CipherM is built in public by a solo engineer. The shape is deliberate: open scanner, public CBOM registry, honest pricing, slow burn on a regulatory tailwind that's already in writing.
In August 2024 the U.S. National Institute of Standards and Technology finalized three post-quantum cryptography standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). The Commercial National Security Algorithm suite (CNSA 2.0) mandates federal migration by 2035. PCI-DSS 4.0's crypto-agility requirements are effective today.
Every Fortune 5000 company will have to inventory every place it uses RSA, ECC, Diffie-Hellman, and SHA-1, then migrate. Most have no idea where to start. The buyer is real, the deadline is real, and the inventory tooling is missing.
CipherM is the inventory layer. The OSS scanner reads your source code and configuration files — key generation, classical TLS, JWT, keystores, and cert/key files — and emits a Cryptographic Bill of Materials in CycloneDX 1.6, the SBOM industry standard. A companion validator checks whether your live TLS endpoints negotiate PQC-hybrid key exchange.
Distribution is the constraint, not features. Snyk and Wiz could ship a PQC scanner in a quarter. They can't clone a public registry that 1,000 organizations have published their CBOMs to. We ship the registry first, the scanner second, the dashboard third.
Standards ownership compounds. Our Q-CBOM extension proposal to OWASP CycloneDX is a permanent contribution. Once auditors accept the format, the format gets the deals. We'd rather be cited than acquired.
Trust over magic. Crypto migration is one of the few domains where a bad auto-fix is worse than no fix. We will never ship one-click PRs. We ship high-confidence migration suggestions with explicit confidence scores and reasoning chains, and you decide.
Honest about pre-launch. We don't fabricate testimonials. We don't claim customers we don't have. We don't pretend Year 1 ARR is the goal — it's positioning for the 2027-2030 wave when budgets actually unlock.
One person, currently solo. Background: iOS development, regulated-industry security adjacency, AWS Security Specialty in progress. Building CipherM alongside four other shipped iOS apps.
If you want to talk shop, the contact page reaches the founder directly. Sales emails go to /dev/null; technical questions get answered.