Change your cryptography
without changing your code.

TLS Lane splices the handshake on the wire — two independent TLS negotiations on one connection, upgrading legacy crypto to post-quantum in real time. One binary. No SDK. No origin changes.

FIPS 203 (ML-KEM) · CNSA 2.0 · M-23-02 · RFC 9794 hybrid

Live demo

See It In Action

A PQC-only server rejects every browser today. TLS Lane splices the handshake to make it work.

Without TLS Lane
$ curl https://pqc.tlslane.com

curl: (35) error:0A000410:
  SSL routines::ssl/tls alert
  handshake failure

Server requires pure ML-KEM-768.
Browser only speaks hybrid.

Enable splice
$ tlslane splice --pure-pqc pqc.tlslane.com

Splice handshake active
Traffic to pqc.tlslane.com:
  client ← hybrid → TLS Lane
  TLS Lane ← pure PQC → server

Connection spliced
$ curl -v https://pqc.tlslane.com

* issuer: TLS Lane Root CA
* SSL connection using TLS 1.3
  / ML-KEM-768 / AES-256-GCM

HTTP/2 200

Server configured to CNSA 2.0 strict-mode requirements — increasingly common in federal and defense acquisitions.

Why this matters

The Problem TLS Lane Solves

The problem

  • Browsers speak hybrid PQC, but servers demanding pure PQC reject them
  • Legacy apps stuck on TLS 1.2 have zero PQC path
  • Microservices, curl, IoT, custom clients don't auto-update like Chrome
  • "Harvest now, decrypt later" attacks are already happening

TLS Lane

  • Splice handshake: independent TLS negotiation on each side
  • Upgrades TLS 1.2 to TLS 1.3 without touching the server
  • Splices hybrid to pure PQC and vice versa
  • One binary, no code changes, no dependencies

Protocol transformation

What Gets Upgraded

Each side of the connection negotiates independently. The server doesn't change. The client doesn't know.

legacy.internal:443

              Server       TLS Lane     Client

  Protocol    TLS 1.2                   TLS 1.3
  Key Exch    RSA                       ML-KEM-768
  Cipher      AES-CBC                   AES-256-GCM
  Status      Unchanged                 Upgraded

Capabilities

Two Modes, One Binary

Monitor

See every TLS handshake on the wire. SNI, cipher suite, key exchange, certificate chain. Safe, read-only.

$ tlslane
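
The hybrid versus pure-PQC mismatch from the demo is visible in the ClientHello's supported_groups extension, one of the fields a passive handshake monitor reads alongside SNI. The following is an added example, not TLS Lane's code: a minimal Python parser that extracts SNI and offered groups and classifies them. The function names and the constructed sample record are assumptions of this example.

```python
import struct

# IANA TLS Supported Groups code points (subset relevant to this page).
GROUPS = {0x0017: "classical", 0x001D: "classical",   # secp256r1, x25519
          0x0201: "pure-pqc", 0x11EC: "hybrid"}       # MLKEM768, X25519MLKEM768

def parse_client_hello(record: bytes) -> dict:
    """Extract SNI and offered key-exchange groups from one ClientHello record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        pos = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos, out = pos + 2, {"sni": None, "groups": []}
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4 : pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and len(body) >= 5:     # server_name: first host_name entry
                out["sni"] = body[5 : 5 + int.from_bytes(body[3:5], "big")].decode("ascii", "replace")
            elif ext_type == 10 and len(body) >= 2:  # supported_groups
                stop = min(2 + int.from_bytes(body[:2], "big"), len(body))
                out["groups"] = [int.from_bytes(body[i:i + 2], "big") for i in range(2, stop - 1, 2)]
        return out
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def classify(groups) -> set:
    """Categories the client offers: classical, hybrid, pure-pqc or unknown."""
    return {GROUPS.get(g, "unknown") for g in groups}

def shared_groups(client_groups, server_groups) -> list:
    """Groups both peers support; an empty list means no key exchange can be agreed."""
    return [g for g in client_groups if g in server_groups]

def build_sample(sni: str, groups) -> bytes:
    """Constructed ClientHello used as sample input (not a capture)."""
    name, glist = sni.encode(), b"".join(g.to_bytes(2, "big") for g in groups)
    exts = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts += struct.pack("!HHH", 10, len(glist) + 2, len(glist)) + glist
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x02\x01\x00" + len(exts).to_bytes(2, "big") + exts
    return b"\x16\x03\x01" + (len(body) + 4).to_bytes(2, "big") + b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    info = parse_client_hello(build_sample("pqc.tlslane.com", [0x11EC, 0x001D]))
    print(info["sni"], classify(info["groups"]), shared_groups(info["groups"], [0x0201]))
```

An empty `shared_groups` result for a server that accepts only MLKEM768 corresponds to the handshake failure shown in the "Without TLS Lane" panel.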

Splice

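Splice the handshake for one domain or for all traffic. TLS Lane intercepts the connection transparently and negotiates each side independently. The client-facing side presents a certificate issued by the TLS Lane Root CA, which is why splice mode requires trusting that CA.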

$ tlslane splice example.com

Policy

Define rules for which domains get spliced, passed through, or blocked. Local policy.yaml or push from the management dashboard.

# policy.yaml in config directory

Cross-Platform

eBPF/TC inline on Linux for zero-copy capture — the original TCP connection is preserved. Userspace proxy mode on Linux, macOS, and Windows. Same management plane, same policy engine across all three.

Zero Friction

Single static binary, ~5 MB. systemd unit and CA installed in one step. Auto-detects OS, architecture, and glibc version. Monitor mode works instantly; splice mode adds one CA trust prompt.

PQC Ready

FIPS 203 ML-KEM-768 (NIST ratified), hybrid X25519MLKEM768 (RFC 9794), classical fallback for legacy peers. You choose the policy, TLS Lane enforces it.

15 Linux distros tested
2 Transport modes (eBPF + proxy)
0 Endpoint changes required

Quick start

Three steps to your first PQC handshake

01 Register

Create a free account. Get your agent token and install command.

02 Install & Run

One command installs. Starts in monitor mode — see your crypto inventory instantly.

03 Splice

Enable splice to upgrade connections to PQC. Track progress on your dashboard.