Getting started
As organizations embrace digital transformation, cloud adoption, and artificial intelligence (AI), they face a significant increase in Non-Human Identities (NHIs) such as service accounts, API keys, device identities, and AI agents. Securing these NHIs is paramount.
The foundation for securing many NHIs is cryptography—the keys and certificates used for authentication and secure communication. However, managing this cryptographic landscape is complex due to its often siloed, poorly inventoried, and inconsistently managed nature.
This complexity leads to significant risks:
- Outages caused by expired certificates.
- Breaches resulting from weak or compromised keys.
- Compliance failures due to unmanaged cryptographic assets.
- Inability to prepare for future threats, such as those posed by quantum computing.
AQtive Guard (AQG) addresses these foundational challenges. It’s an AI-powered cybersecurity platform designed to manage and secure NHIs and other cryptographic assets. AQG provides an end-to-end cryptographic management platform that offers a full inventory of existing cryptography usage, including vulnerability and compliance analysis. It also offers a path to centrally managed, robust, and agile cryptography.
This guide introduces the key components of AQG and how they work together. The following diagram illustrates the principal elements and data flow.
- Host Machines and Cloud Network - The AQG yanadump tool processes live network traffic and extends monitoring to cloud assets via traffic mirroring, ensuring seamless coverage in hybrid environments.
- Data sources - AQG offers powerful AQG sensors for in-depth cryptographic analysis of filesystems, applications, and physical and virtual networks. It also integrates with a variety of external data sources to centralize your IT assets and crypto inventory.
- Analysis - When AQG analyzes data, it evaluates detected cryptographic objects and NHIs against the active rules.
- API - The AQG API enables integration and automation, and powers the AQG web UI.
- UI - Provides a user-friendly interface for monitoring your cryptography and NHI data.
Host Machines and cloud network
To gain comprehensive insight into cryptographic activity across physical and cloud infrastructures, AQG leverages the yanadump tool. This tool enables real-time processing of live network traffic and extends monitoring to cloud assets through cloud-native traffic mirroring, ensuring seamless coverage in hybrid environments.
Data sources
The first step in cryptographic management is understanding the existing cryptographic landscape. AQG achieves comprehensive discovery through a powerful combination of data sources.
AQG provides two types of data sources: Native AQG sensors and integrated third-party data sources.
Native AQG sensors
Native AQG sensors include the Filesystem Scanner, Java Tracer, and Network Analyzer. Developed by SandboxAQ, these sensors perform deep, comprehensive discovery, often identifying cryptographic assets that other tools might miss.
- The Filesystem Scanner scans filesystems and container images to create a trace file containing cryptographic data.
- The Java Tracer logs cryptographic calls made by a Java Virtual Machine (JVM) and its associated Java application, generating a trace file with cryptographic data.
- The Network Analyzer processes static or streaming network traffic to detect Transport Layer Security (TLS) configurations and handshakes. It can be used with appliances like NetScout or cloud provider tools such as Virtual Private Cloud (VPC) Traffic Mirror.
Third-party data sources
AQG integrates with existing security and information technology tools, allowing ingestion of data from sources you may already use. Current integrations include:
- Qualys: Import Qualys certificate and server scan data and analyze potential cryptographic vulnerabilities.
- CrowdStrike: Import scans from CrowdStrike Falcon and generate a cryptographic analysis of available data.
- ServiceNow: Ingest certificate data from ServiceNow for centralized certificate management and enhanced security posture.
- AWS Key Management Service (KMS): Ingest data from AWS KMS for enhanced key management and security monitoring.
- Palo Alto Networks: Ingest and analyze TLS handshake data from Next-Generation Firewall log files.
- SentinelOne: Ingest SentinelOne data for installed applications and IT inventory details.
AQG can also ingest and analyze Cryptography Bill of Materials (CBOM) JSON files and Packet Capture (PCAP) files. This allows for immediate value while planning broader sensor deployment for deeper visibility.
Rules and profiles
In AQG, Rules are grouped together as Profiles. These profiles define the criteria for cryptographic analysis. When data is ingested, the system checks the detected cryptography against these rules. If a rule violation is detected, it becomes an Issue.
AQG offers built-in Profiles for NIST compliance and Post-Quantum Cryptography (PQC) readiness. For instance, the NIST Profile includes rules such as Certificate validity too long to help meet NIST recommendations. You can also create custom profiles and rules for specific organizational needs.
Inventory
Once data is ingested and rules are applied, this combined data flows into a unified Inventory. This inventory provides a comprehensive view of cryptographic assets, which can be browsed, filtered, and exported.
The inventory is organized into several categories:
- Keys: Provides a comprehensive view of the keys within the inventory, including their type (e.g., Rivest-Shamir-Adleman (RSA) or Digital Signature Algorithm (DSA)), length in bits, and whether they have an associated private key. This helps identify potential weaknesses like short RSA keys.
- Certificates: Offers a detailed overview of an organization’s digital certificates, including validity periods, signing algorithms, and issuer information. This is crucial for identifying certificates with long validity periods or those using quantum-vulnerable signature algorithms (e.g., RSA, Elliptic Curve Digital Signature Algorithm (ECDSA)).
- Operations: Shows cryptographic calls made by applications and their various functions.
- TLS Configs: Displays configurations related to TLS.
- Handshakes: Represents TLS handshakes detected in network traffic between source and target addresses, detailing TLS versions and selected ciphersuites.
- Secrets: Represents the discovery of sensitive assets, such as AWS access keys hardcoded in a Docker image.
Global filters, such as Profile, Severity, Source, and Current Scans can be applied to narrow down the visible data based on triggered rules.
IT assets
The IT Assets page provides an inventory of:
- Hosts: Provides an overview of scanned laptops and servers, showing their hostname, operating system, and last scan date. It also lists the data sources, like Qualys or the AQG Filesystem Scanner, that contributed to the host information. Drilling into a host’s Details shows an in-depth view of the cryptography discovered on that host, including associated keys and certificates.
- Apps: Lists applications that have been scanned.
- Container Images: Provides similar information for cryptography discovered within container images, allowing tracking of cryptography within these dynamic systems.
API
AQG provides a comprehensive, robust API with endpoints for custom reporting or data exchanges with external systems. Data displayed in the UI can be easily accessed from these API endpoints using scripting languages like Python. For example, the API can automate cryptography status reports for specific IT assets, significantly reducing manual effort.
UI
Dashboard
When you first log into AQG, you’re presented with a comprehensive Dashboard. This serves as a central hub, providing an overview of the entire cryptographic environment and immediate insights into the status of scanned IT assets and overall cryptographic health.
Issues
The Issues page presents a consolidated and prioritized risk picture. AQG evaluates every key, certificate, and cryptographic operation against rules based on standards like NIST, Federal Information Processing Standards (FIPS), and other industry best practices.
Issues are ranked by Severity and the number of Occurrences, enabling a focus on the most critical concerns immediately. By selecting the Details of an issue, you can explore:
- A brief description of the issue.
- Guidance on how to resolve the finding.
- Risk factors associated with not resolving it.
- References for further information.
- Specifications: The standard configuration of the rule that triggered the finding.
The Dashboard’s most critical section is Highest impact issues. This area immediately highlights out-of-policy findings, prioritized by severity and occurrences, enabling quick focus on the most pressing security and compliance concerns. To explore issue details, select View or navigate to the Issues tab in the main menu.
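To make the Profiles → Rules → Issues model described in the Rules and profiles section and on the Issues page concrete, here is an added illustration written for this guide; it is not AQG code and does not use the AQG API. The rule names, severities, thresholds, and the inventory records are constructed assumptions that mirror the kinds of findings the text mentions (certificate validity too long, short RSA keys, quantum-vulnerable signature algorithms).

```python
"""Illustrative profile/rule evaluator (constructed example, not AQG code).

Each Profile groups Rules; each Rule is a predicate over a discovered object.
Objects matching a Rule become an Issue, and Issues are ranked by Severity
and then by the number of Occurrences, as the Issues page does.
"""
from datetime import date

# Constructed inventory records, stand-ins for objects a sensor would discover.
INVENTORY = [
    {"kind": "key", "id": "k1", "algorithm": "RSA", "bits": 1024},
    {"kind": "key", "id": "k2", "algorithm": "RSA", "bits": 3072},
    {"kind": "key", "id": "k3", "algorithm": "RSA", "bits": 1024},
    {"kind": "certificate", "id": "c1", "sig_alg": "RSA",
     "not_before": date(2020, 1, 1), "not_after": date(2030, 1, 1)},
    {"kind": "certificate", "id": "c2", "sig_alg": "ECDSA",
     "not_before": date(2024, 1, 1), "not_after": date(2025, 1, 1)},
]

# Rule predicates. Thresholds (398 days, 2048 bits) are assumptions for the example.
def cert_validity_too_long(obj, max_days=398):
    return obj["kind"] == "certificate" and (obj["not_after"] - obj["not_before"]).days > max_days

def short_rsa_key(obj, min_bits=2048):
    return obj["kind"] == "key" and obj["algorithm"] == "RSA" and obj["bits"] < min_bits

def quantum_vulnerable_signature(obj):
    return obj["kind"] == "certificate" and obj["sig_alg"] in {"RSA", "ECDSA"}

# Profiles group rules; severity uses an assumed scale of 1 (low) to 3 (high).
PROFILES = {
    "NIST": [("Certificate validity too long", 2, cert_validity_too_long),
             ("RSA key shorter than 2048 bits", 3, short_rsa_key)],
    "PQC readiness": [("Quantum-vulnerable signature algorithm", 1, quantum_vulnerable_signature)],
}

def evaluate(inventory, profile_name):
    """Return the Issues for one Profile, ranked by severity, then occurrences (both descending)."""
    issues = []
    for rule_name, severity, check in PROFILES[profile_name]:
        matched = [obj["id"] for obj in inventory if check(obj)]
        if matched:  # a rule with no matching objects raises no Issue
            issues.append({"rule": rule_name, "severity": severity,
                           "occurrences": len(matched), "objects": matched})
    return sorted(issues, key=lambda i: (i["severity"], i["occurrences"]), reverse=True)

if __name__ == "__main__":
    for profile in PROFILES:
        for issue in evaluate(INVENTORY, profile):
            print(profile, issue)
```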