Post-Quantum Readiness
Requires Runtime Truth.

Laviq helps security teams find shadow cryptography in live Linux systems, validate what actually executes at runtime, and prioritize remediation for PQC audits and migration planning. No source code required.

Request a Runtime Discovery Demo Explore the Reality Gap ↓

🇺🇸

USA: NSA CNSA 2.0

The Hard Deadline

National Security Systems must begin the transition to Quantum-Resistant algorithms by 2025. You must prove your inventory down to the runtime layer.

🇨🇦

Canada: ITSM.40.001

The Inventory Mandate

Federal departments need a complete cryptographic inventory and migration plan by April 2026. Laviq maps your "Black Box" vendor binaries running in production.

🌐

Global Standard

"Store Now, Decrypt Later"

Protecting long-term data requires immediate action. Laviq captures the exact TLS network parameters being negotiated live to stop vulnerable traffic.

Static inventory is not runtime truth.

See why SBOMs and configs fail audits, and how Laviq's Runtime Truth Engine captures what actually executes in memory.

Select Scenario

Static Assumption

                                # service_config.yaml

                                tls_settings:

                                  min_version: "TLS 1.3"

                                  ciphers:

                                    - "TLS_AES_256_GCM_SHA384"

                                  fallback_allowed: true

The configuration file dictates modern TLS. An auditor reviewing the config assumes the system is compliant.

Laviq Runtime Reality

                                {

                                  "laviq_event": "tls_handshake",

                                  "pid": 4092,

                                  "negotiated_version": "TLS 1.2",

                                  "cipher_suite": "TLS_RSA_WITH_AES_128...",

                                  "verdict": "CLASSICAL_FALLBACK"

                                }

Laviq captures the live connection falling back to a classical path. Support in code is not selection in production.

Runtime evidence from the host.

Not guesses from the repo. Laviq shows what cryptography actually executes at runtime so teams can identify shadow crypto, assign ownership, and prioritize PQC remediation.

Deep Runtime Context

A naive list of loaded libraries isn't enough to prove risk. Laviq's Runtime Truth Engine captures the entire execution chain. We map the process tree, track the network trigger, capture the exact cryptographic parameters, and provide the userspace backtrace to pinpoint the exact line of execution.

Full process hierarchy mapping
Network & Crypto event correlation
Exact parameter capture (e.g., Key Size)
Userspace stack traces for precise attribution

laviq-forensic-trace-viewer

Live Runtime Truth Capture

Process Hierarchy

├─ systemd (PID: 1)

├─ containerd (PID: 882)

├─ containerd-shim (PID: 2104)

└─ vendor_gateway (PID: 4011)

↳ worker_thread (TID: 4015)

Memory Map (Loaded)

/opt/vendor/bin/gateway

/usr/lib/x86_64-linux-gnu/libssl.so.3

/usr/lib/x86_64-linux-gnu/libcrypto.so.3

Execution Trace Timeline

[L4 Network] TCP Connection Established t=0.000ms

Syscall: accept4() | Peer: 192.168.1.105:43912 -> :443

[L7 Crypto] Function Invoked t=1.240ms

Symbol: RSA_private_decrypt

Target Library: libcrypto.so.3

Captured Parameter: Key Size = 2048 bits

Userspace Backtrace (TID: 4015)

#0 RSA_private_decrypt+0x1a (libcrypto.so.3)

#1 ssl3_get_client_key_exchange+0x420 (libssl.so.3)

#2 tls_process_client_hello+0x18c (libssl.so.3)

#3 ossl_statem_server_process_message+0x110 (libssl.so.3)

#4 handle_secure_connection+0x85 (/opt/vendor/bin/gateway)

#5 worker_loop_main+0x112 (/opt/vendor/bin/gateway)

PQC Remediation Roadmap

Audit: ITSM.40.001

Critical Findings

3

Owners Identified

2 / 3

Verified Fixes

0 / 3

RSA-1024 key generation observed at runtime

vendor_auth.so:142

Critical

PQC Relevance

Weak long-term cryptographic posture in a migration-sensitive path.

Owner

Payments Platform / Vendor Gateway Team

Impact

Affects token exchange path and dependent certificate chain.

Remediation

Upgrade to RSA-3072 and rotate dependent certs.

Verification

Planned rescan

Additional Findings

TLS 1.2 fallback in live ingress traffic

Owner: Edge Connectivity. Next: enforce TLS 1.3 and validate client compatibility.

High

Legacy signing curve in certificate workflow

Owner: PKI Services. Next: stage migration and certificate rollover plan.

High

Actionable Migration Plans

Runtime findings become actionable only when they include ownership, blast radius, and a concrete next step. This roadmap is designed to show engineering and security teams what to fix first, who should fix it, and how closure is verified.

Tie each runtime finding to a PQC migration concern
Surface owner and blast radius before change execution
Close the loop with verification states and planned rescans

Frictionless, Air-Gapped Deployment

Security tools shouldn't break your production servers or require opening firewall ports. Laviq is distributed as a standalone .deb, .rpm, or Docker container. It is 100% offline-first. Your proprietary binaries and cryptographic evidence never leave your environment.

Zero external cloud connections required
Native package managers or container execution
Non-intrusive kernel memory hooks (No reboots)

Officially Supported Environments

Ubuntu 20.04 / 22.04 LTS RHEL 8 / AlmaLinux Debian 11 Amazon Linux 2

Requires Linux Kernel 5.10+ (eBPF capabilities)

Deployment Options

# 1. Native Package Install

sudo apt-get install laviq-agent.deb

# 2. Or run via privileged container

docker run --privileged \

-v /sys/kernel/debug:/sys/kernel/debug \

laviq/agent:latest --offline-audit

Community & Open Source

Transparent by Design.

Cryptographic risk scoring shouldn't be a black box. While our Runtime Truth Engine is commercial, we open-source our HTML Reporter UI and the Trust Matrix scoring logic. Security teams can audit our math, modify the output formats, and trust the methodology behind every PQC finding.

View on GitHub

Offline-First Security Analysis

All analysis is performed offline, in a controlled environment.

No cloud uploads

Your binaries never leave your environment

Controlled rollout

Start with scoped deployments and controlled environments before expanding into broader production coverage.

No code modification

Analyze as-is without recompilation

Low footprint

Minimal resource usage, non-intrusive no reboots required.

Frequently Asked Questions

Request a PQC Discovery Pilot

Discuss a controlled assessment for your Linux estate.

Post-Quantum Readiness Requires Runtime Truth.