The continuous post-quantum attestation standard

H33-PQ Verified™

Standard: H33-PQ · Runtime: HATS · Substrate: H33-74

Customers earn the H33-PQ Verified badge. HATS is the engine that keeps it alive — continuously, automatically, and with portable evidence at every cycle.

Most programs answer: “are you post-quantum?” H33-PQ Verified answers: “can you prove it continuously?”

H33-PQ Verified

92/100

Continuous Attestation

Last verified: 3 min ago

The pattern that already works

Standard versus runtime

Customers don’t buy compliance platforms because the platforms are the standard. They buy them because they automate the standard. H33-PQ Verified follows the same model.

Familiar

SOC 2

←Drata, Vanta

Familiar

ISO 27001

←Compliance platforms

H33

H33-PQ Verified

←HATS

The customer earns the H33-PQ badge. HATS is the attestation engine underneath. Same as SOC 2 ↔ Drata.

How the standard fits the stack

H33-PQ sits above the entire trust stack

The standard names what gets evaluated. HATS evaluates it continuously. Each substrate layer contributes evidence to the score.

H33-PQ Verified Standard

The certification, the brand, the buyer-facing claim

↓

HATS

Continuous Attestation Engine

↓

Evidence

Authority

Signatures

Encrypted Compute

Proofs

Why it’s different

Stop filling out questionnaires

Most certification programs are forms, evidence dumps, annual reviews, and a static badge. H33-PQ Verified replaces the entire loop with continuous machine-generated evidence.

× Old model

Audit / certification program

Fill out the questionnaire. Submit evidence. Wait for annual review. Receive badge. Hope nothing breaks between cycles.

✓ H33-PQ Verified

Continuous post-quantum attestation

HATS continuously evaluates the five pillars. Badge state automatically updates. Portable proof regenerated every cycle. No humans involved at Tier 1.

The 3-tier progression

Verified → Assessed → Certified

The word “certified” carries legal and commercial baggage — who certified it? can dead-end a sale. H33-PQ leads with machine-generated evidence and escalates to human review only where buyers require it.

Tier 1 · default

H33-PQ Verified

Automatic. Continuous. Machine-generated. HATS evaluates the five pillars and emits a portable PQ attestation every cycle.

No auditor required
Score regenerated ≤ 1 min
H33-74 artifact per state

Tier 2 · opt-in

H33-PQ Assessed

Independent third-party review of the H33-PQ findings. Continuous attestation continues underneath.

External reviewer
Quarterly cadence typical
Same H33-74 substrate

Tier 3 · regulated industries

H33-PQ Certified

Human review plus the H33-PQ evidence package. For environments where a signed human attestation is contractually required.

Auditor + H33-PQ evidence
Annual cadence typical
Portable certification artifact

The five pillars

What H33-PQ Verified actually measures

The standard scores the entire trust stack — not just cryptographic algorithms. Each pillar is evaluated continuously by HATS.

01 · Cryptography

100/100

ML-DSA presence
ML-KEM presence
SLH-DSA presence
Crypto agility configured
Key rotation configured

02 · Evidence

100/100

H33-74 compatible
Portable artifacts emitted
Independent verification enabled
Replayability confirmed

03 · Governance

95/100

H33-Root lineage active
Delegation controls active
Revocation controls active
Multi-party authorization (partial)

04 · Privacy

85/100

Agent-Zero available
FHE engines available
MPC controls available
Encrypted search active
ZK controls (configuration in progress)

05 · Verification

100/100

STARK proofs emitted
Conformance vectors validated
Independent verifier (CLI) shipped
Offline validation enabled

Σ Composite

92/100

Weighted across the five pillars
Regenerated continuously by HATS
Bound to an H33-74 attestation per state

Explainable scoring

Boards understand findings, not numbers

A composite score with no breakdown is a black box. H33-PQ Verified always emits the per-pillar score and the primary finding driving the result. Executive-readable by default.

H33-PQ Score: 92/100

Cryptography100/100

Evidence100/100

Governance95/100

Verification100/100

Privacy85/100

Primary finding: ZK controls remain in configuration. Affects Privacy pillar sub-score. Once enabled, composite score returns to 96/100.

Authority preservation

Why H33-Root makes the standard stronger

A company can be PQ-compliant today and lose it tomorrow because somebody changed a signing path, introduced a non-PQ dependency, added a new vendor, or deployed a vulnerable agent.

H33-Root governs the authority to make those changes. Every score-affecting change is bound to a delegation chain — H33-PQ Verified + Authority Verified is strictly stronger than H33-PQ Verified alone.

Board-level question: “Who approved the change that reduced our H33-PQ score?”

H33-PQ + H33-Root authority lineage produces a cryptographically verifiable answer. No other post-quantum program does.

Embed the badge

Drop one block of HTML on your site

The badge is a self-contained block of HTML. No JavaScript dependency. Renders identically on any framework. Score and timestamp update from a tiny JSON endpoint H33 hosts at /api/h33-pq/{customer-id}.json.

<!-- H33-PQ Verified badge — drop anywhere on your site -->
<a href="https://h33.ai/standards/post-quantum-verified/?id={your-customer-id}"
   target="_blank" rel="noopener"
   data-h33-badge="{your-customer-id}"
   style="display:inline-flex;align-items:center;gap:12px;
          padding:12px 18px;background:#0f0f10;border:1.5px solid #C9956C;
          border-radius:10px;color:#fff;text-decoration:none;
          font-family:system-ui,sans-serif">
    <img src="https://h33.ai/assets/images/h33-badge-logo-32-dark.png"
         alt="H33" width="30" height="30" style="border-radius:5px">
    <div>
        <div style="font:700 9px/1 monospace;color:#C9956C;letter-spacing:2.5px">
            H33-PQ VERIFIED
        </div>
        <div data-h33-score>--/100</div>
        <div style="font:400 10px monospace;color:#aaa">Continuous Attestation</div>
        <div data-h33-attest style="font:400 10px monospace;color:#888">
            Last verified: pending
        </div>
        <div style="font:700 9px/1 monospace;color:#666;letter-spacing:1.4px;margin-top:4px">
            POWERED BY HATS
        </div>
    </div>
</a>
<script src="https://h33.ai/assets/h33-pq-badge.js" async></script>

The optional h33-pq-badge.js fetches the latest score and timestamp from the customer endpoint every 60 seconds. Without it, the badge still renders — it just shows the last server-rendered state.

Implementation requirements

What HATS needs to evaluate the five pillars

For a customer to earn H33-PQ Verified, HATS needs read-access (or telemetry) to evaluate each pillar. None of this is novel infrastructure — instrumentation against existing systems.

Cryptography

read-only

Crypto library inventory (SBOMs, containers)
TLS endpoint scan results
Code-signing chain inspection
KMS / HSM algorithm support

Evidence

H33 substrate

H33-74 receipt stream
Replay-enabled bundle index
Verifier CLI distribution

Governance

H33-Root

H33-Root delegation tree
Authority binding on score-affecting changes
Revocation registry feed

Privacy

controls

Agent-Zero deployment telemetry
FHE engine usage logs
Encrypted search activation
ZK control configuration

Verification

substrate

STARK proof artifacts
Conformance vector results
Verifier CLI deployment
Offline validation reports

Output

portable

Composite score + per-pillar breakdown
Primary finding (human-readable)
74-byte H33-74 attestation per cycle

H33-PQ Verified™

Standard versus runtime

H33-PQ sits above the entire trust stack

Stop filling out questionnaires

Audit / certification program

Continuous post-quantum attestation

Verified → Assessed → Certified

What H33-PQ Verified actually measures

Boards understand findings, not numbers

Why H33-Root makes the standard stronger

Drop one block of HTML on your site

What HATS needs to evaluate the five pillars

See the verifier that powers every H33-PQ Verified badge.