis).
`crypto.cipher_modes.AES`	string	AES modes observed across supported cipher suites. Comma-separated subset of: `GCM`, `CBC`, `CCM`. Omitted if no AES suites present.
`crypto.cipher_modes.ChaCha20`	string	ChaCha20 mode. Always `Poly1305 (AEAD)` when present. Omitted if no ChaCha20 suites present.
`crypto.cipher_key_sizes.AES`	string	AES key sizes observed across supported cipher suites. Comma-separated subset of: `128`, `256`. Omitted if no AES suites present.
`crypto.hash_algorithms`	string	Hash algorithms in use (comma-joined).
`crypto.mac_algorithms`	string	MAC algorithms in use (comma-joined).
`crypto.kex_types`	string	Key exchange types in use (comma-joined).
`omb.kex_primary`	string	Primary key exchange algorithm.
`omb.kex_primary_quantum_safe`	bool	Primary key exchange is quantum-safe.
`omb.kex_tier`	string	KEX tier: PQC READY, MODERN, CLASSICAL, LEGACY, OTHER.
`omb.kex_secondary`	string	Secondary key exchange groups (comma-joined).
`omb.protocol_tier`	string	Protocol tier: TLS 1.3, TLS 1.2, LEGACY.
`omb.sig_tier`	string	Signature tier: PQC READY, MODERN, CLASSICAL, LEGACY.
`omb.module_name`	string	OMB module name (from OmbFields assessment).
`omb.vulnerability_status`	string	OMB vulnerability status.
`omb.crqc_vulnerable_algos`	string	Algorithms vulnerable to CRQC.
`omb.pqc_algos`	string	PQC algorithms in use.
`omb.symmetric_algos`	string	Symmetric algorithms in use.
`omb.kex_protocols`	string	Key exchange protocols.
`omb.kem_algorithms`	string	KEM algorithms.
`omb.kem_parameters`	string	KEM parameters.
`omb.dsa_algorithms`	string	DSA algorithms.
`omb.dsa_parameters`	string	DSA parameters.
`omb.dsa_hash_algorithms`	string	Hash algorithms used with DSA.
`omb.block_cipher_key_lengths`	string	Block cipher key lengths.
`omb.block_cipher_modes`	string	Block cipher modes of operation.
`omb.hash_algorithm_parameters`	string	Hash algorithm parameters.
`omb.mac_algorithm_parameters`	string	MAC algorithm parameters.
`omb.software_package_name`	string	Software package name.
`omb.software_package_version`	string	Software package version.
`omb.vendor`	string	Software vendor.
`omb.operating_system`	string	Operating system identifier.
`omb.additional_notes`	string	Additional assessment notes.
`omb.other_crypto_details`	string	Other cryptographic details.
`omb.certifications`	string	Relevant certifications.
`x509.serial_number`	string	Leaf certificate serial number.
`x509.subject_cn`	string	Leaf certificate subject CN.
`x509.issuer_cn`	string	Leaf certificate issuer CN.
`x509.not_before`	time	Leaf certificate not-before date (RFC3339).
`x509.not_after`	time	Leaf certificate not-after date (RFC3339).
`x509.sig_algorithm`	string	Leaf certificate signature algorithm.
`x509.key_type`	string	Leaf certificate key algorithm.
`x509.key_bits`	int	Leaf certificate key size in bits.
`x509.key_usage`	string	Leaf certificate key usage (comma-joined).
`keystore_count`	int	Number of keystores associated with this application.
`in_memory_cert_count`	int	Number of in-memory certificates found for this application.
`crypto_library_count`	int	Number of crypto libraries loaded by this application.
`keychain_identity_count`	int	Number of macOS Keychain certificate+key pairs accessible to this application (macOS only).
`keychain_identity_labels`	string[]	Array of keychain item labels. Absent when count is 0.
`keychain_identity_pqc_vulnerable_count`	int	Count of Keychain identities with `pqc_vulnerable=true`. Absent when count is 0.

event.dataset = "tychon.app_certificate" - one per in-memory certificate per application

Source Produced by -cipherscanquick + -scanmemory. Format One event per X.509 certificate found loaded in a running process's virtual memory (not file-based). Emitted alongside tychon.application.

event.kind=event · event.category=process · event.action=in_memory_certificate · event.type=info

Field	Type	Description
`event.kind`	string	Always `event`.
`tychon.application.name`	string	Name of the process that holds this certificate in memory.
`tychon.application.path`	string	Executable path of the owning process.
`tychon.application.pid`	int32	PID of the owning process.
`x509.serial_number`	string	Certificate serial number (hex string).
`x509.subject_cn`	string	Subject Common Name.
`x509.subject_org`	string	Subject Organization (joined with `", "` when multiple values). Written only when present.
`x509.issuer_cn`	string	Issuer Common Name.
`x509.issuer_org`	string	Issuer Organization (joined with `", "` when multiple values). Written only when present.
`x509.not_before`	time	Validity start date (RFC3339).
`x509.not_after`	time	Validity end date (RFC3339).
`x509.sig_algorithm`	string	Signature algorithm (e.g., `SHA256WithRSA`).
`x509.key_type`	string	Public key algorithm (e.g., `RSA`, `EC`, `Ed25519`).
`x509.key_bits`	int	Public key size in bits.
`x509.curve_name`	string	EC curve name when key_type is EC (e.g., `P-256`, `P-384`). Written only when present.
`x509.fingerprint_sha256`	string	SHA-256 fingerprint of the certificate (hex string). Written only when present.

event.dataset = "tychon.connected_quick" - one per active outbound connection

event.action=connected_quick_scan � populated only when -scanconnected is active � browser processes excluded � no full cipher detail fields

Unlike other event types, this event does NOT begin with the full observer.* base fields. It emits only selective host identity fields from ScanningSystemInfo when available. Specifically: tychon.host.machine_serial_number, observer.machine_serial_number, tychon.host.bios_serial_number, observer.bios_serial_number, observer.organization, tychon.host.organization, observer.domain, and tychon.host.domain are only written when scanningSystem != nil.

Field	Type	Description
`id`	string	Stable unique ID: SHA-1 hex of concatenated SourceProcessName + SourcePID + RemoteIP + Port.
`@timestamp`	time	Scan timestamp (RFC3339Nano).
`event.dataset`	string	Always `tychon.connected_quick`.
`event.action`	string	Always `connected_quick_scan`.
`tychon.type`	string	Always `connected_quick`.
`tychon.scan_mode`	string	Always `local`.
`certificate.is_file`	string	Always the string `false` (this is not a file-based certificate event).
`tychon.host.os.quantum_ready`	bool	Whether the OS is considered quantum-ready based on its version tier.
`tychon.host.os.quantum_ready_when`	string	Estimated date when this OS version will be quantum-ready (empty string if already ready or unknown).
`tychon.host.machine_serial_number`	string	Machine serial number from ScanningSystemInfo. Conditional Only present when scanningSystem != nil and value is non-empty.
`observer.machine_serial_number`	string	Machine serial number (ECS observer namespace). Conditional Same condition as above.
`tychon.host.bios_serial_number`	string	BIOS serial number from ScanningSystemInfo. Conditional
`observer.bios_serial_number`	string	BIOS serial number (ECS observer namespace). Conditional
`observer.organization`	string	Organization name from ScanningSystemInfo. Conditional
`tychon.host.organization`	string	Organization name (tychon namespace). Conditional
`observer.domain`	string	Domain name from ScanningSystemInfo. Conditional
`tychon.host.domain`	string	Domain name (tychon namespace). Conditional
`tychon.tags`	string	Comma-joined list of tags assigned to this connection by the tagging engine. Conditional Omitted when no tags are assigned.
`connected.remote_ip`	string	Remote IP address of the connection (always present).
`connected.port`	int	Remote port number of the connection (always present).
`connected.has_crypto`	bool	True when TLS was confirmed on this connection via a successful quick cipher probe. Always written (true or false).
`connected.source_process`	string	Name of the process that owns the connection. Conditional Omitted when SourceProcessName is empty.
`process.name`	string	Process name (ECS namespace, same value as `connected.source_process`). Conditional Omitted when SourceProcessName is empty.
`connected.source_pid`	int32	PID of the process that owns the connection. Conditional Omitted when SourcePID is zero.
`process.pid`	int32	Process PID (ECS namespace, same value as `connected.source_pid`). Conditional Omitted when SourcePID is zero.
`destination.ip`	string	Destination IP address (ECS namespace, same value as `connected.remote_ip`). Always present.
`destination.port`	int	Destination port (ECS namespace, same value as `connected.port`). Always present.

event.dataset = "tychon.non_tls_cipher" - one per non-TLS protocol profile

event.action=non_tls_cipher_detected — emitted for SMB3 (port 445), SNMPv3 (port 161), and Kerberos (port 88). Field names mirror tychon.cipher.* for consistent downstream processing. Detection source: SMB3 via TCP network probe; SNMPv3 via /etc/snmp/snmpd.conf (Linux/macOS) or Windows SNMP service registry; Kerberos via /etc/krb5.conf (Linux/macOS) or SupportedEncryptionTypes registry key (Windows).

Field	Type	Description
`@timestamp`	time	Scan timestamp (RFC3339Nano).
`event.dataset`	string	Always `tychon.non_tls_cipher`.
`event.action`	string	Always `non_tls_cipher_detected`.
`event.category`	string	Always `security`.
`event.type`	string	Always `info`.
`observer.hostname`	string	Hostname of the scanning system. Conditional
`host.hostname`	string	Hostname (ECS host namespace). Conditional
`observer.os.name`	string	OS name of the scanner. Conditional
`observer.machine_serial_number`	string	Machine serial number. Conditional
`observer.organization`	string	Organization name. Conditional
`tychon.tags`	string	Comma-joined tag list. Conditional
`tychon.cipher.protocol`	string	Protocol: `SMB3`, `SNMPv3`, or `Kerberos`.
`tychon.cipher.port`	int	Well-known port (445, 161, 88). Conditional Omitted when 0.
`tychon.cipher.supported_ciphers`	string	Comma-joined list of safe cipher/enctype strings. Conditional
`tychon.cipher.insecure_ciphers`	string	Comma-joined list of broken/banned ciphers. Conditional
`tychon.cipher.weak_ciphers`	string	Comma-joined list of deprecated ciphers. Conditional
`tychon.cipher.preferred_cipher`	string	Server-selected cipher from network negotiation (SMB3 only). Conditional
`tychon.cipher.auth_algorithms`	string	Comma-joined acceptable authentication algorithm names (SNMPv3, Kerberos). Conditional
`tychon.cipher.is_encrypted`	bool	Whether the protocol session is encrypted. Always present.
`tychon.cipher.pqc_vulnerable`	bool	True when any cipher is vulnerable to a cryptographically-relevant quantum computer. Always present.
`tychon.cipher.pqc_readiness`	string	One of `safe`, `transitional`, or `vulnerable`. Always present.
`tychon.cipher.quantum_risk`	string	One of `low`, `medium`, `high`, or `critical`. Always present.
`tychon.cipher.migration_priority`	string	One of `low`, `medium`, `high`, or `critical`. Always present.
`tychon.cipher.recommended_action`	string	Human-readable remediation suggestion. Conditional
`tychon.cipher.config_source`	string	Detection method: `network_probe`, `registry`, `registry_group_policy`, `registry_lsa_direct`, `registry_os_default`, `krb5_conf`, `krb5_conf_defaults`, `snmpd_conf`. Always present.
Cross-dataset normalized fields — enable single-query visualization across all security protocol event types
`tychon.crypto.protocol`	string	Protocol family: `SMB3`, `SNMPv3`, `Kerberos`, `SMTP`, `IMAP`, `LDAP`, or `PostgreSQL`. Always present.
`tychon.crypto.cipher`	string	Negotiated or preferred bulk cipher. Preferred cipher when available, else first supported cipher. Conditional
`tychon.crypto.auth`	string	First entry of auth_algorithms (SNMPv3 USM or Kerberos pre-auth). Conditional
`tychon.crypto.pqc_readiness`	string	One of `ready`, `transitional`, `vulnerable`, or `critical`. Same source as `tychon.cipher.pqc_readiness`.
`tychon.crypto.quantum_risk`	string	One of `none`, `low`, `medium`, `high`, or `critical`. Same source as `tychon.cipher.quantum_risk`.
`tychon.crypto.protocol_version`	string	TLS version negotiated by STARTTLS probes (e.g. `1.3`). Populated from `SupportedProtocols[0]` when the protocol is SMTP/IMAP/LDAP/PostgreSQL. Conditional
`id`	string	Unique document ID: SHA-1 hex of protocol + config_source + timestamp.

event.dataset = "vpn" - one per detected VPN client

Source Produced by -detect-vpn-clients. Format Flattens VPNClientInfo with nested connection, security, config, and PQC assessment objects at the root level.

event.kind=event · event.category=configuration · event.action=vpn_client_detected · tychon.type=vpn_client

Field	Type	Description
`event.kind`	string	Always `event`.
`id`	string	Stable unique ID (SourceID). Also written to `_id`.
`_id`	string	Elasticsearch document ID. Copy of `id`.
vpn_client.* — core identity fields
`vpn_client.name`	string	VPN client name (e.g., `Cloudflare WARP`, `OpenVPN`).
`vpn_client.vendor`	string	VPN client vendor (e.g., `Cloudflare Inc.`).
`vpn_client.version`	string	Installed version string. Always written, even when empty.
`vpn_client.status`	string	VPN client status: `active`, `inactive`, `unknown`.
`vpn_client.active`	bool	True when the VPN client is currently running.
`vpn_client.detection_method`	string	How the client was detected: `registry`, `filesystem`, `service`, `process`, `certificate`.
`vpn_client.detection_confidence`	string	Detection confidence level: `high`, `medium`, `low`.
`vpn_client.last_seen`	time	Last observed timestamp (RFC3339Nano).
`vpn_client.first_detected`	time	First detection timestamp (RFC3339Nano). Written only when non-zero.
`vpn_client.install_path`	string	Installation directory path. Written only when non-empty.
`vpn_client.config_path`	string	Path to the VPN client configuration file. Written only when non-empty.
`vpn_client.executable_path`	string	Path to the VPN client executable. Written only when non-empty.
`vpn_client.process_id`	int	PID of the running VPN process. Written only when non-zero.
`file.path`	string	ECS field: copy of `vpn_client.install_path` when present.
`service.name`	string	ECS field: VPN service name. Written only when service name is non-empty.
`service.state`	string	ECS field: service state string (mirrors `vpn_client.status`). Written only when service name is non-empty.
vpn_connection.* — active connection details (from VPNConnectionInfo; written only when ConnectionInfo != nil)
`vpn_connection.server_address`	string	VPN server hostname or IP address.
`vpn_connection.server_port`	int	VPN server port.
`vpn_connection.encryption_algorithm`	string	Active bulk encryption algorithm (e.g., `AES-256-CBC`, `ChaCha20-Poly1305`).
`vpn_connection.key_exchange_algorithm`	string	Active key exchange algorithm (e.g., `ECDH-P256`, `X25519`, `RSA-2048`).
`vpn_connection.dh_group`	string	Diffie-Hellman group used for key exchange. Written only when non-empty.
security.* — security assessment (from VPNSecurityAssessment; written only when SecurityAssessment != nil)
`security.security_score`	int	Security score 0–100. Always written when SecurityAssessment is present.
`security.pqc_support`	bool	True when the VPN client supports post-quantum cryptography. Always written when SecurityAssessment is present.
`security.weak_crypto`	bool	True when the VPN client uses weak cryptographic algorithms.
vpn_config.* — configuration security (from VPNConfigSecurity; written only when ConfigurationSecurity != nil)
`vpn_config.authentication_method`	string	Authentication method: `certificate`, `psk`, `username_password`, `eap`.
`vpn_config.dns_leak_protection`	bool	DNS leak protection is enabled.
`vpn_config.kill_switch`	bool	Kill switch (network lock) is enabled.
`vpn_config.split_tunneling`	bool	Split tunneling is enabled (security risk: traffic bypasses VPN).
`vpn_config.ipv6_leak_protection`	bool	IPv6 leak protection is enabled.
`vpn_config.auto_reconnect`	bool	Automatic reconnect is enabled.
`vpn_config.logging_enabled`	bool	VPN connection logging is enabled.
`vpn_config.config_encrypted`	bool	VPN configuration file is encrypted.
`vpn_config.weak_settings`	string	List of weak configuration settings ([]string joined with `", "`). Written only when non-empty.
pqc.* — PQC assessment (from PQCAssessment; written only when PQCAssessment != nil)
`pqc.quantum_resistance`	string	Quantum resistance level: `high`, `medium`, `low`, `none`.
`pqc.pqc_migration_status`	string	PQC migration status: `ready`, `partial`, `not_ready`.
`pqc.supported_algorithms`	string	PQC algorithm types supported by this client ([]PQCAlgorithmType serialized, joined with `", "`). Written only when non-empty.
`pqc.pqc_algorithm_details.ML-KEM.algorithm_type`	string	Algorithm type for the ML-KEM entry in the PQC algorithm details map. Dynamic key — any algorithm name in the PQCAlgorithmDetails map becomes a sub-namespace.
`pqc.pqc_algorithm_details.ML-KEM.implementation`	string	Implementation name for ML-KEM (e.g., library or module name).
`pqc.pqc_algorithm_details.ML-KEM.standard_status`	string	Standardization status: `draft`, `finalized`, `deprecated`.

event.dataset = "ipsec" - one per detected IPSec tunnel

event.kind=event · event.category=network · event.action=ipsec_tunnel_detected · tychon.type=ipsec_tunnel

Field	Type	Description
`ipsec_tunnel.source_id`	string	Stable source ID (also written to `id` and `_id`).
`ipsec_tunnel.name`	string	Tunnel name or identifier.
`ipsec_tunnel.implementation`	string	IPSec implementation (e.g. `strongSwan`, `libreswan`).
`ipsec_tunnel.version`	string	Implementation version. Always written, even when empty.
`ipsec_tunnel.status`	string	Tunnel status (e.g. `active`, `inactive`).
`ipsec_tunnel.active`	bool	Whether the tunnel is currently active.
`ipsec_tunnel.detection_method`	string	Detection method (e.g. `config_file`, `service`).
`ipsec_tunnel.detection_confidence`	string	Confidence level: `high`, `medium`, `low`.
`ipsec_tunnel.config_path`	string	Path to configuration files. Always written, even when empty.
`ipsec_tunnel.last_seen`	time	Last observed timestamp (RFC3339Nano).
`ipsec_tunnel.first_detected`	time	First detection timestamp (RFC3339Nano).
tunnel_details.* — tunnel configuration at root level
`tunnel_details.local_endpoint`	string	Local tunnel endpoint IP (also written to `source.ip`).
`tunnel_details.remote_endpoint`	string	Remote tunnel endpoint IP (also written to `destination.ip`).
`tunnel_details.local_subnet`	string	Local subnet (also written to `source.network`).
`tunnel_details.remote_subnet`	string	Remote subnet (also written to `destination.network`).
`tunnel_details.*`	object	All other TunnelDetails fields flattened at root level.
security_association.* — IKE and ESP SA details at root level
`security_association.*`	object	All SecurityAssociation fields flattened at root level.
security.* — security assessment at root level
`security.score`	int	Security score 0–100. Always written when SecurityAssessment is present.
`security.pqc_support`	bool	True when IPSec supports post-quantum cryptography. Always written when SecurityAssessment is present.
pqc.* — PQC assessment at root level
`pqc.*`	object	All PQCAssessment fields flattened at root level.
ECS network fields
`source.ip`	string	Local tunnel endpoint IP.
`destination.ip`	string	Remote tunnel endpoint IP.
`source.network`	string	Local subnet CIDR.
`destination.network`	string	Remote subnet CIDR.

event.dataset = "tychon.macsec" - one per MACsec network interface

event.kind=event · event.category=network · event.action=macsec_interface_detected · tychon.type=macsec

Field	Type	Description
`macsec.interface_name`	string	MACsec interface name (e.g. `macsec0`).
`macsec.parent_interface`	string	Underlying parent network interface.
`macsec.implementation`	string	MACsec implementation (e.g. `kernel`, `wpa_supplicant`).
`macsec.status`	string	Interface status (e.g. `active`, `inactive`).
`macsec.active`	bool	Whether the interface is currently active.
`macsec.detection_method`	string	How the interface was detected.
`macsec.detection_confidence`	string	Detection confidence level.
`macsec.last_seen`	time	Last observed timestamp (RFC3339Nano).
`macsec.first_detected`	time	First detection timestamp (RFC3339Nano).
`macsec.cipher_suite`	string	MACsec cipher suite (e.g. `GCM-AES-128`, `GCM-AES-256`).
`macsec.validation_mode`	string	Frame validation mode.
`macsec.protect`	bool	MACsec protect mode is enabled.
`macsec.encrypt`	bool	Frame encryption is enabled.
`macsec.replay_protect`	bool	Replay attack protection is enabled.
`macsec.replay_window`	int	Replay window size. Written only when non-zero.
`macsec.include_sci`	bool	SCI included in frame header.
`macsec.sci`	string	Security Channel Identifier. Written only when non-empty.
`macsec.key_agreement_method`	string	Key agreement method (e.g. `MKA`, `static`).
`macsec.mka_enabled`	bool	MACsec Key Agreement (MKA) enabled.
`macsec.mka_priority`	int	MKA actor priority. Written only when non-zero.
`macsec.security_score`	int	Security score from assessment.
`macsec.quantum_safe`	bool	Whether MACsec configuration is quantum-safe.
`macsec.risk_level`	string	Risk level from security assessment.
`macsec.findings`	string	Security findings joined with `"; "`.
`tychon.crypto.protocol`	string	Always `MACsec`.
`tychon.crypto.cipher`	string	MACsec cipher suite (cross-dataset).
`tychon.crypto.key_exchange`	string	Key agreement method (cross-dataset).
`tychon.pqc_vulnerable`	bool	`true` when `macsec.quantum_safe` is `false`.
`tychon.crypto.pqc_vulnerable`	bool	Cross-dataset PQC vulnerability flag.

event.dataset = "archivefile" - one per Outlook PST/OST archive

event.kind=event · event.category=file · event.action=outlook_archive_detected · tychon.type=archivefile

Field	Type	Description
`id`	string	Stable source ID (SourceID). Also written to `_id`.
`archive.*`	object	Full `OutlookArchiveInfo` struct flattened with `archive.` prefix.
`archive.type`	string	Archive type: `pst` or `ost`.
`archive.version`	string	Archive file format version.
`archive.is_encrypted`	bool	Whether the archive is password-protected.
`archive.encryption_type`	string	Encryption type used.
`archive.encryption_strength`	string	Description of encryption strength.

event.dataset = "config_cert" - one per certificate path reference in a config file

event.kind=event · event.category=configuration · event.action=config_cert_ref_discovered · tychon.type=config_cert

Field	Type	Description
`config.config_file`	string	Path to the configuration file that references the certificate.
`config.property_key`	string	Config property key containing the certificate path reference.
`config.resolved_path`	string	Resolved absolute path to the referenced certificate file.
`config.ref_type`	string	Reference type classification (e.g. `cert_file`, `key_file`, `keystore`).
`file.path`	string	Same as `config.resolved_path` (ECS field).
`file.name`	string	Filename component of the resolved path.
`process.pid`	int	PID of the process whose config was scanned. Written only when non-zero.
`process.name`	string	Process name. Written only when non-empty.
`process.path`	string	Process executable path. Written only when non-empty.

Cross-Dataset Normalized Fields — tychon.crypto.*

Every security-protocol event type emits a tychon.crypto.* block alongside its native fields. These fields use consistent names across TLS, SSH, SMB3, SNMPv3, Kerberos, STARTTLS (SMTP/IMAP/LDAP/PostgreSQL), VPN, IPSec, and MACsec events, enabling a single Kibana/Elasticsearch visualization (e.g. tychon.crypto.quantum_risk : "critical") to return findings from all event types at once. Existing ECS (tls.*, ssh.*) and protocol-specific (tychon.cipher.*, tychon.kex.*) fields are preserved — these fields are purely additive.

Field	Type	Description / Values
`tychon.crypto.protocol`	string	Security protocol family: `TLS`, `SSH`, `SMB3`, `SNMPv3`, `Kerberos`, `SMTP`, `IMAP`, `LDAP`, `PostgreSQL`, `IPSec`, `MACsec`, `X.509` (filesystem/keystore certificates), `library` (crypto library events). For VPN events, the protocol value comes from the connection's `Protocol` field (e.g. `WireGuard`, `OpenVPN`).
`tychon.crypto.protocol_version`	string	Version of the protocol. Examples: `1.3` (TLS), `1.2` (TLS), `2` (SSH). For STARTTLS events this is the TLS version negotiated inside the protocol. Conditional
`tychon.crypto.key_exchange`	string	Negotiated key exchange / group. Examples: `x25519`, `curve25519-sha256`, `X25519MLKEM768`, `modp14`, `WPA-PSK`. Conditional
`tychon.crypto.cipher`	string	Bulk encryption cipher extracted from the full cipher suite name or directly from the protocol profile. Examples: `AES-256-GCM`, `aes256-ctr`, `3DES`, `CHACHA20-POLY1305`. Conditional
`tychon.crypto.mac`	string	MAC / integrity algorithm. Examples: `SHA-384`, `umac-128@openssh.com`, `HMAC-SHA2-256`. Conditional
`tychon.crypto.auth`	string	Authentication or signature method. Examples: `RSA-SHA256`, `ecdsa-sha2-nistp256`, `PSK`, `Certificate`. Conditional
`tychon.crypto.pqc_readiness`	string	Canonical PQC readiness status: `ready`, `transitional`, `vulnerable`, or `critical`. Present on all event types that carry PQC assessment data.
`tychon.crypto.quantum_risk`	string	Canonical risk level: `none`, `low`, `medium`, `high`, or `critical`. Present on all event types that carry PQC risk data.
`tychon.crypto.pqc_vulnerable`	bool	Boolean flag — `true` when any cipher, key exchange, or algorithm in use is vulnerable to a cryptographically-relevant quantum computer. Present on all event types. Use this field for single-query cross-dataset vulnerability filtering.
tychon.crypto.ntlm.* — sub-namespace in tychon.quantum_readiness events (when NTLM detected)
`tychon.crypto.ntlm.protocol`	string	NTLM protocol string from registry (e.g. `NTLMv2`). Conditional
`tychon.crypto.ntlm.auth`	string	Same as ntlm.protocol (NTLM uses protocol string as auth description).
`tychon.crypto.ntlm.pqc_readiness`	string	`vulnerable` when NTLMPqcVulnerable=true, `transitional` otherwise.
`tychon.crypto.ntlm.quantum_risk`	string	`high` when NTLMPqcVulnerable=true, `low` otherwise.
tychon.crypto.wifi.* — sub-namespace in tychon.quantum_readiness events (when WiFi present)
`tychon.crypto.wifi.protocol`	string	WiFi security protocol (e.g. `WPA3-SAE`, `WPA2`). Conditional
`tychon.crypto.wifi.cipher`	string	WiFi pairwise cipher (e.g. `AES-CCMP`, `TKIP`). Conditional
`tychon.crypto.wifi.key_exchange`	string	WiFi key management method (e.g. `SAE`, `WPA-PSK`). Conditional
`tychon.crypto.wifi.pqc_readiness`	string	`vulnerable` when WifiPqcVulnerable=true, `transitional` otherwise.
`tychon.crypto.wifi.quantum_risk`	string	WiFi quantum risk level from assessment (e.g. `medium`, `high`). Conditional

Coverage by event type: tychon.cipher (TLS) — protocol, protocol_version, key_exchange, cipher, mac, auth, pqc_readiness, quantum_risk, pqc_vulnerable | tychon.ssh — protocol, protocol_version, key_exchange, cipher, mac, auth, pqc_readiness, quantum_risk, pqc_vulnerable | tychon.non_tls_cipher (SMB3/SNMPv3/Kerberos/STARTTLS) — protocol, cipher, auth, pqc_readiness, quantum_risk, pqc_vulnerable [+protocol_version for STARTTLS] | tychon.vpn_client — protocol, key_exchange, cipher, mac, auth, pqc_readiness, quantum_risk, pqc_vulnerable | tychon.ipsec_tunnel — protocol=IPSec, key_exchange, cipher, mac, auth, pqc_readiness, quantum_risk, pqc_vulnerable | tychon.macsec — protocol=MACsec, cipher, key_exchange, pqc_readiness, quantum_risk, pqc_vulnerable | tychon.filesystem_certificate — protocol=X.509, cipher, pqc_vulnerable, pqc_readiness, quantum_risk | tychon.keystore_certificate — protocol=X.509, cipher, pqc_vulnerable, pqc_readiness, quantum_risk | tychon.crypto_library — protocol=library, cipher, pqc_vulnerable, pqc_readiness, quantum_risk | tychon.quantum_readiness — ntlm.* and wifi.* sub-namespaces

Implementation Notes

flattenObjectToMap behavior: String slices are joined with ", ". Time values use RFC3339Nano. Zero integers, empty strings are omitted. Booleans are always included. Non-string slices are JSON-serialized as strings. Maps with string keys are recursively flattened.

Base observer fields: Every NDJSON event starts with the base event. The scanner host's ScanningSystemInfo is flattened under observer.*, with four key remappings: host_id -> observer.id, platform_family -> observer.os.family, platform -> observer.os.platform, os -> observer.os.name.

Certificate chain: Chain certs in port_detail events use index-based keys: certificate.chain.0.*, certificate.chain.1.*, etc. Subject/issuer nested fields are removed and rewritten as flat strings.

Intel map flattening: The intel field on MainCipherNegotiationInfo is a map[string]any. When flattened under tychon.cipher_negotiation.intel.*, all keys from the intel map become dot-notation fields. This includes KEX, protocol, and connection composite fields when enrichIntelMapWithKex has been called.

AppReport events: tychon.application and tychon.pqc_inventory events are only emitted when -cipherscanquick runs in local scan mode and report.AppReport != nil.

SSH-only ports: When a port responds to SSH but not TLS (and TLS cipher list is empty), a single port_detail event is emitted with SSH fields flattened under ssh.*.

active / last_seen semantics: The active field is written only when false - this marks a previously-seen asset that was NOT observed in the current scan (tombstoned). When an asset IS present in the current scan, active is omitted entirely (omitempty). The last_seen field is a string in RFC3339 format and is likewise only present for tombstoned assets to record when they were last seen.

keystore.stats.key_algorithms dynamic keys: The keystore.stats.key_algorithms.{algo} field in keystore summary events uses the algorithm name (e.g., RSA, EC, Ed25519) as the key. The count of certificates using that algorithm is the integer value.

-scanconnected browser exclusion: The isBrowserProcess() function filters out connections from known browsers before any probe is attempted. Excluded process names (case-insensitive): chrome, msedge, firefox, brave, opera, duckduckgo, iexplore, chromium, safari. These processes generate large volumes of ephemeral TLS connections and are not operationally meaningful for PQC assessment.

-scanconnected TLS confirmation: A connection is recorded with has_crypto=true only when getDefaultCipherInfoQuick() successfully completes a TLS handshake. Connections that time out, refuse the handshake, or speak plaintext are still recorded but with has_crypto=false. No full cipher suite enumeration is performed; tychon.connected_quick events never contain cipher detail, certificate chain, or SSH fields.

-scanconnected limited observer fields: Unlike every other event type, tychon.connected_quick does not inject the full observer.* base field set. It writes only selective identity fields (machine_serial_number, bios_serial_number, organization, domain) when scanningSystem != nil. A parser must not assume standard observer host/OS fields are present in this dataset.

Output Schema Reference

How To Read This Page

JSON

Flat NDJSON

Coverage rule

Reuse rule

Omitted versus null

Table of Contents

Overview

Quick Crosswalk

Legend and Reading Shortcuts

Provenance badges

Three fast rules

Example Payloads

Minimal JSON shape

Representative NDJSON lines

Repeated Structures You Will See Often

CertificateDetails

KeystoreInfo

ProcessCryptoInfo

SSHScanResult and SSHCryptoNegotiationInfo

Field Search

Part 1 - JSON Output (`ScanReport`)

Part 2 - Flat NDJSON Output

Implementation Notes

How To Read This Page

JSON

Flat NDJSON

Coverage rule

Reuse rule

Omitted versus null

Table of Contents

Overview

Quick Crosswalk

Legend and Reading Shortcuts

Provenance badges

Three fast rules

Example Payloads

Minimal JSON shape

Representative NDJSON lines

Repeated Structures You Will See Often

CertificateDetails

KeystoreInfo

ProcessCryptoInfo

SSHScanResult and SSHCryptoNegotiationInfo

Field Search

Part 1 - JSON Output (ScanReport)

Part 2 - Flat NDJSON Output

Implementation Notes

Part 1 - JSON Output (`ScanReport`)