QBITEL Bridge: Quantum-Safe Network Security in a Package

QBITEL Bridge offers AI-powered protocol discovery and post-quantum cryptography for
legacy infrastructure. Enterprises must weigh adopting it to safeguard their systems.

Most enterprise networks have a dirty secret: nobody knows exactly what is running on them. A hospital network built over 20 years has COBOL applications talking to modern REST services, HL7 medical devices communicating over undocumented serial-over-TCP wrappers, and PACS imaging systems using protocols nobody documented before the original vendor went bankrupt. A bank’s mainframe infrastructure processes crores of rupees per second over NEFT/RTGS using IBM SNA protocol extensions that predate the internet.

And all of it is encrypted — if it is encrypted at all — using RSA or ECDH. These are algorithms that a sufficiently powerful quantum computer will break.

Two converging crises are forcing organisations to act: the unknown protocol problem (you cannot secure what you cannot see) and the harvest-now-decrypt-later threat (adversaries are archiving your encrypted traffic today, waiting for quantum hardware to mature).

QBITEL Bridge is an enterprise-grade open source platform, released under the Apache 2.0 licence, built to solve both — simultaneously, and without requiring any changes to existing applications or infrastructure.

What QBITEL Bridge does

At its core, QBITEL Bridge does four things:

• Automatically discovers every protocol on your network— including undocumented and legacy ones — using a hybrid AI ensemble of CNN, BiLSTM, and Transformer models.
• Wraps all discovered protocols in NIST Level 5 postquantum cryptography, transparently, at the network layer.
• Deploys autonomous AI agents that monitor, classify, and respond to security events in under one second without human intervention.
• Translates legacy protocols into modern REST/gRPC APIs, auto-generating OpenAPI 3.0 specifications and SDKs in six languages.

The system sits between your existing infrastructure as a transparent bump-in-the-wire. It requires zero changes to applications, zero agent retraining, and zero downtime during deployment.

How the AI discovers unknown protocols

The most technically novel part of QBITEL Bridge is its protocol discovery subsystem. Traditional network security tools maintain signature databases. If a protocol is not in the database, it is invisible. QBITEL takes a fundamentally different approach: it learns protocol grammars from raw network traffic.

The discovery pipeline has five stages. Figure 1 illustrates how they connect.

Statistical traffic analysis: The StatisticalAnalyzer examines raw packet captures and computes field-level entropy, byte distribution patterns, and structural boundaries. Fixedvalue fields (like protocol magic bytes or version numbers) are distinguished from variable-content fields (like user names or transaction amounts) using Shannon entropy calculations. This produces a structural skeleton of the unknown protocol.

Grammar learning with PCFG inference: The GrammarLearner uses a probabilistic context-free grammar (PCFG) inference engine refined with the expectationmaximisation (EM) algorithm. Starting from the structural skeleton, it learns production rules — which fields appear in which order, what the valid value ranges are, and how messages relate to each other across a session.
This is the same class of technique used in natural language processing to learn the grammar of a human language from a corpus of sentences — applied here to binary network protocols.

Dynamic parser generation: Once a grammar is learned, the ParserGenerator compiles it into a working parser at runtime. The generated parser can decode live traffic, validate message structure, and extract field values — all without any human writing parser code. The parser generation layer achieves 50,000+ messages per second throughput.

The hybrid AI classifier: The ProtocolClassifier uses a hybrid ensemble with the Transformer model as primary:

• Transformer: Multi-head self-attention for capturing long-range dependencies across protocol sessions — the primary classification engine.
• CNN (convolutional neural network): Detects local byte patterns — equivalent to finding words in the protocol vocabulary.
• BiLSTM (bidirectional long short-term memory): Models sequence structure with CRF for field-level detection.
• Random forest: Provides a robust statistical baseline for edge cases.

The ensemble vote produces a confidence score. Protocols above a configurable threshold (default 0.7) are promoted from candidate to known status and added to the protection perimeter.

Protocol compliance validation: The MessageValidator enforces the learned grammar against live traffic, flagging anomalous messages that could indicate attacks, protocol fuzzing, or misconfigured clients.

Real-world performance on first pass: 89%+ discovery accuracy, completing in 2 to 4 hours on a typical enterprise network segment, reducing what traditionally takes 6 to 12 months of manual reverse-engineering.

The post-quantum cryptography stack

Once protocols are discovered, QBITEL wraps them in postquantum cryptography. The platform implements the full NIST post-quantum standardisation suite at Level 5, published as FIPS 203, 204, and 205 in 2024.
The PQCEngine class provides a single, domain-aware interface to all algorithms. Rather than requiring developers to select the right algorithm for their context, the engine accepts
a DomainProfile value:

from ai_engine.crypto.pqc_unified import PQCEngine,
DomainProfile
# Healthcare: constrained devices (64 KB RAM), uses MLKEM-
512
engine = PQCEngine(DomainProfile.HEALTHCARE)
# Automotive V2X: real-time (<1ms), uses Falcon for compact
signatures
engine = PQCEngine(DomainProfile.AUTOMOTIVE)
# Banking enterprise: maximum security, uses ML-KEM-1024 +
ML-DSA-87
engine = PQCEngine(DomainProfile.ENTERPRISE)
# Encrypt a payload
ciphertext, encapsulated_key = await engine.
encrypt(plaintext)
# Decrypt
recovered = await engine.decrypt(ciphertext, encapsulated_
key)

The engine supports hybrid classical/post-quantum key exchange — combining X25519 or P-384 ECDH with ML-KEM via hybrid schemes (X25519MLKEM768, P384MLKEM1024) — so existing TLS 1.3 stacks remain compatible while gaining quantum resistance.

NIST-standardised algorithms are:

• FIPS 203: ML-KEM (Kyber) 512, 768, and 1024 — key encapsulation for session keys
• FIPS 204: ML-DSA (Dilithium) at levels 2, 3, and 5 — digital signatures
• FIPS 205: SLH-DSA (SPHINCS+) — stateless hashbased signatures

Additional algorithms are:

• Falcon 512 and 1024 — compact signatures for bandwidth-constrained channels
• LMS (NIST SP 800-208, RFC 8554) and XMSS (RFC 8391) — stateful hash-based signatures

Advanced primitives are:

• Zero-knowledge proofs (ZKP) for privacy-preserving verification
• Verifiable random functions (VRF) and threshold signatures (t-of-n distributed signing)
• CNSA 2.0 support for defence and government deployments
• Crypto agility negotiation for seamless algorithm migration
• Encryption overhead on the hot path is under 1 millisecond.

Autonomous agents that respond in under a second

QBITEL Bridge’s security response layer is built around a multi-agent architecture with 16+ specialised agents. Agents are workers with typed capabilities including threat analysis, protocol analysis, anomaly detection, incident response, and compliance auditing.

Each agent inherits from BaseAgent, which provides:

• Lifecycle management (start, stop, pause, resume, health check)
• Inter-agent communication via a typed message bus with cross-system routing
• Persistent memory with configurable retention policies
• Automatic Prometheus metrics instrumentation
• Circuit breaker pattern for fault tolerance

The UnifiedAgentInterface bridges three agent subsystems — core agents, legacy whisperer agents, and BPO-specific agents — through a common protocol with a central registry.

The LLM integration layer connects agents to local or cloud language models — including Ollama for fully airgapped deployments. This enables agents to generate humanreadable incident reports, suggest remediation steps, and explain anomalies in plain language.

When a threat is detected, the system achieves subsecond security decision time with a 78% autonomous response rate — so most threats are contained without human intervention.

Translation Studio: From legacy to modern APIs

One of QBITEL Bridge’s most practically useful features is the Translation Studio. Once a legacy protocol is discovered and its grammar learned, the Translation Studio can:

• Auto-generate OpenAPI 3.0 specifications from protocol grammars.
• Produce production-ready SDKs in six languages: Python, TypeScript, Go, Rust, Java, and C#.
• Create REST/gRPC API wrappers around legacy protocol sessions.

This means a COBOL mainframe system communicating over an undocumented binary protocol can be exposed as a modern REST API — without modifying the mainframe, without writing custom integration code, and with quantumsafe encryption on the wire.

Domain-specific modules

QBITEL Bridge ships with purpose-built modules for six regulated industries.

Banking and finance: ISO-8583 and SWIFT protocol handling, PCI-DSS DTMF masking for call centre voice channels, a regulatory proof engine for RBI/SEBI compliance automation, HSM integration, and multi-authority threshold signatures for cross-bank transaction authorisation.

Healthcare: EHR proxy re-encryption compatible with FHIR/HL7/DICOM, homomorphic encryption for vital sign aggregation without exposing raw patient data, ABDM-compatible verifiable credentials, and FDA 21 CFR Part 11 compliance.

Automotive: V2X (vehicle-to-everything) group signatures for multi-vehicle coordination, CAN protocol support, and misbehaviour detection for rogue vehicle identification in C-V2X networks.

Aviation: ARINC 429/629-aware aggregate signatures, ADS-B and ACARS protocol handling, and forward-secure channel establishment for flight data links. Industrial and critical infrastructure: Modbus, DNP3, and IEC 61850 GOOSE message authentication for power grid substations, SCADA/PLC integration, and verifiable delay functions for timing sensitive industrial control sequences.

BPO and call centres: Real-time DTMF masking, SIP/ RTP quantum-safe encryption, CTI and IVR protocol support, SS7 overlay protection, and TN3270e/TN5250 mainframe
session tunnelling.

Architecture and deployment

The system has four primary runtime components. Figure 3 shows how they interact.

AI engine (Python 3.11+): Comprises the ML pipeline, agent framework, LLM integration, Translation Studio, crypto layer, and REST API. It uses FastAPI, PyTorch, LangGraph for agent orchestration, ChromaDB for vector storage, and Redis for distributed caching.

Rust dataplane (Rust 1.75+): Includes highperformance packet processing, PQC-TLS termination, protocol proxying, and eBPF-based container monitoring. It’s built with Tokio async runtime, and has protocolspecific adapters for ISO-8583, TN3270e, HL7 MLLP, and Modbus. Supports DPDK for hardware-accelerated packet processing.

Go controlplane (Go 1.22+): This has the management API, Kubernetes operator, Istio/Envoy xDS integration for service mesh deployments, admission webhooks, and device agent for edge deployments.

Web console (TypeScript/React): Comprises dashboard UI for monitoring, configuration, and compliance reporting.

The infrastructure is: Kubernetes-native with Helm charts, Apache Kafka for event streaming (100,000+ messages per second), Prometheus and Grafana for observability, and OpenTelemetry and Jaeger for distributed tracing.

Getting started

Run the following code:

# Clone the repository
git clone https://github.com/AXEwaves/qbitel-bridge.git
cd qbitel-bridge
# Install Python AI engine dependencies
pip install -r ai_engine/requirements.txt
# Build the Rust dataplane
cd rust/dataplane && cargo build --release
# Start protocol discovery on a network interface
python -m ai_engine.discovery.cli --interface eth0 --output
discovered.json
# Run with Docker Compose (includes Redis, Prometheus,
Grafana)
docker compose up -d
# Or deploy to Kubernetes with Helm
helm install qbitel-bridge ./deploy/helm/qbitel-bridge

Once discovery is completed, results are available via the REST API:

import httpx
async with httpx.AsyncClient() as client:
result = await client.post(
“http://localhost:8080/api/v1/discovery/analyze”,
json={
“traffic_data”: [“<base64_packet_1>”, “<base64_
packet_2>”],
“options”: {
“confidence_threshold”: 0.7,
“enable_adaptive_learning”: True
}
}
)
protocols = result.json()[“discovered_protocols”]
for p in protocols:
print(f”{p[‘name’]}: {p[‘confidence’]:.0%} confidence”)

The nine built-in compliance frameworks

QBITEL Bridge includes automated compliance engines for nine regulatory frameworks: SOC 2, GDPR, HIPAA, PCI-DSS 4.0, ISO 27001, NIST 800-53, BASEL-III, NERCCIP, and FDA 21 CFR Part 11. Audit-ready reports can be generated in under 10 minutes. The compliance agents continuously monitor for policy violations and produce evidence trails suitable for external audits.

Observability from Day One

QBITEL Bridge exports Prometheus metrics and OpenTelemetry traces out of the box. Every agent task, protocol discovery request, crypto operation, and cache hit is measured:

protocol_discovery_requests_total{status=”success”} 1547
protocol_discovery_duration_seconds_bucket{le=”0.15”} 892
qbitel_agent_tasks_total{agent_type=”incident_response”} 423
pqc_operations_total{algorithm=”ml-kem-1024”,
operation=”encapsulate”} 98412

Grafana dashboard configurations are included in ops/ grafana-dashboards/. Jaeger provides distributed tracing across the Python, Rust, and Go components.

Performance at a glance

• Protocol discovery accuracy: 89%+ on first pass
• Discovery time: 2 to 4 hours on a typical enterprise segment
• Parser generation throughput: 50,000+ messages per second
• Kafka event streaming: 100,000+ messages per second
• PQC encryption overhead: Under 1 millisecond
• Security decision time: Under 1 second
• Autonomous threat response rate: 78%
• xDS proxy support: 1,000+ concurrent proxies
• eBPF container monitoring: 10,000+ containers
• API gateway P99 latency: Under 25 milliseconds

What it cannot do yet

No tool solves everything, and transparency about boundaries is important. The current grammar inference engine performs best on binary protocols with fixed-length headers; text-based protocols with complex state machines (such as HTTP/2 or gRPC) show lower first-pass accuracy and may require additional training passes. Air-gapped LLM integration via Ollama is functional but slower than cloud-hosted models, and the quality of incident reports depends on the local model’s capabilities. While the PQC algorithms are NIST standardised and the platform uses liboqs and oqs-rs, the implementations have not yet undergone formal third-party cryptographic audit — contributions from the security research community on this front are especially welcome.

Why open source matters here

Security tooling that organisations cannot inspect is security tooling they cannot trust. QBITEL Bridge is released under the Apache 2.0 licence — you can read every line of the cryptography implementation, audit the ML models, and verify the claims independently. There is no open-core model and no vendor lock-in.

For India’s public sector, in particular, this matters enormously. DRDO, ISRO, and defence PSUs cannot deploy cloud-dependent foreign commercial tools in classified environments. An open source, air-gappable platform built on NIST-standardised algorithms with CNSA 2.0 support provides a path to quantum readiness that proprietary tools simply cannot offer.

The community is invited to contribute across several active areas: new domain protocol modules, additional LLM provider integrations, performance benchmarks on different hardware, compliance templates for new regulatory jurisdictions, and Translation Studio language targets.

For those who would like to contribute and get involved, here are a few important details:

• Website: bridge.qbitel.com
• Repository: github.com/AXEwaves/qbitel-bridge
• Issue tracker: GitHub issues on the same repository
• Security disclosures: security@qbitel.com
• General discussion: support@qbitel.com

The quantum-safe road ahead

The convergence of quantum computing and decades of legacy infrastructure debt is not a future problem. Adversaries are already harvesting encrypted traffic. Networks are already running protocols nobody documented. The gap between what enterprise security tools protect and what actually runs on enterprise networks has never been wider.

QBITEL Bridge addresses this gap with four open, inspectable technologies working in concert: hybrid AI ensemble for protocol discovery, NIST Level 5 post-quantum cryptography for forward-secure encryption, autonomous AI agents for sub-second incident response, and Translation Studio for legacy-to-modern API conversion. The platform deploys as a transparent network layer, requires no application changes, supports nine compliance frameworks, and is fully observable through Prometheus, Grafana, and OpenTelemetry.

For any organisation running legacy mainframes, industrial control systems, or regulated workloads — this is the open source foundation for a quantum-safe future.