Skip to content

AQtive Scanning

AQtive Scanning checks the TLS configuration of your external-facing domains — no sensors or data source setup required. Scan up to 100 domains at a time and see their supported TLS versions, cipher suites, certificate details, and PQC readiness in one view.

Important

AQtive Scanning results provide a snapshot view that isn’t stored in AQtive Guard (AQG). You can only access your results during your current session.

Scan domains

To scan one or more domains:

  1. From the AQG main menu, select AQtive Scanning.
  2. Enter your domain(s) in the input field, separated by commas (for example, aqme.com, api.aqme.com).
    • Enter up to 100 domains per scan.
    • Separate domains with commas, spaces, or new lines.
    • Enter domains with or without the protocol prefix. If you omit it, AQG assumes https://.
    • Duplicate entries are automatically removed.
  3. Select Scan to start.

AQG scans all your domains in parallel. You’ll see a loading indicator on each domain card while its scan is in progress.

Understanding your results

Your results summary depends on the number of domains you scanned.

Single domain scan

When you scan a single domain, you’ll see the full results directly on the page, including a summary and detailed breakdown.

Multiple domain scan

When you scan multiple domains, your results appear as a list of compact rows. Each row shows the domain name and a quick summary of its cryptographic posture:

  • PQC support — whether the domain is PQC supported or not supported.
  • Primary TLS protocol — the highest TLS version the domain supports (for example, TLS 1.3).

Row and pill colors reflect PQC support status. Select a row to open a sidebar with the full results for that domain.

Failed scans

If AQG can’t reach a domain or the domain doesn’t support TLS, it appears in an error summary at the bottom of the results. Select Rescan to try again.

Result summary

The result summary gives you a quick overview for each domain:

  • Post-Quantum (PQ) Support — tells you whether the domain’s key exchange configuration is resilient against quantum-capable adversaries. You’ll see one of two values:
    • Yes — all configurations use PQ-safe key exchange.
    • No — no PQ key exchange support detected.
  • Primary TLS Protocol — the highest TLS version the domain supports (for example, TLS 1.3).

Nodes

The Nodes section gives you per-IP results for each IP address and port combination discovered behind the domain. Each node provides two areas of detail: TLS versions and Certificates.

TLS versions

For each node, you can expand individual TLS versions to see version-specific details:

  • Cipher suites — the algorithm combinations the server negotiates at that version.
  • Signatures — the authentication algorithms the server offers at that version.
  • Key exchanges — the algorithms the server offers for establishing a shared secret at that version.
  • Forward secrecy — whether session keys remain protected even if the server’s private key is later compromised.
  • Weak ciphers — whether the server exposes any deprecated or insecure cipher suites.

Unsupported TLS versions appear as collapsed cards marked Not Supported.

Certificates

Each node also displays its X.509 certificates, grouped by signature algorithm (for example, ECDSA). Expand a certificate to see its details. For more on certificate concepts, refer to the Cryptography glossary.

  • Fingerprint — the SHA-256 hash that uniquely identifies the certificate.
  • Validity period — the start and end dates for the certificate.
  • Valid until — the expiration date for the certificate.
  • Issuer — the Certificate Authority that issued the certificate.
  • Subject — the domain or entity that the certificate identifies.
  • Digest algorithm — the hash function used to sign the certificate.

Rescan

To start a new scan, select Rescan in the top-right corner of the results view. This clears your current results and returns you to the input form.