The platform

Six modules. One audit trail. Zero shortcuts.

QUANTRA is not a scanner and not a wiki. It's the operating system for a regulated post-quantum migration — every action versioned, every finding attributable, every report reproducible.

QUANTRA console

1 · Inventory intake

System, asset and endpoint discovery. Bulk CSV with RFC-4180-ish parsing, manual entry, and Certificate Transparency log lookups via crt.sh. Two-step validation before commit. Confidence tagging: findings from CT-logs or missing metadata land as low_confidence until a human confirms.

Highlights
  • Bulk upload with pre-commit validation report
  • CT-log lookup by domain
  • App-layer de-duplication
  • External-ref tracking

2 · Deterministic risk scoring

A pure TypeScript engine applies weighted sub-scores (0.40 exposure, 0.25 sensitivity, 0.20 criticality, 0.15 lifetime). Scoring tables are stored in the database and versioned; bwe_admin users can activate new versions without code deployments. Reproducible for every audit.

Highlights
  • Version-locked tables per engagement
  • Confidence-gated headline score
  • RSA key-size aware
  • 10 unit tests covering edge cases

3 · AI-assisted findings

One-click drafting via Lovable AI Gateway (Gemini 2.5 Flash). Every draft records model, prompt version and input hash. A Postgres CHECK constraint refuses to store a finding in a report unless a named human approver signed it off.

Highlights
  • Auditable prompt versioning
  • Input-hash traceability
  • DB-enforced approval gate
  • Human-in-the-loop by design

4 · Report generation

Versioned, deterministic JSON snapshots of findings, assets and risk tiers. Print-to-PDF built in. Delivery transitions the engagement to saas_active and freezes the snapshot with an immutable input hash.

Highlights
  • Snapshot-based versioning
  • Immutable input_hash per version
  • Private engagement-scoped storage bucket
  • PDF-ready output

5 · Continuous SaaS monitoring

A deterministic scanner runs against delivered engagements, surfacing expired or expiring certificates, deprecated algorithms (SHA-1, DES, 3DES) and undersized RSA (< 3072 bits). Alerts include acknowledgment workflow and are RLS-scoped.

Highlights
  • Cron endpoint secured via CRON_SECRET
  • Per-engagement scan history
  • Acknowledgeable alerts
  • Fires on drift, expiry and new deprecations

6 · RLS multi-tenancy

Every table in the public schema enforces row-level security via can_access_engagement and is_bwe_staff helpers. No app-layer filters — cross-tenant queries return zero rows even for staff without the correct role. Verified by an automated cross-org test.

Highlights
  • Postgres RLS on every table
  • Security-definer helper functions
  • Automated cross-org test suite
  • Role: bwe_admin / bwe_analyst / client_owner / client_read

Ready to see it in your context?

Book a scoped demo with your own systems in mind.

Talk to BWE