scan network
Analyzes live TLS and SSH endpoints for cryptographic vulnerabilities, deprecated protocols,
and quantum readiness. Assigns TLS grades and quantum grades per target.
Usage
qtz-discovery-cli scan network <host:port> [...] [flags]
# Examples
qtz-discovery-cli scan network example.com:443
qtz-discovery-cli scan network example.com:443 api.example.com:8443
qtz-discovery-cli scan network --timeout 15s --format json example.com:443
qtz-discovery-cli scan network --insecure 10.0.0.1:8443
qtz-discovery-cli scan network --sni internal.example.com 10.0.0.1:443
qtz-discovery-cli scan network github.com:22
Flags
| Flag | Default | Description |
|---|
--timeout | 10s | Connection timeout per target |
--sni | — | Override Server Name Indication |
--insecure | false | Skip TLS certificate verification |
--protocols | auto | Protocols to probe: tls|ssh (auto-detects by port) |
--skip-vulns | false | Suppress individual vulnerability findings |
--skip-quantum | false | Skip quantum-risk analysis |
TLS Grades
| Grade | Meaning |
|---|
A+ | Exceptional — TLS 1.3, strong cipher, HSTS, OCSP stapling |
A | Excellent — TLS 1.3 or 1.2 with strong cipher and PFS |
B | Good — TLS 1.2, acceptable cipher, minor issues |
C | Degraded — weak cipher or missing forward secrecy |
D | Poor — TLS 1.1 or deprecated cipher |
F | Fail — TLS 1.0, no encryption, or critical certificate error |
Quantum Grades
| Grade | Meaning |
|---|
Q+ | Quantum-safe — PQC key exchange (e.g. X25519MLKEM768) detected |
Q | Quantum-aware — hybrid classical+PQC in use |
Q- | Classical only — no PQC, but strong classical cipher |
QV | Quantum-vulnerable — weak cipher or key exchange breakable by Shor's algorithm |
Vulnerability IDs
TLS
| ID | Severity | Description |
|---|
TLS10_ENABLED | High | TLS 1.0 supported — deprecated, POODLE-vulnerable |
TLS11_ENABLED | Medium | TLS 1.1 supported — deprecated |
NO_TLS13 | Low | TLS 1.3 not supported |
DEPRECATED_CIPHER | High | Weak or deprecated cipher suite in use |
NO_PFS | High | No perfect forward secrecy |
DHE_DETECTED | Medium | DHE key exchange (Logjam risk) |
OCSP_NOT_STAPLED | Info | OCSP stapling not enabled |
CERT_EXPIRED | Critical | Certificate is expired |
CERT_EXPIRING | High | Certificate expires within 30 days |
CERT_SELF_SIGNED | Medium | Self-signed certificate |
CERT_WEAK_SIG | High | Weak signature algorithm (SHA-1, MD5) |
CERT_WEAK_KEY | Critical | Key size below minimum (RSA < 2048) |
SSH
| ID | Severity | Description |
|---|
SSH_WEAK_HOST_KEY | High | Host key uses weak algorithm (DSA, RSA < 2048) |
SSH_NO_PQC_KEX | Low | No post-quantum key exchange method offered |
SSH_OUTDATED_SERVER | Medium | SSH server version with known vulnerabilities |
HNDL Risk
Harvest Now, Decrypt Later (HNDL) risk is assessed per endpoint.
Endpoints using RSA or ECDH key exchange without PQC are marked HIGH risk because
an adversary can capture the encrypted session today and decrypt it later with a quantum computer.