Hybrid PQC at your edge in one config line.

No cipher archaeology, no forked TLS library, no six-month spike. Point your edge at Secuur, set mode = "hybrid", ship. X25519 + ML-KEM-768 on every handshake, tracked to NIST automatically.

Start free ↗ Read the API

edge.config

# the one line
secuur.tls.mode = "hybrid"

# that's it. defaults:
kex  = x25519 + ml-kem-768
sig  = ecdsa-p256 + ml-dsa-65
track = nist-fips-203/204/205

Scan API

Grade anything, programmatically.

The same engine behind the website, as a JSON API. Gate deploys on it, wire it into CI, fail the build if a service ships classical-only.

request

# grade a host
$ curl https://api.secuur.me/v2/scan \
   -H "Authorization: Bearer $KEY" \
   -d '{ "host": "api.acme.com", "deep": true }'

response · 200

{
  "host": "api.acme.com",
  "grade": "D",
  "exposed": true,
  "kex": "ecdhe-p256",
  "hndl": "vulnerable",
  "fix": "enable ml-kem-768"
}

CIExit non-zero below your grade threshold — secuur scan --fail-under B — and quantum drift never merges.

ML-KEM handshake

Two secrets, one session key.

The client and server each derive a classical and a post-quantum shared secret, then KDF them together. Break one, the session still holds. Break both — nobody can.

Client

your app

ClientHello + key_share→

x25519 pub · ml-kem encaps→

ml-kem ciphertext · x25519 pub←

KDF(ss_classical ‖ ss_pq)🔒

Secuur edge

in front of origin

ASafe

scan api.secuur.me

We dogfood it. Scan us.

Every Secuur endpoint runs hybrid PQC — including the Scan API itself. Run curl api.secuur.me/v2/scan against us and you'll get an A. We won't ask you to run anything we don't.

Start free ↗

One config line away.

Self-serve from $49/mo. No sales call, no migration committee — just hybrid PQC on your next deploy.

Start free ↗ Grade a host first