Free Quantum-Secure Hosting Is a Thing Now. I'm Using It.
A webmaster's take on pqc.kxco.ai
Part of the Quantum Computing Center
I've been deploying websites for clients since around the time PHP was the only sensible answer, and over the years my checklist for picking a host has gotten boring. Uptime. SSL. A decent CDN. Push from GitHub. Move on.
So when I first saw pqc.kxco.ai marketing itself as post-quantum website hosting my reflex was a polite shrug. "Quantum-secure" reads like the kind of thing a sales deck adds in 2024 to feel current. I almost didn't bother.
I'm glad I did bother, because it turns out the thing is real, and there's a free tier, and the rest of the setup is genuinely interesting if you've been around web infra long enough to remember when Let's Encrypt was the new shiny.
Here's the webmaster's version.
What it actually is
Strip away the marketing and pqc.kxco.ai is two products under one roof:
PQC Host — a static / serverless-style web host where every deployment you make gets signed with a post-quantum signature.
KXCO Bastion — a scanner that looks at your code before deploy and tells you if you're using cryptography that's going to break the day a useful quantum computer shows up.
That's it. No instance picker, no region selector, no RAM dropdown. You give it a GitHub URL or drag a folder onto the page and it figures out the rest. Framework auto-detection works in under three seconds — I tested it with a Next.js project, a plain HTML/CSS site, and a small Express API. All three deployed without me touching a config file.
The free tier — yes, actually free
$0/mo. No credit card. The free plan gives you:
One Bastion probe per day (more than enough for a single project you're iterating on)
ML-DSA-65 deployment attestations on whatever you push
Verification via the independent kxco-verify CLI tool — you can verify a deployment without ever touching KXCO's servers, which is the whole point
The paid tiers stack on top: $12/mo Starter gets you three sites, ten probes a day, and a custom domain; $49/mo Pro gets you ten sites and unlimited probes; Institutional and Enterprise plans go up from there for compliance workloads. For one personal site or a portfolio? The free tier is genuinely usable.
The crypto bits, in webmaster terms
I am not a cryptographer. I am a webmaster who has had to explain too many times to clients why they shouldn't store passwords in plain text. So I appreciate when a product can describe its security model in one paragraph instead of fifteen.
KXCO's pitch boils down to: RSA and ECDSA — the algorithms holding up most of the internet's authenticity right now — are going to be broken by Shor's algorithm once quantum computers get big enough. NIST has already standardized post-quantum replacements. KXCO uses two of them:
ML-DSA-65 (FIPS 204) — signs every deployment, so years from now you can prove "yes, this is exactly the code that went live on this date" even if every key currently in your password manager has been cracked.
ML-KEM-768 (FIPS 203) + AES-256-GCM — for encrypting stored deployments.
Both are rated NIST Category 3, which means breaking them is meant to be at least as hard as breaking AES-192. Translation for the rest of us: if AES-192 is broken in your lifetime, civilization probably has bigger problems.
The bit I genuinely like is that the attestations remain verifiable forever, even if KXCO themselves go out of business. The signature is checked against a public key you can pin. Verification doesn't phone home. This is the part most "secure hosting" products quietly skip.
Bastion — the pre-deploy scanner
This is the part I'd recommend even if you ignored the hosting half.
You point Bastion at your project — package.json, your Dockerfile, your Terraform, your GitHub Actions YAML, even a live TLS endpoint — and it tells you, in under ten seconds, which bits of your stack are using cryptography that won't survive the post-quantum cutover. It currently catches twelve-plus quantum-vulnerable npm packages, RSA / ECDSA / SHA-1 anywhere you've stashed them, PEM keys sitting in environment variables, and so on.
The reports come with CycloneDX 1.6 CBOM exports on paid tiers, which is going to matter for compliance work over the next few years whether you like it or not.
I ran it against a five-year-old client project I'd been ignoring. It found a SHA-1 signing config nobody had touched since 2019. I would not have found that on my own.
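To make the idea concrete, here is a small scanner in the same spirit, added as an example for this article; it is not KXCO's code and does not reproduce Bastion's rules. The package list, the regex rules and the sample project are all assumptions constructed for illustration.

```python
import json
import re

# Assumption: an illustrative package list, not Bastion's rule set.
VULNERABLE_NPM = {"node-rsa": "RSA", "elliptic": "ECDSA/ECDH", "jsrsasign": "RSA/ECDSA"}

# Line-based rules for Dockerfiles, Terraform, workflow YAML and .env files.
TEXT_RULES = [
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA|EC) PRIVATE KEY-----")),
    ("sha1", re.compile(r"\bsha-?1(?!\d)", re.I)),
    ("rsa-ecdsa-alg", re.compile(r'\b(?:RS|PS|ES)(?:256|384|512)\b|algorithm\s*=\s*"(?:RSA|ECDSA)"')),
]

def scan_package_json(path, text):
    """Flag dependencies that implement RSA or elliptic-curve signatures."""
    manifest = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            if name in VULNERABLE_NPM:
                findings.append(("npm-package", path, f"{name} ({VULNERABLE_NPM[name]})"))
    return findings

def scan_text(path, text):
    """Flag lines that match a rule; report path:line and the matched token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in TEXT_RULES:
            match = pattern.search(line)
            if match:
                findings.append((rule, f"{path}:{lineno}", match.group(0)))
    return findings

def scan_project(files):
    """files maps relative path -> file content."""
    findings = []
    for path, text in sorted(files.items()):
        scanner = scan_package_json if path.endswith("package.json") else scan_text
        findings += scanner(path, text)
    return findings

# Constructed sample project (not real client data).
SAMPLE = {
    "package.json": '{"dependencies": {"express": "^4.19.0", "node-rsa": "^1.1.1"}}',
    ".env": 'SIGNING_KEY="-----BEGIN RSA PRIVATE KEY-----\\nCONSTRUCTED-PLACEHOLDER\\n-----END RSA PRIVATE KEY-----"',
    ".github/workflows/release.yml": "run: openssl dgst -sha1 -sign key.pem -out site.sig site.tar.gz",
    "main.tf": 'resource "tls_private_key" "deploy" {\n  algorithm = "RSA"\n}',
}

if __name__ == "__main__":
    for rule, where, detail in scan_project(SAMPLE):
        print(f"{rule:16} {where:36} {detail}")
```

A grep-style pass like this only surfaces candidates: a hit on "sha1" can be a harmless checksum, so each finding still needs a human look before it goes on a migration list.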
How it stacks up
If you're picking between this and the usual suspects — Vercel, Netlify, Fly — the comparison is uneven, and that's the point.
Vercel and Netlify are better at what they're for: frontends with build pipelines, edge functions, A/B routing, deep Next.js integration. They are not trying to be quantum-secure. They are trying to be fast.
KXCO is going the other direction. The platform is intentionally narrower — fewer knobs, no region picker, no compute marketplace — and the differentiation is the cryptography. If you have a personal site, a portfolio, or a documentation host, and you'd like the deployment signed in a way that holds up in a post-RSA world, it's a one-click win. If you need a vCPU dial and Cloudflare-style edge logic, this is not your tool.
Where it sits in my stack now (For myself)
Marketing sites and portfolios → KXCO free tier
Client production sites with heavy build steps → still on the usual hosts
Anything I want a long-lived "this is the code I shipped" receipt for → KXCO, every time
Where I'm honestly undecided is the paid tiers. $49/mo Pro is fine if you're running ten client projects and want a single audit trail. The value really shines once you have something to defend — a regulated industry, a compliance audit, a contract that asks for post-quantum readiness. For a freelance webmaster shipping mostly small business sites, the free tier covers about ninety percent of what I need.
Closing thought
I spent most of my career picking hosts on price, ease of deploy, and "does the dashboard make me want to throw the laptop out the window." Cryptography never made the list. Honestly I'm not sure it should, for most of us, most of the time.
But free, doesn't suck, and the security model holds up for the next two decades instead of the next two years is a corner I didn't think existed until I tried it. Worth a Saturday afternoon of your time.

