Architecture & Integration Diagram

End-to-end deployment topology, scanner capabilities, and integration ecosystem

System Overview

TYCHON is a stateless, single-binary cryptographic asset scanner. No persistent agent or service required. It runs on demand (or on a schedule) and pushes findings directly to SIEM/storage targets or writes files that existing log collectors pick up.

Key figures: 87+ TLS cipher suites tested · 44+ plaintext protocol probes · 7 output formats · 4 target platforms
Scan Targets (Local & Remote)
Local mode:
• Endpoints & workstations
• SCCM, Intune, Tanium deployment
• Filesystem & process memory
• VPN clients & IPSec tunnels
• Password managers

Remote mode:
• Servers & network devices
• IP / CIDR / range scanning
• TLS/SSL, SSH, plaintext probes
• Cipher suite enumeration

Orchestration:
Task Scheduler, Cron, K8s CronJobs
TYCHON Scanner (Stateless Binary · Pure Go · ~45 MB)

Capabilities:
• TLS/SSL certs
• SSH keys
• Cipher suites
• PQC detection
• CNSA 2.0 score
• Filesystem
• Memory scan
• VPN clients
• IPSec tunnels
• Plaintext probes
• Password managers
• VDI identity
• Static mode
• Quantum score

Output: JSON, NDJSON, CBOM, Tychon, HTML, EventLog, FlatNDJSON
Collection & Analysis (Push or Pull)
Direct push (built-in):
• Elasticsearch / OpenSearch
• Splunk HEC
• Apache Kafka
• AWS S3 / Cloudflare R2
• Windows EventLog

File-based pull:
• Elastic Agent / Filebeat
• Splunk Universal Forwarder
• Logstash / Fluentd
• Datadog Agent

Analysis:
Dashboards · Alerts · Compliance · Tickets

Agentless Architecture  ·  Dual Integration Model (Push + Pull)  ·  No Runtime Dependencies

Layer 1 — Deployment & Orchestration

Enterprise Deployment Platforms

Management platforms that package, deploy, schedule, and orchestrate TYCHON across endpoints and infrastructure.

• Microsoft SCCM / MECM — App deployment, scheduled tasks, hardware inventory integration
• Microsoft Intune — Win32 app packages, Azure Sentinel integration, cloud-native deployment
• Tanium — Real-time endpoint visibility, Tanium Deploy, Scheduled Actions
• HCL BigFix — Endpoint management, Fixlet deployment, remediation workflows
• CrowdStrike Falcon — Real Time Response (RTR), EDR-based deployment, Falcon LogScale integration
• Ansible / AWX — Agentless automation, playbook orchestration, AWX/Tower workflows
• Puppet Enterprise — Configuration management, declarative infrastructure, continuous compliance
• VMware Workspace ONE — Unified endpoint management, cross-platform deployment, device compliance
• Kubernetes CronJobs — CronJobs, ConfigMaps, Secrets, EKS / AKS / GKE container orchestration
• AWS Lambda / EventBridge — Serverless scanning, event-driven triggers, S3 result storage
• Azure Functions / Timer — Serverless compute, Timer triggers, Azure Blob storage integration
• Manual / Script Execution — CLI invocation, PowerShell scripts, batch files, shell wrappers

→ Deploys & Schedules

Layer 2 — TYCHON Core Scanner

Cryptographic Discovery & Assessment Engine

Pure-Go stateless binary. No embedded OpenSSL, no external runtime dependencies. Runs identically on Windows, Linux, and macOS across x64 and ARM64 architectures.

• TLS/SSL Certificate Discovery — X.509 parsing, chain validation, expiration tracking, key strength assessment
• Cipher Suite Enumeration — 87+ TLS 1.0–1.3 suites, weak cipher flagging, AEAD vs CBC detection
• SSH Host Key Analysis — KEX algorithms, host key types, MAC & cipher algorithm enumeration, banner capture
• Post-Quantum Crypto Detection — ML-KEM-768/1024, BIKE, HQC, FN-DSA, X25519MLKEM768, OQS hybrid groups
• CNSA 2.0 Compliance Assessment — NSA CNSA 2.0 level scoring per connection, quantum-safe determination
• Filesystem Scanning — Certificate file discovery (.pem, .crt, .cer, .p12, .pfx, .jks, .keystore)
• Process Memory Scanning — Loaded crypto library detection, in-memory key/cert discovery (Windows & Linux)
• Plaintext Protocol Detection — 44+ service probes: HTTP, FTP, SMTP, IMAP, POP3, Telnet, LDAP, RDP, and more
• VPN Client Detection — Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient, WireGuard, OpenVPN
• IPSec Tunnel Analysis — IKEv1/IKEv2 configuration discovery, algorithm strength, PFS assessment
• Password Manager Detection — 1Password, Bitwarden, KeePass, LastPass, Dashlane (version & config inventory)
• VDI Asset Identity — Stable host ID for non-persistent VDI pools (Azure VDI, Citrix, VMware Horizon)
• Quantum Readiness Scoring — 0–100 scale per-host assessment, PQC migration prioritization
• Static Detection Mode — Full running process inventory via gopsutil; discovered, static, or both modes
• Local Tracking Database — Opt-in encrypted tracking database (AES-256-GCM + gzip, owner-only). Enable with -enable-tracking.
• Multi-Format Output — JSON, NDJSON (Tychon), CBOM, Flat NDJSON, HTML, Windows EventLog, CSV

→ Publishes Results

Layer 3 — Direct Integration Targets

Built-in Push Connectors (real-time)

TYCHON has native built-in capability to push scan results directly to these platforms without any intermediate agent or file drop.

• Elasticsearch / OpenSearch — -posttoelastic: Bulk API, direct index push, ILM-aware
• Splunk HEC — -posttosplunk: HTTP Event Collector, token auth, index routing
• Apache Kafka — -posttokafka: real-time event streaming, SASL/TLS auth
• AWS S3 — -upload-s3: automatic file upload, bucket/prefix config, lifecycle management
• Cloudflare R2 — S3-compatible via -s3endpoint; zero egress cost
• Windows EventLog — -outputformat eventlog: native Windows event integration, SIEM pickup
• Local File Output — JSON, NDJSON, CBOM, HTML, FlatNDJSON written locally for downstream pickup

→ Consumed By

Layer 4 — File-Based & Agent-Based Consumers

Agents & Tools That Read TYCHON Output Files

Third-party collectors and schedulers that monitor TYCHON output directories and forward data to SIEM/analytics platforms.

• Elastic Agent / Filebeat — Custom logs integration, Fleet management, automatic JSON parsing
• Splunk Universal Forwarder — File monitoring, log tailing, automatic forwarding to indexers
• Datadog Agent — Custom log collection, file monitoring, JSON tag parsing
• Logstash — File input plugin, JSON parsing pipeline, Elasticsearch output
• Fluentd / Fluent Bit — Tail input plugin, JSON parsing, multi-output routing
• QRadar / LogRhythm / Sentinel — Syslog or file-based NDJSON ingestion via Universal DSM / log source
• Windows Task Scheduler — Scheduled scans, output file creation, local post-processing scripts
• Linux Cron / systemd timers — Periodic scan scheduling, output rotation, systemd unit integration
• AWS Lambda / S3 Triggers — S3 PutObject events, serverless processing, SNS/SQS fan-out
• Snowflake Snowpipe — S3 Snowpipe auto-ingest, SQL analytics, BI/dashboard integration
• Custom Scripts & Automation — Python / PowerShell / Bash file processors, enrichment pipelines

Layer Legend

• Deployment Layer — platforms that deploy and schedule TYCHON
• Core Scanner — TYCHON's cryptographic discovery engine
• Direct Integrations — built-in real-time push connectors
• File-Based Consumers — agents that read TYCHON output files

Architecture Notes

  • Stateless & Agentless — TYCHON is a single binary with no persistent service, daemon, or agent requirement. It exits cleanly after each run.
  • Pure Go, No OpenSSL — TLS negotiation is handled entirely in Go via utls + circl. No embedded OpenSSL binaries; no external library dependencies at runtime.
  • Dual Integration Model — Push (built-in connectors) and Pull (file-based agents) can run simultaneously. Drop a file and push to Elasticsearch in the same scan.
  • Cross-Platform Binary — Windows, Linux, macOS across x64 and ARM64. Single build per platform, no installers or runtimes needed.
  • CNSA 2.0 Compliance — Every TLS connection receives a per-connection CNSA 2.0 compliance level and quantum_safe boolean, enabling policy-based alerting on non-PQC infrastructure.
  • Plaintext Protocol Detection — 44+ service fingerprinting probes run after the TLS and SSH probes fail; detects cleartext HTTP, FTP, SMTP, IMAP, Telnet, RDP, LDAP, Redis, MongoDB, and more.
  • VDI Identity Stability — Stable host identity chain for non-persistent VDI pools: CLI override → profile file → username hash → gopsutil hostname.
  • Enterprise Orchestration Ready — Designed to plug into existing management platforms (SCCM, Intune, Tanium, Ansible) with no custom infra required.
  • 7 Output Formats — JSON, Tychon NDJSON, CBOM (CycloneDX), Flat NDJSON, HTML, Windows EventLog, CSV — for different SIEM, compliance, and reporting patterns.
  • Local Change Tracking — Opt-in (-enable-tracking). Encrypted tracking database (AES-256-GCM + gzip compression, 0600 permissions) for asset baseline comparison and delta alerting. Off by default.
  • Cloud-Native Ready — Kubernetes CronJobs, AWS Lambda, Azure Functions, and Docker all supported for scheduled scanning in cloud environments.
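As an added example (not TYCHON's own code), a Layer 4 style post-processor of the kind the "Custom Scripts & Automation" row describes: it reads Flat NDJSON scan output, flags connections whose quantum_safe boolean is false for policy alerting, and reports which of those are new relative to a baseline run. The record field names host, target and port are assumptions; the page only states that each TLS connection carries a CNSA 2.0 level and a quantum_safe boolean.

```python
"""Added example, not part of TYCHON: rank hosts and diff findings from
TYCHON Flat NDJSON output. Field names host/target/port are assumed."""
import json
from collections import Counter

# Constructed sample NDJSON (not real scan data). The truncated last line
# of LATEST_NDJSON mimics a file read while the scanner was still writing.
BASELINE_NDJSON = "\n".join([
    '{"host":"web01","target":"10.0.0.5","port":443,"quantum_safe":true}',
    '{"host":"db01","target":"10.0.0.9","port":5432,"quantum_safe":false}',
])
LATEST_NDJSON = "\n".join([
    '{"host":"web01","target":"10.0.0.5","port":443,"quantum_safe":true}',
    '{"host":"web01","target":"10.0.0.5","port":8443,"quantum_safe":false}',
    '{"host":"db01","target":"10.0.0.9","port":5432,"quantum_safe":false}',
    '{"host":"app02","target":"10.0.0.',
])

def parse_ndjson(text):
    """Return one dict per valid JSON line; skip blank or truncated lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write or corrupt line: skip, don't abort
    return records

def conn_key(rec):
    """Identity of one scanned connection: (host, target, port)."""
    return (rec.get("host"), rec.get("target"), rec.get("port"))

def non_pqc(text):
    """Keys of connections the scanner marked quantum_safe == false."""
    return {conn_key(r) for r in parse_ndjson(text)
            if r.get("quantum_safe") is False}

def new_findings(baseline_text, latest_text):
    """Non-quantum-safe connections present now but absent from the baseline."""
    return sorted(non_pqc(latest_text) - non_pqc(baseline_text))

def host_priority(text):
    """Hosts ranked by count of non-quantum-safe connections (most first)."""
    counts = Counter(k[0] for k in non_pqc(text))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for key in new_findings(BASELINE_NDJSON, LATEST_NDJSON):
        print("NEW non-quantum-safe connection:", key)
    print("migration priority:", host_priority(LATEST_NDJSON))
```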