Change your cryptography without changing your code. TLS Lane performs two independent TLS negotiations on one connection — upgrading legacy crypto to post-quantum in real time.
NIST PQC · CNSA 2.0 · ML-KEM-768
A PQC-only server rejects every browser today. TLS Lane splices the handshake to make it work.
$ curl https://pqc.tlslane.com curl: (35) error:0A000410: SSL routines::ssl/tls alert handshake failure Server requires pure ML-KEM-768. Browser only speaks hybrid.
$ tlslane splice pqc.tlslane.com Splice handshake active Traffic to pqc.tlslane.com: client ← hybrid → TLS Lane TLS Lane ← pure PQC → server
$ curl -v https://pqc.tlslane.com * issuer: TLS Lane Root CA * SSL connection using TLS 1.3 / ML-KEM-768 / AES-256-GCM HTTP/2 200
Each side of the connection negotiates independently. The server doesn't change. The client doesn't know.
Server TLS Lane Client Protocol TLS 1.2 → TLS 1.3 Key Exch RSA → ML-KEM-768 Cipher AES-CBC → AES-256-GCM Status Unchanged → Upgraded
See every TLS handshake on the wire. SNI, cipher suite, key exchange, certificate chain. Safe, read-only.
$ tlslane
Splice the handshake for a domain or all traffic. TLS Lane intercepts transparently and negotiates each side independently.
$ tlslane splice example.com
Define rules for which domains get spliced, passed through, or blocked. Local policy.yaml or push from the management dashboard.
# policy.yaml in config directory
eBPF/TC inline interception on Linux preserves the original TCP connection. Proxy mode on macOS and Windows. Monitor and splice everywhere.
No proxy settings. No code changes. Monitor mode works instantly. Splice mode requires a one-time CA trust setup.
Pure ML-KEM-768, hybrid X25519MLKEM768, classical fallback. You choose the policy, TLS Lane enforces it.
Create a free account. Get your agent token and install command.
One command installs. Starts in monitor mode — see your crypto inventory instantly.
Enable splice to upgrade connections to PQC. Track progress on your dashboard.