For years, a large part of my research has focused on cryptography, entropy, TLS security, compliance, and the operational realities of deploying modern cryptographic systems at scale.
One thing I repeatedly ran into was a lack of accessible tooling that made it easy to quickly analyze real-world TLS deployments in a meaningful way.
I wanted a platform that could help answer questions like:
- Which sites are still exposing deprecated cryptography?
- How widespread are legacy TLS configurations?
- Where is Post Quantum Cryptography beginning to appear?
- How quickly is the internet modernizing its cryptographic posture?
- How much cryptographic technical debt still exists across public infrastructure?
That is why I built TLSTest.io.
Originally, this platform was created to support my own ongoing research into cryptographic deployments and internet-scale TLS posture analysis. But over time, it became obvious that the broader security and cryptography community could benefit from access to the same tooling as well.
So instead of keeping it internal, I decided to make it publicly accessible.
What is TLSTest.io?
TLSTest.io is a cryptographic posture analysis platform focused on helping organizations, researchers, and engineers quickly identify insecure or outdated TLS configurations across internet-facing infrastructure.
The platform performs deep TLS scans designed to detect:
- Deprecated protocols
- Weak or legacy cipher suites
- Insecure negotiation behavior
- Outdated cryptographic configurations
- Hybrid TLS 1.3 Post Quantum KEM support
- Post Quantum Cryptography (PQC) adoption signals
Most importantly, TLSTest.io makes this accessible immediately.
Anyone can create an account and run up to 500 free scans per day.
No complicated onboarding.
No enterprise sales process.
No massive deployment requirements.
Just direct cryptographic visibility.
Built Around Real Research Questions
A large motivation behind TLSTest.io was simple curiosity.
I wanted to study:
- how cryptography is actually deployed in the real world,
- where modernization is succeeding,
- where legacy systems continue to persist,
- how organizations are approaching post-quantum migration,
- and how quickly the internet ecosystem is evolving.
The reality is that internet cryptography evolves unevenly.
Some organizations aggressively modernize their infrastructure.
Others continue exposing protocols and cipher suites that should have disappeared years ago.
Having a platform that continuously exposes those trends creates opportunities for:
- research,
- measurement,
- benchmarking,
- and broader industry awareness.
TLSTest.io is as much a research platform as it is a security tool.
Public Internet Scanning
The current version of TLSTest.io is focused on scanning publicly accessible internet-facing services.
This means the platform can analyze:
- public websites,
- internet-accessible APIs,
- exposed TLS services,
- and external infrastructure reachable from the public internet.
At the moment, TLSTest.io does not directly scan:
- internal corporate networks,
- RFC1918/private address space,
- internal Kubernetes services,
- intranet-only applications,
- or isolated development environments.
This design keeps the platform lightweight, scalable, and easy for the community to use immediately.
Detect Deprecated Protocols and Cipher Suites
One of the core goals of TLSTest.io is to help identify cryptographic technical debt that still exists across the internet.
The scanner flags:
- deprecated TLS versions,
- insecure negotiation options,
- legacy cipher suites,
- weak cryptographic primitives,
- and outdated transport security configurations still exposed by endpoints.
This allows researchers and operators to better understand:
- cryptographic drift,
- modernization gaps,
- and long-tail legacy exposure that continues to persist across the internet.
It also helps organizations prepare for:
- modern compliance requirements,
- future deprecations,
- and evolving security expectations.
Hybrid TLS 1.3 Post Quantum KEM Detection
One of the capabilities I am personally most excited about is TLSTest.io's ability to identify Hybrid TLS 1.3 Post Quantum Key Exchange mechanisms already being deployed on the internet.
The current release can detect environments leveraging hybrid TLS 1.3 KEM-based approaches combining:
- classical elliptic curve cryptography,
- with emerging post-quantum key encapsulation mechanisms.
This is important because the industry is already beginning the transition toward quantum-resistant transport security.
Large providers and infrastructure operators have started experimenting with:
- hybrid key exchange deployments,
- quantum-resistant handshake negotiation,
- and early-stage PQC transport integrations.
TLSTest.io helps surface those deployments and makes them easier to study.
From a research perspective, this creates opportunities to:
- monitor real-world adoption,
- observe deployment patterns,
- benchmark ecosystem maturity,
- and better understand how rapidly the internet is evolving toward post-quantum transport security.
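One way a hybrid key exchange can be recognized on the wire, added here as an example: it is not TLSTest.io's code and does not describe how the platform is implemented. It reads the key_share group from a TLS 1.3 ServerHello and compares it with the IANA codepoints for hybrid groups; the function names and the sample message builder are constructed for illustration.

```python
import struct

# IANA "TLS Supported Groups" codepoints; hybrid groups pair ECDH with ML-KEM/Kyber.
HYBRID_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
                 0x11ED: "SecP384r1MLKEM1024", 0x6399: "X25519Kyber768Draft00"}
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 43, 51

def parse_server_hello(msg: bytes) -> dict:
    """Return the selected version and key_share group of a ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + body[pos]              # legacy_session_id_echo (length-prefixed)
    pos += 2 + 1                      # cipher_suite + legacy_compression_method
    result = {"version": 0x0303, "group": None}
    if pos + 2 > len(body):           # no extensions block: pre-TLS 1.3 server
        return result
    ext_end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == EXT_SUPPORTED_VERSIONS and len(data) >= 2:
            result["version"] = int.from_bytes(data[:2], "big")
        elif ext_type == EXT_KEY_SHARE and len(data) >= 2:
            result["group"] = int.from_bytes(data[:2], "big")  # group precedes the share
        pos += 4 + ext_len
    return result

def classify(msg: bytes) -> str:
    info = parse_server_hello(msg)
    if info["version"] != 0x0304 or info["group"] is None:
        return "no TLS 1.3 key_share"
    if info["group"] in HYBRID_GROUPS:
        return "hybrid-pqc:" + HYBRID_GROUPS[info["group"]]
    return "classical:" + CLASSICAL_GROUPS.get(info["group"], hex(info["group"]))

def sample_server_hello(group: int, share_len: int) -> bytes:
    """Constructed input: minimal TLS 1.3 ServerHello with all-zero placeholder key material."""
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    exts += struct.pack("!HHHH", EXT_KEY_SHARE, 4 + share_len, group, share_len) + bytes(share_len)
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00" + struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

The server only selects a hybrid group if the client offered one, so a measurement client has to advertise those groups in its ClientHello before this classification means anything.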
Future Support for Post Quantum Certificate Signatures
While the current release focuses primarily on TLS transport negotiation and hybrid KEM detection, future versions of TLSTest.io are planned to expand visibility into Post Quantum certificate signatures as well.
This future functionality may include:
- identifying PQC-capable certificate chains,
- detecting hybrid certificate deployments,
- analyzing quantum-resistant signature algorithms,
- identifying experimental certificate ecosystems,
- and tracking adoption of post-quantum PKI technologies.
As standards continue evolving and vendors begin deploying post-quantum certificate infrastructures, visibility into certificate-level cryptography will become increasingly important.
I believe the industry is still in the very early stages of understanding what large-scale PQC migration will actually look like operationally.
The goal of TLSTest.io is to help make those transitions observable.
Future Support for Private Network Scanning
One of the most requested future capabilities for TLSTest.io is support for scanning infrastructure that is not publicly accessible.
There are several directions currently being explored to support this securely.
Browser Extension Scanning
A future browser extension could allow users to:
- scan internal applications directly from their browser,
- analyze TLS posture for intranet applications,
- inspect internal APIs,
- and evaluate development or staging environments.
This model would allow scans to originate from within the user's trusted network environment while still leveraging TLSTest.io analysis capabilities.
Dockerized Enterprise Scanner
Another future direction involves a Dockerized deployment model for TLSTest.io.
This would allow organizations to:
- deploy scanners directly inside private environments,
- analyze internal infrastructure,
- scan Kubernetes services,
- evaluate east-west traffic endpoints,
- and assess isolated development networks.
A containerized scanner could provide organizations with:
- greater privacy,
- local scanning control,
- and internal cryptographic visibility without exposing services externally.
This becomes especially important for:
- enterprise environments,
- regulated workloads,
- air-gapped systems,
- and highly restricted infrastructure.
Future CBOM Support
Another major area planned for future development is support for Cryptographic Bills of Materials (CBOMs).
As governments and enterprises place increasing emphasis on cryptographic inventory management, organizations are being asked difficult questions such as:
- Where is cryptography deployed?
- Which algorithms are in use?
- Which systems still rely on deprecated primitives?
- Which applications are prepared for Post Quantum Cryptography migration?
- Which environments are impacted by future cryptographic deprecations?
TLSTest.io aims to help answer those questions.
Future CBOM capabilities may include:
- cryptographic asset inventory generation,
- TLS cryptographic dependency mapping,
- algorithm usage reporting,
- deprecated algorithm identification,
- PQC readiness analysis,
- and exportable compliance-focused reporting.
From a research perspective, CBOM visibility could provide fascinating insight into how cryptographic technologies evolve across the broader ecosystem over time.
Why I Opened It to the Community
I strongly believe better cryptographic visibility should be more accessible.
Too much security tooling remains:
- expensive,
- difficult to deploy,
- operationally heavy,
- or inaccessible to independent researchers and smaller organizations.
TLSTest.io was initially built to support my own work, but I believe the broader community benefits when more people have the ability to inspect and understand the cryptographic systems that power the internet.
That is why every account can currently perform up to 500 free scans per day.
The goal is simple:
make modern cryptographic analysis more accessible to researchers, engineers, operators, and the security community as a whole.
The Future of Internet Cryptography
The internet is entering a major transition period.
Over the next several years we will see:
- large-scale deprecation of legacy cryptography,
- increasing compliance pressure,
- broader TLS modernization,
- wider deployment of hybrid cryptographic systems,
- and gradual migration toward post-quantum algorithms.
Organizations that understand their cryptographic exposure today will be far better positioned for what comes next.
TLSTest.io was built to help make that visibility easier — both for my own research and for the broader community interested in understanding where internet cryptography is headed.