PQCAT Documentation — Getting Started, CLI Reference, and API

Getting Started

Follow these steps to install PQCAT and run your first compliance assessment.

1

Download PQCAT

PQCAT is a single executable file with no additional software required. Choose your platform below, then download the latest release.

# Step 1: Download the latest release
curl -LO https://github.com/soqucoin-labs/pqcat/releases/download/v2.0.1/pqcat-2.0.1-darwin-arm64.tar.gz

# Step 2: Extract the binary
tar xzf pqcat-2.0.1-darwin-arm64.tar.gz

# Step 3: Install to your PATH (rename to 'pqcat')
sudo mv pqcat-2.0.1-darwin-arm64 /usr/local/bin/pqcat
                                

For Intel Macs, replace darwin-arm64 with darwin-amd64 in all three steps. Alternatively, download directly from the GitHub Releases page.

# Step 1: Download the latest release
curl -LO https://github.com/soqucoin-labs/pqcat/releases/download/v2.0.1/pqcat-2.0.1-linux-amd64.tar.gz

# Step 2: Extract the binary
tar xzf pqcat-2.0.1-linux-amd64.tar.gz

# Step 3: Install to your PATH (rename to 'pqcat')
sudo mv pqcat-2.0.1-linux-amd64 /usr/local/bin/pqcat
                                

For ARM servers (e.g. AWS Graviton), replace linux-amd64 with linux-arm64 in all three steps.

# Download from GitHub Releases:
https://github.com/soqucoin-labs/pqcat/releases/download/v2.0.1/pqcat-2.0.1-windows-amd64.zip

# Extract the .zip and add pqcat.exe to your PATH.
                                

Or download manually from the GitHub Releases page and extract to any folder in your system PATH.

# Requires Go 1.25+
git clone https://github.com/soqucoin-labs/pqcat.git
cd pqcat
make
                                

This builds the open-source scanner edition. The Pro edition is available as pre-built signed binaries.

2

Verify Installation

Confirm PQCAT is installed correctly by checking the version.

pqcat version

Expected Output PQCAT v2.0.1 (Scanner Edition) Built: 2026-03-18 · Go 1.25 · darwin/arm64

3

Run Your First Scan

PQCAT can scan websites, source code, network ranges, and software inventories. Choose a scan type below to see how it works.

Scan a website or any TLS-enabled endpoint to assess its certificate chain, cipher suites, and signature algorithms.

pqcat scan tls example.com

Sample Output PQCAT Crypto Bill of Health — example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Quantum Readiness Score: 42/100 ● Quantum Vulnerable 12 assets ● Transitional 8 assets ● PQ Compliant 23 assets Top Migration Priority: → RSA-2048 certificates (12 instances)

Point PQCAT at a source code directory to find cryptographic function calls, hardcoded keys, and deprecated algorithm usage across 579 patterns in 39 file types.

pqcat scan code ./my-application/src

Sample Output PQCAT Crypto Bill of Health — ./my-application/src ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Quantum Readiness Score: 31/100 ● Quantum Vulnerable 8 assets ● Transitional 4 assets ● PQ Compliant 2 assets Top Findings: → RSA key generation in auth/crypto.go:142 → ECDSA signing in payments/sign.py:87

Scan an entire network subnet to discover all TLS and SSH endpoints and assess their cryptographic posture.

pqcat scan cidr 10.0.1.0/24

Sample Output PQCAT Crypto Bill of Health — 10.0.1.0/24 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Hosts Discovered: 47 · Endpoints Scanned: 83 Quantum Readiness Score: 58/100 ● Quantum Vulnerable 22 assets ● Transitional 31 assets ● PQ Compliant 30 assets

Analyze a CycloneDX or SPDX software bill of materials to identify cryptographic libraries and their quantum vulnerability status.

pqcat scan sbom ./vendor-sbom.cdx.json

Sample Output PQCAT Crypto Bill of Health — vendor-sbom.cdx.json ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Libraries Analyzed: 214 · Crypto Dependencies: 18 Quantum Readiness Score: 67/100 ● Quantum Vulnerable 3 libraries ● Transitional 6 libraries ● PQ Compliant 9 libraries

PQCAT classifies every discovered cryptographic asset into one of three zones: Quantum Vulnerable (replace immediately), Transitional (plan migration), or PQ Compliant (meets post-quantum standards).

4

Generate a Compliance Report

Create a self-contained HTML report that you can open in any browser and share with your team — no internet connection required to view it.

pqcat scan tls example.com \
  --framework fisma \
  --html report.html \
  --save-db
                            

--framework fisma scores against FISMA compliance requirements. --html report.html generates a visual report file. --save-db stores results for historical comparison.

Open report.html in your browser to see the full Crypto Bill of Health with interactive asset tables, zone breakdowns, and migration recommendations.

Scanner Modules

Seven discovery modules scan every cryptographic asset in your infrastructure.

Module	Command	Description
TLS/SSL	`scan tls <host>`	Certificate chain, cipher suites, and signature algorithms
SSH	`scan ssh <host>`	Key exchange algorithms and host key types
SBOM	`scan sbom <file>`	CycloneDX/SPDX crypto dependency analysis (180+ libraries)
PKI	`scan pki <path>`	Certificate chain walking and CA analysis
Source Code	`scan code <dir>`	Pattern scanning for crypto usage (579 patterns across 39 file types)
HSM/KMS	`scan hsm <endpoint>`	Hardware security module key type discovery
Network	`scan cidr <range>`	Subnet-wide TLS/SSH endpoint discovery

CLI Reference

Common flags and commands available across all editions.

Flag	Description	Example
--framework	Set compliance framework for scoring	`--framework fisma`
--html	Generate self-contained HTML report	`--html report.html`
--save-db	Persist scan results to SQLite database	`--save-db`
--config	Specify configuration file	`--config /etc/pqcat/pqcat.yaml`
--criticality	Override target criticality level	`--criticality critical`
--threatintel	Load threat intelligence sidecar	`--threatintel pqcat-intel.json`
--output	Set output format	`--output json`

Additional Commands

Command	Description
serve	Start web dashboard and REST API (Pro edition)
dashboard	Launch terminal dashboard (TUI, all editions)
config init	Generate documented configuration template
version	Show version, build, and edition information

Configuration

YAML-based configuration with a 6-level precedence chain.

Precedence (highest → lowest)

1	CLI flags (`--framework fisma`)
2	Environment variables (`PQCAT_FRAMEWORK`)
3	Explicit config (`--config path`)
4	Local directory (`./pqcat.yaml`)
5	User home (`~/.pqcat/config.yaml`)
6	System (`/etc/pqcat/pqcat.yaml`)

# pqcat.yaml — minimal example
framework: cnsa2
organization: "My Agency"

scanner:
  workers: 4
  timeout: 30s

database:
  path: pqcat.db

# Generate full template:
# pqcat config init
                    

Supported Frameworks

11 regulatory frameworks assessed in a single scan.

Framework	`--framework`	Sector
CNSA 2.0	cnsa2	Federal / NSA
NSM-10	nsm10	Federal
FISMA	fisma	Federal (NIST 800-53)
FedRAMP	fedramp	Federal Cloud
SP 800-131A	sp800131a	Federal
CMMC 2.0	cmmc	DoD Supply Chain
PCI DSS	pci	Financial
SOX	sox	Financial
HIPAA	hipaa	Healthcare
NYDFS 23 NYCRR 500	nydfs	Financial
SWIFT CSP	swift	Financial Messaging

Reference Documentation

Complete technical documentation is maintained on GitHub alongside the source code.

Getting Started & Installation

Quick Start Guide Install, first scan, generate reports — running in 5 minutes All Editions Deployment Guide Binary install, Docker, air-gap deployment, systemd, TLS hardening All Editions Architecture Overview Four-layer design, package structure, Go build tags All Editions

Administration & Security

Admin Guide RBAC roles, user management, audit logging, security configuration Pro Edition REST API Reference 22 endpoints: scans, reports, users, audit log, Prometheus metrics Pro Edition Security Policy Vulnerability reporting, response SLAs, supported versions All Editions

Operations & Compliance

Standard Operations Procedure Federal-grade SOP: configuration, fleet deployment, maintenance, state machines All Editions Changelog Version history, release notes, and security advisories All Editions

Development

Contributing Guide Development setup, testing, build commands, pull request guidelines All Editions Source Code (GitHub) Open-source scanner modules, CI configuration, issue tracker Apache 2.0

Need Help?

For technical support, licensed customers can email labs@soqu.org. For the open-source scanner, file issues on GitHub.

Request 7-Day Evaluation View on GitHub