Platform architecture
18 Production Services. Hardware Enclaves. Unified Policy.
End-to-end quantum-native security: PQC-TLS termination, HSM-integrated KMS, encrypted storage (SSE-X), secrets vault, signed audit trails, and AI orchestration — deployed as a single coherent platform.
18 Production Services
Edge Gateway, Auth Service, Vault Service, Storage Service, Search Service, Tenant Service, Billing Service, KMS Service, Audit Service, Access Control Service, Security Monitoring Service, Observability Service, AI Orchestrator, AI Intelligence Service, Crypto Inventory Service, Platform API, Terraform Provisioner, PQC-TLS Canary — all deployed as optimized containers (~85 MB average) to AWS ECR.
Hardware Enclaves
Intel SGX (MEE), AMD SEV (Memory Guard + SEV-SNP), NVIDIA CC (GPU memory encryption), Intel TDX (TME - supports Google Cloud Confidential VMs/GKE), ARM TrustZone, ARM CCA/RME (supports Google Cloud Confidential GKE), AWS Nitro Enclaves, IBM Secure Execution with cryptographic attestation.
Scheduler Backends
Kubernetes (Jobs API), AWS Batch (job queues), GPU Fleet, TPU Fleet (with attestation).
HSM Integration
Thales Luna, Entrust nShield, AWS CloudHSM, Azure HSM (PKCS#11 integration; certification level depends on the selected HSM and customer deployment).
Developer Platform
Official TypeScript SDK/client packages, REST APIs (OpenAPI), WebSocket API, CLI tools, and CI/CD usage guides (GitHub Actions, GitLab CI, Jenkins, CircleCI).
Observability & Compliance
OTLP streaming, Merkle tree checkpoints, automated remediation, 8 integration providers (Slack, GitHub, AWS, Azure, GCP, Datadog, Splunk, Okta) via edge gateway, real-time collaboration.
XIIS Assurance
XIIS-backed control-plane verification for trust summary, evidence packs, attestation verification, environment verification, and release-bundle enforcement across the live QNSP cloud path.
Security framework
Threat modelling, policy enforcement, signed audit trails, incident response
Quantum Threat Model v2.0
Comprehensive threat modeling aligned with NIST PQC standards and cryptographically relevant quantum computer (CRQC) timeline assumptions.
- 6 attacker classes: Opportunistic → Nation-State with CRQC
- HNDL (Harvest Now, Decrypt Later) timeline modeling
- 22 security controls mapped to specific threats
- Data classification: ephemeral → long-lived secrets
- Legacy migration milestones: staged classical deprecation (PQC-Native is the default)
Cryptographic Attestation
Forensic-grade cryptographic evidence with NIST algorithm lifecycle tracking and compliance assessment.
- NIST algorithm registry with lifecycle status (Final/Draft/Deprecated)
- CBOM (Cryptographic Bill of Materials) export with SHA3-256 hash
- Automated CNSA 2.0 and FIPS 140-3 compliance checks
- Policy enforcement: audit mode or hard-block mode
- Migration planning for deprecated algorithms (platform-wide)
- Machine-verifiable compliance snapshots with PQC signatures
Cryptographic Policy Engine
Tenant-configurable PQC enforcement with algorithm allowlists and HSM requirements.
- KEM: ML-KEM-512/768/1024 (FIPS 203), HQC, BIKE, Classic McEliece, FrodoKEM, NTRU
- Signatures: ML-DSA-44/65/87 (FIPS 204), SLH-DSA (FIPS 205), FN-DSA (FIPS 206 draft), MAYO, CROSS, UOV, SNOVA
- Symmetric: AES-256-GCM, ChaCha20-Poly1305
- 90 PQC algorithms across 14 families, 4 policy tiers: Default → Government/Defense
- HSM-backed root key protection (FIPS 140-3 certification level depends on the HSM selected and the customer deployment)
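The two sections above describe a CBOM export with a SHA3-256 digest, lifecycle tracking against a NIST algorithm registry, and tiered policy evaluation in audit or hard-block mode. The following is an added example, not QNSP code, showing how those pieces fit together: the registry, the two tiers, the simplified CycloneDX-style CBOM and every function name are constructed for this illustration, and the "Deprecated" status on the classical entries reflects a PQC-native default policy rather than a published NIST decision.

```python
"""Added example: canonical SHA3-256 hash of a CBOM and a tiered PQC policy check.
Registry entries, tiers and the CBOM are constructed for this example."""
import hashlib
import json

# Constructed registry. Status follows the page's Final/Draft/Deprecated lifecycle:
# FIPS 203/204/205 are published (Final), FIPS 206 is the draft FN-DSA standard, and
# the classical entries are marked Deprecated to reflect a PQC-native default policy
# (assumption; NIST's own classical transition dates are in draft IR 8547).
REGISTRY = {
    "ML-KEM-768":        {"standard": "FIPS 203", "status": "Final"},
    "ML-KEM-1024":       {"standard": "FIPS 203", "status": "Final"},
    "ML-DSA-65":         {"standard": "FIPS 204", "status": "Final"},
    "ML-DSA-87":         {"standard": "FIPS 204", "status": "Final"},
    "SLH-DSA-SHA2-128s": {"standard": "FIPS 205", "status": "Final"},
    "FN-DSA-512":        {"standard": "FIPS 206", "status": "Draft"},
    "ECDSA-P256":        {"standard": "FIPS 186-5", "status": "Deprecated"},
    "RSA-2048":          {"standard": "FIPS 186-5", "status": "Deprecated"},
    "AES-256-GCM":       {"standard": "FIPS 197 / SP 800-38D", "status": "Final"},
    "ChaCha20-Poly1305": {"standard": "RFC 8439", "status": "Final"},
}

# Two of the page's four tiers (assumed shape). The government tier uses the CNSA 2.0
# selections (ML-KEM-1024, ML-DSA-87, AES-256, SHA-384/SHA-512); the default tier
# accepts any registry entry whose standard is Final.
TIERS = {
    "default":    {"allowlist": None},
    "government": {"allowlist": {"ML-KEM-1024", "ML-DSA-87", "AES-256-GCM", "SHA-384", "SHA-512"}},
}

# Constructed, simplified CycloneDX-style CBOM (cryptographic-asset components only).
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": n, "cryptoProperties": {"assetType": "algorithm"}}
        for n in ["ML-KEM-768", "ML-DSA-65", "FN-DSA-512", "ECDSA-P256", "AES-256-GCM"]
    ],
}


class PolicyViolation(Exception):
    """Raised in hard-block mode when a high/critical finding is present."""


def cbom_hash(cbom: dict) -> str:
    """SHA3-256 over canonical JSON (sorted keys, no whitespace) so that
    re-serialising or pretty-printing the export does not change the digest."""
    canon = json.dumps(cbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(canon).hexdigest()


def evaluate(cbom: dict, tier: str, mode: str = "audit") -> list[dict]:
    """Return findings for every component; in hard-block mode raise on high/critical."""
    allowlist = TIERS[tier]["allowlist"]
    findings = []
    for comp in cbom["components"]:
        name = comp["name"]
        entry = REGISTRY.get(name)
        if entry is None:
            findings.append({"alg": name, "severity": "critical", "reason": "not in algorithm registry"})
            continue
        if entry["status"] == "Deprecated":
            findings.append({"alg": name, "severity": "high",
                             "reason": f"deprecated ({entry['standard']}); add to migration plan"})
        elif entry["status"] != "Final":
            findings.append({"alg": name, "severity": "medium",
                             "reason": f"{entry['standard']} is {entry['status']}, not Final"})
        if allowlist is not None and name not in allowlist:
            findings.append({"alg": name, "severity": "high", "reason": f"not on {tier} allowlist"})
    if mode == "hard-block" and any(f["severity"] in ("high", "critical") for f in findings):
        raise PolicyViolation(findings)
    return findings


def snapshot(cbom: dict, tier: str) -> dict:
    """Machine-readable compliance snapshot: the CBOM digest binds the findings to
    exactly the inventory that was evaluated. Signing the snapshot (ML-DSA on the
    platform) is outside this example."""
    return {"cbom_sha3_256": cbom_hash(cbom), "tier": tier, "findings": evaluate(cbom, tier)}
```

The digest is taken over a canonical encoding on purpose: a CBOM hash computed over whatever bytes the exporter happened to emit will not match when the same inventory is re-exported with different whitespace or key order, and a snapshot that cannot be re-derived is not machine-verifiable. Audit mode returns the same findings that hard-block mode would raise on, so a tenant can run audit first and see what a switch to hard-block would reject.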
Signed Audit Evidence
Cryptographically signed, hash-chained audit trail for compliance and forensics.
- 59 crypto-critical event types across 12 services
- PQC-signed events with ML-DSA-65 (formerly CRYSTALS-Dilithium3) signatures
- SHA3-256 event hash chains with SHA3-512 Merkle checkpoints
- Severity inference: info → critical
- SIEM/monitoring export (Splunk, Datadog) + 6 additional integrations (Slack, GitHub, AWS, Azure, GCP, Okta) via deployment-specific forwarding
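The hash-chain and Merkle-checkpoint structure above is what makes the trail tamper-evident, and it is worth seeing exactly which edits each layer catches. The following is an added example, not QNSP's audit service: the event format, the chain anchor and the RFC 6962-style domain-separated tree are my assumptions, and the ML-DSA-65 signature the platform places over a checkpoint is not shown because the Python standard library has no ML-DSA implementation.

```python
"""Added example: SHA3-256 hash-chained audit events sealed by SHA3-512 Merkle checkpoints,
with a verifier that shows which tampering each layer detects."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first event (assumption)


def canon(event: dict) -> bytes:
    """Canonical JSON so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor; editing one event breaks every later link.
    return hashlib.sha3_256(bytes.fromhex(prev_hash) + canon(event)).hexdigest()


def merkle_root(leaf_hashes: list[str]) -> str:
    """SHA3-512 Merkle root with RFC 6962-style 0x00 (leaf) / 0x01 (node) prefixes
    (assumption: the page does not state the tree construction)."""
    if not leaf_hashes:
        return hashlib.sha3_512(b"").hexdigest()
    level = [hashlib.sha3_512(b"\x00" + bytes.fromhex(h)).digest() for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the odd leaf
        level = [hashlib.sha3_512(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


class AuditChain:
    def __init__(self):
        self.entries = []      # {"seq", "prev", "hash", "event"}
        self.checkpoints = []  # {"start", "end", "root"}

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, event)
        self.entries.append({"seq": len(self.entries), "prev": prev, "hash": h, "event": event})
        return h

    def checkpoint(self) -> dict:
        """Seal everything since the last checkpoint under one Merkle root. On the
        platform this root is what would be ML-DSA-65 signed and exported."""
        start = self.checkpoints[-1]["end"] if self.checkpoints else 0
        root = merkle_root([e["hash"] for e in self.entries[start:]])
        cp = {"start": start, "end": len(self.entries), "root": root}
        self.checkpoints.append(cp)
        return cp


def verify_chain(entries: list[dict]) -> int:
    """Return the seq of the first entry whose hash or back-link is wrong, or -1 if intact."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev or entry_hash(prev, e["event"]) != e["hash"]:
            return e["seq"]
        prev = e["hash"]
    return -1


def verify_checkpoint(entries: list[dict], cp: dict) -> bool:
    return merkle_root([e["hash"] for e in entries[cp["start"]:cp["end"]]]) == cp["root"]


def demo():
    """Three tampering attempts against a constructed three-event chain."""
    chain = AuditChain()
    for ev in [  # constructed events
        {"type": "kms.key.rotate", "key": "k-1", "actor": "svc-kms"},
        {"type": "vault.secret.read", "path": "db/prod", "actor": "u-42"},
        {"type": "auth.login", "actor": "u-42", "ip": "198.51.100.7"},
    ]:
        chain.append(ev)
    cp = chain.checkpoint()

    # Case 1: attacker edits an event body in place -> caught at that entry.
    t1 = copy.deepcopy(chain.entries)
    t1[1]["event"]["actor"] = "u-99"
    # Case 2: attacker also recomputes that entry's hash -> the next entry's back-link breaks.
    t2 = copy.deepcopy(t1)
    t2[1]["hash"] = entry_hash(t2[1]["prev"], t2[1]["event"])
    # Case 3: attacker rewrites the whole suffix -> chain verifies, checkpoint root does not.
    t3 = copy.deepcopy(t2)
    t3[2]["prev"] = t3[1]["hash"]
    t3[2]["hash"] = entry_hash(t3[2]["prev"], t3[2]["event"])
    return verify_chain(t1), verify_chain(t2), verify_chain(t3), verify_checkpoint(t3, cp)
```

Case 3 is the one that matters operationally: anyone with write access to the log store can rewrite a suffix of the chain consistently, so the chain alone only protects against careless edits. The checkpoint root has to leave the writer's control (signed, exported to the SIEM, or anchored elsewhere) before it provides evidence against an insider.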
Key Compromise Response
Automated incident response for suspected or confirmed key compromises.
- 6-step remediation: record → rotate/revoke → rewrap → revoke capabilities → audit → notify
- KMS, Vault, Storage service integration
- Automatic capability token revocation
- 5s per-call timeout with retry for remediation actions
- Correlation tracking across services
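The six steps, the per-call timeout with retry and the cross-service correlation id above form one procedure, so the following added example runs it end to end. It is not QNSP's handler: the in-memory KMS, Vault, Audit and Notifier stand-ins and every function name are constructed for this illustration, and the ordering decisions (record before anything else, keep going after a failed step) are the ones I would expect from such a runbook rather than documented platform behaviour.

```python
"""Added example: the six-step key-compromise runbook (record, rotate, rewrap,
revoke capabilities, audit, notify) with a per-call timeout, retry and a correlation
id on every action. The services are constructed in-memory stand-ins."""
import time
import uuid
from concurrent.futures import ThreadPoolExecutor, TimeoutError as CallTimeout


def call_with_timeout(fn, *args, timeout=5.0, retries=2):
    """Run fn(*args) in a worker thread, abandoning each attempt after `timeout`
    seconds and retrying up to `retries` times. Returns (ok, result_or_error, attempts)."""
    pool = ThreadPoolExecutor(max_workers=retries + 1)  # a hung attempt must not block the retry
    try:
        for attempt in range(1, retries + 2):
            fut = pool.submit(fn, *args)
            try:
                return True, fut.result(timeout=timeout), attempt
            except CallTimeout:
                err = f"timeout after {timeout}s"
            except Exception as exc:      # service-side failure, also retried
                err = f"{type(exc).__name__}: {exc}"
        return False, err, attempt
    finally:
        pool.shutdown(wait=False)         # never wait on a worker that is still hung


class FakeKMS:
    def __init__(self):
        self.versions = {"k-1": 1}
        self.rewrap_calls = 0

    def rotate(self, key_id, corr):
        self.versions[key_id] += 1        # new key version; old version stays for unwrap only
        return self.versions[key_id]

    def rewrap(self, key_id, corr):
        self.rewrap_calls += 1
        if self.rewrap_calls == 1:
            time.sleep(0.5)               # first attempt hangs past the (shortened) timeout
        return 17                         # DEKs rewrapped under the new version


class FakeVault:
    def __init__(self):
        self.revoked = []

    def revoke_capabilities(self, key_id, corr):
        self.revoked.append(key_id)
        return 3                          # capability tokens revoked


class FakeAudit:
    def __init__(self):
        self.events = []

    def record(self, event):
        self.events.append(event)


class FakeNotifier:
    def __init__(self):
        self.sent = []

    def notify(self, message):
        self.sent.append(message)


def respond_to_compromise(key_id, kms, vault, audit, notifier, timeout=5.0):
    corr = str(uuid.uuid4())              # one id ties every action across KMS/Vault/Audit together
    # Step 1: record first, so evidence exists even if everything after it fails.
    audit.record({"corr": corr, "step": "record", "key": key_id, "status": "suspected_compromise"})
    steps = [("rotate", kms.rotate),                            # step 2
             ("rewrap", kms.rewrap),                            # step 3
             ("revoke_capabilities", vault.revoke_capabilities)]  # step 4
    outcome = {"corr": corr, "key": key_id, "steps": {}}
    for name, fn in steps:
        ok, result, attempts = call_with_timeout(fn, key_id, corr, timeout=timeout)
        outcome["steps"][name] = {"ok": ok, "result": result, "attempts": attempts}
        # Step 5: audit each outcome, failures included; do not stop on failure,
        # because a failed rewrap must not leave capabilities for the old key live.
        audit.record({"corr": corr, "step": name, "ok": ok, "attempts": attempts, "result": result})
    outcome["complete"] = all(s["ok"] for s in outcome["steps"].values())
    notifier.notify({"corr": corr, "key": key_id, "complete": outcome["complete"]})  # step 6
    return outcome


def demo(timeout=0.1):
    """Run the runbook against the stand-ins; the shortened timeout makes the first
    rewrap attempt time out so the retry path is exercised."""
    kms, vault, audit, notifier = FakeKMS(), FakeVault(), FakeAudit(), FakeNotifier()
    outcome = respond_to_compromise("k-1", kms, vault, audit, notifier, timeout=timeout)
    return outcome, kms, vault, audit, notifier
```

Two details are easy to get wrong in a real handler. A thread-based timeout abandons the call but cannot cancel it, so every remediation action must be idempotent (a rewrap that completes late after a retry already succeeded has to be harmless). And the audit record for each step is written whether or not the step succeeded, so the correlation id yields a complete timeline during the post-incident review even when the run was only partially successful.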
Downgrade Attack Remediation
Real-time detection and response to cryptographic downgrade attempts.
- Protocol tracking: PQC-TLS → TLS 1.3 → TLS 1.2
- Algorithm monitoring: ML-DSA → ECDSA downgrades
- Automatic IP/user blocking on critical severity
- Token revocation and resource quarantine
- Escalation to key compromise handler
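Downgrade detection is only meaningful relative to what a client has already proven it can negotiate, so the detector has to keep per-client state. The following added example, not QNSP's monitoring service, runs that logic over a few constructed edge-gateway handshake lines; the log format, the rank ladders, the severity rules and the action names are all assumptions made for the illustration, and "PQC-TLS" is taken to mean a TLS 1.3 handshake that negotiated a hybrid ML-KEM group.

```python
"""Added example: per-client detection of protocol and signature downgrades from
constructed handshake log lines, with the response actions a critical event triggers."""
import re

# Rungs of the two ladders the page tracks (assumed labels). A session below the
# client's best-seen rung is a downgrade; unknown values are treated as the lowest rung.
PROTO_RANK = {"PQC-TLS": 3, "TLS1.3": 2, "TLS1.2": 1}
SIG_RANK = {"ML-DSA-65": 2, "ECDSA-P256": 1}

# Constructed log lines (format assumed): one completed handshake per line.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z src=198.51.100.7 user=u-42 proto=PQC-TLS sig=ML-DSA-65
2025-03-01T10:00:05Z src=198.51.100.7 user=u-42 proto=TLS1.3 sig=ML-DSA-65
2025-03-01T10:00:09Z src=198.51.100.7 user=u-42 proto=TLS1.2 sig=ECDSA-P256
2025-03-01T10:00:12Z src=203.0.113.9 user=u-7 proto=TLS1.3 sig=ECDSA-P256
2025-03-01T10:00:15Z src=203.0.113.9 user=u-7 proto=PQC-TLS sig=ML-DSA-65
"""
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                  r"proto=(?P<proto>\S+) sig=(?P<sig>\S+)$")


def severity(best_proto, proto, best_sig, sig):
    """Severity rules (assumption): losing the PQC KEM but staying on TLS 1.3 is high;
    falling to TLS 1.2 or below, or losing the PQC signature, is critical."""
    if proto < best_proto and proto <= PROTO_RANK["TLS1.2"]:
        return "critical"
    if sig < best_sig:
        return "critical"
    if proto < best_proto:
        return "high"
    return None


def analyze(log: str):
    """Return (alerts, actions) for the given log text."""
    best = {}            # src -> (best proto rank, best sig rank) seen so far
    alerts, actions = [], []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue     # skip unparseable lines rather than crash the detector
        f = m.groupdict()
        proto = PROTO_RANK.get(f["proto"], 0)
        sig = SIG_RANK.get(f["sig"], 0)
        if f["src"] not in best:
            best[f["src"]] = (proto, sig)   # first sighting only establishes the baseline
            continue
        bp, bs = best[f["src"]]
        sev = severity(bp, proto, bs, sig)
        if sev:
            alerts.append({"ts": f["ts"], "src": f["src"], "user": f["user"], "severity": sev,
                           "from": (bp, bs), "to": (proto, sig)})
            if sev == "critical":
                actions += [("block_ip", f["src"]), ("block_user", f["user"]),
                            ("revoke_tokens", f["user"]), ("quarantine_resources", f["user"]),
                            ("escalate_key_compromise", f["user"])]
        # keep the best rungs: a retry at the lower level must keep alerting
        best[f["src"]] = (max(bp, proto), max(bs, sig))
    return alerts, actions
```

Two consequences of the design are worth noting. A client that has only ever negotiated TLS 1.2 never trips this detector, because it has no higher baseline; that is a policy-engine violation, not a downgrade, and belongs in the allowlist check. And a middlebox that strips the hybrid group from ClientHello shows up as a PQC-TLS to TLS 1.3 event for many clients at the same moment, so the per-client "high" alerts should be aggregated by network path before anyone starts blocking users.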
Capability comparison
How QNSP compares — feature by feature
QNSP vs cloud providers, security tools, and PQC tooling vendors across every capability dimension.
Competitive landscape
Where incumbents fall short — and where QNSP fills the gap
Cloud Providers
Cloud providers are rolling out PQC primarily through primitives (KMS, certificates, TLS endpoints) and managed services. This lowers the barrier to adoption, but customers still assemble end-to-end enforcement across ingress, policy, audit evidence, storage/search workflows, and incident automation.
Vendors
- PQC primitives in KMS / secrets / certificate services and selected TLS endpoints
- Broad managed service catalogs (storage, search, AI) with varying security/enforcement cohesion
- Identity + policy products exist, but cross-service, evidence-grade enforcement is usually an integration project
Strengths
- Global footprint, managed services, and operational maturity
- PQC exposure through standard interfaces (TLS, KMS) accelerates early adoption
- Compliance programs and enterprise procurement pathways
Gaps vs. QNSP
- Often focused on primitives rather than end-to-end tenant policy + audit evidence
- Customers still stitch together ingress enforcement, signed ingestion, retention, and incident automation
- Consistency across services varies; strong outcomes often require additional control-plane buildout
Security Tools
Security tools deliver best-in-class point capabilities (vaults, PAM, edge access, SIEM/SOAR). They can be critical building blocks, but the end-to-end outcome (tenant policy, capability enforcement, signed audit evidence, and secure data workflows) is usually assembled across multiple vendors and systems.
Vendors
- Vaults / PAM for secrets and credential rotation
- Edge access + WAF/Zero Trust posture controls
- SIEM/SOAR for monitoring and response automation
Strengths
- Mature deployments for identity/edge/PAM use cases
- Good fit for incremental adoption (swap one control at a time)
- Broad ecosystem integrations
Gaps vs. QNSP
- Often focused on one layer rather than cross-service, tenant-scoped enforcement
- Doesn't typically unify storage/search/AI workflows under a single policy + capability model
- Audit evidence exists, but it's rarely delivered as a single, tamper-evident platform trail
PQC Tooling
PQC tooling vendors focus on crypto-agility and migration readiness (PKI lifecycle, discovery, HSM options, and PQC primitives). They can accelerate planning and rotation, but typically don't deliver the full platform surface: secure ingress + signed ingestion, per-tenant policy enforcement, evidence-grade audit, and secure data workflows.
Vendors
- Crypto posture / inventory + certificate lifecycle automation
- Hardware-backed key protection options and PQC primitives
- Rotation orchestration for PKI and machine identity surfaces
Strengths
- Deep cryptographic specialization and migration readiness tooling
- Helpful for inventory, policy design, and lifecycle automation at scale
Gaps vs. QNSP
- Usually not a full stack for tenants, audit trails, storage/search workflows, or billing/metering
- Integration and operational ownership remain with the customer or a systems integrator
Ready to deploy quantum-native security?
Free tier available. Enterprise deployments provisioned within 48 hours. No credit card required.