DORA-aligned. NIST FIPS 203/204/205 traceable. Delivered in 5 business days.
The PQC audit your KNF examiner will accept.
30 to 80 times cheaper than the Big Four. Money back if we find fewer than three actionable findings.
NIST FIPS 203 · FIPS 204 · FIPS 205 · DORA Art. 9-10 · NIS2 Art. 21(2)(f) · ENISA PQC 2024 · EBA/GL/2025/02 · KNF Rekomendacja D · BSI TR-02102-1
Why DORA-supervised entities choose us
The discovery gap
Most banks have no current cryptographic inventory. Migrating to post-quantum cryptography requires full visibility into your cryptographic environment. We deliver that inventory as a deliverable, not as an estimate.
The Big Four retainer trap
Big Four firms quote a 12-month engagement at six-figure EUR. We deliver in five business days because the supervisory deadline does not wait for an FY26 budget cycle.
The "contact sales" silence
Fourteen out of fourteen EU PQC vendors we surveyed hide pricing behind "Request a demo". We publish €4990 because our scope is fixed.
The HNDL clock
Sixty-nine percent of organizations recognize the quantum risk; only five percent have implemented quantum-safe encryption (DigiCert Quantum Readiness Gap). Harvest-Now-Decrypt-Later collection of encrypted traffic is happening today. The audit cannot wait.
The DORA-PQC translation gap
DORA Art. 9 requires protection measures for cryptographic keys, based on approved data classification. No standard deliverable connects this article to NIST FIPS 203/204/205. Our report does, per finding.
Three full sample reports — read before you buy
Fictional Polish profiles. Real report structure, real legal-safe language, real FIPS-traceability. None of our competitors publishes a sample.
Large bank — Bank Krajowy
500 employees, KNF-supervised retail + corporate. Legacy core, mobile, web. 18-month remediation roadmap.
Mid-market fintech — FastPay
50 employees, UKNF Payment Institution. Modern GCP stack, microservices. 9-month roadmap.
MVP brokerage — InvestPro
8 employees, MiFID II investment firm. Vercel + Supabase + Stripe. 6-month roadmap.
Methodology
1. Intake & scope
You submit domains, optional cryptographic-inventory hints and DORA register references. Five-step form, server-side validated, GDPR-bounded.
2. Passive scan
TLS handshake fingerprinting (sslyze), certificate-transparency log walk (crt.sh), security-header inspection. No active probing, no payload injection.
3. AI-assisted analysis
Multi-agent pipeline (LangGraph + Claude Opus + critic model) builds a CBOM, classifies each finding to FIPS 203/204/205, maps to DORA articles. Independent critic verifies before persistence.
4. Human review & delivery
An operator-cryptographer reviews the auto-generated report against the original scan data before approval. Executive PDF + technical PDF delivered via signed link.
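As an added illustration of steps 3 and 4 (example code, not the vendor's own pipeline), the following Python classifies constructed TLS scan records into a minimal CBOM, maps each quantum-vulnerable primitive to the FIPS standard that replaces it, and applies the guarantee's counting rule. The severity thresholds, field names and the `INSUFFICIENT_DATA` handling for failed handshakes are assumptions.

```python
# Constructed TLS scan records (not real scan output): one per public endpoint.
SCAN = [
    {"host": "www.bank.test", "kex": "X25519MLKEM768", "sig": "ecdsa_secp256r1_sha256", "cert_key": "EC P-256"},
    {"host": "api.bank.test", "kex": "ECDHE-X25519", "sig": "rsa_pss_rsae_sha256", "cert_key": "RSA 2048"},
    {"host": "legacy.bank.test", "kex": "RSA", "sig": "rsa_pkcs1_sha1", "cert_key": "RSA 1024"},
    {"host": "vpn.bank.test", "kex": None, "sig": None, "cert_key": None},  # handshake failed
]


def classify_kex(kex):
    """Rate a key-exchange mechanism; returns (severity, FIPS reference for the replacement)."""
    if kex is None:
        return ("INSUFFICIENT_DATA", None)
    if "MLKEM" in kex.upper():            # pure or hybrid ML-KEM: already quantum-safe
        return ("OK", "FIPS 203")
    if kex.startswith(("ECDHE", "DHE")):  # forward-secret, but Shor-breakable: HNDL exposure
        return ("HIGH", "FIPS 203")
    if kex == "RSA":                      # static RSA key transport: no forward secrecy at all
        return ("CRITICAL", "FIPS 203")
    return ("INSUFFICIENT_DATA", None)    # unknown token: never guess a rating


def classify_sig(sig, cert_key):
    """Rate the certificate signature scheme; ML-DSA (FIPS 204) or SLH-DSA (FIPS 205) replace it."""
    if sig is None or cert_key is None:
        return ("INSUFFICIENT_DATA", None)
    if "mldsa" in sig.lower() or "slhdsa" in sig.lower():
        return ("OK", "FIPS 204/205")
    if "sha1" in sig.lower() or cert_key == "RSA 1024":  # already weak classically
        return ("HIGH", "FIPS 204/205")
    return ("MEDIUM", "FIPS 204/205")  # sound today; forgeable only once a CRQC exists


def build_cbom(scan):
    """Cryptographic bill of materials: one finding per non-compliant primitive per endpoint."""
    findings = []
    for ep in scan:
        rated = {"key_exchange": (ep["kex"], *classify_kex(ep["kex"])),
                 "signature": (ep["sig"], *classify_sig(ep["sig"], ep["cert_key"]))}
        for component, (observed, severity, fips_ref) in rated.items():
            if severity != "OK":
                findings.append({"host": ep["host"], "component": component,
                                 "observed": observed, "severity": severity, "fips": fips_ref})
    return findings


def actionable_count(findings):
    """Guarantee rule: CRITICAL/HIGH/MEDIUM count, INSUFFICIENT_DATA fallbacks do not."""
    return sum(1 for f in findings if f["severity"] in {"CRITICAL", "HIGH", "MEDIUM"})


def refund_due(findings):
    return actionable_count(findings) < 3
```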
Compare on the criteria that matter to a CISO
| Criterion | PQC Auditor FINTECH | Big Four Quantum | NCC / Kudelski boutique | SaaS platform |
|---|---|---|---|---|
| Price | €4990 fixed | "Contact us" (€100k+) | "Contact us" (€40k+) | Annual subscription |
| Delivery time | 5 business days | 8-24 weeks | 8-16 weeks | Ongoing |
| Per-finding FIPS 203/204/205 mapping | Yes | Implied | Implied | Product-mapped |
| DORA Art. 9/10 traceability | Yes | Yes | Partial | No |
| Money back if < 3 actionable findings | Yes | No | No | No |
| Public sample report | Yes | No | No | No |
Money-back guarantee
If the final report contains fewer than three actionable findings rated CRITICAL, HIGH or MEDIUM (excluding INSUFFICIENT_DATA fallbacks), we refund the full €4990. Our reasoning is simple: if a regulated fintech in 2026 has fewer than three actionable PQC findings, your environment is genuinely ready and you should not have paid us.
Frequently asked questions
Is your audit recognised by KNF / UKNF for DORA Article 9 evidence?
Our deliverable maps each finding to DORA Articles 9 and 10 and to NIST FIPS 203, 204 and 205. It is compatible with EBA Guidelines on ICT and Security Risk Management (EBA/GL/2025/02) and the KNF Rekomendacja D format. Final regulatory acceptance is, as always, the supervisor's prerogative; our role is to provide the audit trail.
What is your relationship to NIST and ENISA?
We do not certify on behalf of NIST or ENISA. We apply the published FIPS 203, FIPS 204 and FIPS 205 standards (effective 14 August 2024) and the ENISA Post-Quantum Cryptography current-state guidance to your environment, with citations in every finding.
How is this different from a SandboxAQ AQtive Guard subscription?
SandboxAQ is a continuous monitoring product. We are a one-shot, fixed-fee audit producing an examiner-ready PDF. Many clients run both: AQtive for posture, us for the regulatory audit deliverable.
Why do you offer a money-back guarantee?
Because if a fintech in 2026 has fewer than three actionable PQC findings, your environment is genuinely ready and you should not have paid us in the first place.
Can the deliverable be in Polish or German?
Yes. The executive summary and technical body are available in English, Polish, German and Russian. Both documents are signed and dated. The default is English; specify another language in the intake form.