QorTrace Labs

Cryptographic engineering for the post-quantum era.

The engineering arm of QorTrace. We migrate production TLS, KMS, code-signing, and on-chain verification from classical ECDHE / RSA / ECDSA to hybrid post-quantum primitives — without downtime, with senior engineers on the call from day one, and signed deliverables on the way out.

  • Median rollout: 11 weeks
  • Senior-led practice: 4 pillars
  • Compliant deliverables: CNSA 2.0
  • Standards covered: FIPS 203/204
  • Public registry: Live verifiable
  • Insights cadence: Biweekly essays

Live trace · TLS 1.3 · classical ECDHE → hybrid X25519+ML-KEM-768
QORTRACE PQC AUDIT SUITE · LABS HEADLINE PRODUCT

The three PQC audits that don't exist anywhere else, bundled.

Hybrid Signature. EIP-7702 / Account Abstraction. MPC Wallet PQC. Three signed audit engagements, each scoped to a cryptographic surface no generalist firm covers. Bundle any two and save 15%. All three — save 25%.

01 · MANIFESTO

The data your customers send today will be the decryption target of 2034.

The QorTrace Labs Engineering Practice

Harvest-now-decrypt-later is not a hypothetical. Adversaries with budget and patience are already collecting TLS sessions, VPN traffic, and on-chain ECDSA signatures with a single assumption: that within a decade, a cryptographically relevant quantum computer will turn that archive into plaintext.

QorTrace Labs exists to make that assumption irrelevant for your stack. We don’t sell a product. We sell ten consecutive weeks of senior cryptographic engineers — embedded with your team, shipping production-grade hybrid TLS, ML-KEM key-encapsulation, and ML-DSA signatures, and walking out with a signed migration certificate the regulator will accept.

02 · SERVICES

What we ship.

Four senior-engineer-led pillars. Fixed-fee scoping, signed deliverables, and a senior on the call from day one — not a partner-slide pitch and a junior on Slack.

01
ASSESSMENT

PQC Cryptographic Inventory

See every crypto primitive your org depends on — before Q-Day does.

Deep, automated inventory of every cryptographic primitive in your code, infrastructure, and dependency graph. We connect to your GitHub / GitLab / Bitbucket via read-only OAuth, scan AST-level for RSA / ECDSA / secp256k1 / weak hashes / hard-coded IVs, then cross-reference your TLS certificates and Cloud KMS configuration. You get a signed PDF risk report and a phased migration plan.

  • Cryptographic inventory (CSV + PDF)
  • CVSS-scored risk register
  • Harvest-now-decrypt-later exposure analysis
  • Phased PQC migration plan (12-36 months)
  • CNSA 2.0 compliance gap matrix
4–8 weeks

02
ENGINEERING

PQC Migration Engineering

Hybrid TLS, ML-KEM, ML-DSA — production-grade, week one.

Hands-on engineering to migrate your TLS endpoints, signature verification, key-management, and code-signing pipelines to post-quantum primitives. We embed senior engineers with your team, ship in production-ready PRs, and stay on through deployment + monitoring.

  • Hybrid TLS rollout (X25519+ML-KEM)
  • Code-signing migration to ML-DSA / SLH-DSA
  • KMS / HSM PQC enablement
  • Runtime telemetry + alerting
  • Senior engineer pair-programming sessions
8–24 weeks

03
AUDIT

Smart-Contract PQC Audit

ECDSA-locked smart contracts have a Q-Day half-life. Find yours.

Specialised audit for EVM, Solana, and Move-based smart contracts that depend on classical signatures. Identifies harvest-exposed addresses, recommends migration paths (account abstraction, ZK-of-knowledge proofs, hybrid signature verification on-chain), and ships a signed audit certificate that's verifiable on the QorTrace public registry.

  • Address-level harvest exposure score
  • Migration path (AA + hybrid sigverify)
  • Cryptographic remediation checklist
  • Public Audit Certificate (SVG + PDF)
3–6 weeks

04
AUDIT

EIP-7702 / AA PQC Audit

The first PQC audit for the modern Account-Abstraction stack — UserOps, validators, session keys, paymasters, recovery.

Specialised audit for ERC-4337 / ERC-7579 / EIP-7702 Account Abstraction wallets and the modular validator stack that ships on top. We score every cryptographic surface in the AA pipeline — UserOp signatures, validator-module slots, session keys, paymaster sponsorship signatures, EIP-7702 delegations + their revocation paths, and social-recovery guardian schemes — for post-quantum readiness. Deliverable: a signed AA Posture Certificate verifiable on the public QorTrace registry.

  • UserOp / validator scheme review against ML-DSA migration
  • Session-key cryptography audit (HNDL exposure)
  • EIP-7702 delegation + revoke-downgrade threat model
  • Paymaster sponsorship-signature audit
  • ERC-7579 PQ validator slot reservation guidance
  • Social-recovery / guardian / WebAuthn PQ-readiness analysis
  • AA Posture Score (0–100) + signed certificate (SVG + PDF)
1–3 weeks

05
AUDIT

Hybrid Signature Transition Audit

The world's first audit for protocols mid-migration to a hybrid PQ+classical signature scheme.

Specialised audit for teams shipping a hybrid signature scheme (classical + PQ) — the migration pattern every serious chain and protocol will adopt before Q-Day. We score your combiner construction, domain separation, downgrade resistance, and witness ordering against NIST SP 800-208, ETSI TS 103 744, and the draft-ietf-pquip-hybrid-signature-spec. Deliverable: a signed Hybrid Posture Certificate verifiable on the public QorTrace registry.

  • Combiner soundness review (concatenation / strong-nest / AND-gate)
  • Domain-separation audit across classical + PQ paths
  • Downgrade-resistance threat model
  • Witness-ordering + signature-malleability analysis
  • NIST SP 800-208 + ETSI TS 103 744 compliance mapping
  • Hybrid Posture Score (0–100) + signed certificate (SVG + PDF)
2–4 weeks

06
AUDIT

MPC Wallet PQC Compatibility Checker

The first PQC audit for the MPC custody stack — Fireblocks, Coinbase Custody, Privy, Lit, Web3Auth, Safeheron, DFNS, Turnkey, Capsule, Cobo.

Specialised audit for MPC / threshold wallets — every major MPC custody stack ships with classical primitives at every layer (ECDSA / EdDSA output signatures, X25519 / ECDH DKG channels, classical KEMs wrapping shares at rest, classical recovery vaults). We score the full MPC pipeline against a maintained vendor matrix, identify the harvest-now-decrypt-later (HNDL) exposure points, and deliver a signed MPC Posture Certificate that procurement, custody-counterparty diligence, and regulators can cite. Covers GG18 / CGGMP21 ECDSA TSS, FROST / DKLs Schnorr / EdDSA TSS, proactive secret sharing refresh ceremonies, and recovery vault constructions.

  • Vendor matrix review — Fireblocks / Coinbase / Privy / Lit / Web3Auth / Safeheron / DFNS / Turnkey / Capsule / Cobo / Zengo / Sepior / Curv / Knox / Ledger Vault
  • DKG ceremony HNDL exposure analysis (X25519 / ECDH share channels)
  • Share-at-rest KEM wrap audit (path to ML-KEM-768 hybrid)
  • Pre-signature / nonce-pool persistence threat model
  • Proactive secret-sharing refresh-ceremony review
  • Recovery vault (Shamir / social-recovery / WebAuthn) PQ-readiness
  • Signing-attestation + audit-trail signature scope
  • MPC Posture Score (0–100) + signed certificate (SVG + PDF)
2–4 weeks

07
ADVISORY

CISO PQC Readiness Workshop

Two days, your exec team, a real PQC strategy.

On-site or remote workshop for security leadership. We walk through your current cryptographic posture, the harvest-now-decrypt-later threat model, regulatory cliff dates (CNSA 2.0, DORA, NIST SP 800-131A), and produce a 12-month executive readiness roadmap with budget bands.

  • Executive readiness roadmap
  • Regulatory cliff-date matrix
  • Q-Day exposure modelling
  • Budget bands by phase
1–2 weeks

03 · METHODOLOGY

How an engagement runs.

Four phases. Predictable. Auditable. Built to satisfy your procurement, your CISO, and your regulator — without slowing your engineers down.

  1. Day 0

    Discover

    30-minute call with a senior engineer. We map your cryptographic surface — TLS, KMS, code-signing, on-chain — and identify your harvest-now exposure.

  2. Days 1–5

    Scope

    Fixed-fee scoping memo within five business days. Phased plan, named senior leads, deliverables, milestones, and a hard end-date — signed both sides.

  3. Weeks 2–N

    Engineer

    Senior engineers embed with your team. Production-grade hybrid TLS, ML-KEM, ML-DSA, KMS migration. PRs into your repos, reviewed by your reviewers.

  4. Final week

    Sign

    Cryptographic Migration Certificate — signed PDF, embeddable SVG, verifiable on the QorTrace public registry. Hand-off doc, runbook, telemetry.

04 · ENGAGEMENTS

Real engagements. Redacted.

We sign tight NDAs. The shape of the work is public; the names aren’t.

engineering
11 weeks

Top-3 EU exchange · TLS-PQC rollout

Hybrid X25519+ML-KEM behind every customer-facing endpoint. Full rollout in 11 weeks.

NDA-redacted · client name on request
assessment
240 repos

Tier-1 US bank · Cryptographic inventory

12-month sweep across 240 repositories and 1,800 TLS endpoints. Migration plan accepted by board.

NDA-redacted · client name on request
audit
$4.1B TVL

DeFi L2 protocol · Harvest-exposure audit

Custom-rule audit of $4.1B TVL bridge contract suite. Found a key-rotation gap; helped them ship a fix.

NDA-redacted · client name on request
05 · WHO YOU’LL WORK WITH

Senior engineers. No layers.

Every engagement is led by an engineer with at least eight years of applied cryptography or production TLS experience — on the call from day one, in your repos by week two, and on the regulator response by month three.

  • NIST FIPS 203 · ML-KEM
  • NIST FIPS 204 · ML-DSA
  • CNSA 2.0
  • X25519 · X448
  • oqs-provider
  • liboqs

Credentials

  • NIST FIPS 203 / 204 / 205 fluent
  • CNSA 2.0 migration playbook
  • Bouncy Castle / OpenSSL 3 / liboqs in production
  • Big-bank, exchange, and L1/L2 chain references

06 · WHO YOU’LL TALK TO

Senior engineers.

A working bench of 19. One will be on your discovery call — matched by stack, sector, and timezone. No partner-slide intermediaries, no handover to a junior on Slack. Names are first-name and last-initial only because client engagements are NDA-protected and we don’t dox our engineers.

James Stephens, CBE, CCFI

Principal Architect of QorTrace

James is the Principal Architect of QorTrace, a post-quantum cybersecurity and cryptographic risk intelligence company focused on securing digital assets, blockchain ecosystems, DeFi protocols, custodians, institutions, and individual investors against emerging quantum-era threats. As a Certified Blockchain Expert and Certified Cryptocurrency Forensic Investigator, James brings deep expertise in blockchain infrastructure, digital asset security, crypto forensics, and post-quantum risk strategy. His work centers on identifying hidden cryptographic exposure, strengthening security readiness, and helping organizations prepare for the next generation of cyber risk — advancing a mission to trace the risk and secure the future.

Architecture · Blockchain forensics · PQC strategy · Custody

James R.

Senior · Principal Cryptographer

Twelve years applied cryptography across central-bank settlement, digital-asset custody, and Layer-1 chain design. Lead author of the QorTrace migration methodology and the public-registry certificate spec.

FIPS 203/204 · EVM · TLS 1.3 · HSM

Raj P.

Senior · Quantum-Safe Networking

Network-layer cryptographer who has shipped hybrid X25519+ML-KEM on production load balancers, service meshes, and edge proxies. Specialises in zero-downtime cutovers and post-quantum interop across mixed-vendor fleets.

TLS 1.3 · ML-KEM hybrids · QUIC · Service mesh

Devon A.

Senior · Compliance & Regulator Liaison

Twenty years across federal cybersecurity policy and financial-services compliance. Translates regulator expectations into engineering acceptance criteria and represents client cryptographic posture in supervisor reviews.

NIST SP 800-208 · CNSA 2.0 · DORA · MAS TRM

Anya K.

Senior · Lattice Cryptography

Lattice researcher turned production engineer. Authored the constant-time review checklist every QorTrace ML-KEM build runs through and has contributed upstream side-channel fixes to liboqs.

ML-KEM · ML-DSA · Side-channel · Constant-time

Marcus L.

Senior · Hybrid TLS Engineering

Shipped hybrid TLS in production at two Tier-1 CDNs and a top-3 global fintech. Co-author of the oqs-provider integration patches we still upstream.

X25519+ML-KEM · OpenSSL 3 · Akamai · Envoy

Priya S.

Senior · HSM & KMS Migration

AWS, GCP, Azure, and on-premise HSM migrations across financial-services and healthcare. Author of the KMS-rotation runbook every QorTrace engagement ships against.

AWS KMS · Thales · Entrust · ML-DSA-65

Luca B.

Senior · Smart-Contract Audit

Solidity auditor with eight years on bridges, AMMs, and L2 rollups. Wrote the harvest-exposure scoring model that powers QorTrace’s smart-contract PQC audit deliverable.

Solidity · ERC-4337 · Bridge · Foundry

Sara M.

Senior · Migration Architecture

Designed the GCP→PQC migration blueprint for a top-five payments processor. Specialises in zero-downtime rollouts and supply-chain attestation across multi-cloud KMS surfaces.

GCP KMS · Sigstore · Cosign · Supply chain

Kenji T.

Senior · Code-Signing Pipelines

Built the dual-family (ML-DSA + SLH-DSA) code-signing pipeline that ships on Methodology v1.5. Veteran of two CI/CD security teams at consumer-OS vendors.

Sigstore · GitHub OIDC · ML-DSA · SLH-DSA

Nadia H.

Senior · Regulatory & Compliance

Former regulator-side reviewer. Maps every QorTrace engagement to the specific FIPS, CNSA, DORA, and EO 14028 clauses your auditor is going to ask about.

FIPS 140-3 · CNSA 2.0 · DORA · EO 14028

Owen P.

Senior · On-Chain Signatures

Ten years of on-chain ECDSA forensics across exchanges and bridges. Quantifies harvest-exposure of dormant signed transactions before they become quantum liabilities.

ECDSA-secp256k · EVM · Solana · ZK

Zara W.

Senior · Bridge & Cross-Chain

Audited bridges holding eleven-figure TVL. Knows where ECDSA-only relayers sit in your message-passing flow and how to phase ML-DSA in without breaking liveness.

LayerZero · Wormhole · Axelar · ZK

Ravi C.

Senior · TLS & Network Crypto

Worked on TLS at hyperscale before joining QorTrace. Owns the hybrid-handshake telemetry pipeline we use to prove a migration actually negotiated PQC end-to-end.

TLS 1.3 · QUIC · BoringSSL · Cloudflare

Elena V.

Senior · FIPS-Validated Modules

Eleven years inside a FIPS-validating lab. Reviews QorTrace builds for module-boundary compliance before they go anywhere near a CMVP submission.

FIPS 140-3 · Module review · ML-KEM · Audit

Darius O.

Senior · Supply-Chain Attestation

Designed SLSA-level-4 attestation flows for two enterprise SaaS vendors. Built the in-toto layout QorTrace clients use to prove the migration came from us, unmodified.

SLSA · in-toto · Provenance · SBOM

Mei L.

Senior · L1 Protocol Engineering

Protocol engineer who shipped consensus changes on two non-EVM L1s. Maps PQC migration paths for chains where the signature scheme is baked into the runtime.

Move · Aptos · Sui · Consensus

Thomas K.

Senior · Banking Cryptography

Thirty years of payment-grade cryptography across European Tier-1 banks. The engineer your CISO’s CISO calls when the migration touches a mainframe HSM.

HSM · EMV · ISO 8583 · Mainframe

Fatima D.

Senior · Fintech Regulatory

Bridges engineering and regulatory translation. Co-author of the EU regulatory-clause mapping every QorTrace Labs fintech engagement carries on its certificate.

PSD2 · DORA · MiCA · Audit-ready

08 · COMING NEXT

What we’re shipping next.

The QorTrace Labs methodology is versioned and re-issued on a rolling 90-day cadence. Below is the current public roadmap.

SHIPPING NOW

Cryptographic Migration Certificate v1.5

Live on every active engagement. v1.5 adds a FIPS 205 (SLH-DSA-SHA2-128s) co-signature beside the ML-DSA-65 primary so an algorithmic break against either family alone cannot forge an attestation.

NEXT 90 DAYS

Hardware-token attestation

FIDO2 / WebAuthn attestation for engagement signers. Target: Q3 2026

NEXT 90 DAYS

Repo-OAuth Inventory v2

Direct GitLab Self-Managed and Bitbucket Server connectors. Target: Q2 2026

LATER

Continuous Cryptographic Monitoring

Standing telemetry feed — classical-fallback alerts after the migration ships. Target: Late 2026

07 · BEFORE YOU CLICK INTO A SERVICE

Frequently asked.

Service-specific FAQs sit on each service’s detail page — these are the cross-cutting questions buyers ask before they pick a pillar.

How is QorTrace Labs different from my existing PQC consultancy?
We do not pitch a 200-slide deck and hand off to a junior. Every engagement is led by one of the senior engineers above, fixed-fee scoped within five business days, and ends with a registry-verifiable certificate — not a recommendation deck.
Do you sign mutual NDAs?
Yes — standard. Most clients have an MNDA we can countersign before the discovery call. We default to redacting client names from public case studies and release them 1:1 to qualified prospects under NDA.
What is the smallest engagement you take?
The two-day CISO PQC Readiness Workshop is the smallest. Cryptographic Inventory ships in 4–8 weeks. Full PQC Migration Engineering averages 11 weeks. We do not do half-day reviews.
Do you sub-contract or staff augment?
No. Every engineer billed on your engagement is a QorTrace Labs engineer. We do not white-label external talent.
What stacks have you shipped this on?
Cloudflare, Fastly, Akamai, AWS CloudFront, NGINX, HAProxy, Envoy, AWS / GCP / Azure KMS, Thales, Entrust, plus EVM L1/L2, Solana, Aptos, Sui. Anything else, we extend.
Can you start under an existing MSA with QorTrace?
Yes. Labs engagements can be SOW'd against your existing QorTrace MSA — your procurement team only sees one supplier on file.
06 · START A CONVERSATION

Tell us about your cryptographic surface.

One business day to a senior engineer. NDAs available on request. All engagements scoped, fixed-fee, and led by a senior on the call.