All FAQ Categories

What does Cryptosense do?

Cryptosense is a software company. We provide a tool that automates cryptography lifecycle management called Cryptosense Analyzer Platform (CAP). 

Who are Cryptosense’s customers?

Our customers are mainly large organizations that have complex IT infrastructure and strict compliance obligations, such as financial services firms, technology companies and banks.

What is Cryptography Lifecycle Management?

CLM is a combination of technologies and practices that allow an organization to control the ways that cryptography is used throughout their applications and infrastructure. At its heart is a dedicated CLM tool, where cryptography usage information is gathered, analytics are produced, and automated actions triggered. Cryptosense Analyzer Platform (CAP) is the leading CLM software, trusted by global banks, financial services firms and technology companies worldwide.

Why do you test cryptography? I thought it was always secure.

When perfectly implemented and maintained, cryptography provides security we can rely on. However, tiny errors in its usage can lead to total loss of protection, and our increasing reliance on cryptography means that these mistakes now carry significant financial and reputational risks. These errors are easy to make and hard to detect.

What are the business benefits of CLM?

Any organization that does not have full visibility on exactly how their cryptography is being used and managed is unable to accurately quantify and assess risk. Properly implemented CLM allows you to assess the state of security in your applications and infrastructure at any time, and optimise remediation efforts when required.

What is the Cryptosense Analyzer Platform (CAP)?

CAP is an analysis platform that takes input from a number of agents and combines the results to provide 360° visibility on the cryptography that secures your sensitive data.

What visibility does CAP offer?

CLM gives the security team visibility on all the encryption, signature and other operations they are using every time a user is authenticated, code is signed, a network security transaction occurs, or cryptography is used anywhere for any purpose; as well as the keys, certificates and data involved. It allows instant analysis of this information for security and compliance, and the ability to take action smoothly to change the way cryptography is used.

What makes CAP different?

Cryptosense is built on academic research and a fierce determination to provide the best technical solution on the market. We’re proud to be transparent about exactly what our tool does and how it works.

What does CAP consist of?

CAP consists of:

  1. The Analyzer Platform which also hosts the reporting web application, available in SaaS hosted in our cloud or as a completely self-contained virtual machine licensed for use on-premises.
  2. Application Tracer (Java, .Net, OpenSSL)
  3. Network Scanner (TLS, STARTTLS, SSH)
  4. Filesystem Scanner (filesystems & containers)
  5. HSM scanner (PKCS#11)

Results are correlated in the Analyzer platform to provide a comprehensive inventory. All scans and traces are centralized in a CAP server which can be used in SaaS or installed on-premise. 

How does CAP’s Application Tracer work?

CAP’s lightweight application tracer agent sits inside a running application and records all the calls the app makes to its cryptographic libraries. See for more information.

Why does CAP have a filesystem scanner?

It allows us to give you better insights. Plenty of tools scan filesystems for certificates, but only CAP can also trace inside applications to show you which ones are used, and what they are used for.

How does CAP’s HSM Scanner work?

Our adaptive mutation-based fuzzing engine explores the corner-cases of the PKCS#11 standard as implemented in the device under test. The results are passed through more than 100 compliance and vulnerability filters to detect anomalies and weaknesses.

How do I use the data that CAP provides?

CAP has a full GraphQL API allowing easy integration with other tools

Does CAP need access to source code?

No. CAP’s Application Tracer agent sees 100% of calls to crypto libraries in a running application, without needing access to source code.

How is CAP deployed?

The analysis platform (Analyzer) hosts the reporting web application. It is available in SaaS hosted in our cloud or as a completely self-contained virtual machine licensed for use on-premises.

What is the minimum number of applications for a deployment?

In an on-premise deployment, the minimum number of applications covered is 50. The investment per application depends on the number of applications in scope. In SaaS, the minimum number of applications covered is 1.

Does CAP integrate in my DevOps toolchain?

Definitely. CAP works best when it’s deployed in DevOps.

What operating systems do CAP agents run on?

The Java tracing agent is OS-independent. The .NET tracer runs on .NET core or .NET framework. The filesystem scanner runs on Unix or Windows platforms. The OpenSSL tracer works on Linux for dynamically-loaded OpenSSL libraries. Further tracer coverage is on the roadmap including Python, JS/Node.js and Go.

Can CAP analyze cryptographic operations carried out inside public cloud providers?

Yes. Cryptosense has integrations for the big 3 cloud providers and includes tracing of KMS operations and details of the KMS keys referenced in reports, giving visibility e.g. on data keys used in storage encryption and their relationship to master keys.

Does CAP scan containers?

Yes, CAP can trace applications running in containers and it can also scan container images without running them.

Does CAP support central data collection?

Yes. All data in CAP instances can be queried through the GraphQL API, and the data collected centrally in any standard data analytics tool like Splunk or ELK.

Can CAP run on COTS or legacy applications without need to recompile them?

Yes, CAP can trace COTS or legacy applications without requiring access to their source code.

What are the requirements for the on-premise VM?

There are no particular requirements for the VM in terms of CPU power, though more powerful instances will produce reports faster. Disk space depends on the number of applications to be tested, since the traces will be stored on the disk in the on-premises version. Traces can be quite large (e.g. 2-5 GB for large web applications and extensive testing).

Does the VM need to communicate with a server in the cloud?

No, the VM can be run completely internally. On-premise customers receive all updates to the rule base just like SaaS customers. These updates are made available on our servers in the form of Debian/Red Hat packages every quarter, which on-premises customers can download and apply to their Analyzer VM. No data is ever sent from the Analyzer VM to Cryptosense or elsewhere.

What technologies is the VM based on?

The Analyzer VM runs on Linux using Python/Flask for the web application and OCaml for the analysis engine. We supply packages for Debian and for Red Hat Linux/CentOS.

How secure is the SaaS version of CAP?

We have a security policy document that describes in detail the measures we take. In general, we follow best practices for web development including making use of up to date and well-tested frameworks and libraries, paying attention to source code management and using a modern CI process, specific measures around attack vectors such as injection, cross site scripting and authorisation bypass, and having third parties carry out grey-box pen-tests. Traces are uploaded to the server under TLS encryption.

Where is the SaaS version hosted?

CAP is currently hosted on Amazon Web Services, but we can create on-demand instances elsewhere to suit customer compliance requirements.

What kinds of certificates can CAP detect?

CAP software contains an extensive parser for x.509 certificates and detects all formats including der or pem, encrypted or unencrypted certificates: PKCS#12 ( .p12, pfx), PKCS*7 (.p7b, .p7c, .p7), PEM (.cer, .crt, .der, .pem).

Where does CAP look for certificates?

CAP scans both on filesystems, and while dynamically tracing applications. The filesystem scanner detects encrypted keystores even if it cannot decrypt them. The CAP application tracer can also detect certificates inside the encrypted keystore if the application loads it.

What kinds of certificate stores can CAP detect?

CAP can detect different certificate stores such as Java key stores (.jck, .jks, .cacerts, .jceks) In addition, CAP's filesystem scanner can parse the certificates inside JKS, CACERTS and JCEKS keystores even without the keystore password.

Can CAP detect certificate usage?

Yes, CAP can identify certificate usage from the appropriate usage attributes in the x.509 certificate, and in addition, CAP application tracers can see exactly what operations certificates are used for inside applications.

Can CAP identify and build a certificate chain and identify self-signed certificates?


Does CAP have an out-of-the-box integration with Venafi?

Yes, we are a Venafi development partner and have a native integration that allows exchange of data in both directions, i.e. enriching of the CAP inventory scans with certificate data from Venafi TPP, and sending of orphaned certificates detected in CAP scans to Venafi TPP.

Can CAP identify hard-coded keys?

CAP combines static scanning with dynamic tracing to identify hard-coded keys and eliminate false positives.

Can CAP identify unprotected private/encryption keys or those that use a default vendor PIN/passcode?

Yes. CAP detects default passwords and unencrypted private keys on filesystems. Additionally, CAP also evaluates the security of every keystore credential used by the application, giving an estimation for the computational resources that would be required to break into that specific keystore type with that credential leveraging the latest Hashcat benchmarks.

Can CAP find PGP keys?


Can CAP identify which algorithms are being used?

Yes. CAP application tracers report all the calls made to cryptographic libraries, including identifying the algorithms used. CAP static scanners find calls to particular library interfaces which in many cases can also identify the algorithm used.

How does CAP enable companies to prepare for PQC?

The type of cryptography inventory that CAP collects, which includes details on how cryptography is called and what it is used for rather than a simple list of algorithms, conforms to what the NIST ‘Getting Ready for Post Quantum Cryptography’ guide prescribes as the kind of actionable inventory that allows playbook preparation for post-quantum migration.

How does CAP enable “crypto-agility”?

We believe that true cryptographic agility comes not from switching algorithms in a library, but from having a continuously up-to-date and complete view of the entire call stack that is using cryptography across applications. This means that when a cryptographic algorithm needs to be changed, we already know what the consequences will be for the rest of the application and can plan and monitor the transition in CI as the application changes.

Does CAP carry out algorithm switching?

No. Without full visibility on the entire cryptography ecosystem, switching algorithms will cause time-outs, data field overflows, key-storage issues, etc. This applies particularly to the transition to post-quantum or hybrid post-quantum/classical cryptography, which will introduce new limitations in terms of large key sizes, performance constraints, additional operations in protocols and so on.

How does CAP integrate in the Devops toolchain?

Yes. The Cryptosense approach to crypto-agility is to build a continuous cryptography inventory that stays up to date thanks to its integration into the DevOps toolchain for in-house applications and with business-as-usual scanning tools for other points in the infrastructure. This inventory is queryable via the GraphQL interface allowing immediate, actionable intelligence on where and how algorithms are being used facilitating a coherent crypto-agility programme.

Can CAP be scaled to a large environment with thousands of end points?

Yes. Tracers can be deployed at scale leveraging DevOps management tools, such as CI managers Jenkins and GitHub actions, build engines like Gradle and Maven, etc. Scaled-up use of the filesystem scanner can be facilitated with tools like Tanium. The collection and organisation of large amounts of data is accommodated by the platform that features customizable data retention rules, and multiple levels of hierarchy (slots, projects, and organisations) for structuring scan results and producing statistical summaries.

Does CAP support enforcement of a centralized cryptography policy?

Yes. CAP allows policies to be defined for the whole organisation or for specific sets of applications. There are a number of pre-set policies available, including FIPS, PCI-DSS and ENISA policies, as well as a full capability to create customized policies for your organization.

What is included in the license subscription?

A Cryptosense Analyzer Platform subscription includes the Analyzer platform, plus all the scanning and tracing agents. It also includes software updates, maintenance and support.

Are training, managed services, and professional services available?

Yes. Depending on your needs we can provide a package of services and training to help you get the most out of your subscription.

How much does a CAP licence cost?

The price depends on the number of applications in scope for the deployment, with degressive pricing for large numbers of applications. Testing and analysis are unlimited for identified applications during the license period. The user can deploy one or several instances, depending on their IT infrastructure and size. The number of instances does not influence pricing.

How can I purchase CAP for my organization?

Contact our team to discuss your project and get a quote for your deployment.