ImmuniWeb offers free tool to test quantum resilience of TLS stacks

ImmuniWeb has released a free online tool that checks whether websites are protected by post-quantum cryptography (PQC).

The tool analyzes SSL/TLS configurations and verifies their compliance with the latest quantum-resilient encryption standards from NIST. It also checks for adherence to PCI DSS, HIPAA, and other NIST cryptographic requirements. Available via both web interface and API, the tool is aimed at organizations looking to assess their preparedness for quantum-era threats. The tool is designed to simplify PQC readiness checks for organizations of all sizes, integrating into CI/CD pipelines via API for automated scanning.

ImmuniWeb’s SSL Security Test has performed over 173 million scans, with more than 56,000 tests conducted in the last 24 hours alone. In Q2 2025, only 10.63% of tested systems were compliant with NIST standards, highlighting a widespread gap in cryptographic readiness for post-quantum security. While 72.32% of systems received an “A” grade for SSL/TLS security, strong grades do not always translate into compliance: just 60.81% met PCI DSS requirements.

Quantum threats are no longer theoretical

Gartner named post-quantum cryptography (PQC) a top strategic technology trend for 2025 and urged organizations to start transitioning to PQC without further delay, citing lack of vendors’ preparedness and lack of organizational knowledge in dealing with PQC as the key obstacles on the way to PQC migration.

These “Harvest Now, Decrypt Later” attacks represent a comparatively novel threat, where cybercriminals collect highly sensitive encrypted data, which cannot currently be decrypted using modern technologies, and wait until quantum computing becomes powerful enough to break the encryption.

Earlier this year, Forrester backed Gartner’s concerns over PQC unreadiness and risks, estimating that current encryption will become vulnerable in 10 years from now, while emphasizing that this could happen much faster.

According to Cloudflare, just 38% of TLS traffic currently supports some forms of quantum-resistant encryption, a figure that varies by region. Cloudflare also noted that in some European countries, the adoption of quantum-resilient encryption was comparatively better.

Governments and agencies, including the European Commission, the UK National Cyber Security Center and the US Department of Homeland Security, have issued frameworks urging immediate planning for PQC migration.

“Many large organizations around the globe still seriously underestimate the risks of quantum attacks. First, with the Harvest-Now, Decrypt-Later attacks – already being deployed by both organized cybercrime and nation-state hackers, your data may already be at risk of a guaranteed compromise in the near future,” said Dr. Ilia Kolochenko, Chief Architect & CEO at ImmuniWeb.

“Second, although powerful quantum computers will quite unlikely become readily available to cyber-threat actors upon their creation, many vendors and organizations are totally unprepared for a rapid migration to post-quantum cryptography. Worse, some devices and business-critical systems simply do not support PQC and shall be replaced,” Dr. Kolochenko continued.

He also pointed to ImmuniWeb’s large-scale testing data: “According to ImmuniWeb’s statistics, based on over 100,000,000 tested SSL/TLS servers, millions of servers around the globe still rely on the SSLv3 protocol, which has been deprecated for over a decade. This is a telling illustration that PQC migration will likely take even longer. Therefore, it is dispositive to commence your PQC migration planning and implementation now.”

“We are delighted to offer a simple and efficient solution to organizations of all sizes to reliably verify their PQC preparedness with our free online SSL/TLS testing tool. It can be accessed either online with a user-friendly web interface or via an API for DevSecOps and CI/CD automation,” Dr. Kolochenko added.

ImmuniWeb also recently added a feature to check websites for protection against AI bots, including detection of anti-bot systems, firewalls, and “robots.txt” configuration. The tool helps organizations guard against unauthorized scraping by AI companies and data-harvesting bots.