Independent. No credentials. Provider-neutral. Cipherwake checks every deploy from outside and blocks the announce when your AI coder shipped something catastrophic — a broken homepage, a public /api/admin, a leaked service-role key, a new third-party script, a session cookie missing Secure, a TLS cert near expiry, or a declared invariant regressed. Cursor, Copilot, and Claude can’t honestly verify their own output. We do.
Free for any domain · 100 deploy-checks per repo / month · Drop a .cipherwake.json at your repo root and the gate fires on every deploy · Route assertions · AI Coder Protocol →
All five are ASM signals. Two — key persistence and the HNDL Blast Radius — are uniquely Cipherwake: no other ASM scanner surfaces them.
Or try in your browser — type any HTTPS domain:
Free · No signup · Anonymous · What is this?
Want it in your CI or browser? Get started for your team →
Monitor this domain daily — signed badge, 90-day history, email alerts. Founder Pro $19.99/mo · 5 domains · launch pricing locked while sub active · cancel anytimeCipherwake doesn't just compute a grade. We detect specific events on your public cryptographic surface and explain what changed, why it matters, and what to do — by email + dashboard, on every monitored domain.
Certificates can rotate while the private key stays the same. If that key is ever exposed, the blast radius covers traffic protected before AND after the cert change. We flag this on every rotation.
Third-party scripts are supply-chain risk. The Polyfill.io attack ran in the trust context of every site that loaded it. We watch every monitored domain for new vendor scripts and alert when one appears.
We map TLS public keys (SPKI fingerprints) across the internet. When the same key serves multiple unrelated domains — the Heartbleed/SolarWinds pattern — we make it visible. See the Key Map.
Adversaries are vacuuming TLS traffic now for decryption later — when CRQCs arrive. Our Decryption Blast Radius score quantifies how much of your encrypted traffic is at future-decryption risk based on today's algorithms + key persistence.
5eb74c0b…
observed 2026-05-18
One SPKI fingerprint observed across 8 hostnames in Cipherwake's certificate corpus. A single private-key compromise would have to be rotated everywhere this key serves traffic — and from the outside, you can't always see where that is. This is the kind of finding Cipherwake surfaces on every scan.
Observational only. Certificate Transparency logs are public; this is what we recorded. No claim about Google's security posture — sharing a key across owned hostnames is a normal operational choice. The point: across the wider corpus, the same observation surfaces shared keys between independent organizations too. How the Key Map works.
SSL Labs gives you a static grade. Uptime monitors tell you when your site is down. Header checkers list missing HSTS / CSP. Each is useful — none of them connect cert rotations + key persistence + vendor drift + HNDL exposure into one timeline with alerts. That's what Cipherwake adds.
Free scanners are useful — we use the same public signals. The difference is the workflow: Cipherwake keeps watching, keeps history, and connects certs, keys, vendors, headers, and HNDL exposure into one domain trust timeline. See the full feature comparison →
Pick whichever surface fits your workflow. All free, no signup, no API key. The Decryption Blast Radius API is the same one every surface here wraps.
scan · lock · diff · history · deps · cert · watch. Free on npm, ~3MB, zero deps.No signup, no API key, no repo secret. The scaffolded workflow uses GitHub OIDC for per-repo metering — Free covers 100 Trust Diff calls per repo per month. Push the file, open a PR, Cipherwake comments inline when cert / SPKI / HSTS / CSP / DMARC / vendor scripts drift since baseline.
Type a domain above to generate your workflow.Paste into
.github/workflows/cipherwake.yml
Type any domain above to get its live Decryption Blast Radius — a 0–10 score across keyExchange, certLifetime, keyPersistence, and subdomainScale, with the full finding list. No signup, no API key.
Every other PQC scanner answers a yes/no question: "is post-quantum crypto enabled?" That’s the wrong question. The HNDL question is how much past + future data unlocks when one harvested key gets decrypted. That’s a continuous score, not a checkbox — and cipherwake.io is the only tool built around it.
npx pqcheck <domain> in your terminal. Same scanner, two surfaces.Every public scanner gives you a snapshot. We give you a timeline. Every certificate we’ve observed for a domain. Every key rotation. Every score change. Every newly-appearing third-party script. SSL Labs, Hardenize, and Mozilla Observatory throw all of that away after the scan; we keep it. That history is what powers “your key rotated but your cert didn’t,” the security changelog timeline, and the confidence scoring that says “this score is based on N observations, not one lucky probe.”
It’s also free, forever, for anyone. Lookup any domain, any SPKI key, any vendor host. The full timeline is public. Disputes are public. The paid tier is monitoring, alerts, and portfolios — never the depth of the historical view.
Harvest-now-decrypt-later (HNDL) isn’t hypothetical. Nation-state SIGINT programs have been documented capturing and storing encrypted traffic at internet exchange points and undersea cables for years. The math says a cryptographically-relevant quantum computer arrives somewhere between 2030 and 2040 — and any encrypted record harvested before then becomes plaintext the moment it does. If your data still matters in 2038, your encryption needs to matter today.
The data with the longest sensitivity decay — medical records, financial histories, intelligence files, intellectual property — is also what adversaries care most about preserving for later. Banking sessions decrypted in 2038 still matter. PHI decrypted in 2038 still matters more.
Cipherwake is a stealth-mode venture building tools that measure quantum-decryption risk to the world’s most sensitive data. The underlying handshake protocol behind Tessera is patent-protected via a US provisional application, with non-provisional conversion in progress. The founding team combines clinical-medicine and cryptographic-systems backgrounds, with healthcare as the initial vertical focus. Public team identification will follow product launch.
Install Cipherwake from the Chrome Web Store — one-click install, no signup. Live grade in your toolbar for every HTTPS site you visit.
Edge Add-ons and Firefox AMO builds queued. Prefer the CLI? npx pqcheck <domain> works without install.