Know your Systems
Chart Your Course

Spice Labs is the fastest way to a Post-Quantum Cryptography (PQC) plan for your JVM estate. Point us at your Artifactory or Docker Hub registry; we’ll generate a Cryptographic Bill of Materials (CBOM) and a color-coded PQC Security Report — red, yellow, green — across your Java, Scala, and Kotlin applications. No agents. No Software Bills of Materials (SBOMs). No guesswork.

Why is every PQC inventory incomplete?

Step 01

The Inventory Gap

Existing PQC tools scan source code and network traffic. Neither analyzes the actual artifact: the built software, where the signing keys, certificates, and key-exchange mechanisms are buried. CNN calls Q-Day a greater threat than Y2K, and the PQC clock is running. Migration starts with a trustworthy Cryptographic Bill of Materials, generated in hours from your Artifactory or Docker Hub registry. No source code, no engineering burden, no heavy lifting.

Step 02

CBOM Generation

Point Spice Labs Surveyor at a single JAR or your whole Artifactory or Docker Hub registry. Surveyor walks the artifact set, analyzes each binary at the hash level, and produces a CBOM, even for custom-compiled crypto on legacy infrastructure if you provide the hash. The output is a machine-readable CycloneDX CBOM that flows into your Governance, Risk, and Compliance (GRC) and migration tooling, and into the AI agents now driving remediation work. For the humans who have to sign off, there’s a color-coded PQC Security Report: red, yellow, green.

Step 03

Measure, Track, Verify

Discovery is the starting line. Spice Labs measures PQC compliance against the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), the Payment Card Industry Data Security Standard v4.0 (PCI DSS v4.0), or NIST Internal Report 8547, and aggregates results across hundreds, even thousands, of projects into a single view trended over time. Diffing between surveys shows which quantum-vulnerable components have been remediated. Java Flight Recorder instrumentation drops into your Continuous Integration/Continuous Deployment (CI/CD) pipelines to catch quantum-vulnerable crypto invocations, including dynamically loaded providers and reflection-based algorithm selection that static analysis alone misses. Spice Labs complements remediation tooling from IBM Quantum Safe, QuSecure, Keyfactor, and others. We provide the measurement layer; they provide the fix.

The people and teams we built Spice Labs for

CISOs & Security Leadership

Accountability is impossible without visibility. The board wants a PQC timeline and budget. Regulators want compliance evidence. You can’t scope what you can’t see. Spice Labs gives you portfolio-wide PQC posture, generated from your Artifactory or Docker Hub registry and measured against CNSA 2.0, PCI DSS v4.0, and NIST IR 8547 across hundreds, even thousands, of projects. Quantum risk isn’t only about confidentiality; it’s about whether the signatures authorizing SWIFT payment instructions, UAV commands, battlefield orders, and contracts can still be trusted. Build-by-build trending gives you board-ready evidence and a compliance trajectory you can present with your name behind it.

Engineering & DevSecOps Teams

Ownership is risky without certainty. You remediate what the scanner found, push the build, and close the ticket. But you worry the scanner didn’t find everything, and you have no way to prove it did. A regression slips in on the next commit. A vendored library surfaces in an audit. Your name is on the sign-off. Spice Labs gives you CBOMs generated straight from Artifactory or Docker Hub, a static analysis engine that flags hard-coded vs. configurable crypto across your Java, Scala, and Kotlin codebases, and Java Flight Recorder instrumentation in your CI/CD pipeline that verifies every build. Close the ticket and mean it.

System Integrators & PQC Consultancies

CNN says Q-Day is a greater threat than Y2K. And forgeries don’t expire. Gartner put PQC in the top six cybersecurity priorities for 2026, and every consultancy is forming a practice. The pitches will all sound the same: “We’ll do discovery, build a roadmap, manage the migration.” Spice Labs is your unfair advantage. Walk into the client meeting with a CBOM and a color-coded map of quantum-vulnerable algorithms across their Artifactory or Docker Hub portfolio, before the contract is signed. Scope with artifact-level precision instead of interviews and tribal knowledge. Show progress with build-by-build trends the client can see for themselves. The systems integrator who uses Spice Labs wins the deal because they show the client something nobody else in the room can.

What only Spice Labs can do

01

A CBOM From the Artifact Itself

Other PQC tools analyze source code or network traffic, and they need engineering access, source access, and meetings to do it. Then they still can’t see inside third-party applications, commercial software, and vendor containers. Spice Labs generates an evidence-based CBOM from the built artifact at the hash level: your own code, third-party software, and everything else in your Artifactory or Docker Hub registry. Agentless. No SBOM required. Works on legacy systems without modification.

02

Measure Compliance Across the Estate

One-time assessments go stale the day after they’re delivered. Spice Labs measures PQC compliance against CNSA 2.0, PCI DSS v4.0, or NIST IR 8547, configurable by jurisdiction and corporate standard, and aggregates results across hundreds, even thousands, of projects into a single view trended over time. And because the static analysis engine distinguishes hard-coded crypto from configuration-driven crypto and then analyzes the config files themselves, you get a crypto-agility posture view no other tool provides.

03

Prove It

When the board asks if PQC migration is on track, “we think so” isn’t an answer. CBOM diffing between Topographer surveys shows which quantum-vulnerable components have been remediated. That’s ground-truth measurement, not task completion metrics. Java Flight Recorder instrumentation validates every CI/CD build, and build-by-build trending shows the trajectory. Spice Labs gives you the evidence, not the estimate.

Get a PQC Assessment of your Estate

Three ways to try Spice Labs: drop a single artifact into Amuse Bouche for a quick taste, ask us for credentials to run the bulk tool against our sample Artifactory and see CBOM generation on real data, or point us at your own Artifactory or Docker Hub registry. For either of the last two, drop us a line below. You’ll get CBOMs for your JVM artifacts and a color-coded PQC Security Report (red, yellow, green) showing where quantum-vulnerable algorithms and harvest-now-forge-later risk live across your Java, Scala, and Kotlin applications. No agents. No SBOMs. No guesswork.