Crypto Discovery and PQC Readiness · Now in private beta

Complete visibility into your organization's cryptography.

Obsidian discovers cryptographic assets across your repositories, scores migration risk for the post-quantum transition, and hands discoveries to developers and AI agents.

  • 5+ languages analyzed
  • 40+ detection rules
  • DORA crypto controls
  • NIST PQC: FIPS 203 · 204 · 205
Obsidian Crypto Estate dashboard
The product

Four jobs. One instrument.

From the first scan to the last migration ticket, Obsidian operates across the lifecycle of a cryptographic asset.

01 — DISCOVER

Find every cipher in your code.

Native AST analysis for Go, Python, JS/TS, Rust, and Solidity, purpose-built for cryptography. Detects algorithm usage, key sizes, library calls, KMS/HSM and custody references, and more with file/line evidence for every finding.

CLI & runner nodes · Scheduled repo scans · Optional Semgrep modules
02 — PRIORITIZE

Score what to migrate first.

Readiness bands per repo, driver/blocker analysis, and recommended next steps so engineering leadership can sequence the migration with evidence.

Crypto posture 0–100 · Exposure heatmap · Repo posture summary
03 — PROVE

Generate audit-ready proof.

PQC posture reports, CycloneDX CBOM exports, control violation views, and audit snapshots mapped to the frameworks your auditors actually ask about.

CBOM (CycloneDX 1.7) · DORA · FIPS 203 · 204 · 205 · Audit event log
04 — MIGRATE

Hand it to developers — or agents.

One-click GitHub issue handoff with full evidence. Plus an MCP server for Claude, Cursor, and any coding agent so AI can act on discoveries with the context it needs.

GitHub issue handoff · MCP server · Per-finding context API
How it works

Scan. Inventory. Migrate.

A scanner runs in your environment. Discoveries normalize to one model. Everything else (reports, tickets, and agent context) derives from that single inventory.

01 / SCAN

Run anywhere, register a node.

CLI for local repos. Long-running scanner nodes with bound credentials for automation. Job-scoped clone tokens so scanners never see more than they need.

  # local one-shot
  $ obsidian scan ./payments-service

  # long-running node
  $ obsidian node register \
      --api obsidian.acme.internal \
      --token $OBSIDIAN_TOKEN
02 / NORMALIZE

One model for every detector.

Whatever found it (Semgrep, a custom rule, or a PQC signal), the result normalizes to the same discovery record: algorithm, library, API, key size, file/line evidence, rule ID, severity, confidence, recommendation. New detectors plug in; the model stays stable.

  {
    "rule_id": "crypto.weak.rsa-1024",
    "algorithm": "RSA-1024",
    "library": "crypto/rsa",
    "key_size": 1024,
    "file": "legacy/sign.py",
    "line": 91,
    "severity": "critical",
    "confidence": 0.97
  }
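As an added illustration (example code, not Obsidian's own detector), this is the kind of AST-based check the DISCOVER step describes for Python, emitting records in the normalized discovery shape above. The `cryptography` library call pattern, the 2048-bit threshold, the rule IDs and the recommendation text are assumptions made for the example; the scanned source is constructed inline.

```python
import ast

# Constructed sample input (not a real repository file): one legacy 1024-bit
# RSA key and one 3072-bit key generated with the `cryptography` library.
SAMPLE_SOURCE = '''
from cryptography.hazmat.primitives.asymmetric import rsa

def make_legacy_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=1024)

def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=3072)
'''

MIN_RSA_BITS = 2048  # assumed policy threshold; anything shorter is flagged


def _callee(node):
    """Dotted name of the called function, e.g. 'rsa.generate_private_key'."""
    func = node.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return func.id if isinstance(func, ast.Name) else ""


def discover_rsa(source, filename):
    """Walk the AST and emit one normalized discovery per RSA keygen call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _callee(node) == "rsa.generate_private_key"):
            continue
        # Only a literal key_size is high-confidence evidence; a variable would
        # need data-flow analysis, so that case is reported with lower confidence.
        key_size = next((kw.value.value for kw in node.keywords
                         if kw.arg == "key_size" and isinstance(kw.value, ast.Constant)), None)
        weak = key_size is not None and key_size < MIN_RSA_BITS
        findings.append({
            "rule_id": f"crypto.weak.rsa-{key_size}" if weak else "crypto.inventory.rsa",
            "algorithm": f"RSA-{key_size}" if key_size else "RSA",
            "library": "cryptography/rsa",
            "key_size": key_size,
            "file": filename,
            "line": node.lineno,  # file/line evidence for the finding
            "severity": "critical" if weak else "info",
            "confidence": 0.97 if key_size is not None else 0.60,
            "recommendation": ("Replace with RSA >= 2048 bits or migrate signing to ML-DSA (FIPS 204)"
                               if weak else "Inventory for PQC migration planning"),
        })
    return sorted(findings, key=lambda f: f["line"])
```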
03 / HANDOFF

Tickets, reports, or agent calls.

Open a GitHub issue with full evidence. Export a CBOM for procurement. Or let an AI agent fetch context through the MCP server and propose a patch.

  → GitHub issue #2341 created on acme/payments-service
      attached: 4 discoveries · 1 CBOM
      assigned: @platform-team

  → MCP call: get_repo_posture
      agent: claude-opus-4-8
      scope: payments-service
      returned: posture + 12 discoveries
AI · MCP

Built for the coding agent you'll deploy next quarter.

Obsidian exposes its knowledge (repo posture, discoveries, migration candidates, developer context, and compliance status) through a read-only AI assistant and an MCP server.

  • Assistant: Use the built-in AI assistant to get more information on findings.
  • MCP: Remote MCP over Streamable HTTP, bearer-authenticated and org-scoped, ready for your agent of choice.
  • Sourced: The AI never does the discovery. Scanning is deterministic static analysis. The assistant only reads and cites the scan, finding, or document each answer came from. No hallucinated CVEs.
Read the MCP reference
obsidian-assistant · session.live · org: acme

User: What's blocking PQC readiness in payments-service?

A: Three drivers, in order of impact:
  1. ECDSA-P256 in auth/jwt.go — 8 occurrences blocking signature migration to ML-DSA.
  2. RSA-2048 handshake in tls/handshake.go — needs hybrid KEM via cloudflare/circl.
  3. DH-2048 key exchange in vpn/tunnel.go — classical KEX exposed to harvest-now-decrypt-later.
  Sources: scan #4118 · 12 discoveries · posture

User: Open a GitHub issue for the ECDSA-P256 finding.

A: ✓ Created acme/payments-service#2341 — "Migrate ECDSA-P256 signing in auth/jwt.go" · 4 discoveries attached · CBOM linked.
Compliance

Audit-ready by default.

CBOM, posture reports, policy framework support, control violations, and audit snapshots. Tracked against the standards your auditors already use.

DORA
EU Digital Operational Resilience Act — ICT crypto & key management
  82/100 · ● compliant · 18 controls · updated 12m ago

FIPS 203 · 204 · 205
NIST PQC standards — ML-KEM, ML-DSA, SLH-DSA
  64/100 · ● in progress · 32 controls · 3 blockers

NIS2
EU NIS2 Directive — cryptography & encryption (Art. 21)
  94/100 · ● compliant · 11 controls · snapshot ready

PCI DSS 4.0
Section 3 — protect stored cardholder data
  76/100 · ● compliant · 9 controls · 1 advisory

CycloneDX 1.7
CBOM — Cryptography Bill of Materials
  EXPORT · ● live · 1,847 assets · JSON · XML · CSV

Custom policy
Bring your own framework. Map controls to rules.
  CONFIGURE → · ● ready · YAML schema · 2-way sync
Integrations

Connects to your sources. Surfaces crypto everywhere it lives.

Connect through GitHub Apps, PATs, or public repos and run scans across your inventory, discovering cryptographic assets wherever they appear, including the KMS, HSM, and custody platforms your code references.

  • GitHub App (SOURCE): App + fine-grained PATs. Public repos without auth. Job-scoped clone tokens for scanner runners.
  • Languages (COVERAGE): Native AST analysis for Go, Python, JS/TS, Rust, and Solidity smart contracts — with a regex fallback for everything else.
  • Semgrep (DETECTOR): Opt-in external adapters wrap host-installed Semgrep, gosec (Go), and Slither (Solidity). Enabled per scan.
  • Cloud KMS (INVENTORY): Detect AWS KMS and Azure Key Vault key references in source — inventoried and mapped to algorithms and operations.
  • Custody platforms (CUSTODY): Detect operational key usage and custody references — Fireblocks, Dfns, BitGo — for exchanges and teams running digital-asset custody.
  • HSM / PKCS#11 (INVENTORY): Detect PKCS#11 and HSM-bound key usage in source — nCipher, Luna, CloudHSM — as part of the inventory.
  • MCP Server (AGENT BUS): stdio for local agents. Streamable HTTP with bearer auth + org scoping for remote.
  • CycloneDX CBOM (EXPORT): CBOM 1.7 JSON / XML / CSV. Crypto-asset modeling per the OWASP CBOM spec.
  • Docker · K8s (DEPLOY): Ship the API control plane and scanner nodes as containers. Production ops docs included.
  • REST API (API): Versioned /api/v1 JSON for summaries, findings, CBOM, and compliance reports.
  • AI assistant (OPTIONAL): Opt-in OpenAI-backed assistant over the read-only knowledge layer. Off by default.
  • TLS & certificates (RUNTIME): Optional runtime/certificates module inspects TLS endpoints and certificate material.
Why it matters

2030 isn't far. Most codebases aren't ready.

NIST has finalized the algorithms. DORA already requires EU firms to manage their cryptographic controls. The remaining work is finding every place your code touches a cipher, and that's the work no team has time for.

  • 43%: Of organizations can't even inventory their cryptographic assets — the top barrier to post-quantum readiness. (Ponemon Institute / Entrust · 2024 PKI & Post-Quantum Trends Study)
  • 74%: Worry about “harvest now, decrypt later” — data captured today, decrypted once quantum arrives. (Ponemon Institute / DigiCert · 2023)
  • 2025: DORA applies across the EU — financial entities must manage cryptographic & key controls. (Regulation (EU) 2022/2554)
  • 2030: EU roadmap: critical-infrastructure sectors — including finance — should move to post-quantum cryptography by end of 2030. (EU PQC Coordinated Implementation Roadmap · NIS Cooperation Group, 2025)
Pricing

Priced per repository, not per finding.

Discoveries should never be a metered cost. You should be free to find more.

Starter
Free
For a single repo. Public or private.
  • 1 repository · unlimited scans
  • CLI scanner, local-only
  • Inventory + crypto posture score
  • CBOM export
  • Community Discord
Get beta access
Enterprise
Custom
Self-hosted. Unlimited repos.
  • Everything in Team
  • Self-hosted control plane
  • HSM-backed secret store
  • SAML SSO + RBAC
  • Custom policy frameworks
  • Dedicated engineer
Talk to us

See your cryptographic posture in under 8 minutes.

We'll spin up an Obsidian instance against one of your repos, walk through the discoveries, and leave you with a CBOM you can hand to your auditor.