Strategy / Crypto Agility
Crypto Agility Tool
Crypto agility is the capability to replace cryptographic algorithms, keys and protocols quickly, without breaking running systems, when standards change or an algorithm falls. Korthex ships the four technical building blocks: a current inventory (CBOM), risk and quantum-exposure scoring, a topologically-ordered migration plan with impact simulation, and a CI/CD gate that keeps the inventory honest on every commit.
What crypto agility actually requires
NIST runs a dedicated crypto-agility project for a reason: the post-quantum transition is the first industry-wide test of whether organizations can swap algorithms at all. Four capabilities decide it: knowing what you run (inventory), knowing what matters (scoring), knowing what to change in which order (migration planning), and making sure it stays fixed (continuous gating). Most organizations discover during the PQC transition that they lack the first one.
Inventory first: the CBOM
You cannot swap what you cannot see. The Korthex CBOM inventories every cryptographic asset across source code in 18 languages, dependencies, binaries, TLS and PKI certificates, databases and git history, with file:line evidence and a taint verdict per entry, exported as CycloneDX, SARIF, JSON or PDF. That is the foundation every agility framework, from NIST to the EU PQC roadmap, names as step one.
Scoring and simulation before change
Every finding carries severity, a taint-based reachability verdict and a post-quantum bucket. The migration plan orders changes topologically, with the replacement algorithm, an effort estimate in hours and the dependency order per item, and the impact simulation shows what a change touches before you make it. Swapping an algorithm stops being a leap of faith.
Agility as a pipeline property
An inventory from last quarter is trivia. The CI/CD gate regenerates the CBOM on every commit and fails builds that reintroduce weak or newly-deprecated cryptography, which turns agility from a project into a property of the pipeline. It also makes AI-assisted refactoring safe: assistants rewrite cryptography non-deterministically, and the deterministic gate verifies the result every time.
What tooling cannot do
Crypto agility also has an organizational half: ownership, key-management processes and vendor contracts. Korthex covers the technical half completely (visibility, scoring, planning, gating) and produces the evidence the organizational half runs on.
Frequently asked questions
How does crypto agility relate to post-quantum migration?
PQC migration is the first industry-wide exercise of crypto agility: RSA and ECC must give way to ML-KEM and ML-DSA on regulator timelines (NIST IR 8547: deprecated after 2030, disallowed after 2035). An organization that builds the inventory-score-migrate-gate loop for PQC keeps it for every future algorithm change.
Is a cryptographic inventory required?
Increasingly yes. PCI DSS 4.0 requirement 12.3.3 mandates a documented cipher-suite and protocol inventory, and NIST, BSI and EU migration guidance all define inventory as the first step. The CBOM is the machine-readable standard form.
How often should the inventory refresh?
Every commit. A scan finishes in under two minutes, so the CI/CD gate regenerates the CBOM continuously instead of annually.
Does Korthex rewrite the code automatically?
It generates the migration plan with per-item file:line, replacement algorithm, effort and dependency order, plus an impact simulation. Automated rewriting is on the roadmap (V2); today the plan drives your engineers or your AI assistant, and the gate verifies the result deterministically.