Change your cryptography without changing your code. TLS Lane performs two independent TLS negotiations on one connection — upgrading legacy crypto to post-quantum in real time.
NIST PQC · CNSA 2.0 · ML-KEM-768
A PQC-only server rejects every browser today. TLS Lane splices the handshake to make it work.
$ curl https://pqc.tlslane.com curl: (35) error:0A000410: SSL routines::ssl/tls alert handshake failure Server requires pure ML-KEM-768. Browser only speaks hybrid.
$ tlslane splice pqc.tlslane.com Splice handshake active Traffic to pqc.tlslane.com: client ← hybrid → TLS Lane TLS Lane ← pure PQC → server
$ curl -v https://pqc.tlslane.com * issuer: TLS Lane Root CA * SSL connection using TLS 1.3 / ML-KEM-768 / AES-256-GCM HTTP/2 200
Each side of the connection negotiates independently. The server doesn't change. The client doesn't know.
Server TLS Lane Client Protocol TLS 1.2 → TLS 1.3 Key Exch RSA → ML-KEM-768 Cipher AES-CBC → AES-256-GCM Status Unchanged → Upgraded
See every TLS handshake on the wire. SNI, cipher suite, key exchange, certificate chain. Safe, read-only.
$ tlslane
Splice the handshake for a domain or all traffic. TLS Lane intercepts transparently and negotiates each side independently.
$ tlslane splice example.com
Define rules for which domains get spliced, passed through, or blocked. Local policy.yaml or push from the management dashboard.
# policy.yaml in config directory
eBPF/TC inline interception preserves the original TCP connection. Proxy mode as universal fallback. macOS and Windows coming soon.
No proxy settings. No code changes. Monitor mode works instantly. Splice mode requires a one-time CA trust setup.
Pure ML-KEM-768, hybrid X25519MLKEM768, classical fallback. You choose the policy, TLS Lane enforces it.
Create a free account. Get your agent token and install command.
One command installs. Starts in monitor mode — see your crypto inventory instantly.
Enable splice to upgrade connections to PQC. Track progress on your dashboard.