METHODOLOGY · QORTRACE LABS

Four phases. Predictable. Auditable. Built for your CISO and your regulator.

Discover · Scope · Engineer · Sign. Every phase named, time-boxed, and accountable to a specific senior on our side. Below is exactly what happens, day-by-day, when you engage QorTrace Labs.

01
Day 030 minutes

Discover

We map your cryptographic surface and your harvest-now exposure on a single 30-minute call.

01
Surface walkthrough
TLS endpoints, KMS, code-signing pipelines, on-chain primitives, and any custom JCA / OpenSSL providers.
02
Risk hypothesis
Senior engineer drafts a CVSS-style risk hypothesis on the call, anchored to CNSA 2.0 and your sector's regulatory cliff dates.
03
Engagement match
We tell you, on the call, which of our four pillars (or combination) you actually need. We will tell you 'no' if you don't need us yet.
YOU RECEIVE
Discovery memo
1-page PDF · CVSS hypothesis + suggested pillar.
02
Days 1–55 business days

Scope

Fixed-fee scoping memo, signed both sides, before any engineer touches any code.

01
Phased plan
Sprint-by-sprint phasing with named senior leads, deliverables, milestones, and a hard end-date.
02
Read-only access
Scoped per-repo, time-boxed OAuth tokens to the artifacts we need (GitHub / GitLab / Bitbucket / self-hosted Git) — never write.
03
Mutual NDA + SOW
Standard mutual NDA. SOW signed on the new pricing — fixed-fee, no scope-creep invoices, no surprise phase-2.
YOU RECEIVE
Scoping Memo + SOW
Signed PDF · phased plan · named leads · hard end-date.
03
Weeks 2–NEngagement length

Engineer

Senior engineers embed with your team and ship production code into your repos.

01
Pair-programming
Your engineers learn the new primitives by writing them with us. We do not throw a PR over the fence.
02
Production deploy
Hybrid TLS, ML-KEM, ML-DSA, KMS migration, code-signing — staged rollout with telemetry. Customer-facing zero-downtime.
03
Weekly reviews
Every Friday: % hybrid handshakes, p99 latency delta, incident count, hours-burned vs hours-scoped — same 4 numbers, every week.
04
Runbook + telemetry
Prometheus / Datadog / OpenTelemetry dashboards + an incident runbook tested against game days before go-live.
YOU RECEIVE
Production rollout
Telemetry dashboard · runbook · merged PRs.
04
Final week5 business days

Sign

A signed Cryptographic Migration Certificate the regulator will accept.

01
Migration Certificate
Signed PDF + embeddable SVG, verifiable on the QorTrace public registry. Includes the full deliverable manifest hash.
02
Hand-off doc
Annotated final-state architecture, decision log, and a 12-month maintenance contract scope (optional).
03
Regulator pack
CNSA 2.0 / DORA / NIST gap-matrix updated to the post-engagement state, ready to drop into your security questionnaire.
YOU RECEIVE
Migration Certificate
Signed PDF · embeddable SVG · public verify URL.
METHODOLOGY v1.5
v1.5

FIPS 205 (SLH-DSA) attestation block — now in every certificate.

As of methodology revision v1.5, every Cryptographic Migration Certificate carries a dedicated SLH-DSA attestation row alongside its primary ML-DSA-65 signature. SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, NIST FIPS 205) is the conservative backupto ML-DSA — it relies only on the security of a hash function, not on lattices, so it survives the speculative case where a structural attack is found against ML-DSA in the future. Co-signing with both gives your auditors a hedge that no single algorithmic break can compromise.

WHY · FAMILY DIVERSITY

One break shouldn’t take everything down.

ML-DSA is structured-lattice. SLH-DSA is hash-based. They share no mathematical foundation and no implementation primitives. A single cryptanalytic advance against one cannot invalidate the other — which is exactly the redundancy CNSA 2.0 wants you operating under by 2030.

  • Independent security base
  • No shared side-channel surface
  • Different validator code path
WHERE WE USE IT · CODE-SIGNING & FIRMWARE

Long-lived signatures get the strongest guarantee.

For artefacts that ship and are verified for years (firmware images, release tarballs, CI build manifests, Cryptographic Migration Certificates themselves), we co-sign with both ML-DSA-65 and SLH-DSA-SHA2-128s. Verifiers accept either; an attacker would need to break both families to forge.

  • Sigstore / Cosign multi-signature
  • Firmware ToFU pinning
  • Long-tail release archives
TRADEOFFS · SIZE & SPEED

Bigger signatures, slower signing — and worth it.

SLH-DSA signatures are 7–30× larger than ML-DSA and signing is two orders of magnitude slower. We keep ML-DSA as the primary handshake / TLS signature for live traffic and reserve SLH-DSA for the artefacts where a few extra kilobytes and a few hundred milliseconds don’t matter — exactly the artefacts where the extra hedge does.

  • SLH-DSA-SHA2-128s · 7,856-byte sig
  • ML-DSA-65 stays primary on TLS
  • Co-sign only on persistent artefacts
NEW ON v1.5 · CERTIFICATE ATTESTATION BLOCK
PRIMARY SIGNATURE
ML-DSA-65 · FIPS 204
Lattice · Level 3 · 3,309-byte signature
CO-SIGNATURE · NEW
SLH-DSA-SHA2-128s · FIPS 205
Hash-based · 7,856-byte signature · stateless
VERIFIER POLICY
EITHER valid → accept
Forge-resistance requires breaking BOTH families
METHODOLOGY VERSION
v1.5 · 2026-Q2
Auto-rolled to active engagements
See it on a sample certificate
THE FINAL ARTIFACT

A signed certificate the regulator will accept.

At the end of every engagement we issue a Cryptographic Migration Certificate — signed PDF + embeddable SVG — verifiable on the QorTrace public registry. The hash of the deliverable manifest is bound into the signature, so your security questionnaire respondent can prove not just that the work was done, but which work.

  • Hand-off to procurement & legal in one file
  • Public verify URL — auditors love it
  • Embeddable SVG badge for your docs site
  • Signed by our methodology key, not a person
See a sample certificate
QQORTRACE LABS
CERT · QTL-2026-0142
Cryptographic Migration
Certificate
Issued under the QorTrace Labs Methodology.
Verifiable at qortrace.com/verify/QTL-2026-0142
SUBJECT
[Client Name]
SCOPE
TLS 1.3 · CDN · KMS · Code-signing
PRIMITIVES
X25519+ML-KEM-768 · ML-DSA-65
COMPLIANCE
CNSA 2.0 · NIST FIPS 203/204
ENGAGEMENT
11 weeks · Senior-led
SIGNED
2026-04-30 · QTL-METHKEY-04
SHA-256 manifest · 04 f1 28 a3 d6 7e 0b 92 1a e4 c5 9d 3f 8b 11 6c …

Run our methodology against your stack.

30 minutes. No pitch deck. We will tell you which pillar you need (or that you do not need us yet).

Back to QorTrace Labs