NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) finalized August 2024. QNSP runs 89 PQC algorithms across 14 families. Migration window open. Read the migration brief →
Quantum-nativetrust infrastructure.
Full-stack post-quantum security for sensitive data, critical systems, and AI workloads. Globally available.
Operate keys, secrets, storage, audit, posture, and AI security from one quantum-native infrastructure layer.
Operated as one infrastructure layer.
Sized to your organisation's regulatory posture.
Built for governments, defence, financial institutions, critical infrastructure, enterprises, AI companies, sensitive-data platforms, and production trust teams.
Platform architecture
Your stack stays. QNSP becomes your trust layer.
QNSP sits between your applications, HSMs, and multi-cloud estate as a dedicated trust infrastructure layer. Customer systems stay where they are; QNSP provides post-quantum key operations, vaulting, storage protection, policy enforcement, posture telemetry, and tamper-evident evidence across them. Sovereign, VPC, on-premises, and air-gapped deployment models are sized to your regulatory posture.
Your organisation
Apps · AI workloads
Whatever stack you operate today. TypeScript · Python · Go · Rust · REST · CLI · MCP.
Customer HSMs
Bring-your-own via PKCS#11. Thales Luna · Entrust nShield · AWS CloudHSM · Azure HSM.
Your multi-cloud estate
AWS · Azure · GCP · IBM · Oracle · Alibaba · Akamai · Cloudflare · Fastly · DigitalOcean · HashiCorp Vault.
QNSP Edge Gateway
Single ingress · PQC TLS termination · multi-tenant routing · authentication · entitlement enforcement · capability gates · rate limits.
Identity & Decision
Authentication · access control · policy decisions
Control
Tenancy · entitlements · platform APIs
Data
KMS · vault · storage · search
Evidence
Audit chain · evidence packs
Operations
Crypto inventory · AI orchestration · security monitoring · observability
Tamper-Evident Audit Ledger
Merkle-tree chain · ML-DSA-signed checkpoints · 90-day → 7-year retention tiers · WebSocket streaming for SIEM.
Compliance Evidence
Evidence packs mapped to SOC 2, HIPAA, GDPR, PCI DSS v4, ISO 27001, PDPA, and MAS TRM. Signed and exportable on demand.
Crypto-posture insights
Continuous discovery, NIST PQC readiness scoring, CycloneDX CBOM export across your multi-cloud estate.
Deployment topologies:
Cloud (default)VPCOn-premisesAir-gappedSovereignNote:
Architecture is illustrative and current as of Q2 2026. Public SDKs and integration examples are independently verifiable at github.com/cuilabs/qnsp-public.
Detailed implementation documentation is available under mutual NDA.
Third-party product names, logos, and trademarks are the property of their respective owners and are referenced solely for compatibility and integration documentation.
Their inclusion does not imply endorsement, partnership, or affiliation unless explicitly stated.
Trust & assurance
Built for high-assurance environments.
NIST-finalised cryptographic standards, publicly verifiable CSA STAR assurance artifacts, and deployment topologies sized to regulated procurement frameworks.
CSA STAR Level 1 — Publicly Verified
CUI LABS is listed in the CSA STAR Registry. Download the CAIQ self-assessment directly for your vendor-risk programme.
CAIQ Self-Assessment v4.1.0
Comprehensive documentation of security controls mapped across IaaS, PaaS, and SaaS layers — downloadable from the CSA STAR Registry for vendor due diligence.
Cloud Controls Matrix (CCMv4)
All control domains mapped to CSA CCM — the industry-accepted framework for cloud security assurance, audit, and third-party risk assessment.
Publicly Verifiable Artifacts
Assurance artifacts are publicly accessible for customer due diligence, regulatory submissions, and procurement review. No NDA required for Level 1 evidence.
QNSP Platform Coverage Scope
PQC-TLS termination, HSM-integrated KMS, secrets vault, encrypted storage (SSE-X), full cryptographic audit trail, CBOM export.
Scope: QNSP cloud service as listed in CSA STAR. Controls vary by deployment model. STAR Level 1 = self-attestation; independent audit support available under enterprise agreement.
Operated by CUI LABS (PTE.) LTD., Singapore.
Public assurance sandbox · no signup · no API key
Run live post-quantum operations before onboarding.
Execute fresh FIPS 203, FIPS 204, and FIPS 205 post-quantum operations from a public verification surface. Inspect generated key material, ciphertexts, signatures, verification status, timing data, and integrity checks before creating an account.
The sandbox uses the same pinned implementation family as QNSP's public SDKs and produces new outputs per request. Results are not precomputed, replayed, or served as canned examples.
Operations covered
- ML-KEM — key generation, encapsulation, decapsulation
- ML-DSA — key generation, signing, verification
- SLH-DSA — key generation, signing, verification
Evidence available
Live output · implementation version · algorithm identifiers · timing data · integrity status · conformance vectors · public SDK and integration source mirror · API route access.
Every request produces fresh verification output. Sandbox key material is generated for assurance testing only and must not be used in production systems. Conformance vectors verify deterministic implementation behavior against pinned library versions.
$ curl -s https://qnsp.cuilabs.io/api/sandbox/pqc-runtime | jq .
QNSP transition
From existing trust stack to QNSP-operated trust.
Already operating across cloud KMS, HSMs, Vault, certificates, secrets, storage, or legacy PKI? QNSP can assess your current trust stack, identify exposure, prioritise critical workloads, and guide transition into QNSP-operated trust infrastructure. Every phase below maps to a real cloud-portal surface and a real backend service route.
Your existing trust stack
- 01Discover
Connect cloud accounts via 11 vendor connectors and deploy QNSP discovery agents into private networks. Inventory keys, secrets, certificates, TLS endpoints, hardware modules, and storage across the entire estate.
/crypto-posture/connect-aws · /crypto-posture/agents · /crypto-posture/schedules · /crypto-posture/hardware-inventory
- 02Map
Score quantum exposure per asset, generate a CycloneDX CBOM, identify deprecated algorithms still in use, and map controls against the regulatory frameworks that apply to your organisation.
/crypto-posture/pqc-readiness · /crypto-posture/bom · /crypto-posture/algorithm-deprecation · /nist-compliance
- 03Prioritise
Define transition rules per workload class, draft compliance policies, and produce migration plans that sequence assets by data-lifetime risk, blast radius, and audit obligation.
/crypto-posture/transition-rules · /crypto-posture/policies · /crypto-posture/compliance-policies · /kms/crypto-agility
- 04Transition
Execute migrations with dry-run plus live cutover modes. BYOK and BYOH let existing customer keys and HSMs coexist with QNSP services during the cutover. Every operation is signed into the audit chain.
/crypto-posture/migration-automation · /crypto-posture/cutover-tracking · /kms/byok · /kms/byohsm · /kms/rotation
- 05Operate
Continuous drift-control validation, automated key-compromise response, attack-path analysis, and on-demand evidence packs for SOC 2 / HIPAA / GDPR / PCI / ISO / PDPA / MAS TRM audits.
/crypto-posture/drift-control-validation · /security/automated-response · /security/key-compromise · /evidence
QNSP-operated trust infrastructure
Post-quantum KMS · encrypted vault · PQC-native storage · vector search · tamper-evident audit chain · access control · identity federation · hardware enclaves · AI workload security · multi-cloud crypto-posture · compliance evidence — operated across cloud, VPC, on-premises, air-gapped, and sovereign deployment models.
Every portal path above resolves in the QNSP cloud portal at cloud.qnsp.cuilabs.io. Backend services that implement the transition flow: crypto-inventory-service (23 routes), kms-service (BYOK · BYOH · rotation), and security-monitoring-service (continuous ops). Public SDKs and integration examples are independently verifiable at the public SDK and integration source mirror at github.com/cuilabs/qnsp-public.
Technical integration
Integrate through standard runtimes and APIs.
QNSP is consumed through package managers and runtimes technical teams already use. One package per language, one shared OpenAPI surface, one activation call. Start on Free Forever, then carry the same integration path into cloud, VPC, sovereign, on-premises, or air-gapped deployment.
Same wire contracts
All runtimes call the same OpenAPI surface with identical request/response shapes, error codes, and algorithm identifiers.
One activation path
Self-service activation registers against the Free Forever production tier. Enterprise deployments use the same integration model.
No proprietary build pipeline
Standard package managers, registries, versioning, and CI/CD workflows. No bespoke compiler, vendored toolchain, or custom build system required.
Standards-based evaluation
REST · OpenAPI · JWT · API keys · public registries · SBOM-friendly releases · public source mirror
Self-service activation is free and instant. No credit card required. Same integration path carries into enterprise deployment.
Sectors served
Designed for high-consequence sectors.
QNSP supports organisations where cryptographic failure, exposed secrets, weak audit trails, or long-life data compromise can create operational, financial, regulatory, or national-security risk.
Government & sovereign systems
Protect citizen data, sovereign cloud workloads, inter-agency systems, classified-adjacent records, and long-life archives with post-quantum key management, encrypted storage, policy controls, and audit evidence.
Protects
- ·citizen records
- ·digital identity systems
- ·inter-agency data sharing
- ·long-retention public-sector archives
- ·regulated procurement evidence
Deployment: sovereign · VPC · on-prem · air-gapped
Defence & military
Secure mission systems, operational data, command workflows, signing operations, and sensitive communications where confidentiality, integrity, and long-term cryptographic resilience are non-negotiable.
Protects
- ·mission data protection
- ·defence supply-chain trust
- ·secure signing workflows
- ·operational audit trails
- ·long-life classified-adjacent data
Deployment: air-gapped · sovereign · on-prem
Banks & financial institutions
Protect payment systems, customer records, transaction evidence, signing workflows, vault secrets, and long-life regulated data with quantum-native trust infrastructure.
Protects
- ·payment infrastructure
- ·customer PII
- ·transaction signing
- ·audit evidence
- ·secrets and key governance
- ·long-retention compliance data
Critical infrastructure
Protect energy, telecom, transport, water, healthcare, and industrial systems where cryptographic failure can create physical-world disruption, operational downtime, or national resilience risk.
Protects
- ·OT/IT trust boundaries
- ·infrastructure control-plane secrets
- ·telemetry protection
- ·vendor access controls
- ·incident evidence
Deployment: sovereign · VPC · on-prem · air-gapped
Enterprises
Consolidate keys, secrets, storage protection, audit evidence, access control, and crypto-posture across business units, cloud estates, applications, and regulated data environments.
Protects
- ·multi-cloud key governance
- ·secrets sprawl
- ·application encryption
- ·access policy what-if analysis
- ·internal audit evidence
- ·vendor-risk response
AI companies
Protect model pipelines, embeddings, training data, inference workloads, prompt surfaces, model registries, and AI audit trails with trust controls built for high-value AI systems.
Protects
- ·model registry protection
- ·prompt-injection monitoring
- ·training-data protection
- ·vector search security
- ·inference audit trails
- ·confidential AI workloads
Sensitive-data platforms
Secure SaaS platforms, data rooms, healthcare systems, legal workflows, research platforms, and regulated applications that store, process, or exchange high-value sensitive data.
Protects
- ·encrypted customer data
- ·tenant isolation
- ·regulated file storage
- ·signed audit trails
- ·API security
- ·customer evidence packs
Healthcare & life sciences
Protect patient records, clinical workflows, research data, genomic datasets, regulated file exchange, and long-retention medical archives.
Protects
- ·patient records
- ·clinical systems
- ·research data
- ·regulated exchange
Telecom, cloud & digital infrastructure
Protect network trust, platform control planes, customer data, service credentials, edge workloads, and infrastructure audit evidence.
Protects
- ·control-plane secrets
- ·edge workloads
- ·service credentials
- ·customer data
Per-sector solution pages roll out as deployments mature.
Live platform
Live infrastructure. Public service health.
QNSP Cloud exposes live production service health for its public AWS-hosted control plane. Private, sovereign, VPC, on-premises, and air-gapped deployments are monitored through deployment-specific status and observability endpoints.
Control plane
Authentication, tenancy, billing, entitlement checks, policy enforcement, and access-control services are monitored through the public status surface.
Data plane
KMS, vault, storage, search, audit, and AI orchestration services publish health independently so operational issues are visible by capability.
Dedicated deployments
VPC, sovereign, on-premises, and air-gapped deployments use dedicated status and observability endpoints separate from QNSP Cloud.
Public health endpoints show externally exposed QNSP Cloud service checks. Internal production services and dedicated deployments are monitored through private observability and deployment-specific status endpoints.
AWS and AWS region names are referenced for deployment-location clarity only and do not imply endorsement or affiliation.
QNSP Cloud Public Health Surface
Ready to evaluate quantum-native trust infrastructure?
Start with Free Forever, review public assurance evidence, or speak with an architect about sovereign, VPC, on-premises, and air-gapped deployments.
Free Forever · developer plans from $149/month · enterprise + sovereign deployments custom-priced · see all plans →