Methodology library · Open + citable

Every tool. Every weight. Every limit we won't claim past.

Cipherwake publishes the methodology behind every shippable tool. Not categories — the actual formulas, weights, data sources, and explicit limits. The model: SSL Labs Server Rating Guide. Mozilla Observatory per-test docs. Have I Been Pwned source documentation. Trust is the moat; opacity is the competition's weakness.

Five-section structure on every page: what we measure → how we measure it → how it scores → what this tool does NOT claim → limitations + edge cases. The “does not claim” section pre-empts the technical-buyer objection (“are these guys reckless?”) and is, in our view, the strongest trust signal.

Core scoring

Decryption Blast Radius (DBR) — the score The continuous 0-10 score + A-F grade on every report. Four weighted components: keyExchange (50%), certLifetime (10%), keyPersistence (20%), subdomainScale (20%). Powers the public scan, CLI, and browser extension. Shipped · Read methodology →

Score components breakdown The four-bar component visualizer on every report — what each subscore measures, what its contribution looks like, when each component is the dominant cause of a failing grade. Shipped · Read methodology →

Timeline projection (Today / 2030 / Post-PQC) The three-bar timeline visualizer — which key-reuse multipliers we apply (1.0× / 1.18× / 1.35× / 1.55×), where the assumptions come from (NIST IR 8547, NSA CNSA 2.0), and the ranges we treat as honest. Shipped · Read methodology →

Scanner accuracy & test coverage The 195-test suite that verifies the scoring implementation matches the published methodology. Categories covered (math closure, monotonicity, ground-truth profiles, contradiction tests, SSRF defense, regression pins) + scoring changelog of every bug we've fixed. Shipped · 195/195 passing · Read methodology →

Surface-level scanners (free + open)

ASM completeness — SPF / DMARC / DKIM / headers / takeover Email-auth + security-header + DNS-takeover signals layered on the HNDL score. What checks run, what flags a failure, and why these aren't double-counted into the DBR. Shipped · Read methodology →

QXM — Quantum Exposure Manifest (cipherwake.lock) The committable artifact produced by npx pqcheck lock. JSON Schema v1, classification logic, what fields are stable + what may change, comparison to SBOM / CycloneDX. Shipped · Read methodology →

Browser extension v0.1 — toolbar grade What the extension reads, what it doesn't, the cache lifetime, the badge color rubric, and an explicit list of the data flows we refuse (page content, cookies, form data). Shipped · Read methodology →

Public watchlists / leaderboards How sectors are curated, how rankings are computed, the tie-break rules, the "appeal a score" path for listed domains, and what we do NOT do (sponsored placement is not allowed). Shipped · Read methodology →

Anomaly + retrospective tools (trust-critical)

Cert Activity Watch — 3σ anomaly detection The baseline math, the 3σ threshold rationale, the false-positive policy, and — critically — why we never publicly broadcast about specific named third parties. Pro-tier private monitoring only. Planned · Read methodology →

Post-Mortem Analysis Engine How retrospectives are correlated, the manual review gate, the rejection criteria (most drafts get killed), and the strict rule that we publish only AFTER the affected party or regulator confirms the breach. The trust-critical doc. Planned · Read methodology →

Tools coming with their own methodology pages

Per project rule: a tool ships with its methodology page in the same release. The following tools have placeholder entries that will become full methodology pages when the tool ships.

Sensitive Endpoint Classifier Auto-detection of login / payment / API / admin endpoints; per-endpoint HNDL weighting. Planned · methodology page deferred until ship

Harvestability Map / Path-to-Plaintext Visual chain of TLS hops with weak-link identification. Planned · methodology page deferred until ship

Supply-chain HNDL exposure (npm / PyPI / Maven) Quantum-aware lockfile audit, transitive dependency analysis. Planned · methodology page deferred until ship

Sleeper Asset Radar Dormant-subdomain + abandoned-cloud-asset detection via CT-log drift. Planned · methodology page deferred until ship

CertOps Failure Radar 47-day cert-world preparedness scoring. Planned · methodology page deferred until ship

CT-sourced brand phishing detector Levenshtein / homoglyph / IDN lookalike detection from new CT issuances. 1 free brand check, then signup. Planned · methodology page deferred until ship

Historical key-reuse timeline UI Forensic-grade timeline of every cert + reused key per domain. Planned · methodology page deferred until ship

One-Click Report Card (PNG + Markdown) Shareable export of any scan. Methodology will document what is + isn't included in the export, and the cryptographic provenance signature on the PDF. Planned · methodology page deferred until ship

Public Cert Anomaly Index Quarterly aggregate trend report. Macro statistics across our scan corpus, no individual domain naming. Distinct from Cert Activity Watch (which is private monitoring) — the methodology page will document the aggregation rules, sector segmentation, and explicit no-naming policy. Planned · methodology page deferred until ship

Score-history + Change-log + Diff explanations Per-score-change cause attribution ("cert lifetime dropped 90→47d, +0.3 to subscore"). Methodology will document the diff classifier and the cause-attribution heuristics. Planned · methodology page deferred until ship

Verified Monitoring Badge Embeddable "Monitored by Cipherwake" badge. Methodology will define what the badge guarantees, what it doesn't, and the rules for revocation when scoring lapses. Planned · methodology page deferred until ship

Browser Extension v0.2 — Supply-Chain Auditor Per-tab third-party script analysis. Distinct methodology from v0.1; will document the script enumeration, the third-party HNDL aggregation, and the v0.1-vs-v0.2 permission delta. Planned · methodology page deferred until ship

Tessera SDK PQC handshake / key-exchange library. Methodology page ships with the SDK; "Join waitlist" placeholder until then. Deferred · post-residency

Tools without per-tool methodology pages (and why)

A few items in our feature list intentionally do not get separate methodology pages, because they introduce no new measurement or claim about a domain — they are delivery formats, pricing tiers, or service engagements over the same scan signal documented elsewhere.

CLI (npx pqcheck) — same scan as the web tool; methodology = DBR.
API Access (Pro) — pricing tier over /api/scan; same output, no new claims.
Vendor Portfolio Monitoring (Pro) — bundles existing tools at scale; the underlying methodologies are already documented per-tool.
Cyber-Insurance Data Feed — bulk delivery of the same scan output.
White-glove Vendor-Risk Audit — services engagement; deliverables cite the per-tool methodologies.
CLM Partnership Licensing — B2B partnership; signal is licensed, not redefined.

How to cite

Each per-tool page is stable URL + citable. For papers / talks / regulatory submissions, cite the specific methodology page (e.g. cipherwake.io/methodology/decryption-blast-radius) rather than the hub. Versioning: methodology revisions are dated at the bottom of each page; older versions are kept reachable via inline diff links.

Source code that implements these methodologies is in the public CLI (npx pqcheck) and the QXM schema is published at /schemas/qxm/v1. Reach out at /feedback with corrections, edge cases, or methodology challenges — we revise rather than defend.