TLS Handshake Metadata for Network Flows #19001

@smith-xyz

Description

StackRox tracks network flows between workloads but only captures Layer 4 information (source, destination, port, protocol). There is no visibility into what TLS parameters are being negotiated on those connections.

This means there is no way to answer questions like:

  • Which connections are still using TLS 1.2 vs 1.3?
  • Which workloads negotiate cipher suites with classical-only key exchange (RSA, ECDHE) vs hybrid post-quantum (e.g., X25519MLKEM768)?
  • Are any services presenting certificates with weak key types or short key sizes?

With NIST finalizing post-quantum cryptography standards (ML-KEM, ML-DSA) and NSA CNSA 2.0 setting transition timelines, organizations need to understand their current cryptographic posture before they can plan migration. StackRox already observes every network connection across secured clusters via eBPF -- it is well-positioned to surface this information.

What I'd like to see:

Capture TLS handshake metadata for observed network connections and make it available in the API, UI, and policy engine. Useful fields would include:

  • TLS version (1.2, 1.3)
  • Cipher suite
  • Key exchange algorithm
  • Server certificate key type and size
  • SNI hostname

TLS handshake metadata can be extracted via eBPF without decrypting traffic by hooking into TCP traffic on the wire.

Why this matters for a security platform:

StackRox policies can currently evaluate image vulnerabilities, runtime behavior, and network flow destinations, but not the cryptographic properties of network connections. Adding TLS metadata would enable policies like:

  • Alert on connections using TLS < 1.3
  • Alert on cipher suites without forward secrecy
  • Alert on key exchange without post-quantum algorithms
  • Track certificate expiry across all observed connections (not just StackRox-managed ones)

Curious whether a similar feature is in the works, or whether there is a need for contributions for a feature like this to land in StackRox?
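As an added example (not code from the issue or from the StackRox project), the parser below shows the kind of passive extraction the issue describes: it reads the negotiated version, cipher suite and key-exchange group from a cleartext TLS ServerHello record, with no key material involved. The sample record is constructed, not captured, and the X25519MLKEM768 codepoint 0x11EC is taken from draft-ietf-tls-ecdhe-mlkem.

```python
"""Extract TLS version, cipher suite and key-exchange group from a cleartext ServerHello."""
import struct
from dataclasses import dataclass

EXT_SUPPORTED_VERSIONS = 43
EXT_KEY_SHARE = 51
GROUP_X25519MLKEM768 = 0x11EC  # hybrid post-quantum group codepoint (draft-ietf-tls-ecdhe-mlkem)

@dataclass
class HandshakeMeta:
    version: int       # 0x0304 = TLS 1.3, 0x0303 = TLS 1.2
    cipher_suite: int  # IANA codepoint, e.g. 0x1301 = TLS_AES_128_GCM_SHA256
    group: int         # key_share group, 0 if absent (TLS 1.2 sends it in ServerKeyExchange)

def parse_server_hello(rec: bytes) -> HandshakeMeta:
    """Parse one TLS record (type 0x16) carrying a ServerHello (handshake type 0x02).
    Every field read here is sent before encryption starts, so no key material is needed."""
    if len(rec) < 9 + 35 or rec[0] != 0x16 or rec[5] != 0x02:
        raise ValueError("not a record carrying a ServerHello")
    hs = rec[9:]                                  # skip record header (5) + handshake header (4)
    version = struct.unpack_from("!H", hs)[0]     # legacy_version; TLS 1.3 overrides it below
    p = 35 + hs[34]                               # skip 32-byte random and legacy_session_id
    if len(hs) < p + 3:
        raise ValueError("truncated after session_id")
    cipher_suite = struct.unpack_from("!H", hs, p)[0]
    p += 3                                        # cipher_suite (2) + legacy_compression_method (1)
    group = 0
    if len(hs) >= p + 2:                          # extensions are absent in some TLS 1.2 ServerHellos
        ext_len = struct.unpack_from("!H", hs, p)[0]
        exts = hs[p + 2:]
        if len(exts) != ext_len:
            raise ValueError("extensions length mismatch")
        while len(exts) >= 4:                     # each extension: type(2) length(2) body
            typ, length = struct.unpack_from("!HH", exts)
            body, exts = exts[4:4 + length], exts[4 + length:]
            if len(body) != length:
                raise ValueError("truncated extension body")
            if typ == EXT_SUPPORTED_VERSIONS and length == 2:
                version = struct.unpack("!H", body)[0]         # the real negotiated version
            elif typ == EXT_KEY_SHARE and length >= 2:
                group = struct.unpack_from("!H", body)[0]      # selected group precedes the key
    return HandshakeMeta(version, cipher_suite, group)

# Constructed (not captured) TLS 1.3 ServerHello: suite 0x1301, empty session id, and an
# X25519MLKEM768 key_share carrying a 4-byte stub public key (a real share is far longer).
_EXTS = (b"\x00\x2b\x00\x02\x03\x04"                             # supported_versions = TLS 1.3
         + b"\x00\x33\x00\x08\x11\xec\x00\x04\x01\x02\x03\x04")  # key_share, group 0x11EC
_BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00" + struct.pack("!H", len(_EXTS)) + _EXTS
SAMPLE_SERVER_HELLO = (b"\x16\x03\x03" + struct.pack("!H", 4 + len(_BODY))
                       + b"\x02\x00" + struct.pack("!H", len(_BODY)) + _BODY)
```

Note that in TLS 1.3 the server's Certificate message is sent encrypted, so certificate key type and size can only be read off the wire this way for TLS 1.2 connections; SNI lives in the ClientHello and needs the same style of extension walk over that message.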
