TYCHON Insights Reference

📋 Overview

📊 Index Patterns

🔗 Common Fields

🗂 Index Schemas

🔍 Sample Queries

TYCHON Insights Overview

Unified Data Collection Platform

TYCHON Insights is a PowerShell and Python module installed on endpoints that collects CVE, STIG, and quantum readiness data and forwards it to Elasticsearch under the tychon-pqc-* index pattern. When paired with TYCHON Quantum Command (TQC), the combined dataset provides a complete cryptographic posture picture.

🛡️ CVE Intelligence

Vulnerability assessment data tied to installed crypto libraries and software packages, cross-referenced against NIST NVD.

📋 STIG Compliance

Security Technical Implementation Guide checks for cryptographic configurations on Windows and Linux endpoints.

⚛️ Quantum Readiness

Post-quantum cryptography readiness scoring per OMB M-23-02 and CNSA 2.0 standards, including hardware capability profiling.

Integration Architecture

💻

Endpoint

Windows / Linux

TychonScan.psm1

→

📦

TYCHON Insights

PowerShell Module

+ Python Agent

→

🔍

Elasticsearch

tychon-pqc-*

12 indices

🔭

TQC Scanner

Remote port scanning

cipher/cert discovery

🔬

TYCHON Insights

Local endpoint data

CVE / STIG / quantum

PowerShell Module

The TychonScan PowerShell module is the primary data collection agent on Windows endpoints. It is signed with a DigiCert code-signing certificate (TYCHON LLC).

# Import and run a scan
Import-Module TychonScan
Invoke-TychonScan -OutputPath C:\Tychon\Results

# Check module details
Get-Module TychonScan | Select-Object Version, Path

Module Manifest (TychonScan.psd1)

Module Type	Script
Root Module	TychonScan.psm1
Public Functions	Public/*.ps1
Private Functions	Private/*.ps1
Signing	DigiCert (TYCHON LLC)
Cert Expiry	Nov 2026

⚠️ script.* Fields

Every TYCHON Insights document includes script.* fields that capture PowerShell execution metadata. These are injected automatically and are not part of the core data payload.

script.name script.type script.version script.start script.current_time script.current_duration script.runtime.psversion script.runtime.clrversion

Index Patterns

All TYCHON Insights data lands in the tychon-pqc-* index pattern. Use this wildcard in Kibana index pattern settings and Elasticsearch queries to search across all 12 indices simultaneously.

# Kibana Index Pattern

tychon-pqc-*

Index Name	Purpose	Documents	Key Namespace	Category
tychon-pqc-certificates	X.509 certificates from filesystem, keystores, and TLS connections	17,869	`certificate.*`	Crypto
tychon-pqc-assets	Cryptographic asset inventory — config files and process-linked certs	1,985	`config.*`	Crypto
tychon-pqc-applications	Applications using crypto — ports, protocols, and quantum readiness grades	1,582	`tychon.application.*`	App
tychon-pqc-crypto-libraries	Cryptographic libraries (OpenSSL, BouncyCastle, etc.) with vulnerability status	1,613	`tychon.library.*`	Vuln
tychon-pqc-installed-apps	Installed software packages that depend on crypto libraries	560	`package.*`	App
tychon-pqc-inventory	TLS/SSH port-level cipher inventory with OMB M-23-02 compliance scoring	454	`tls.`, `omb.`	Compliance
tychon-pqc-ciphers	Individual cipher suite findings per port with quantum risk ratings	451	`tychon.cipher.*`	Crypto
tychon-pqc-keystores	Keystore files (PKCS#12, JKS, Windows cert stores) with cert statistics	88	`keystore.*`	Crypto
tychon-pqc-ipsec-tunnels	IPSec VPN tunnels — encryption algorithms, DH groups, PFS status	4	`ipsec_tunnel.*`	Network
tychon-pqc-archives	Encrypted archive files (PST, ZIP, 7z) with encryption algorithm detection	2	`archive.*`	File
tychon-pqc-vpn-clients	VPN client software — configuration security and PQC readiness	4	`vpn_client.*`	Network
tychon-pqc-system-readiness	Full hardware and OS quantum readiness scoring with cost analysis and upgrade paths	20	`quantum_readiness.*`	Compliance

Common Fields

These field namespaces appear in every tychon-pqc-* document. They provide consistent host identity, observer context, and routing metadata for cross-index correlation.

host.* Host Identity Fields

Field	Type	Description
host.hostname	keyword	Short hostname of the scanned endpoint
host.id	keyword	Unique host identifier (persistent)
host.domain	keyword	Windows domain or DNS domain
host.ip	ip[]	All IP addresses (IPv4 and IPv6)
host.mac	keyword[]	MAC addresses
host.os.name	keyword	OS name (e.g. "Windows Server 2022")
host.os.version	keyword	OS version string
host.os.family	keyword	OS family (windows / linux / macos)
host.hardware.serial_number	keyword	Hardware serial number from BIOS/DMI
host.hardware.manufacturer	keyword	Hardware manufacturer
host.logged_on_user	keyword	Currently logged-on user at scan time
host.managed	boolean	Whether host is managed by TYCHON
host.epo.guid	keyword	McAfee/Trellix ePO agent GUID

observer.* Observer / Scanner Fields

Field	Type	Description
observer.id	keyword	Scanner instance unique ID
observer.hostname	keyword	Scanner hostname
observer.software_version	keyword	TQC Scanner or Insights version
observer.fips_mode_enabled	boolean	Whether scanner ran in FIPS mode
observer.is_vdi_environment	boolean	VDI environment detection flag
observer.vdi_identity_source	keyword	How VDI identity was resolved (cli_override / profile_file / username_hash / gopsutil)
observer.tychon_client_id	keyword	TYCHON platform client registration ID
observer.bigfix_client_installed	boolean	Whether BigFix agent is present on observer

tychon.* Core TYCHON Fields (All Indices)

Field	Type	Description
tychon.id	keyword	Unique document identifier (SHA-256 derived)
tychon.type	keyword	Record type (e.g. certificate, cipher, application)
tychon.index	keyword	Target index name
tychon.data.version	keyword	Data schema version
tychon.sort.id	long	Numeric sort key for ordered display
tychon.routing.source.hostname	keyword	Originating scanner hostname
tychon.routing.source.observer_id	keyword	Originating scanner observer ID
tychon.routing.original.*	object	Middleware-injected copy of all host.* fields for routing preservation
tychon.endpoint.is_vdi	boolean	VDI endpoint flag
tychon.endpoint.is_laptop	boolean	Laptop form-factor detection
tychon.endpoint.setting.security_label_settings.name	keyword	Applied security classification label

kerberos.* Kerberos Configuration Fields

Field	Type	Description
kerberos.has_aes256	boolean	AES-256 encryption type supported
kerberos.has_aes128	boolean	AES-128 encryption type supported
kerberos.has_rc4	boolean	RC4-HMAC (weak) encryption type supported
kerberos.has_des	boolean	DES (deprecated) encryption type supported
kerberos.is_quantum_safe	boolean	Whether Kerberos config is quantum-safe
kerberos.is_explicitly_configured	boolean	Whether encryption types are explicitly configured vs OS default
kerberos.config_source	keyword	Source of Kerberos config (registry / krb5.conf / default)

Index-Specific Schemas

Certificates Inventory Ciphers Applications Crypto Libraries Keystores System Readiness Other Indices

tychon-pqc-certificates 17,869 documents · X.509 certificate inventory

certificate.* Fields

Field	Description
serial_number	Certificate serial number (hex)
sha1_fingerprint	SHA-1 fingerprint
sha256_fingerprint	SHA-256 fingerprint
signature_algorithm	Signing algorithm (e.g. SHA256WithRSA)
subject_common_name	Subject CN
subject_public_key_info.algorithm	Public key algorithm (RSA/EC/etc.)
subject_public_key_info.bit_size	Key size in bits
not_before / not_after	Validity window
validity.duration_days	Certificate lifetime in days
is_self_signed	Self-signed flag
is_ca	CA certificate flag
pqc_vulnerable	Post-quantum vulnerable flag
source_file_path	Path where cert was found

Additional Namespaces

x509.*

ECS-standard certificate fields: serial_number, public_key_size, public_key_algorithm, signature_algorithm, subject.common_name, issuer.common_name, key_usage, version_number

file.*

Source file metadata: path, name, extension, size, permissions, owner.name, group.name, mtime

omb.sig_tier

OMB M-23-02 signature tier classification (1–4)

pqc.vulnerable

Top-level post-quantum vulnerability shorthand

tychon-pqc-inventory 454 documents · TLS/SSH port cipher inventory with OMB compliance

tls.* Fields

Field	Description
preferred_protocol	Highest/preferred TLS version
preferred_cipher	Preferred cipher suite
supported_protocols	All negotiated protocols
supported_ciphers	All accepted cipher suites
insecure_ciphers	Weak/deprecated cipher suites found
insecure_cipher_count	Count of insecure ciphers
duration_ms	Scan duration in milliseconds

Shorthand Flags

quantum_ready quantum_ready_cert quantum_ready_cipher quantum_ready_kx

omb.* Fields (OMB M-23-02)

Field	Description
kex_primary	Primary key exchange algorithm
kex_tier	KEX tier (1=PQC-safe → 4=legacy)
sig_tier	Signature tier classification
protocol_tier	Protocol compliance tier
vulnerability_status	Overall vulnerability assessment
pqc_algos	Post-quantum algorithms detected
crqc_vulnerable_algos	Algorithms vulnerable to CRQC
certifications	Applicable certifications (FIPS, CC, etc.)

tychon-pqc-ciphers 451 documents · Per-port cipher suite findings

Field	Type	Description
tychon.cipher.protocol	keyword	TLS version (TLSv1.2, TLSv1.3)
tychon.cipher.port	integer	Port number
tychon.cipher.is_encrypted	boolean	Whether this cipher provides encryption
tychon.cipher.pqc_readiness	keyword	PQC readiness level (ready / partial / not_ready)
tychon.cipher.pqc_vulnerable	boolean	Vulnerable to post-quantum attacks
tychon.cipher.quantum_risk	keyword	Risk level (critical / high / medium / low)
tychon.cipher.migration_priority	keyword	Migration urgency (immediate / planned / monitor)
tychon.cipher.recommended_action	text	Human-readable remediation recommendation

tychon-pqc-applications 1,582 documents · Application crypto usage and quantum grades

Field	Type	Description
tychon.application.name	keyword	Application name
tychon.application.path	keyword	Application executable path
tychon.application.port	integer	Primary listening port
tychon.application.quantum_ready	boolean	Overall quantum readiness flag
tychon.application.quantum_grade.score	float	Numeric quantum readiness score
tychon.application.quantum_grade.grade	keyword	Letter grade (A / B / C / D / F)
tychon.application.crypto_library_count	integer	Number of crypto libraries loaded
tychon.application.keystore_count	integer	Keystores associated with this app
tychon.library.uses_openssl	boolean	OpenSSL dependency detected
tychon.library.openssl_pqc_status	keyword	OpenSSL PQC capability status

tychon-pqc-crypto-libraries 1,613 documents · Library vulnerability and PQC status

Field	Type	Description
tychon.library.name	keyword	Library name (libssl, BouncyCastle, etc.)
tychon.library.crypto_type	keyword	Library category (symmetric / asymmetric / hash / TLS)
tychon.library.pqc_status	keyword	PQC support level (full / partial / none)
tychon.library.pqc_algorithms	keyword[]	Supported PQC algorithm names
vulnerability.is_vulnerable	boolean	Has known CVE vulnerability
vulnerability.risk_level	keyword	CVE risk level (critical / high / medium / low)
vulnerability.risk_reason	text	Human-readable vulnerability description
process.name	keyword	Owning process name
process.executable	keyword	Process executable path

tychon-pqc-keystores 88 documents · Keystore files with certificate statistics

Field	Type	Description
keystore.type	keyword	Keystore type (PKCS12 / JKS / Windows / PEM)
keystore.path	keyword	Filesystem path to keystore
keystore.cert_count	integer	Total certificates in keystore
keystore.accessible	boolean	Whether keystore could be read
keystore.requires_auth	boolean	Password-protected keystore
keystore.stats.pqc_vulnerable_certificates	integer	PQC-vulnerable cert count
keystore.stats.expired_certificates	integer	Expired cert count
keystore.stats.key_algorithms.rsa / ecdsa	integer	Cert counts by key algorithm

tychon-pqc-system-readiness 20 documents · Hardware and OS quantum readiness scores

quantum_readiness.* Top-Level

Field	Description
overall_score	Composite readiness score (0–100)
readiness_status	Status label (Ready / Partial / Not Ready)
status_color	Display color (green / yellow / red)
ready_timeline	Estimated migration timeline
assessment_type	Assessment category (hardware / os / full)
recommendations	Array of remediation recommendations

Sub-Objects

quantum_readiness.hardware.*

CPU architecture, cores, RAM, TPM version, instruction sets (AES-NI, AVX2, NEON), HSM presence, Secure Boot, per-component scores

quantum_readiness.operating_system.*

Crypto framework, native PQC support, SymCrypt presence, FIPS mode, modern crypto API availability, per-component scores

quantum_readiness.network.*

IPv6 support, TLS 1.3 capability, modern cipher support, estimated bandwidth, protocol scores

quantum_readiness.cost_analysis.*

total_cost_usd, hardware/labor/license breakdown, total_labor_hours, labor_rate_used

quantum_readiness.upgrade_pathway[]

Ordered upgrade steps: component, action, description, priority, estimated_time_weeks

tychon-pqc-ipsec-tunnels

4 documents · IPSec VPN tunnel crypto configuration

ipsec_tunnel.name / status / implementation

tunnel_details.encryption_algorithm

tunnel_details.dh_group

tunnel_details.perfect_forward_secrecy

security.pqc_support / pqc_vulnerable

security.weak_dh_group / weak_crypto

tychon-pqc-vpn-clients

4 documents · VPN client software and config security

vpn_client.name / vendor / version / status

vpn_client.executable_path / config_path

vpn_config.split_tunneling / kill_switch

vpn_config.dns_leak_protection

pqc.quantum_resistance / is_pqc_ready

security.score / risk_level

tychon-pqc-archives

2 documents · Encrypted archive files (PST, ZIP, 7z)

archive.file_path / file_type / file_hash

archive.is_encrypted / encryption_type

archive.encryption_strength

archive.file_details.{md5,sha1,sha256}_hash

tychon-pqc-assets

1,985 documents · Config-file and process-linked crypto assets

config.config_file / resolved_path

config.property_key / ref_type

process.name / pid / path

tychon-pqc-installed-apps

560 documents · Installed software with crypto library dependencies

package.name / path / install_directory

tychon.installed_app.crypto_library_count

tychon.scan_mode (unique to this index)

Sample Queries

Find All PQC-Vulnerable Certificates

Returns certificates using RSA or ECDSA keys that will be broken by a cryptographically relevant quantum computer.

Elasticsearch Query DSL

GET tychon-pqc-certificates/_search
{
  "query": {
    "term": { "certificate.pqc_vulnerable": true }
  },
  "sort": [{ "certificate.not_after": "asc" }],
  "_source": [
    "host.hostname", "certificate.subject_common_name",
    "certificate.signature_algorithm",
    "certificate.subject_public_key_info.bit_size",
    "certificate.not_after", "certificate.source_file_path"
  ]
}

Application Quantum Grades by Host

Aggregate quantum readiness grades across all detected applications, grouped by hostname.

Elasticsearch Aggregation

GET tychon-pqc-applications/_search
{
  "size": 0,
  "aggs": {
    "by_host": {
      "terms": { "field": "host.hostname", "size": 100 },
      "aggs": {
        "avg_score": {
          "avg": { "field": "tychon.application.quantum_grade.score" }
        },
        "grades": {
          "terms": { "field": "tychon.application.quantum_grade.grade" }
        }
      }
    }
  }
}

Systems Below Readiness Threshold

Find endpoints scoring below 60 on overall quantum readiness for prioritized remediation.

Elasticsearch Range Query

GET tychon-pqc-system-readiness/_search
{
  "query": {
    "range": {
      "quantum_readiness.overall_score": { "lt": 60 }
    }
  },
  "sort": [{ "quantum_readiness.overall_score": "asc" }],
  "_source": [
    "host.hostname", "quantum_readiness.overall_score",
    "quantum_readiness.readiness_status",
    "quantum_readiness.ready_timeline",
    "quantum_readiness.cost_analysis.total_cost_usd"
  ]
}

Critical Crypto Library Vulnerabilities

Returns crypto libraries with critical CVE findings, showing owning process context.

Elasticsearch Bool Query

GET tychon-pqc-crypto-libraries/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "vulnerability.is_vulnerable": true } },
        { "term": { "vulnerability.risk_level": "critical" } }
      ]
    }
  },
  "_source": [
    "host.hostname", "tychon.library.name",
    "vulnerability.risk_reason", "process.name",
    "tychon.library.pqc_status"
  ]
}

OMB M-23-02 Compliance Sweep

Find all inventory records with CRQC-vulnerable algorithms for OMB reporting.

Elasticsearch Exists Query

GET tychon-pqc-inventory/_search
{
  "query": {
    "bool": {
      "must": [
        { "exists": { "field": "omb.crqc_vulnerable_algos" } }
      ],
      "filter": [
        { "range": { "@timestamp": { "gte": "now-7d" } } }
      ]
    }
  },
  "_source": [
    "host.hostname", "tls.preferred_protocol",
    "omb.kex_tier", "omb.sig_tier", "omb.crqc_vulnerable_algos",
    "omb.vulnerability_status"
  ]
}

Kibana KQL Examples

Kibana Query Language (KQL)

# All PQC-vulnerable certs on Windows endpoints
certificate.pqc_vulnerable: true AND host.os.family: "windows"

# Applications with grade F quantum scores
tychon.application.quantum_grade.grade: "F"

# Keystores with weak RSA keys
keystore.stats.key_algorithms.rsa > 0

# Systems with RC4 Kerberos
kerberos.has_rc4: true AND kerberos.has_des: true

# Crypto libraries with no PQC support
tychon.library.pqc_status: "none" AND vulnerability.is_vulnerable: true

# Ciphers requiring immediate migration
tychon.cipher.migration_priority: "immediate"