Cryptographic Bill of Materials (CBOM) Service

Gain complete visibility of your cryptographic estate. Unsung's CBOM service discovers, catalogues, and assesses cryptographic assets across your organisation, providing the foundation for post-quantum readiness and ongoing cryptographic governance.

Why

You cannot manage what you cannot see. Most organisations acknowledge that cryptography underpins their security controls and digital infrastructure, yet the precise locations, functions, and dependencies of cryptographic assets are often poorly documented or completely unknown.

This lack of visibility creates significant challenges. Without a clear understanding of your cryptographic footprint, it becomes difficult to assess exposure to emerging threats, prioritise investment in cryptographic modernisation, or respond effectively when vulnerabilities are disclosed. The scale of the problem is substantial: a typical Windows environment may contain between 80,000 and 500,000 certificates, whilst iOS devices can hold 40,000 to over 200,000.

As the post-quantum transition accelerates, regulatory bodies and standards organisations now recommend building a cryptographic inventory as a foundational step in PQC readiness. This is not a task that can be addressed manually. Creating and maintaining an accurate cryptographic inventory by hand is no longer feasible given the volume and complexity involved.

For organisations preparing for post-quantum cryptography, adopting Zero Trust architectures, or seeking to improve operational resilience, a CBOM provides the baseline visibility needed to plan, prioritise, and act with confidence.

What

Unsung's Cryptographic Bill of Materials service provides a comprehensive discovery and assessment of cryptographic assets across your IT environment. We help organisations understand what cryptography they use, where it is deployed, and how it supports business operations.

Our CBOM engagement delivers a structured inventory that captures certificates, keys, algorithms, and cryptographic dependencies across infrastructure, applications, and services. This inventory becomes a critical input for risk assessment, compliance reporting, and transformation planning.

The service goes beyond simple asset discovery. We contextualise findings against your business requirements, identify areas of concern, and provide practical recommendations that support informed decision-making. Our approach is vendor-neutral and consultative, ensuring that outputs are relevant to your specific environment and strategic objectives.

For CISOs and security leaders, the CBOM also represents a high-value asset in its own right. It provides a roadmap of cryptographic dependencies and potential weak points, and as such must be appropriately protected and governed.

How

Unsung delivers CBOM engagements tailored to the scope and complexity of your environment. Our team of PKI specialists brings extensive experience from government and enterprise contexts, with many holding SC and DV clearance. We provide the rigour and assurance that sensitive cryptographic assessments demand.

Discovery and scanning

We deploy appropriate tooling to identify certificates, keys, and cryptographic configurations across your estate. This includes network-connected systems, cloud services, endpoints, and application environments. Where automated discovery is not possible, we conduct structured reviews of documentation, configurations, and system inventories.

Asset cataloguing

Discovered assets are catalogued into a structured inventory that captures key attributes: certificate details, algorithm types, validity periods, issuing authorities, and deployment locations. We normalise data from multiple sources to create a consolidated view of your cryptographic footprint.

Dependency mapping

We map cryptographic dependencies to business services and applications, helping you understand how certificates and keys support critical operations. This contextual layer enables prioritisation based on business impact, not just technical attributes.

Risk and readiness assessment

Each asset is assessed against current best practice and emerging requirements, including post-quantum readiness. We identify weak algorithms, approaching expiry dates, visibility gaps, and areas where governance or automation may be lacking.

Reporting and recommendations

Our final report is accessible to both technical and executive audiences. It includes a summary of findings, risk prioritisation, and practical recommendations that inform remediation planning, investment decisions, and cryptographic governance improvements.

Ongoing support

For organisations seeking continuous visibility, we can advise on tooling selection, process integration, and the establishment of ongoing CBOM maintenance as part of business-as-usual operations.
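The cataloguing, risk-assessment and reporting steps above can be illustrated with a small inventory tool. The code below is an added example written for this page, not Unsung's tooling, and makes several assumptions: the asset records are constructed samples standing in for output from scanners, key stores and configuration reviews; the reference date is fixed so the results are reproducible; and the output document is only loosely modelled on a CycloneDX 1.6 cryptographic-asset component, with the `findings` and `summary` fields and the property names being illustrative rather than spec-conformant. It normalises records from several (hypothetical) sources, flags weak signature hashes, undersized keys, approaching expiry and quantum-vulnerable public-key algorithms, and produces a prioritised list keyed to the business service each asset supports.

```python
"""Added example: catalogue and assess a small cryptographic inventory (CBOM).

Illustrative code for this page, not the service provider's own tooling.
The asset records are constructed samples; in practice they would be
normalised from discovery scanners, key stores and configuration reviews.
"""
import json
from datetime import datetime, timezone

# Constructed sample records, already normalised to one schema. The source,
# host and service names are hypothetical.
SAMPLE_ASSETS = [
    {"id": "cert-001", "source": "windows-cert-store", "host": "web01.example.internal",
     "subject": "CN=web01.example.internal", "issuer": "CN=Corp Issuing CA 2",
     "key_algorithm": "RSA", "key_size": 2048, "signature_algorithm": "sha256WithRSAEncryption",
     "not_after": "2026-11-01T00:00:00Z", "service": "Customer portal"},
    {"id": "cert-002", "source": "appliance-config", "host": "vpn-gw.example.internal",
     "subject": "CN=vpn-gw.example.internal", "issuer": "CN=Old Root CA",
     "key_algorithm": "RSA", "key_size": 1024, "signature_algorithm": "sha1WithRSAEncryption",
     "not_after": "2026-01-20T00:00:00Z", "service": "Remote access"},
    {"id": "cert-003", "source": "k8s-secrets", "host": "api.example.internal",
     "subject": "CN=api.example.internal", "issuer": "CN=Corp Issuing CA 2",
     "key_algorithm": "EC", "key_size": 256, "signature_algorithm": "ecdsa-with-SHA256",
     "not_after": "2027-03-15T00:00:00Z", "service": "Mobile API"},
]

# Fixed reference date so the assessment is reproducible (constructed).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

WEAK_SIGNATURE_PREFIXES = ("md5", "sha1")
MIN_KEY_SIZE = {"RSA": 2048, "DSA": 2048, "EC": 256}
# Public-key algorithms whose security rests on problems a cryptographically
# relevant quantum computer would break; these need a PQC migration plan.
QUANTUM_VULNERABLE = {"RSA", "DSA", "EC", "DH"}
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339-style UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(asset: dict, now: datetime, expiry_window_days: int = 30) -> list:
    """Return (severity, finding) tuples for one asset."""
    findings = []
    if asset["signature_algorithm"].lower().startswith(WEAK_SIGNATURE_PREFIXES):
        findings.append(("high", f"weak signature hash: {asset['signature_algorithm']}"))
    min_bits = MIN_KEY_SIZE.get(asset["key_algorithm"])
    if min_bits is not None and asset["key_size"] < min_bits:
        findings.append(("high", f"{asset['key_algorithm']} key below {min_bits} bits"))
    days_left = (parse_ts(asset["not_after"]) - now).days
    if days_left < 0:
        findings.append(("high", "certificate expired"))
    elif days_left <= expiry_window_days:
        findings.append(("medium", f"expires in {days_left} days"))
    if asset["key_algorithm"] in QUANTUM_VULNERABLE:
        findings.append(("info", "quantum-vulnerable public-key algorithm"))
    return findings


def build_cbom(assets: list, now: datetime) -> dict:
    """Build an inventory document loosely modelled on CycloneDX 1.6
    cryptographic-asset components; field names here are illustrative."""
    components, top_severity = [], {}
    for a in assets:
        findings = assess(a, now)
        top_severity[a["id"]] = min((SEVERITY_RANK[s] for s, _ in findings), default=3)
        components.append({
            "type": "cryptographic-asset",
            "bom-ref": a["id"],
            "name": a["subject"],
            "cryptoProperties": {
                "assetType": "certificate",
                "certificateProperties": {
                    "subjectName": a["subject"], "issuerName": a["issuer"],
                    "notValidAfter": a["not_after"],
                    "signatureAlgorithm": a["signature_algorithm"],
                    "publicKey": f"{a['key_algorithm']}-{a['key_size']}",
                },
            },
            # Dependency-mapping context: where it lives and what it supports.
            "properties": [{"name": "inventory:source", "value": a["source"]},
                           {"name": "inventory:host", "value": a["host"]},
                           {"name": "inventory:service", "value": a["service"]}],
            "findings": [{"severity": s, "detail": d} for s, d in findings],
        })
    by_severity = {"high": 0, "medium": 0, "info": 0}
    for c in components:
        for f in c["findings"]:
            by_severity[f["severity"]] += 1
    prioritised = sorted(top_severity, key=lambda i: (top_severity[i], i))
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": components,
            "summary": {"by_severity": by_severity, "prioritised": prioritised}}


if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_ASSETS, NOW), indent=2))
```

Re-running the same script against fresh discovery output is the simplest form of the ongoing CBOM maintenance mentioned above: diffing successive documents shows newly discovered assets, renewals and any regression to weak parameters.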

Outcomes

A completed CBOM engagement provides:

  • Complete visibility of cryptographic assets across your organisation
  • A structured inventory suitable for risk assessment and compliance reporting
  • Clear identification of weak algorithms, expiring certificates, and visibility gaps
  • Prioritised recommendations aligned to business impact and risk appetite
  • A foundation for post-quantum transition planning and crypto-agility
  • Inputs for regulatory compliance and audit evidence