Scrutari
NIST FIPS 203 + 204 ready · ML-KEM-768 hybrid

Post-quantum TLS for the data your business can't afford to lose.

Scrutari is a hardened TLS gateway that terminates ML-KEM-768 hybrid handshakes in front of your enterprise SaaS — without rewriting your backend, without burning weeks on integration, and without the harvest-now-decrypt-later risk classical TLS leaves on the wire today.

Hermetic Rust runtime · TLS 1.3 only · No classical-only fallback · Single-process attack surface

Built on standards that hold up under audit.

  • NIST FIPS 203 · ML-KEM
  • NIST FIPS 204 · ML-DSA
  • NIST FIPS 205 · SLH-DSA
  • SOC 2 / ISO 27001 · Aligned
  • CycloneDX 1.6 · CBOM export
  • TLS 1.3 · Hybrid PQ only, no classical-only fallback
Why this is urgent

The data you encrypt today is the data they decrypt tomorrow.

Adversaries don't need a quantum computer to start hurting you. They need a packet capture and patience.

Harvest now, decrypt later

Encrypted business data traversing classical TLS today — customer PII, financial records, IP, healthcare records, source code, internal communications — is being captured and stored by nation-state and criminal actors who plan to decrypt it once Shor's algorithm becomes practical at scale. Every TLS 1.3 session you serve with classical-only key exchange is gift-wrapped for that future.

Regulatory retention has a multi-decade horizon

Most enterprise data isn't ephemeral. SOX requires audit records to be kept for 7 years; GDPR's right-to-be-forgotten doesn't unwind a 2026 capture decrypted in 2032; HIPAA protects a patient's records for their lifetime and 50 years after death; medical, financial, and contractual records compound over a person's working life. The blast radius of a 'someday' decryption is measured in regulatory cycles, not quarters.

The NIST timeline is the enforcement timeline

NIST's transition plan (NIST IR 8547, published in draft in late 2024) deprecates the quantum-vulnerable public-key algorithms in today's classical stack after 2030 and disallows them after 2035. Enterprise procurement cycles are already gating renewals on a documented PQ migration plan. 'We'll get to it' has stopped being an accepted answer.

Capabilities

Three things, hardened end-to-end.

We don't ship a kitchen sink. Each capability below is built for a single failure mode in the post-quantum migration path and verified end-to-end in our own continuous smoke suite.

Hybrid PQ-TLS termination

ML-KEM-768 + X25519 hybrid key exchange terminated in our hermetic Rust gateway, with TLS 1.3 only and no classical-only fallback. AES-256-GCM and ChaCha20-Poly1305 AEAD. The proxy speaks the post-quantum handshake to the public internet and forwards plaintext to your unmodified backend over an internal trust boundary. That boundary is where the post-quantum envelope ends: the gateway-to-origin hop must run on a network you already trust, or carry its own transport protection.

Zero-touch CNAME onboarding

Customers add one TXT record (proof of ownership) and one CNAME (proof of routing). Our pre-flight resolver verifies both gates before issuing certs — no broken validations, no stuck ACME orders, no silent failures. The dashboard surfaces exactly which gate is open and which is still pending.

CycloneDX CBOM export

Every cryptographic surface in the gateway — KEM, AEAD, signatures, hash, RNG — surfaces as a single CycloneDX 1.6 cryptography bill of materials. Auditors get a machine-readable artifact instead of a slide deck; security teams diff CBOMs across releases to track exactly when a primitive changed.
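The CBOM-diffing workflow described above, as an added example written for this page rather than the gateway's own exporter. It emits a minimal CycloneDX 1.6 document using the `cryptographic-asset` component type and then diffs two releases by stable `bom-ref`, so a parameter-set change (ML-KEM-768 to ML-KEM-1024) shows up as a changed primitive rather than a remove-plus-add. The two inventories are constructed to mirror the primitive classes the page names (KEM, AEAD, signature, hash, RNG); the specific algorithms, security levels and release numbers are assumptions, not a real manifest.

```python
"""CycloneDX 1.6 CBOM: emit a cryptography bill of materials and diff two releases.

Added example, not the gateway's exporter. Field names follow the CycloneDX 1.6
'cryptographic-asset' component type (bomFormat, specVersion, cryptoProperties,
algorithmProperties); the inventories below are constructed to mirror the
primitive classes named on this page and are not a real release manifest.
"""
import json


def algorithm(name, primitive, functions, bom_ref, parameter_set=None, quantum_level=None):
    """One CycloneDX cryptographic-asset component with assetType 'algorithm'."""
    props = {"primitive": primitive, "cryptoFunctions": list(functions)}
    if parameter_set is not None:
        props["parameterSetIdentifier"] = parameter_set
    if quantum_level is not None:
        props["nistQuantumSecurityLevel"] = quantum_level  # 0 = quantum-vulnerable
    return {
        "type": "cryptographic-asset",
        "bom-ref": bom_ref,  # kept stable across releases so a swap diffs as a change
        "name": name,
        "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props},
    }


def make_cbom(version: int, components) -> dict:
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": version,
            "components": list(components)}


def to_json(cbom: dict) -> str:
    return json.dumps(cbom, indent=2, sort_keys=True)


def diff_cbom(old: dict, new: dict):
    """Return (added, removed, changed) bom-refs; 'changed' means cryptoProperties differ."""
    o = {c["bom-ref"]: c for c in old["components"]}
    n = {c["bom-ref"]: c for c in new["components"]}
    added = sorted(n.keys() - o.keys())
    removed = sorted(o.keys() - n.keys())
    changed = sorted(ref for ref in o.keys() & n.keys()
                     if o[ref]["cryptoProperties"] != n[ref]["cryptoProperties"])
    return added, removed, changed


def example_release_pair():
    """Constructed inventories: release 1, then release 2 that moves the KEM to
    the 1024 parameter set and adds an ML-DSA signature primitive."""
    base = [
        algorithm("X25519", "key-agree", ["keygen", "keyderive"], "crypto/algorithm/x25519", quantum_level=0),
        algorithm("AES-256-GCM", "ae", ["encrypt", "decrypt"], "crypto/algorithm/aes-256-gcm", quantum_level=5),
        algorithm("ChaCha20-Poly1305", "ae", ["encrypt", "decrypt"], "crypto/algorithm/chacha20-poly1305", quantum_level=5),
        algorithm("SHA-256", "hash", ["digest"], "crypto/algorithm/sha-256", quantum_level=2),
        algorithm("HMAC-DRBG", "drbg", ["generate"], "crypto/algorithm/hmac-drbg"),
    ]
    kem_fns = ["keygen", "encapsulate", "decapsulate"]
    v1 = make_cbom(1, base + [
        algorithm("ML-KEM", "kem", kem_fns, "crypto/algorithm/ml-kem", parameter_set="768", quantum_level=3),
    ])
    v2 = make_cbom(2, base + [
        algorithm("ML-KEM", "kem", kem_fns, "crypto/algorithm/ml-kem", parameter_set="1024", quantum_level=5),
        algorithm("ML-DSA", "signature", ["sign", "verify"], "crypto/algorithm/ml-dsa", parameter_set="65", quantum_level=3),
    ])
    return v1, v2


if __name__ == "__main__":
    v1, v2 = example_release_pair()
    added, removed, changed = diff_cbom(v1, v2)
    print("added:", added)      # ['crypto/algorithm/ml-dsa']
    print("removed:", removed)  # []
    print("changed:", changed)  # ['crypto/algorithm/ml-kem']
```

Keying the diff on `bom-ref` rather than on `name` is the design point: a CBOM that renames or re-parameterises a primitive still tells the auditor "the KEM changed in release 2", which is the question a release review actually asks.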

How it works

From classical to post-quantum in three changes.

No backend rewrite. No new SDK. No protocol fork. Two DNS records and a tenant configuration are the whole integration.

  1. Prove ownership

    Add a single TXT record at `_scrutari-challenge.<your-host>` with the token the dashboard shows you. The gateway's resolver picks it up within seconds and flips your tenant's verification gate green.

  2. Route traffic to the gateway

    Set a CNAME from your customer-facing host to `<tenant>.edge.scrutari.ai`. Our pre-flight resolver confirms the CNAME chain actually terminates at our edge before issuing certs, so there are no broken validations, no silent failures, and no rate-limit burns. Note that DNS does not permit a CNAME at a zone apex (`example.com` itself, per RFC 1034): onboard a subdomain such as `www`, or use your DNS provider's apex flattening (ALIAS/ANAME) if it offers one.

  3. Serve post-quantum TLS

    The gateway terminates ML-KEM-768 hybrid handshakes on your hostname and forwards plaintext to your existing backend over an internal trust boundary. Your service code never changes. Browsers that advertise the X25519MLKEM768 key-exchange group (current releases of the major browsers do) negotiate it automatically in the TLS 1.3 key_share exchange; because there is no classical-only fallback, a client that offers only classical groups does not complete the handshake.
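The two DNS gates from the onboarding steps above (and the "Zero-touch CNAME onboarding" capability), as an added example that is not Scrutari's resolver. It checks the ownership token at `_scrutari-challenge.<host>` and follows the CNAME chain from the host until it either terminates at `<tenant>.edge.scrutari.ai` or fails in one of the ways a pre-flight check has to catch: a loop, an over-long chain, a chain that ends at another tenant's edge name, or no CNAME at all (the apex case). The DNS data is a constructed in-memory table so the code runs offline; the hop cap and the `Preflight` result type are assumptions made for the example.

```python
"""Pre-flight onboarding check: ownership (TXT) and routing (CNAME) gates.

Illustrative code written for this page, not Scrutari's resolver. DNS data
comes from a constructed in-memory table so the check runs offline; a real
deployment would query a resolver library (e.g. dnspython) instead.
"""
from dataclasses import dataclass

EDGE_SUFFIX = ".edge.scrutari.ai"        # from the page: <tenant>.edge.scrutari.ai
CHALLENGE_LABEL = "_scrutari-challenge"  # from the page
MAX_CNAME_HOPS = 8                       # assumed cap; DNS only requires chains to terminate


@dataclass
class Preflight:
    ownership: bool
    routing: bool
    detail: str

    @property
    def issue_cert(self) -> bool:
        """Certificates are issued only when both gates are open."""
        return self.ownership and self.routing


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def check_ownership(records: dict, host: str, token: str) -> bool:
    """Ownership gate: the exact token must appear as a TXT string at the challenge name."""
    txts = records.get(("TXT", f"{CHALLENGE_LABEL}.{_norm(host)}"), [])
    return token in txts  # unrelated TXT strings (SPF etc.) at the same name are ignored


def check_routing(records: dict, host: str, tenant: str) -> tuple[bool, str]:
    """Routing gate: follow the CNAME chain from host; it must end at this tenant's edge name."""
    name = _norm(host)
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        if name in seen:
            return False, f"CNAME loop at {name}"
        seen.add(name)
        targets = records.get(("CNAME", name))
        if not targets:
            break                    # chain terminated at a name with no CNAME
        name = _norm(targets[0])     # a name carries at most one CNAME
    else:
        return False, f"CNAME chain longer than {MAX_CNAME_HOPS} hops"

    expected = f"{tenant}{EDGE_SUFFIX}"
    if name == expected:
        return True, f"{_norm(host)} terminates at {expected}"
    if name.endswith(EDGE_SUFFIX):
        return False, f"chain ends at {name}, which belongs to a different tenant"
    if name == _norm(host):
        return False, f"no CNAME at {name} (zone apex? use a subdomain or ALIAS)"
    return False, f"chain ends at {name}, not at the edge"


def preflight(records: dict, host: str, tenant: str, token: str) -> Preflight:
    owned = check_ownership(records, host, token)
    routed, detail = check_routing(records, host, tenant)
    return Preflight(owned, routed, detail)


# Constructed zone data for the example: (rtype, owner name) -> list of rdata strings.
ZONE = {
    ("TXT", "_scrutari-challenge.app.example.com"): ["scrutari-verify=tok_a1b2c3", "v=spf1 -all"],
    ("CNAME", "app.example.com"): ["traffic.example.net."],        # two-hop chain to the edge
    ("CNAME", "traffic.example.net"): ["acme.edge.scrutari.ai."],
    ("CNAME", "loop.example.com"): ["loop2.example.com"],           # misconfigured loop
    ("CNAME", "loop2.example.com"): ["loop.example.com"],
    ("CNAME", "stolen.example.com"): ["mallory.edge.scrutari.ai"],  # points at another tenant
}

if __name__ == "__main__":
    for host in ("app.example.com", "loop.example.com", "stolen.example.com", "example.com"):
        r = preflight(ZONE, host, "acme", "scrutari-verify=tok_a1b2c3")
        print(f"{host:20} ownership={r.ownership!s:5} routing={r.routing!s:5} "
              f"issue={r.issue_cert!s:5} {r.detail}")
```

The check deliberately reports which gate failed and why, which is what lets a dashboard show "ownership open, routing pending" instead of a generic validation error; and it refuses to issue when the chain lands on another tenant's edge name, since a CNAME alone proves routing, not the right to that tenant's certificate.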

Move your TLS posture to post-quantum before the timeline moves you.

Scrutari is in early access for enterprise SaaS teams who've been told to have a migration plan by their largest customers and don't want to rebuild their TLS stack to get there. We'd like to talk to yours.