Live · ML-KEM hybrid (X25519MLKEM768) detection

Is your TLS
post-quantum yet?

Quantum-resistant key agreement is shipping in Chrome, Cloudflare, AWS, and OpenSSL 3.5+. Run a free twin-probe scan and find out whether your endpoint actually negotiates it.

Run a free scan Why it matters
checkpqc · twin-probe 
$ curl -s -X POST https://api.checkpqc.app/v1/probe \
  -H 'content-type: application/json' \
  -d '{"hostname":"cloudflare.com","port":443}' \
  | python3 -m json.tool

If PQC is configured 

{
  "target":   { "hostname": "cloudflare.com", "port": 443 },
  "hybrid":   { "ok": true, "tlsVersion": "TLSv1.3",
                "namedGroup": "X25519MLKEM768" },
  "classical":{ "ok": true, "tlsVersion": "TLSv1.3",
                "namedGroup": "X25519" },
  "verdict":  "HYBRID_ENABLED"
}

If PQC is not configured 

{
  "target":   { "hostname": "example.com", "port": 443 },
  "hybrid":   { "ok": true, "tlsVersion": "TLSv1.3",
                "namedGroup": "X25519" },
  "classical":{ "ok": true, "tlsVersion": "TLSv1.3",
                "namedGroup": "X25519" },
  "verdict":  "CLASSICAL_ONLY"
}

The two namedGroup values come from a twin probe: one ClientHello offers PQ-hybrid + classical, the other only classical. If both come back as X25519 the server has no PQC support; if the hybrid leg picks X25519MLKEM768 the server is shipping ML-KEM today.

Honest verdicts

Seven verdict codes that distinguish AVAILABLE_NOT_ACTIVE from NOT_READY — no false-positive marketing.

No accounts needed

Free scans without a login. Optional accounts in Phase 2 unlock history and bulk scans.

Privacy by design

We hash IP addresses with a daily salt and retain scan records for 90 days. See privacy.

What we test

  • TLS 1.3 hybrid PQC key agreement — X25519MLKEM768 SecP256r1MLKEM768
  • Negotiation behaviour when both PQC and classical groups are offered.
  • Whether the server breaks if PQC groups appear in the ClientHello (a real bug in older stacks).

We don't (yet) probe SSH, SMTP, IMAP, or non-TLS protocols. See the methodology for the limits.

Verdict legend

  • PQC_ENABLED server picked a pure-PQC group
  • HYBRID_ENABLED server picked a hybrid PQC+classical group
  • AVAILABLE_NOT_ACTIVE compiled in but didn't pick
  • NOT_READY no PQC support detected