Zero Trust Since 1939  ·  51.9979° N   0.7411° W

Cryptographic confidence for those who
cannot afford to fail.

The quantum threat is not hypothetical. Government, defence, and financial services organisations face a hard deadline — and most do not know where their cryptographic assets are today. Station Hex changes that.

We build the platforms and deliver the expertise that takes organisations from cryptographic chaos to cryptographic confidence — with full asset visibility, policy-driven compliance, vendor-agnostic key operations, and a clear post-quantum migration roadmap.

Discover. Assess. Migrate. Comply. Manage. Operate.
10+ compliance frameworks
100K+ certificates assessed per hour
4 HSM backends
2035: CNSA 2.0 deadline
0xRecon: Cryptographic Asset Intelligence · 0xConductor: Vendor-Agnostic Key Operations · 0xVector: PQC Transition Consultancy · 0xMesh: Cross-Organisational Programme PKI · Frameworks: CNSA 2.0, NCSC/GCHQ, NIST SP 800, PCI-DSS, ISO 27001, DORA, NIS2, HIPAA, GDPR · MOSCA quantum-threat risk scoring · CBOM export (CycloneDX 1.6+)
Product Suite

Four products.
One mission.

End-to-end cryptographic intelligence and operations — from PQC readiness consultancy through asset discovery, key operations, and cross-organisational trust federation.

0xRecon
Enterprise-grade cryptographic risk management and discovery. Discover every asset, assess it against policy frameworks, score and prioritise risk, and plan your PQC migration with precision.

Asset Discovery · Policy Assessment · PQC Migration · Risk Scoring · CBOM · Remote Agents
Explore 0xRecon →

0xConductor
Unified REST API for cryptographic operations across multiple backends, without vendor lock-in. Policy-enforced access control and forensic-grade audit trails across SoftHSM, AWS KMS, Azure Key Vault, and on-premise HSMs.

Multi-Backend Key Management · Policy Engine · Audit Trail · Key Migration · SIEM
Explore 0xConductor →

0xVector
Structured advisory and assessment service combining the CARAF risk framework with the 11-step ETSI-aligned PQC transition process. Delivers quantified risk scores, a prioritised quantum-safe roadmap, and a technical solution architecture: evidence-based, not opinion-based.

CARAF Methodology · MOSCA Scoring · Quantum-Safe Roadmap · ETSI TR 104 016 · Regulatory Alignment
Explore 0xVector →
0xMesh (coming soon)

Cross-organisational programme PKI platform for defence contracts, CNI partnerships, and allied operations. Stand up scoped, time-limited certificate trust channels between sovereign organisations in minutes, without modifying trust stores or sharing sensitive cryptographic policies.

Federated Trust · Policy Privacy · Mesh Agents · Bilateral Consent · Air-Gap Compatible
0xRecon Architecture

The Cryptographic
Intelligence Pipeline

From raw infrastructure scanning through to board-ready compliance reports — a complete, automated cryptographic intelligence workflow.

DISCOVERY: TLS scanning · file system · EJBCA/Keyfactor · Azure Key Vault · ADCS · Luna HSM · CRL harvest · remote agent
NORMALISE: asset model · deduplication · fingerprinting · change detection
ENRICH: business context · asset criticality · data classification · compliance scope
INVENTORY: unified store (SQLite, WAL mode)
ASSESSMENT: CEL policy engine · NCSC / NIST · PCI-DSS / DORA · ISO 27001 / NIS2 · CNSA 2.0 / HIPAA · MOSCA scoring · risk prioritisation
REPORTING: HTML dashboard · PDF and DOCX reports · CycloneDX CBOM · PQC roadmap · SIEM / webhook · executive summary · signed reports
REMOTE COLLECTOR: air-gapped and isolated networks
0xConductor Architecture

Every request.
Policy-first.

Every cryptographic operation passes through policy evaluation before reaching the backend. Key material never leaves the backend's key store: the hardware boundary for a physical HSM or cloud KMS, or the software token in the case of SoftHSM, which offers no hardware isolation.

CLIENT: HTTP + API key · X-Request-ID
→ RATE LIMIT: 10 MB max body · 429 on threshold
→ POLICY ENGINE: classify operation and requestor · DENY → 403 Forbidden
→ CRYPTO SERVICE: sign / verify / encrypt on SoftHSM, AWS KMS, Azure Key Vault or PKCS#11 (key material never exposed)
→ AUDIT LOG: JSONL + SQLite + SIEM
→ 200 OK: ciphertext / signature
Every operation is logged · key material stays in the HSM · policy is evaluated before execution
0xVector Architecture

The PQC Transition
Engagement Process

Six structured phases from engagement governance through to deliverable handover — combining automated cryptographic discovery with the CARAF risk framework and MOSCA theorem prioritisation.

PHASE 1 · Engagement (3–5 days): objectives and scope · governance charter · clearance confirmation · risk register
PHASE 2 · Preparation (1–2 weeks): scoping questionnaire · background review · 0xRecon deployment · plan of action
PHASE 3 · Workshops (5–8 days): goals and scope (steps 1–2) · asset inventory (3) · dependencies (4) · CARAF scoring (5) · solutions (6–8) · MOSCA priority (9–10) · roadmap (11)
PHASE 4 · Analysis (2–3 weeks): finalise CARAF scores · solution assessment · dependency conflicts · phased roadmap
PHASE 5 · Reporting (1–2 weeks): Assessment Report · Migration Strategy · Quantum-Safe Roadmap · Execution Blueprint
PHASE 6 · Delivery (1 day): playback session · deliverable handover · client sign-off · data destruction certificate
Typical duration 8–12 weeks · lead time 4 weeks from PO · all working materials destroyed on acceptance
Compliance Coverage

Every framework.
One platform.

NCSC/GCHQ
UK Government cryptography standards
NIST SP 800
US post-quantum migration standards
CNSA 2.0
NSA quantum-safe migration for National Security Systems, 2030–35
PCI-DSS v3.2
Payment card cryptography
ISO 27001
Information security management
DORA
EU digital operational resilience
NIS2
EU network & information security
HIPAA
Healthcare data encryption
GDPR
EU data protection controls
SOX
Sarbanes-Oxley compliance
Post-Quantum Readiness

CNSA 2.0 Migration
Timeline

0xRecon maps every cryptographic asset against CNSA 2.0 phases — delivering a precise, risk-weighted roadmap to quantum-resistant infrastructure.

2024–2025
Phase 1
Research and evaluate PQC algorithms. Establish baseline cryptographic inventory.
2026–2030
Phase 2 NOW
Transition to PQC-ready algorithms. Deploy hybrid classical + post-quantum configurations where interoperability requires them; NSA's CNSA 2.0 guidance permits hybrid for compatibility but does not require it, and pure CNSA 2.0 algorithms are the end state.
2030–2035
Phase 3
Complete migration to quantum-resistant algorithms across all systems and services.
2035+
Phase 4
Classical algorithms fully deprecated. Quantum-resistant estate complete.
MOSCA Theorem

When does migration become non-negotiable?

0xRecon applies the MOSCA theorem to every cryptographic asset — calculating when post-quantum migration becomes urgent based on data shelf life, migration effort, and the quantum threat timeline. When X + Y exceeds Z, you must start now.

X + Y > Z
Shelf life + Migration time
exceeds Quantum threat
→ Migrate immediately
Use Cases

Built for regulated sectors.

Government & Defence
NCSC/GCHQ Compliance & DoD CNSA 2.0

Continuous monitoring of classified environments against UK Government cryptography standards. Full CNSA 2.0 migration planning with DoD compliance timelines and cryptographic supply chain visibility.

Financial Services
PCI-DSS, DORA & Regulatory Attestation

Payment processing cryptography standards, risk quantification for board reporting, and signed attestation to compliance frameworks for regulators. Third-party crypto inventory assessment.

Healthcare
HIPAA & Long-Term Data Protection

Data encryption and key management compliance, data shelf life tracking for long-term patient record protection, and PQC readiness planning for healthcare infrastructure audits.

Enterprise Security
M&A Due Diligence & Crypto Modernisation

Pre-acquisition cryptographic inventory, systematic retirement of weak algorithms, control of certificate sprawl, and crypto architecture assessment during cloud migration.

0xRecon

Discover your cryptographic estate.

Find every certificate, key, and cryptographic asset across your hybrid infrastructure — and understand exactly what risk it carries.

0xConductor

Liberate your key operations.

One API. Every backend. Policy-enforced, forensically audited cryptographic operations — without vendor lock-in.

0xVector

Plan your quantum transition.

Structured consultancy combining CARAF risk scoring with MOSCA theorem prioritisation — an executable quantum-safe roadmap, not a generic report.

Station Hex  ·  0xRecon

0xRecon

Cryptographic Asset Intelligence Platform

Enterprise-grade cryptographic risk management and discovery, purpose-built for government, defence, and financial services. Discover every cryptographic asset, assess against policy frameworks, and plan your PQC migration with precision.

PILLAR 1 · AD-HOC DISCOVERY: TLS endpoint scanning · file system discovery · CRL harvest and analysis · protocol analysis · remote collector agent
UNIFIED INVENTORY: deduplicated · enriched · versioned · change detection · fingerprinting · health grade (e.g. A+, 94/100)
PILLAR 2 · MANAGED INTEGRATION: EJBCA / Keyfactor · Microsoft ADCS · Azure Key Vault · Thales Luna HSM · Azure Managed HSM
Downstream: policy assessment · risk scoring · PQC analysis · reporting · SIEM / export
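The inventory step above (fingerprint, de-duplicate across collectors, detect change between scans) written out as an added Python example. This is illustration code, not 0xRecon's implementation: the record layout, the `normalise` and `diff` helpers and the certificate bytes are assumptions constructed for the example (a real collector would supply each certificate's DER encoding), and it runs offline.

```python
"""Asset normalisation: fingerprint, de-duplicate across sources, detect changes.

Added example, not 0xRecon code. Records and "DER" bytes are constructed so it
runs offline; in a real pipeline `der` is the certificate's DER encoding and
`source` is the collector that reported it.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Asset:
    fingerprint: str                               # SHA-256 over DER, aa:bb:... form
    subject: str
    not_after: str
    sources: set = field(default_factory=set)      # every collector that saw it
    locations: set = field(default_factory=set)    # host:port or path where found


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint in the colon-separated form used in the enrichment view."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(raw_records: list[dict]) -> dict[str, Asset]:
    """Merge raw collector records into one asset per certificate.

    The same certificate seen by the TLS scanner and pulled from ADCS has one
    fingerprint, so it becomes one inventory row with two sources.
    """
    inventory: dict[str, Asset] = {}
    for rec in raw_records:
        fp = fingerprint(rec["der"])
        asset = inventory.setdefault(fp, Asset(fp, rec["subject"], rec["not_after"]))
        asset.sources.add(rec["source"])
        asset.locations.add(rec["location"])
    return inventory


def diff(previous: dict[str, Asset], current: dict[str, Asset]) -> dict[str, list[str]]:
    """Change detection between two scans, keyed by fingerprint.

    A renewal appears as an added fingerprint. If the old certificate is still
    found somewhere (a stale copy on disk, say) it is not 'removed' but 'moved',
    which is exactly the lingering copy a reviewer wants flagged.
    """
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    moved = sorted(fp for fp in set(current) & set(previous)
                   if current[fp].locations != previous[fp].locations)
    return {"added": added, "removed": removed, "moved": moved}


# Constructed sample input: these byte strings stand in for DER certificates.
CERT_A = b"\x30\x82\x01\x0a-api.example.gov.uk-2025"
CERT_B = b"\x30\x82\x01\x0a-api.example.gov.uk-2026"   # renewal of CERT_A
CERT_C = b"\x30\x82\x01\x0a-vpn.internal-2027"

SCAN_1 = [
    {"der": CERT_A, "subject": "CN=api.example.gov.uk", "not_after": "2025-03-01",
     "source": "tls_scan", "location": "api.example.gov.uk:443"},
    {"der": CERT_A, "subject": "CN=api.example.gov.uk", "not_after": "2025-03-01",
     "source": "adcs", "location": "adcs://issued/1042"},
    {"der": CERT_C, "subject": "CN=vpn.internal", "not_after": "2027-01-01",
     "source": "tls_scan", "location": "vpn.internal:443"},
]
SCAN_2 = [
    {"der": CERT_B, "subject": "CN=api.example.gov.uk", "not_after": "2026-03-01",
     "source": "tls_scan", "location": "api.example.gov.uk:443"},
    {"der": CERT_A, "subject": "CN=api.example.gov.uk", "not_after": "2025-03-01",
     "source": "file_scan", "location": "/etc/legacy/api.pem"},   # old cert still on disk
    {"der": CERT_C, "subject": "CN=vpn.internal", "not_after": "2027-01-01",
     "source": "tls_scan", "location": "vpn.internal:443"},
]

if __name__ == "__main__":
    inv1, inv2 = normalise(SCAN_1), normalise(SCAN_2)
    print(len(inv1), "assets in scan 1;", len(inv2), "in scan 2")
    for change, fps in diff(inv1, inv2).items():
        print(change, fps)
```

Fingerprinting the DER bytes rather than the subject is what makes de-duplication safe: two certificates with the same CN but different keys are different assets, and the same certificate reported by two collectors is one.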
Discovery Architecture

Dual-Pillar Discovery

Two complementary methodologies delivering both aggressive network-based asset discovery and deep managed-system integration.

Pillar One
Ad-Hoc Discovery

Network-based scanning that discovers cryptographic assets without prior knowledge of the environment.

01
Network TLS Endpoint Scanning
1000+ parallel scans, certificate chain validation, protocol negotiation detection, cipher suite cataloging
02
File System Discovery
Recursive scan for PEM, DER, PKCS#12, PKCS#7 — including embedded certificates in executables
03
CRL Collection & Analysis
Automated retrieval, validity checking, delta CRL support, forensic archiving for compliance audit trails
04
Passive Protocol Analysis
TLSv1.0/1.2/1.3 detection, weak cryptography warnings, SSLv3 deprecation alerts
Pillar Two
Managed Integration

Deep connector-based integration with enterprise PKI and key management platforms for authoritative inventory data.

01
EJBCA / Keyfactor
REST API with multi-tenant SaaS, CA hierarchy traversal, certificate enrollment and renewal orchestration
02
Microsoft ADCS
CA server discovery via LDAP, template enumeration, issued certificate history, enterprise CA visualisation
03
Azure Key Vault
Multi-tenant, service principal auth, key rotation tracking, version history, vault access policy mapping
04
Thales Luna HSM
Partition enumeration, PKCS#11 key object and attribute enumeration (metadata and public material only; private key material is non-extractable and stays in the partition), firmware detection, partition access auditing
Policy Engine

CEL rules.
Any framework.

Every certificate is evaluated against a library of CEL (Common Expression Language) rules before a finding is raised. Rules have full access to certificate fields, business context, and asset metadata — allowing complex conditional logic without custom code.

01
Pre-built framework rules
NCSC, NIST, CNSA 2.0, PCI-DSS, ISO 27001, DORA, NIS2, SOX, HIPAA, GDPR — out of the box.
02
Custom rule authoring
Domain experts define organisation-specific policies using CEL expressions with AND/OR/NOT logic.
03
Policy versioning
Rule changes are tracked. Compliance evolution is auditable — compare posture before and after a policy update.
04
100,000+ certs/hour
Parallel multi-threaded evaluation with context injection and result aggregation by severity and category.
Severity bands: CRITICAL (immediate action) · HIGH (plan within 90 days) · MEDIUM (schedule renewal) · LOW (monitor) · INFORMATIONAL (log only)
Compliance uplifts: CNSA 2.0 +50% · NIS2 +30% · HIPAA +25%
Ten frameworks evaluated in parallel: NCSC · NIST · CNSA 2.0 · PCI-DSS · ISO 27001 · DORA · NIS2 · SOX · HIPAA · GDPR
Asset Enrichment

Beyond the certificate.
Business context included.

Raw cryptographic data alone cannot drive risk decisions. 0xRecon enriches every asset with business context before assessment — so risk scores reflect operational reality, not just algorithm strength.

CRYPTOGRAPHIC PROPERTIES
  Subject: CN=api.example.gov.uk
  Issuer: NCSC Managed PKI CA
  Algorithm: RSA-2048 / SHA-256
  Key size: 2048-bit ⚠ undersized
  Valid to: 2025-03-01 (expired)
  OCSP: stapled · valid
  Chain depth: 3 (root · intermediate · leaf)
  Source: TLS scan · ADCS
  PQC state: vulnerable · Phase 2
  Fingerprint: SHA-256 3a:f1:...
+ BUSINESS CONTEXT
  Criticality: Critical ×2.0
  Exposure: internet-facing ×1.8
  Data class: Restricted ×1.5
  Environment: production
  Business unit: IT Operations
  Owner: infra-team@org
  Compliance: NIS2 · CNSA 2.0
  Geography: UK · EU residency
  Migration path: uncertain
  Dependencies: high (7 upstream)
= RISK OUTPUT: CRITICAL, score 94
  Findings: RSA-2048 below CNSA 2.0 minimum (3072-bit) · certificate expired 2025-03-01, immediate renewal · quantum-vulnerable algorithm, Phase 2 migration
  Remediation: replace certificate · upgrade to RSA-4096 as an interim step (still quantum-vulnerable; the PQC migration stays on the Phase 2 roadmap)
  Estimated effort: 4 hrs · owner: infra-team@org
Risk Engine

Weighted Risk Scoring

Risk scores are not flat severity labels. Every asset is weighted by criticality, network exposure, data classification, and compliance scope — producing a prioritised remediation queue that reflects real operational risk.

Weights: asset criticality (Critical ×2.0 · Important ×1.5) · network exposure (Internet ×1.8 · DMZ ×1.4) · data classification (Restricted ×1.5 · Confidential ×1.3) · compliance scope (CNSA 2.0 +50% · NIS2 +30%)
MOSCA + weighted score engine: X + Y > Z trigger
Priority queue: ① api.example.gov.uk — 94 · ② vpn.internal — 78 · ③ mail.org.uk — 61 · ④ cdn-assets.org — 34 · + N more assets ranked
Health index: C+, 62/100 (down from B- last scan) · effort estimate ~48 hrs to clear critical findings
Outputs: reports + CBOM (PDF · DOCX · HTML) · PQC roadmap (Gantt · phase map)
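An added example, not 0xRecon code, that raises findings for the enriched-asset example above, applies the multipliers and compliance uplifts from this panel, and returns the ranked remediation queue. The per-finding severity weights, the CNSA 2.0 checks used to raise findings, additive uplifts, rounding with a 100-point cap, and the three sample assets are all assumptions made for the example, so the scores differ from the 94 shown on the page.

```python
"""Weighted risk scoring over enriched assets.

Added example, not 0xRecon code. The multipliers and compliance uplifts are
the ones shown in the Risk Engine panel; the severity weights, the CNSA 2.0
checks, the 100-point cap and the sample estate are assumptions.
"""
from datetime import date

MULTIPLIERS = {
    "criticality": {"Critical": 2.0, "Important": 1.5},
    "exposure": {"Internet": 1.8, "DMZ": 1.4},
    "data_class": {"Restricted": 1.5, "Confidential": 1.3},
}
COMPLIANCE_UPLIFT = {"CNSA 2.0": 0.50, "NIS2": 0.30, "HIPAA": 0.25}   # additive (assumed)
SEVERITY_WEIGHT = {"critical": 5, "high": 3, "medium": 1, "low": 0.5}  # assumed

# CNSA 2.0 classical minimums for the transition period.
RSA_MIN_BITS = 3072
EC_ALLOWED_CURVES = {"P-384"}
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "EdDSA"}   # all broken by Shor's algorithm

TODAY = date(2026, 3, 14)   # assumed assessment date


def findings_for(asset: dict, today: date = TODAY) -> list[tuple[str, str]]:
    """Return (severity, title) pairs for one asset."""
    out = []
    alg, bits = asset["algorithm"], asset.get("key_bits")
    if date.fromisoformat(asset["not_after"]) < today:
        out.append(("critical", f"Certificate expired {asset['not_after']}"))
    if asset["hash"] == "SHA-1":
        out.append(("critical", "SHA-1 signature hash"))
    if alg == "RSA" and bits < RSA_MIN_BITS:
        out.append(("high", f"RSA-{bits} below CNSA 2.0 minimum ({RSA_MIN_BITS}-bit)"))
    if alg == "ECDSA" and asset["curve"] not in EC_ALLOWED_CURVES:
        out.append(("high", f"ECDSA {asset['curve']} below CNSA 2.0 minimum (P-384)"))
    if alg in QUANTUM_VULNERABLE:
        out.append(("medium", f"Quantum-vulnerable algorithm ({alg}); PQC migration required"))
    return out


def weighted_score(findings: list[tuple[str, str]], context: dict) -> int:
    """Sum severity weights, multiply by every business-context factor present,
    then apply the compliance uplift. Missing context dimensions count as x1.0."""
    base = sum(SEVERITY_WEIGHT[sev] for sev, _ in findings)
    factor = 1.0
    for dim, table in MULTIPLIERS.items():
        factor *= table.get(context.get(dim), 1.0)
    uplift = 1.0 + sum(COMPLIANCE_UPLIFT.get(fw, 0.0) for fw in context.get("compliance", []))
    return min(100, round(base * factor * uplift))


def priority_queue(assets: list[dict], today: date = TODAY) -> list[tuple[int, str, list]]:
    """Highest weighted score first: the remediation queue."""
    ranked = []
    for a in assets:
        f = findings_for(a, today)
        ranked.append((weighted_score(f, a["context"]), a["name"], f))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed sample estate (the first row mirrors the enrichment example above).
ASSETS = [
    {"name": "api.example.gov.uk", "algorithm": "RSA", "key_bits": 2048, "hash": "SHA-256",
     "not_after": "2025-03-01",
     "context": {"criticality": "Critical", "exposure": "Internet", "data_class": "Restricted",
                 "compliance": ["NIS2", "CNSA 2.0"]}},
    {"name": "vpn.internal", "algorithm": "ECDSA", "curve": "P-256", "hash": "SHA-256",
     "not_after": "2027-06-30",
     "context": {"criticality": "Important", "exposure": "DMZ", "data_class": "Confidential",
                 "compliance": ["NIS2"]}},
    {"name": "cdn-assets.org", "algorithm": "RSA", "key_bits": 4096, "hash": "SHA-256",
     "not_after": "2027-06-30",
     "context": {"exposure": "Internet", "compliance": []}},
]

if __name__ == "__main__":
    for score, name, f in priority_queue(ASSETS):
        print(f"{score:3d}  {name}")
        for sev, title in f:
            print(f"       [{sev}] {title}")
```

With these weights the expired, undersized, internet-facing government certificate lands at 87 and the internal P-256 VPN certificate at 14; the cap matters because a critical, internet-facing, restricted asset with several findings multiplies past 100 quickly, so the cap is what keeps the queue readable rather than a statement that risk stops there.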
Distributed Scanning

No network
left behind.

Remote collector agents deploy directly into customer infrastructure — including air-gapped and classified networks. Policy evaluation runs locally on the agent. Only normalised findings travel over mTLS to the central dashboard.

CENTRAL DASHBOARD: unified inventory · policy management · reporting · RBAC · mTLS on port 5444
INTERNET-FACING collector: TLS endpoint scanning (1000+ parallel hosts) · CRL harvesting
INTERNAL NETWORK collector: ADCS · Luna HSM · file system scan · Azure Key Vault
AIR-GAPPED / ISOLATED collector: offline policy evaluation · delta sync · no internet required
CLOUD / SAAS (REST API connector): EJBCA / Keyfactor · Azure Key Vault · CA hierarchy sync
DMZ collector: perimeter TLS scan · cipher suite audit
All collectors: mTLS · delta sync · port 5444
Engagement Lifecycle

From scope
to attestation.

0xRecon structures discovery work as a managed engagement — with scoping, finding review, remediation tracking, and signed deliverables at every stage. Built for professional services delivery and internal audit preparation alike.

01 · SCOPE: objectives · frameworks and compliance in scope · engagement record
02 · DISCOVER: dual-pillar scan · enrich and deduplicate · unified inventory
03 · ASSESS: CEL policy evaluation · risk scoring and grading · findings by severity
04 · REPORT: PDF · DOCX · HTML · CycloneDX CBOM · RSA-PSS signed
05 · REMEDIATE: finding review portal · ROI and effort tracking · progress dashboard
06 · ATTEST: compliance attestation · signed audit evidence · regulator-ready
Complete audit trail · all operations timestamped and attributed · immutable logs
Algorithm Coverage

Every key type.
Every vulnerability.

0xRecon detects, catalogues, and assesses the full spectrum of key material found in enterprise infrastructure — from legacy RSA through to quantum-vulnerable ECDSA and emerging PQC algorithms — against CNSA 2.0 compliance requirements.

// CNSA 2.0 minimums
Classical (carried over from CNSA 1.0 for the transition period): RSA 3072-bit minimum · ECDSA/ECDH P-384 · AES-256 · SHA-384
Quantum-resistant (required by CNSA 2.0): ML-KEM-1024 (FIPS 203) · ML-DSA-87 (FIPS 204) · LMS / XMSS for software and firmware signing
Target dates: software and firmware signing and networking equipment exclusively CNSA 2.0 by 2030; web, cloud and operating systems by 2033; full transition by 2035

Algorithm | Coverage | Quantum risk | CNSA 2.0
RSA | 2048 → 4096-bit | High (Shor) | ≥3072-bit during transition, then phase out
ECDSA | P-256, P-384, P-521 | High (Shor) | P-384 only during transition, then phase out
EdDSA | Ed25519, Ed448 | High (Shor; elliptic-curve, same exposure as ECDSA) | Not CNSA-approved
AES | 128, 192, 256-bit | Low (Grover halves effective key length) | 256-bit ✓
SHA | SHA-1, 256, 384, 512 | SHA-1 critical (classically broken) | ≥SHA-384
PQC | ML-KEM, ML-DSA, SLH-DSA | Resistant | ML-KEM-1024 / ML-DSA-87 ✓ (SLH-DSA is FIPS 205 but not a CNSA 2.0 algorithm)
Performance & Deployment

Enterprise scale.
Any environment.

1000+
TLS Endpoints
in Parallel
10K+
Certificates
Parsed / Min
100K+
Policy Assessments
per Hour
<30s
PDF Report
10K-Asset Estate
On-Premises

Single-server or multi-server with load balancing. Docker + Gunicorn + nginx. Systemd service management. Air-gap compatible.

Cloud

AWS AMI and Azure VM images available. Optional managed database integration. Auto-scaling and multi-region support.

Hybrid

Central dashboard in cloud or on-prem. Unlimited remote collectors in isolated networks. Delta sync minimises bandwidth overhead.

Outputs

Every format.
Every audience.

Every report is digitally signed with RSA-PSS-SHA256 and delivered with per-recipient AES-256-GCM encryption. Machine-readable outputs flow directly into CMDB and SIEM tooling.

0xRecon assessment engine outputs:
PDF · DOCX (signed, encrypted) → board / C-suite · auditors · regulators
CycloneDX CBOM (JSON, 1.6+ spec) → CMDB · SBOM tooling · security architects
HTML · SIEM · API (webhook, tickets) → analysts · SOC teams · Splunk · ELK · JIRA

Start with a discovery engagement.

Find out what is hidden in your cryptographic infrastructure before regulators or adversaries do.

Station Hex  ·  0xConductor

0xConductor

Cryptographic Orchestration Service

A unified REST API for cryptographic operations across multiple backends — without vendor lock-in. Enforce policy-driven access control and maintain forensic-grade audit trails across SoftHSM, AWS KMS, Azure Key Vault, and on-premise HSMs.

CLIENT (HTTP + API key) → RATE LIMIT (429) → POLICY ENGINE (classify · evaluate · route; 403 Forbidden on deny) → CRYPTO (sign / encrypt / decrypt) → AUDIT LOG → 200 OK with result
BACKEND HSMs: SoftHSM · AWS KMS · Azure Key Vault · PKCS#11 · GCP 🔜
Key material never leaves the HSM boundary
API Operations

Seven operations.
One endpoint surface.

Every cryptographic operation your applications need — exposed through a single, consistent REST API regardless of which backend HSM is performing the work.

POST /v1/keys
Key Generation

Generate keys on any backend with classification tagging, labels, and automatic lifecycle registration.

AES-256-GCM · EC-P256/P384 · RSA-2048/4096
POST /v1/encrypt
Encrypt

Authenticated symmetric encryption or asymmetric encryption. Plaintext in, ciphertext out — key stays in HSM.

AES-256-GCM · RSA-OAEP
POST /v1/decrypt
Decrypt

Symmetric or asymmetric decryption. Ciphertext in, plaintext out. Policy evaluated before operation executes.

AES-256-GCM · RSA-OAEP
POST /v1/sign
Sign

Digital signature generation over arbitrary data. Private key never leaves the HSM — only the signature is returned.

EC-P256 · EC-P384
POST /v1/verify
Verify

Signature verification with automatic tamper detection. Returns {"valid": true} or denial with reason.

EC-P256 · EC-P384
POST /v1/wrap
Key Wrap

Wrap key material for secure transport between systems or backends. Used in key migration workflows.

AES-256-WRAP
POST /v1/unwrap
Key Unwrap

Import wrapped key material into a target HSM. Completes the secure key transport cycle.

AES-256-WRAP
DELETE /v1/keys/{id}
Key Delete

Secure key removal from the backend. Full deletion logged to audit trail with requestor attribution.

All backends
Multi-Backend Support

Your backend.
Our abstraction.

A single API surface across all major cryptographic backends. Migrate keys between providers without changing a line of application code.

Backend | Type | AES-256-GCM · EC-P256/P384 · RSA-2048/4096 · key wrap | Status
SoftHSM 2 | Software PKCS#11 | ✓ | MVP
AWS KMS | Cloud HSM service | ✓ | MVP
Azure Key Vault | Cloud key management | ✓ | MVP
Generic PKCS#11 | Any HSM device | ✓ | MVP
GCP Cloud KMS | Google Cloud HSM | 🔜 | v1.2
HashiCorp Vault | Secrets management | 🔜 | v1.2
Key Migration

Zero-downtime migration.
Between any backends.

Move cryptographic keys between backends without interrupting service. Dual-approval enforcement for sensitive classifications. Every migration permanently recorded in the key location history.

States: PENDING (request submitted) → PENDING APPROVAL (dual approval required for SECRET / OFFICIAL-SENSITIVE; none needed for UNCLASSIFIED / OFFICIAL) → IN PROGRESS (transfer underway) → VERIFYING (test on target backend) → COMPLETE (registry updated) · FAILED → ROLLED BACK
Key location history (permanent record): SoftHSM → 2025-01-10 · AWS KMS → 2025-06-01 · Azure KV → 2026-03-14
Audit Trail

Every operation logged.
Immutably.

Append-only JSONL + SQLite. Every operation records who, what key, which backend, which algorithm, the outcome, and the matched policy rule — or the denial reason. Native Splunk and ELK SIEM integration.

Audit entry (JSONL, append-only):
{"timestamp": "2026-03-14T09:41:22Z", "request_id": "uuid4-a3f2-...", "operation": "sign", "key_id": "payments-signing-key", "requestor": "payments-service", "backend": "aws_kms", "algorithm": "EC-P256", "classification": "OFFICIAL", "outcome": "success", "matched_rule": "allow-official-cloud", "denial_reason": null}
denial_reason is populated when outcome = denied.
Query: GET /v1/admin/audit?operation=sign&outcome=denied&limit=100
SIEM Integration
Splunk
Forward JSONL directly to Splunk collectors
Native
ELK Stack
Syslog handler for Elasticsearch ingestion
Native
Syslog
Optional syslog server for centralised aggregation
Native
// Queryable via REST
All operations by a user
All operations on a specific key
All denied operations (security posture)
All ops by classification level
All failures and error events
Security Model

Defence in depth.
Seven layers.

Key material never leaves the HSM boundary. Every other layer adds an independent control — so compromise of one does not compromise the system.

07 · AUTHENTICATION: API key (X-API-Key) · mTLS client certificates in v1.1. Protects identity.
06 · AUTHORISATION: YAML policy engine · classification-aware · first match wins. Protects access.
05 · RATE LIMITING: per-requestor thresholds · 429 Too Many Requests · 10 MB max body. Protects availability.
04 · TLS TRANSPORT: all backend communications over TLS · no plaintext key material in transit. Protects transit.
03 · REQUEST TRACING: X-Request-ID correlation header · end-to-end tracing · linked in audit. Protects forensics.
02 · IMMUTABLE AUDIT: append-only JSONL · all outcomes recorded · cannot be modified. Protects evidence.
01 · KEY MATERIAL ISOLATION: never leaves the HSM · the API returns results only.
Policy Engine

Classification-aware
access control.

YAML-based rules enforce data classification before any cryptographic operation. SECRET data stays on-premise. Policy evaluated on every single request — no exceptions.

Unclassified
ALLOW
Fail-open · Public information
Official
ALLOW
General government/business use
Official-Sensitive
DENY
Fail-closed · Policy required
Secret
DENY
On-premise HSM only
Rules evaluated top-to-bottom, first match wins: Rule 1 → Rule 2 → … → Rule N
DENY → 403 immediately · ALLOW → proceed · no match → SECRET / OFFICIAL-SENSITIVE deny, OFFICIAL / UNCLASSIFIED allow
Context available in every rule expression: operation · requestor · algorithm · classification · backend · key_id
# Deny SECRET on cloud backends
- rule_id: "deny-secret-cloud"
  metadata:
    name: "SECRET on cloud backends"
  condition:
    type: expression
    expression: "classification in ['SECRET'] and backend in ['aws_kms', 'azure_keyvault']"
  findings:
    if_triggered:
      severity: critical
      title: "{classification} not allowed on {backend}"
      remediation: "Use on-prem HSM"
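An added example, not 0xConductor code, showing first-match-wins evaluation of rules in the shape of the YAML above, the classification default when nothing matches, and the append-only JSONL audit record with matched_rule / denial_reason as described in the Audit Trail section. The `effect` field on each rule, the two allow rules, the expression evaluator and the sample requests are assumptions. Rule expressions are parsed with Python's `ast` module and only comparisons, boolean operators, `not`, names, string literals and lists are accepted, so a rule file cannot execute arbitrary code the way a bare `eval()` would.

```python
"""First-match-wins policy evaluation with an append-only JSONL audit record.

Added example, not 0xConductor code. Rule shape follows the YAML rule on this
page (plus an assumed `effect` field); audit fields follow the audit entry
shown earlier. The evaluator, default rules and sample requests are assumed.
"""
import ast
import json
import operator
import uuid
from datetime import datetime, timezone
from pathlib import Path

_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne,
        ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}


def _eval(node, ctx):
    """Evaluate a deliberately tiny subset of Python expression syntax."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.BoolOp):
        vals = (_eval(v, ctx) for v in node.values)       # all()/any() short-circuit
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, ctx)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
        return _CMP[type(node.ops[0])](_eval(node.left, ctx), _eval(node.comparators[0], ctx))
    if isinstance(node, ast.Name):
        if node.id not in ctx:
            raise ValueError(f"unknown context field: {node.id}")
        return ctx[node.id]
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, (ast.List, ast.Tuple)):
        return [_eval(e, ctx) for e in node.elts]
    raise ValueError(f"unsupported syntax in rule: {type(node).__name__}")   # calls, attributes, etc.


def matches(expression: str, ctx: dict) -> bool:
    return bool(_eval(ast.parse(expression, mode="eval"), ctx))


# Rules in evaluation order; `effect` is assumed for this example.
RULES = [
    {"rule_id": "deny-secret-cloud", "effect": "deny",
     "expression": "classification in ['SECRET'] and backend in ['aws_kms', 'azure_keyvault']",
     "remediation": "Use on-prem HSM"},
    {"rule_id": "allow-official-cloud", "effect": "allow",
     "expression": "classification in ['OFFICIAL', 'UNCLASSIFIED'] and backend in ['aws_kms', 'azure_keyvault', 'softhsm', 'pkcs11']"},
    {"rule_id": "allow-onprem-any", "effect": "allow",
     "expression": "backend in ['softhsm', 'pkcs11']"},
]


def evaluate(request: dict) -> dict:
    """Top-to-bottom, first match wins; no match falls through to the page's
    classification default (SECRET / OFFICIAL-SENSITIVE deny, others allow)."""
    for rule in RULES:
        if matches(rule["expression"], request):
            if rule["effect"] == "allow":
                return {"outcome": "success", "matched_rule": rule["rule_id"], "denial_reason": None}
            return {"outcome": "denied", "matched_rule": rule["rule_id"],
                    "denial_reason": rule.get("remediation", "denied by policy")}
    if request["classification"] in ("SECRET", "OFFICIAL-SENSITIVE"):
        return {"outcome": "denied", "matched_rule": None,
                "denial_reason": "fail-closed: no rule matched for classification"}
    return {"outcome": "success", "matched_rule": None, "denial_reason": None}


def audit(request: dict, decision: dict, log_path: Path) -> dict:
    """Append one JSONL line per request, allowed or denied, and return it."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "request_id": request.get("request_id") or str(uuid.uuid4()),
             **{k: request[k] for k in ("operation", "key_id", "requestor", "backend",
                                        "algorithm", "classification")},
             **decision}
    with log_path.open("a", encoding="utf-8") as fh:   # append mode only; never truncated
        fh.write(json.dumps(entry) + "\n")
    return entry


def denied_ops(log_path: Path, operation: str) -> list[dict]:
    """Equivalent of GET /v1/admin/audit?operation=<op>&outcome=denied."""
    with log_path.open(encoding="utf-8") as fh:
        rows = [json.loads(line) for line in fh if line.strip()]
    return [r for r in rows if r["operation"] == operation and r["outcome"] == "denied"]


# Constructed requests.
SIGN_OFFICIAL = {"operation": "sign", "key_id": "payments-signing-key", "requestor": "payments-service",
                 "backend": "aws_kms", "algorithm": "EC-P256", "classification": "OFFICIAL"}
SIGN_SECRET_CLOUD = dict(SIGN_OFFICIAL, key_id="hmg-secret-key", classification="SECRET")
SIGN_SECRET_ONPREM = dict(SIGN_SECRET_CLOUD, backend="pkcs11")


def run_demo(log_file: str = "audit.jsonl") -> int:
    """Evaluate and audit the three sample requests; return how many of this
    run's sign operations were denied (the denied-ops query filtered to this run)."""
    log = Path(log_file)
    ids = {audit(r, evaluate(r), log)["request_id"]
           for r in (SIGN_OFFICIAL, SIGN_SECRET_CLOUD, SIGN_SECRET_ONPREM)}
    return sum(1 for row in denied_ops(log, "sign") if row["request_id"] in ids)


if __name__ == "__main__":
    print(run_demo(), "denied sign operation(s) written to audit.jsonl")
```

The OFFICIAL request on AWS KMS matches allow-official-cloud, exactly the matched_rule in the audit entry shown earlier; the SECRET request on AWS KMS is stopped by the first rule and its remediation text becomes the denial_reason; the same SECRET key on a PKCS#11 HSM is allowed by the on-prem rule. An OFFICIAL-SENSITIVE request on an unknown backend matches nothing and is denied by the fail-closed default.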
// Key Migration Approval Flow
Request migration with reason and target backend
Dual approval required for SECRET / OFFICIAL-SENSITIVE
Verify key functionality on target backend
Update registry — maintain full location history
Roadmap

What is coming next.

v1.0 — Current
Production Ready

Multi-backend abstraction, policy engine, audit logging, SIEM integration, key migration workflows, API key auth.

v1.1 — Q2 2026
PQC & mTLS

Post-quantum algorithms (ML-KEM-768, ML-DSA-65), mTLS client certificate authentication, key rotation automation.

v1.2 — Q3 2026
Extended Backends

GCP Cloud KMS, HashiCorp Vault, and HSM fleet management for organisations operating at scale.

v2.0 — Q4 2026
Multi-Tenant SaaS

Namespace isolation for MSPs, advanced RBAC, and a fully managed SaaS deployment model.

Liberate your cryptographic operations.

Deploy 0xConductor and eliminate cryptographic vendor lock-in for good.

Station Hex  ·  0xVector

0xVector

PQC Transition Consultancy

A structured advisory and assessment service helping organisations plan, evaluate, and execute migration from classical cryptographic algorithms to quantum-safe alternatives. Combining the CARAF risk framework with an 11-step ETSI-aligned transition process — evidence-based, operational, and executable.

MOSCA theorem: X + Y > Z ⇒ migrate now
Timeline: today → 2028 (NCSC: discovery complete, initial plan) → 2031 (NCSC: highest-priority migration complete) → 2035 (NCSC: all assets migrated)
X, data shelf life: how long protection is needed
Y, migration time: standards · vendors · certificates · rollout
Z, threat timeline: the assumed CRQC date, agreed with the client at engagement. NCSC's 2031 date is a migration milestone for critical assets, not a forecast of when a CRQC exists
Priority P = Z − (X + Y): negative P → migrate immediately · lower P → higher priority · adjusted for impact and classification
PQC maturity scale: L0 unaware · L1 no plan · L2 assessed · L3 roadmap · L4 migrating (0xVector engagement output)
The Quantum Threat

Your encrypted data
is already at risk.

Adversaries are intercepting and stockpiling encrypted data today — to decrypt it once a Cryptographically Relevant Quantum Computer exists. This is known as "harvest now, decrypt later." The threat is not future. The window to act is now.

TODAY: data encrypted and transmitted; classical cryptography still holds
INTERCEPTED AND STORED: adversary harvests ciphertext now; encrypted traffic stored at scale
CRQC ARRIVES (planning assumption ~2031): a quantum computer breaks RSA / ECDSA. NCSC's 2031 milestone is for completing migration of the highest-priority assets, not a CRQC forecast; the date used for Z is an assumption
DECRYPTED: all stored data exposed. Data with a 10+ year shelf life (classified · healthcare · financial · legal) is already at risk
Complex organisations need 3–5 years to migrate; waiting until a CRQC is imminent will be too late. NCSC: goals and initial plans by 2028. That window is now
Assessment Methodology

Top-down. Function-first.
Dependency-aware.

Rather than enumerating every cryptographic primitive, 0xVector identifies high-level security-enforcing functions first. Each is then decomposed to expose constituent assets and dependencies — revealing architectural risks invisible at the algorithm level.

LAYER 1 · SECURITY-ENFORCING FUNCTIONS: secure boot · code signing · secure comms · PKI management · authentication · data encryption
LAYER 2 · CONSTITUENT CRYPTOGRAPHIC ASSETS: hash SHA-256 / SHA-384 · signatures RSA-4096 / ML-DSA · signatures ECDSA-P384 · KMS: HSM / TPM · TLS 1.3 / IPsec / SSH · KEM: RSA / ML-KEM · CA chain root / intermediate / leaf · CRL / OCSP lifecycle · OIDC / SAML tokens · certificate-based mTLS auth · AES-256-GCM at rest · HNDL exposure scoring
CARAF risk scoring + MOSCA prioritisation: quantum vulnerability · likelihood · impact → risk score → urgency rank
Core Outcomes

Five deliverables.
One executable plan.

Every 0xVector engagement produces five defined documents, each written for a specific audience — from board risk exposure to engineering implementation procedures.

0xVector engagement output:
Assessment Report → C-suite · board · governance
Asset Inventory → security architects · engineers
Migration Strategy → technical leads · architects
Quantum-Safe Roadmap → programme · budget holders
Execution Blueprint → delivery teams · PM · governance
01
Comprehensive Risk Assessment
CARAF methodology applied to every in-scope cryptographic asset — quantified risk scores, confidence intervals, vulnerability characterisation, and MOSCA urgency ranking.
02
Quantum-Safe Roadmap
Prioritised, phased migration plan with realistic timelines, resource estimates, and dependency-aware sequencing aligned to NCSC 2028/2031/2035 milestones.
03
Technical Solution Architecture
Specific algorithm recommendations (ML-DSA, SLH-DSA, ML-KEM) with performance impact analysis and migration approach per asset — pure, parallel, or backwards-compatible.
04
Operational Transition Plan
Supply chain dependencies, certification constraints, vendor timelines, and budget realities incorporated into an implementation blueprint with RACI.
05
Governance Framework
Policies, accountability structures, monitoring approach, and decision framework for ongoing implementation and future crypto agility.
CARAF Risk Scoring

Quantified risk scores.
Not generic heatmaps.

The Crypto Agility Risk Assessment Framework combines quantum vulnerability class, likelihood of exploitation, and impact of compromise into a defensible, ranked priority score — calibrated per asset, not per organisation-type.

CARAF risk matrix: likelihood of exploitation (low → high) against impact of compromise (low → critical). Example assets plotted: internet-facing TLS · root CA certificate · HNDL-exposed data · internal PKI · code signing · secure boot · firmware signatures · ephemeral auth · test certificates
CARAF Scoring Dimensions
Quantum Vulnerability Class
Direct (Shor's — RSA/ECDSA) · Indirect (Grover's — symmetric) · Resistant
Likelihood of Adversary Exploitation
Internet exposure · adversary capability · sensitivity profile
Impact of Compromise
Data shelf life · classification · downstream trust dependencies
MOSCA Urgency Overlay
P = Z − (X + Y) · Negative P → immediate · adjusts for impact weight
// EXAMPLE OUTPUT
Asset: api.payments.corp TLS cert
Vuln: RSA-2048 → DIRECT (Shor's)
Likelihood: Internet-facing → High
Impact: PCI-DSS · payment data → Critical
MOSCA P: −2 years → MIGRATE NOW
Risk Methodology

CARAF + MOSCA.
Evidence over opinion.

0xVector applies the Crypto Agility Risk Assessment Framework alongside Mosca's Theorem to produce defensible, quantified risk scores — not generic heatmaps. Every recommendation is grounded in evidence gathered from your actual infrastructure.

// Mosca's Theorem
X + Y > Z
X — How long must data stay protected after migration
Y — Total migration time: standards, vendors, redesign, certification
Z — When a CRQC is expected to be available. This is an estimate agreed at engagement, not a published date; NCSC's 2031 milestone is for completing migration of the highest-priority assets (2035 for everything else), not a forecast of when a CRQC exists
When X + Y exceeds Z, migration is no longer optional. 0xVector calculates this for every asset in scope — giving you a ranked, evidence-based priority queue rather than a generic risk heatmap.
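Mosca's inequality carried through per asset as an added example (illustration, not 0xVector's method or code). X, Y and Z are the page's quantities and P = Z − (X + Y) is the priority from the overlay described above; the CRQC year of 2031, the assessment year, the impact weights and the sample assets are assumptions. AES data at rest is excluded from the ranking because Grover's algorithm only halves effective key length and sets no migration deadline for AES-256.

```python
"""Mosca's theorem as a per-asset priority: P = Z - (X + Y).

Added example, not 0xVector code. X, Y, Z follow the definitions on this page;
CRQC_YEAR, NOW_YEAR, IMPACT_WEIGHT and the sample assets are assumptions.
"""
from dataclasses import dataclass

CRQC_YEAR = 2031   # assumed Z reference point; replace with your own threat estimate
NOW_YEAR = 2026    # assumed assessment year

IMPACT_WEIGHT = {"Critical": 2.0, "High": 1.5, "Medium": 1.0, "Low": 0.5}   # assumed


@dataclass
class Asset:
    name: str
    shelf_life_years: float      # X: how long data must stay protected after migration
    migration_years: float       # Y: standards, vendors, redesign, certification, rollout
    impact: str                  # CARAF impact of compromise
    quantum_vulnerable: bool = True   # False for symmetric/hash assets (Grover only)


def mosca_margin(asset: Asset, crqc_year: int = CRQC_YEAR, now: int = NOW_YEAR) -> float:
    """P = Z - (X + Y) in years. Negative means migration is already late."""
    z = crqc_year - now
    return z - (asset.shelf_life_years + asset.migration_years)


def urgency(asset: Asset, crqc_year: int = CRQC_YEAR, now: int = NOW_YEAR) -> float:
    """Impact-adjusted P; lower sorts first. The weight pulls high-impact assets
    forward without flipping the sign, so a negative P stays negative."""
    p = mosca_margin(asset, crqc_year, now)
    w = IMPACT_WEIGHT[asset.impact]
    return p * w if p < 0 else p / w


def rank(assets: list[Asset], crqc_year: int = CRQC_YEAR, now: int = NOW_YEAR):
    """Return (urgency, name, P, verdict) rows, most urgent first."""
    rows = []
    for a in assets:
        if not a.quantum_vulnerable:
            continue
        p = mosca_margin(a, crqc_year, now)
        verdict = "MIGRATE NOW" if p < 0 else ("SCHEDULE" if p < 2 else "MONITOR")
        rows.append((urgency(a, crqc_year, now), a.name, p, verdict))
    return sorted(rows)


# Constructed sample assets; the first one mirrors the example output above.
ASSETS = [
    Asset("api.payments.corp TLS cert", shelf_life_years=5, migration_years=2, impact="Critical"),
    Asset("Root CA (offline)", 10, 4, "Critical"),
    Asset("Ephemeral session auth tokens", 0.1, 1, "Low"),
    Asset("Firmware signing key (fielded devices)", 15, 5, "High"),
    Asset("Internal test certs", 0, 0.5, "Low"),
    Asset("AES-256 data-at-rest", 10, 1, "High", quantum_vulnerable=False),
]

if __name__ == "__main__":
    for u, name, p, verdict in rank(ASSETS):
        print(f"{u:7.1f}  P={p:+.1f}y  {verdict:12s} {name}")
```

With Z = 5 years the payments certificate has P = 5 − (5 + 2) = −2, the same "−2 years, migrate now" as the example output above; the fielded firmware signing key (15-year shelf life, 5-year rollout) and the offline root CA sort ahead of it because their P is far more negative, while short-lived session tokens and test certificates sit in the monitor band.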
Engagement Variants

Right-sized for
your organisation.

Product Focused
Manufactured products & systems
Hardware constraints, supply chain, long lifecycle intersection with quantum timelines. Defence, aerospace, telecoms.
Enterprise Focused
Complex infrastructure estates
Cross-departmental coordination, phased rollout, business continuity. CISOs, enterprise architects, IT directors.
Critical Infrastructure
CNI operators & regulated sectors
Certification pathways, compliance timelines, government alignment. Energy, transport, water, telecoms.
Migration Strategies

Three approaches.
One per asset.

0xVector selects the migration strategy per asset based on its constraints — not a single approach for the whole estate. Dependency conflicts between assets are resolved before the roadmap is finalised.

Strategy 01
Pure Migration
RSA-2048 → ML-DSA: direct cutover, no legacy

Direct replacement of the vulnerable algorithm. Simplest operationally; requires all endpoints to support the new algorithm simultaneously.

Best for: ephemeral authentication · internal services · controlled deployments
Strategy 02
Parallel Operation
RSA-2048 ∥ ML-DSA: new service alongside legacy, legacy maintained, gradual cutover

Legacy and new algorithm run simultaneously during transition. Higher operational cost but enables phased migration without service interruption.

Best for: PKI hierarchies · mixed-client environments · phased enterprise rollouts
Strategy 03
Hybrid / Backwards-Compatible
RSA-2048 + ML-KEM / ML-DSA: classical and PQC combined (hybrid key exchange, or a classical signature alongside a PQC one) with classical fallback · ANSSI mandated

Classical and PQC algorithms combined in a single operation — protects against both classical and quantum attack during transition. Mandated by ANSSI; NCSC cautions for PKI use cases.

Best for: cross-org protocols · ANSSI-regulated deployments · high-assurance applications
Assessment Scope

Beyond certificates.
The full cryptographic estate.

0xVector scopes across every cryptographic function in the product or infrastructure — not just TLS and certificates. Scope is agreed at engagement and documented in the Plan of Action.

01
Algorithms & Protocols

Symmetric, asymmetric, and hash functions. TLS, IPsec, SSH, and proprietary protocol configurations.

02
PKI & Certificates

CA hierarchies, certificate lifecycle, key storage, distribution mechanisms, and revocation infrastructure.

03
HSM & KMS

Hardware security modules, key management systems, CA platforms, and cryptographic service provisioning.

04
Secure Boot & Firmware

Boot chains, hardware roots of trust, TPM/eFuse configurations, firmware signing and update mechanisms.

05
Code Signing

Software distribution security, update signing pipelines, binary integrity verification, and supply chain cryptography.

06
Authentication & Access

Certificate-based mTLS, OIDC/SAML token signing, access control mechanisms, and identity cryptography.

07
Encrypted Data Storage

Data at rest encryption, transmission security, and harvest-now-decrypt-later exposure assessment for long-lived data.

+
Third-Party Dependencies

Vendor PQC roadmap assessment, supply chain cryptographic dependency mapping, and external interoperability constraints.

Regulatory Coverage

Multi-jurisdiction.
Divergence resolved.

Five major national authorities have issued PQC migration guidance — with meaningful differences on hybrid mandates, algorithm selection, and timelines. 0xVector maps your estate against all of them and sequences migration to satisfy all simultaneously.

Requirement               NCSC           NIST      ANSSI     ASD          BSI
Standards finalised       ✓ 2024         ✓ 2024    Partial   ✓ 2024       ✓ 2024
Hybrid mandate            Caution (PKI)  Optional  Required  Recommended  Recommended
Planning deadline         2028
Critical assets deadline  2031           Active    Active    Active       Active
All assets deadline       2035           TBC       TBC       TBC          TBC

Jurisdiction conflict risk: ANSSI hybrid mandate vs NCSC PKI caution — 0xVector identifies and resolves per asset.
Deliverable Suite

Every engagement
ships five documents.

Five deliverables, each written for its specific audience — from board risk exposure to delivery team execution procedures. Two-stage quality gate: peer review plus Head Consultant sign-off before release.

30–50 pages
C-suite · Board
Assessment Report

Quantum risk exposure overview · CARAF risk scores · PQC Readiness Maturity Score · regulatory compliance gap analysis · investment ranges.

20–30 pages
Architects · Engineers
Asset Inventory

Complete asset catalogue · implementation, trust & external dependency mapping · tooling validation reconciliation · vulnerability heat map.

40–60 pages
Tech leads · Architects
Migration Strategy

Algorithm recommendations per asset · pure/parallel/hybrid strategy selection · vendor engagement plan · crypto agility guidance.

25–40 pages
Programme · Budget
Quantum-Safe Roadmap

Phased plan · milestones & gate criteria · resource & budget estimates · dependency conflict resolution · NCSC 2028/2031/2035 alignment.

20–30 pages
Delivery · PM · Governance
Execution Blueprint

Implementation procedures per phase · governance framework · milestone criteria · monitoring approach · RACI for migration execution.

Add-on
Optional modules
Modular Add-Ons

Crypto Agility Review · PKI Migration Strategy · Regulatory Divergence Analysis · Executive Briefing · Algorithm Deep Dive · 0xRecon Integration.

Start your PQC transition now.

The NCSC deadline is 2031 for critical assets. Most organisations need three to five years to execute. Request an engagement today.

About Station Hex

The quantum threat
is not hypothetical.

We build enterprise cryptographic intelligence and operations platforms for organisations that cannot afford to fail. The CNSA 2.0 deadline is 2035. Most organisations do not know where their cryptographic assets are today.

Mission

Cryptographic confidence
for regulated industries.

The transition to post-quantum cryptography is the most significant cryptographic challenge of our generation. Station Hex builds the platforms that let security teams move from cryptographic chaos to cryptographic confidence.

Our products are built by practitioners who understand the operational realities of classified environments, regulated financial infrastructure, and enterprise PKI at scale.

Principle 01
Security by Design

AES-256-GCM at rest, mTLS in transit, immutable audit logs, and FIPS 140-2 validated backends. Security is not a feature — it is the foundation.

Principle 02
Regulatory Precision

Compliance frameworks maintained by practitioners who understand NCSC, NIST, and EU regulatory requirements — not generic checklists.

Principle 03
No Vendor Lock-In

Built on open standards — CycloneDX CBOM, PKCS#11, CEL — because organisations should own their cryptographic future, not rent it.

Ready to talk?

Request a technical briefing. We will map your cryptographic risk in a single call.

Contact

Let's talk
cryptography.

Request a technical briefing, ask about our products, or discuss a discovery engagement. We respond to all enquiries within one working day.

What to Expect
01
Same-day acknowledgement

We confirm receipt and route your enquiry within hours.

02
Technical pre-qualification

A brief call to understand your environment, compliance requirements, and timeline.

03
Tailored briefing

A focused technical session covering the capabilities most relevant to your use case.

// Secure Contact

For classified or sensitive enquiries, indicate this in your message and we will arrange a secure channel for further communication.