The complete platform
Every capability below maps to a generally-available production surface in the QNSP cloud portal, designed for regulated environments including government, defence, financial services, healthcare, and artificial-intelligence sectors.
Post-Quantum Key Management
BYOK · BYOH across 8 HSM vendors (AWS CloudHSM · Azure Dedicated · Thales Luna · Entrust nShield · Utimaco CryptoServer · Marvell LiquidHSM · Fortanix DSM · HashiCorp Vault HSM) · key escrow with Shamir M-of-N recovery · ML-DSA / SLH-DSA / FN-DSA / Falcon signing · key rotation policies · usage analytics.
Explore in portal →
Quantum-Safe Vault
Versioned secret storage with PQC envelope encryption · automatic leakage detection across logs and external sources · dynamic database / cloud / service credentials with auto-rotation.
Explore in portal →
PQC-Native Storage & Search
SSE-X server-side encryption with quantum-safe envelope keys · encrypted vector search for semantic queries over confidential corpora.
Explore in portal →
Tamper-Evident Audit Chain
Merkle-tree audit ledger · ML-DSA-signed checkpoints · real-time WebSocket streaming for SIEM · 90-day to 7-year retention tiers · receipt-replay verification.
Explore in portal →
Identity & Access
JIT (just-in-time) access with ephemeral signed grants · policy what-if analysis against historical events · SAML / OIDC / SCIM federation · cross-tenant analysis · zero-trust enforcement.
Explore in portal →
Confidential Compute
Hardware enclaves (Intel SGX · AMD SEV · AWS Nitro) with cryptographic attestation · isolated AI training and inference · GPU enclave capacity for sovereign workloads.
Explore in portal →
AI Workload Security
Prompt-injection detection · per-model bias monitoring with drift alerts · signed model registry with provenance enforcement · cost optimization · governance policies · automated remediation.
Explore in portal →
Security Operations
Attack-path graph analysis · automated incident response with dry-run playbooks · real-time key-compromise detection · SIEM integration · threat intelligence feeds · breach detection · compliance-mapped remediation.
Explore in portal →
Multi-Cloud Crypto-Posture
Crypto inventory and PQC readiness scoring across 11 cloud-vendor connectors (AWS · Azure · GCP · IBM · Oracle · Alibaba · Akamai · Cloudflare · Fastly · DigitalOcean · HashiCorp Vault) · CycloneDX CBOM export · NIST compliance · automated migration.
Explore in portal →
Compliance & Evidence
Evidence packs mapped to SOC 2, HIPAA, GDPR, PCI DSS, ISO 27001, PDPA, and MAS TRM · attack-path graph analysis · automated key-compromise response · marketplace for compliant connectors and policies.
Explore in portal →
Observability & Operations
SLO dashboards · anomaly detection across metrics · cost intelligence · structured logs with tracing · usage forecasting · per-service health probes via the edge gateway.
Explore in portal →
Developer Platform
First-party SDKs in TypeScript, Python, Go, Rust, and JVM/Android · OpenAPI REST · WebSocket streaming · qnsp CLI · build-pipeline integrations · activation-keyed package distribution · public mirror at github.com/cuilabs/qnsp-public.
Explore in portal →
Deployment Topology
Multi-region active/active with documented failover · VPC peering · isolated-tenancy for regulated workloads · GPU enclave capacity · region residency enforcement for data-sovereignty requirements.
Explore in portal →
176 portal surfaces. 18 production services. 11 cloud-vendor connectors. 90 PQC algorithms (27 KEMs + 63 signatures). 8 HSM vendors. 4 SDK languages. Operated as one trust infrastructure layer. Public SDKs and integration examples are independently verifiable at the public SDK and integration source mirror at github.com/cuilabs/qnsp-public.
Deployment topologies
The homepage architecture diagram renders the Cloud-default flow — the model most self-serve customers start on. Regulated buyers, sovereign-cloud operators, and air-gapped environments compose a different topology from the same underlying platform. Every model below is a real production code path; ask in any sales / security engagement for the one that matches your posture.
Default
Public internet → QNSP edge gateway → multi-tenant cloud services.
Fastest onboarding. Same wire contract as every other topology. Free tier available with no credit card. This is the model rendered in the homepage architecture diagram.
Self-serve developers · SMBs · early-stage enterprise pilots · proof-of-value engagements.
Topology
Private VPC peering between customer VPC and a QNSP VPC in the customer's AWS region.
No public-internet path between customer apps and QNSP services. Traffic stays on the AWS backbone. Edge gateway still terminates PQC TLS, but the ingress lives inside customer-controlled network space.
Regulated FSI · enterprises with private-network discipline · workloads under DLP / network-segmentation policy.
Topology
AWS PrivateLink / Azure Private Endpoint / GCP Private Service Connect terminating QNSP services.
QNSP services reachable only via private DNS inside the customer's chosen cloud. No NAT, no public ingress, no shared edge. Best for single-cloud enterprises that have standardised on PrivateLink-class connectivity.
Single-cloud enterprise (AWS-only, Azure-only, GCP-only) · platform teams enforcing zero-public-ingress.
Topology
QNSP services run inside the customer's datacenter, container platform, or dedicated rack.
Control plane and data plane both live in customer infrastructure. QNSP delivers signed update bundles; telemetry can be locally retained or streamed to the customer's SIEM. No outbound dependency on the QNSP cloud for steady-state operation.
High-classification government · defence · SCIF / IL5-class environments · critical-infrastructure operators.
Topology
Fully disconnected — no inbound or outbound network path to the QNSP cloud at all.
Updates delivered as signed offline bundles (PQC-signed manifests + cryptographic provenance). Telemetry written to local SIEM only. Crypto policy enforcement, audit chain, and evidence packs all operate inside the air-gap.
Sovereign defence · SCIFs · classified workloads · critical national infrastructure · regulators requiring physical-network isolation.
Composable across five orthogonal axes
The deployment model above is the network-topology axis. Four additional axes — tenancy, HSM custody, region / failover, and compute class — are configured independently. Any combination is supported subject to your tier and regulatory posture.
Axis
Network topology
5 declared deployment types — independently reproducible from the public mirror.
Axis
Tenancy
Three isolation knobs toggle independently per tenant.
Axis
HSM custody
8 HSM vendors supported for BYOH; 2 QNSP-managed HSM cluster shapes.
Axis
Region & failover
Region, failover, and residency are independent add-ons.
Axis
Compute class
Enclave capacity is an add-on; bring-your-own GPU-enclave hardware supported.
Every model and axis above is a real production code path. The combinations are governed by tier and add-on entitlements; sales-assisted topologies (VPC, on-premises, air-gapped, sovereign, isolated tenancy, CloudHSM-managed clusters) require a procurement engagement. Talk to sales for the right mix.
Security framework
Quantum Threat Model v2.0
Comprehensive threat modeling aligned with NIST PQC standards and CRQC timeline assumptions.
Cryptographic Attestation
Forensic-grade cryptographic evidence with NIST algorithm lifecycle tracking and compliance assessment.
Cryptographic Policy Engine
Tenant-configurable PQC enforcement with algorithm allowlists and HSM requirements.
Cryptographic Provenance · Pinned Versions
Auditable provenance for every cryptographic primitive — pinned upstream library + language bindings, all versions verifiable against published releases.
Cross-Verification · Dual-Provider Crypto
For maximum and government tiers, every cryptographic operation is independently verified by two distinct PQC implementations.
Provider Attestation in Audit Chain
Every crypto operation logs which provider produced the output — auditors can prove which implementation generated any given signature.
Signed Audit Evidence
Cryptographically signed, hash-chained audit trail for compliance and forensics.
Compliance Frameworks · 48 Controls
Real-time control evaluation against 7 compliance frameworks via live service health probes.
Key Compromise Response
Automated 6-step remediation for suspected or confirmed key compromises.
Downgrade Attack Remediation
Real-time detection and response to cryptographic downgrade attempts.
Fail-Closed Edge Enforcement
Two-layer entitlement enforcement at the edge gateway before any service proxy. Fail-closed for cryptographic services.
PQC-TLS Production Canary
Standalone production service that continuously verifies PQC-TLS termination on production endpoints.
Cryptographic Hot-Reload + Drift Control
Live tenant policy updates without service restart. Continuous validation that environment stays migrated.
Migration journey
QNSP is designed to become the active trust platform your workloads consume, not a passive reporting overlay. The operating path is Connect → Discover → Analyze → Govern → Migrate → Validate → Operate.
1. Connect
Attach cloud/API connectors for managed providers and install QNSP agents for private, self-hosted, or on-prem sources.
2. Discover
Run discovery to normalize keys, secrets, certificates, protocols, providers, and cryptographic dependencies across internal and external estates.
3. Analyze
Measure quantum exposure, policy violations, deprecated algorithms, and the actual cutover blockers preventing migration to QNSP.
4. Govern
Define crypto policy, lifecycle rules, enforce-vs-audit behavior, transition exceptions, and the tenant target state before cutover.
5. Migrate
Move keys, secrets, certificates, and workload trust paths into QNSP so applications call QNSP KMS, Vault, storage, search, and governed services directly.
6. Validate + Operate
Prove cutover with readiness evidence, CBOM, QBOM, SBOM, and continuous monitoring so the environment stays migrated instead of drifting back.
Comparing vendors?
The master feature matrix (33 features × 4 vendor categories), the three-bucket competitor landscape, and five per-vendor deep-dive pages (Fortanix, SandboxAQ, AWS KMS, Azure Key Vault, HashiCorp Vault) have moved to a dedicated hub so a buyer in evaluation mode has one destination.
Statement of Direction
Capabilities under active development for clients with multi-year cryptographic procurement and architectural requirements. Not generally available. Published forward direction enables long-horizon procurement, architecture, and assurance teams to plan against QNSP's strategic platform programme.
Quantum key distribution (QKD)
Partner integrationHardware-channel integration paths for BB84 and E91 protocols. Partner engagement with QKD hardware vendors (Toshiba, IDQ, MagiQ) for physical-layer key exchange across metropolitan and inter-data-centre links.
Fully homomorphic encryption (FHE)
Active developmentComputation over encrypted data — analytics, machine-learning inference, and aggregation performed against ciphertexts that never leave their encrypted form. Schemes under evaluation: BFV, BGV, and CKKS via OpenFHE.
PQC-protected federated learning
Active developmentDistributed model training with post-quantum-encrypted gradients across organisational boundaries. Designed for financial-sector consortia and healthcare federations where central pooling of sensitive data is constrained by regulation.
Data residency & trust controls (DRTC)
Architecture phaseSovereign residency enforcement at the platform layer — geographic, legal-jurisdiction, and operator-class controls embedded into every cryptographic operation, with auditable evidence end-to-end.
For clients with these capabilities on a procurement timeline, QNSP supports co-development engagements and early-access partnerships. Contact your account team or open a Free Forever account to begin the conversation.
Where to go next
18 production services. Hardware enclaves. Unified cryptographic policy. NIST PQC finalized standards.
The Quantum Threat
Q-Day 2029 (Cloudflare/Google) · NIST 2030–2035. HNDL attacks active today. NIST PQC finalized 2024. Migration window closing.
Understand the threat →
Developer Platform
First-party SDKs in TypeScript, Python, Go, Rust, and JVM/Android + OpenAPI REST, WebSocket, CLI. Free on every plan.
Start building →
Solutions & Use Cases
Sovereign AI labs, regulated finance, defence, healthcare, government. 6 developer stories.
View use cases →
Transparent Pricing
Start free with 10 GB + 50K API calls/month. 14 plans from $149/month to Enterprise Elite.
See pricing →
Enterprise Onboarding
Cloud, VPC, air-gapped, sovereign. Enterprise onboarding in 48 hours. No sales call for free tier.
Get in touch →
Frequently asked questions
The platform questions buyers and AI assistants ask most about algorithms, FIPS posture, deployment, and the quantum threat.
QNSP supports 90 PQC algorithms across 14 families — 27 KEMs (ML-KEM, HQC, BIKE, Classic McEliece, FrodoKEM, NTRU, NTRU-Prime) and 63 signatures (ML-DSA, SLH-DSA, FN-DSA, MAYO, CROSS, UOV, SNOVA). Two providers run every operation: liboqs (native C, primary) and noble (pure JS, cross-verification secondary).
QNSP implements the NIST-finalised standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) — and both providers pass the official NIST ACVP test vectors (noble 435/435, liboqs 240/240 on ML-KEM), published with a SHA-3-256 tamper digest at /verify/conformance. CAVP module validation is in progress.
Harvest-now, decrypt-later is an attack where an adversary captures encrypted traffic today and stores it until a cryptographically relevant quantum computer can break it. Long-life data — financial, medical, classified, legal — is exposed the moment it crosses a wire. Applying PQC now keeps captured ciphertext protected past quantum arrival.
QNSP runs as QNSP Cloud, in your own VPC (AWS, Azure, or GCP), on-premises, or fully air-gapped, with sovereign data-residency options. Hardware enclaves include Intel SGX and TDX, AMD SEV-SNP, AWS Nitro, NVIDIA Confidential Computing, ARM TrustZone and CCA, and IBM Secure Execution for confidential AI workloads.
Four crypto-policy tiers — default, strict, maximum, and government — define which algorithms and parameter sets each tenant may use. Enforcement runs in-line at the edge gateway, KMS, and vault, so a downgrade attempt is denied at operation time rather than detected afterward. Government tier locks to FIPS-finalised algorithms with HSM-protected roots.
Free tier available. Enterprise deployments provisioned within 48 hours. No credit card required.
