FINTECH €4990
DORA-aligned post-quantum audit. Delivered in five business days.
Built specifically for KNF-, UKNF-, BaFin- and EIOPA-supervised entities navigating DORA Art. 9-10 and the EBA/GL/2025/02 guidelines. A fixed-fee deliverable structured to support inclusion in your ICT risk register.
Aligned with DORA, traceable to NIST FIPS 203/204/205, and delivered in five business days.
Why DORA-supervised entities choose us
You can't migrate what you can't see
Most banks have no current inventory of the cryptography they actually run, and you cannot plan a post-quantum migration without one. We produce that inventory as a documented deliverable you can hand to an examiner.
Why the Big Four can't move fast enough
Big Four firms quote a 12-month engagement at six-figure EUR. We deliver in five business days because the supervisory deadline does not wait for an FY26 budget cycle.
Nobody else shows you a price
Fourteen out of fourteen EU PQC vendors we surveyed hide pricing behind "Request a demo". We publish €4990 because our scope is fixed.
Harvesting is already happening
Sixty-nine percent of organizations recognize the quantum risk, yet only five percent have moved to quantum-safe encryption (DigiCert Quantum Readiness Gap). Encrypted traffic captured today can be stored and decrypted once a quantum computer exists, so the cost of postponing the audit is already running.
From DORA articles to the actual standards
DORA Art. 9 requires protection of cryptographic keys based on an approved data classification, but no standard deliverable connects that article to NIST FIPS 203/204/205. Ours does, mapping every finding back to the specific standard.
What's in the report
Executive summary (3-6 pages) plus technical report (15-40 pages). Twelve standard sections including Cryptographic Bill of Materials (CBOM), per-finding FIPS mapping, DORA Art. 9-10 traceability matrix, a 0-3 / 3-12 / 12-24 month roadmap, scope, methodology, limitations and a comprehensive legal notice. SHA-256 hash of the source audit JSON in the appendix.
Three full sample reports — read before you buy
The companies are fictional Polish profiles, but the report structure, the legal-safe language and the FIPS traceability are exactly what you receive. None of our competitors lets you read a full report before you buy.
Bank Krajowy, FastPay and InvestPro are fictional companies created for demonstration only. They do not exist and should not be searched for.
Large bank — Bank Krajowy
500 employees, KNF-supervised retail + corporate. Legacy core, mobile, web. 18-month remediation roadmap.
Mid-market fintech — FastPay
50 employees, UKNF Payment Institution. Modern GCP stack, microservices. 9-month roadmap.
MVP brokerage — InvestPro
8 employees, MiFID II investment firm. Vercel + Supabase + Stripe. 6-month roadmap.
Methodology
1. Intake & scope
You submit domains, optional cryptographic-inventory hints and DORA register references. Five-step form, server-side validated, GDPR-bounded.
2. Passive scan
TLS handshake fingerprinting (sslyze), certificate-transparency log walk (crt.sh), security-header inspection. No active probing, no payload injection.
3. Analysis & independent verification
Our analysis engine builds a Cryptographic Bill of Materials (CBOM), classifies each finding against NIST FIPS 203/204/205, and maps it to the relevant DORA articles. An independent verification stage cross-checks every finding against the source scan data before anything is recorded.
4. Human review & delivery
An operator-cryptographer reviews the auto-generated report against the original scan data before approval. Executive PDF + technical PDF delivered via signed link.
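An added illustration of steps 2 to 4, written for this page and not the vendor's own engine: constructed scan records standing in for passive TLS and certificate results are turned into CBOM entries, each mapped to FIPS 203/204/205 and a DORA article, counted against the three-finding refund threshold, and the source JSON is hashed as the appendix describes. The hostnames, the INFO and LOW levels and the severity ordering are this example's assumptions, not the published methodology.

```python
import hashlib
import json

# Constructed sample records, standing in for what a passive TLS handshake and
# certificate scan might report; not real sslyze or crt.sh output.
SCAN = [
    {"host": "api.bank.test", "tls": "1.2", "kex": "ECDHE-P256", "sig": "RSA-2048", "cipher": "AES-128-GCM"},
    {"host": "www.bank.test", "tls": "1.3", "kex": "X25519MLKEM768", "sig": "ECDSA-P256", "cipher": "AES-256-GCM"},
    {"host": "old.bank.test", "tls": None, "kex": None, "sig": None, "cipher": None},
]
# Public-key primitives broken by Shor's algorithm; symmetric strength is only halved by Grover.
SHOR_BROKEN = ("RSA", "ECDHE", "ECDH", "DH", "ECDSA", "X25519", "P256", "P384")

def classify(rec):
    """CBOM entries for one host: quantum exposure, FIPS migration target, DORA article.
    Severity ordering (HIGH kex > MEDIUM sig > LOW cipher) is this example's assumption."""
    host = rec["host"]
    if rec["tls"] is None:  # nothing usable came back: record the gap rather than guess
        return [dict(host=host, component="tls", severity="INSUFFICIENT_DATA", fips="n/a",
                     dora="Art. 10 (detection)", note="no handshake data")]
    out, kex, sig, cipher = [], rec["kex"], rec["sig"], rec["cipher"]
    if "MLKEM" in kex:  # hybrid ML-KEM key exchange already in place
        out.append(dict(host=host, component=kex, severity="INFO", fips="FIPS 203 (ML-KEM)",
                        dora="Art. 9 (protection)", note="hybrid PQ key exchange present"))
    elif any(t in kex for t in SHOR_BROKEN):  # captured sessions decryptable by a future CRQC
        out.append(dict(host=host, component=kex, severity="HIGH", fips="FIPS 203 (ML-KEM)",
                        dora="Art. 9 (protection)", note="harvest-now-decrypt-later exposure"))
    if any(t in sig for t in SHOR_BROKEN):  # forgery needs a live CRQC, so lower than kex
        out.append(dict(host=host, component=sig, severity="MEDIUM",
                        fips="FIPS 204 (ML-DSA) / FIPS 205 (SLH-DSA)",
                        dora="Art. 9 (protection)", note="certificate signature not quantum-safe"))
    if cipher.startswith("AES-128"):
        out.append(dict(host=host, component=cipher, severity="LOW", fips="n/a (Grover: prefer AES-256)",
                        dora="Art. 9 (protection)", note="128-bit symmetric margin halved by Grover"))
    return out

def build_cbom(scan):
    return [entry for rec in scan for entry in classify(rec)]

def actionable_count(cbom):
    """Findings counted toward the refund threshold: CRITICAL/HIGH/MEDIUM only."""
    return sum(1 for e in cbom if e["severity"] in ("CRITICAL", "HIGH", "MEDIUM"))

def source_hash(scan):
    """SHA-256 of the canonical source JSON, as printed in the report appendix."""
    canonical = json.dumps(scan, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

if __name__ == "__main__":
    cbom = build_cbom(SCAN)
    for e in cbom:
        print(f'{e["severity"]:18} {e["host"]:14} {e["component"]:15} -> {e["fips"]} | {e["dora"]}')
    print("actionable:", actionable_count(cbom), "source sha256:", source_hash(SCAN))
```

On the constructed input the count lands exactly on the three-finding threshold, so the sample would not qualify for a refund.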
Compare on the criteria that matter to a CISO
| Criterion | PQC Auditor FINTECH | Big Four Quantum | NCC / Kudelski boutique | SaaS platform |
|---|---|---|---|---|
| Price | €4990 fixed | "Contact us" (€100k+) | "Contact us" (€40k+) | Annual subscription |
| Delivery time | 5 business days | 8-24 weeks | 8-16 weeks | Ongoing |
| Per-finding FIPS 203/204/205 mapping | Yes | Implied | Implied | Product-mapped |
| DORA Art. 9/10 traceability | Yes | Yes | Partial | No |
| Money back if < 3 actionable findings | Yes | No | No | No |
| Public sample report | Yes | No | No | No |
Money-back guarantee
If the final report contains fewer than three actionable findings rated CRITICAL, HIGH or MEDIUM (excluding INSUFFICIENT_DATA fallbacks), we refund the full €4990. Severity classifications follow our published methodology; if you disagree with a rating, you may request an independent review within 14 days of delivery. Our reasoning is simple: if a regulated fintech in 2026 has fewer than three actionable PQC findings, your environment is genuinely ready and you should not have paid us.
Frequently asked questions
Is your audit recognised by KNF / UKNF for DORA Article 9 evidence?
Our deliverable maps each finding to DORA Articles 9 and 10 and to NIST FIPS 203, 204 and 205. It is compatible with EBA Guidelines on ICT and Security Risk Management (EBA/GL/2025/02) and the KNF Rekomendacja D format. Final regulatory acceptance is, as always, the supervisor's prerogative; our role is to provide the audit trail.
What is your relationship to NIST and ENISA?
We do not certify on behalf of NIST or ENISA. We apply the published FIPS 203, FIPS 204 and FIPS 205 standards (effective 14 August 2024) and the ENISA Post-Quantum Cryptography current-state guidance to your environment, with citations in every finding.
How is this different from a SandboxAQ AQtive Guard subscription?
SandboxAQ is a continuous monitoring product. We are a one-shot, fixed-fee audit producing an examiner-ready PDF. Many clients run both: AQtive for posture, us for the regulatory audit deliverable.
Why do you offer a money-back guarantee?
Because if a fintech in 2026 has fewer than three actionable PQC findings, your environment is genuinely ready and you should not have paid us in the first place.
Can the deliverable be in Polish or German?
Yes. Executive summary and technical body are available in English, Polish, German and Russian. Both versions are signed and dated. Default is English; specify another language in the intake form.