Last 24 hours · Jul 07, 2026 00:09 – Jul 08, 2026 00:09 UTC
Generated: 2026-07-08 00:09:10 UTC
NIST PQC Compliance
Per NIST IR 8547. TLS handshakes whose negotiated key exchange provides no post-quantum protection — exposed to 'harvest now, decrypt later' attacks once a cryptographically relevant quantum computer is available. Source: <b>rockfish-tls-pqc</b> Suricata plugin, which parses the ClientHello supported_groups extension and the TLS 1.3 ServerHello key_share NamedGroup directly off the wire (data Suricata's stock TLS event log does not surface). <b>server_lagging</b> = client offered PQ but server picked classical (silent exposure); <b>client_lagging</b> = client never offered PQ at all; <b>partial</b> = only one side of the handshake observed (typical TLS 1.2).
Non-PQ TLS Handshakes
9 rows
| Source | Destination | SNI | TLS | Chosen Group | Exposure | Handshakes |
|---|---|---|---|---|---|---|
| 10.1.4.20 | 13.107.42.14 | graph.microsoft.com | TLS 1.3 | X25519 | server_lagging | 2,417 |
| 10.1.7.51 | 104.18.32.7 | api.cloudflare.com | TLS 1.3 | X25519 | server_lagging | 1,134 |
| 10.6.19.21 | 52.96.165.34 | outlook.office365.com | TLS 1.3 | X25519 | server_lagging | 847 |
| 10.1.8.50 | 198.51.100.42 | legacy-payroll.acme.io | TLS 1.2 | — | client_lagging | 612 |
| 172.16.4.10 | 203.0.113.18 | vpn.contractor.example | TLS 1.2 | — | client_lagging | 489 |
| 10.1.12.203 | 44.226.122.5 | api.legacy-saas.com | TLS 1.2 | — | partial | 284 |
| 10.1.12.205 | 18.232.71.12 | oauth.aging-provider.io | TLS 1.3 | secp256r1 | server_lagging | 213 |
| 10.169.112.51 | 162.247.74.27 | metrics.thirdparty.io | TLS 1.3 | X25519 | server_lagging | 178 |
| 10.1.7.65 | 104.16.124.96 | hooks.slack.com | TLS 1.3 | X25519 | server_lagging | 94 |