In 15 minutes, prove you can pick the right cipher, harden a JWT pipeline and manage keys with a KMS — the Plume Applied Cryptography badge makes your expertise undeniable.
The Applied Cryptography badge certifies your ability to design, implement and audit real-world cryptographic systems under professional constraints. The AI examiner probes eight core areas: symmetric encryption (AES-GCM, ChaCha20-Poly1305, nonce-misuse resistant modes like AES-GCM-SIV), asymmetric cryptography (RSA-OAEP, ECDSA, EdDSA, curve selection), password and data-at-rest security (Argon2id, bcrypt, scrypt parameter tuning), PKI and TLS certificate lifecycle (ACME, OCSP stapling, HSTS), JWT in production (HS256/RS256/EdDSA, short-TTL strategies, alg=none and key confusion pitfalls), key management with KMS and HSM (AWS KMS, HashiCorp Vault, Azure Key Vault, envelope encryption), classic crypto anti-patterns, and the post-quantum transition (ML-KEM, ML-DSA, hybrid schemes per NIST 2024 standards).
Unlike a LinkedIn skill endorsement or a multiple-choice quiz, a Plume oral forces you to narrate real projects, justify algorithm choices under follow-up questioning, and identify scenarios where adding encryption creates more risk than it removes. Claude Opus then reads the full transcript and produces a 0-100 score with a level (Novice, Proficient, Advanced, Expert) and a detailed breakdown of your strengths and gaps. You can't bluff your way through: the AI drills down wherever you generalize.
This badge is built for security engineers, senior back-end developers, cloud architects and DevSecOps consultants who need an objective proof of their cryptography depth before a technical interview, a consulting pitch or a promotion conversation. It's equally useful for hiring teams who want to filter candidates on applied crypto skills rather than self-reported familiarity.
What this badge evaluates
Here are the concrete dimensions the AI examines during the 15-minute oral.
Symmetric encryption
Choosing between AES-GCM, ChaCha20-Poly1305 and AES-CBC+HMAC based on context — nonce safety, performance on constrained hardware, and nonce-misuse resistant options like AES-GCM-SIV when IV uniqueness cannot be guaranteed.
Asymmetric crypto and digital signatures
Working knowledge of RSA-OAEP, ECDSA and EdDSA: curve selection (P-256, Curve25519), key sizes, PKCS#1 v1.5 vs PSS padding risks, and knowing when to use hybrid encryption versus pure asymmetric schemes.
Hashing and secret storage
Securing password storage with Argon2id, bcrypt or scrypt: cost/memory parameter tuning, salting, and clearly separating cryptographic hashing (SHA-256, BLAKE3) from key derivation functions like HKDF.
PKI and TLS certificate lifecycle
Setting up and operating a PKI: certificate issuance, rotation and revocation with Let's Encrypt, ACME automation, OCSP stapling, CRL distribution, certificate pinning tradeoffs, and HSTS preloading.
JWT and token-based authentication
Production JWT architecture: picking HS256/RS256/EdDSA for the right reasons, managing exp/nbf claims, designing revocation strategies (blacklisting, short TTL, refresh token rotation), and neutralizing alg=none and key confusion attacks.
KMS, HSM and key management
Integrating AWS KMS, HashiCorp Vault or Azure Key Vault into CI/CD pipelines and microservices: envelope encryption patterns, automatic key rotation, HKDF-based key derivation, and maintaining a full audit trail.
Crypto anti-patterns and pitfalls
Spotting and fixing common mistakes: reused IVs/nonces, ECB mode block patterns, RSA without proper padding, unauthenticated encryption, timing side-channels, and the false security of Base64 encoding or simple XOR.
Post-quantum cryptography
Strategic view of the NIST PQC transition: ML-KEM (formerly CRYSTALS-Kyber), ML-DSA (formerly CRYSTALS-Dilithium), classical+PQC hybrid schemes, crypto-agility design, and building a cryptographic inventory for existing systems under the 'harvest now, decrypt later' threat model.
How this badge is scored
Final scoring is performed by Claude (Anthropic), which reads back the full transcript and applies this weighted criteria grid.
Technical precision and algorithm selection
35% of score
The candidate names exact algorithms, justifies choices with concrete arguments (performance, nonce safety, attack resistance, hardware constraints) and avoids vague statements about 'using strong encryption'.
Real-world project experience
25% of score
Examples are grounded in actual professional contexts: system architecture, business constraints, specific libraries or services used (OpenSSL, libsodium, AWS KMS), measurable outcomes and incidents handled.
Pitfall detection and anti-pattern awareness
20% of score
Ability to identify classic anti-patterns (reused nonce, alg=none JWT, ECB mode, unauthenticated encryption) and explain the concrete exploitability and blast radius of each failure.
PKI, key governance and lifecycle
12% of score
Understanding of the full certificate and key lifecycle: issuance, rotation, revocation, audit, and integration into automated DevSecOps processes such as ACME, Vault agent sidecar or KMS key policies.
Post-quantum readiness and crypto-agility
8% of score
Familiarity with NIST 2024 standards (ML-KEM, ML-DSA), awareness of the harvest-now-decrypt-later threat, and ability to sketch a migration strategy for a legacy system toward crypto-agile architecture.
How the oral exam unfolds
A Plume session takes about 20 minutes, from tech check to badge delivery.
1
Step 1
Tech check (1 min)
The AI verifies your mic and connection before starting. No software to install — everything runs in the browser. Make sure you're in a quiet room and your mic is working before you hit start.
2
Step 2
Context setting (2 min)
You introduce yourself briefly and describe the most complex project where you designed or implemented applied cryptography. The AI listens without interrupting to calibrate your starting level.
3
Step 3
Deep-dive questioning (10-12 min)
The AI examiner works through your algorithm choices (AES-GCM vs ChaCha20, RSA vs EdDSA), your PKI and TLS management, your JWT setup in production, your KMS or HSM integration, pitfalls you've navigated, and your view on the post-quantum transition. It follows up on every vague answer to separate real experience from surface knowledge.
4
Step 4
Edge cases and anti-patterns (2-3 min)
The AI presents one or two scenarios where encryption is the wrong answer or where a classic anti-pattern creates a real vulnerability. You identify the problem and walk through the fix.
5
Step 5
Score and badge delivery (under 10 min)
Claude Opus analyses the transcript, calculates your score (0-100) and assigns your level. Your badge, detailed report and shareable URL appear instantly in your Plume dashboard.
The 4 proficiency levels
Your score out of 100 translates into a level a recruiter can grasp at a glance.
Novice
Score 0-39
You know the broad concepts — symmetric vs asymmetric, what a hash is — but struggle to justify a specific algorithm choice or explain why AES-CBC without a MAC is insecure. You haven't yet shipped a cryptographic mechanism to production.
Proficient
Score 40-59
You've used TLS, JWT or bcrypt in real projects, you understand PKI basics and avoid the most obvious anti-patterns. You can explain the difference between confidentiality and integrity, but key management with KMS or HSM is still new territory.
Advanced
Score 60-79
You size algorithms to the context (AES-GCM-SIV where nonce reuse is a risk, Argon2id with proper memory parameters, EdDSA for signatures), you integrate a KMS into a CI/CD pipeline, manage the full TLS certificate lifecycle, and catch JWT pitfalls before they reach production.
Expert
Score 80-100
You design crypto-agile architectures, master envelope encryption and HKDF-based key derivation, build post-quantum hybrid schemes (ML-KEM + X25519), and can audit an existing codebase for timing side-channels, non-random nonces or weak key derivation. You're already thinking about harvest-now-decrypt-later.
Who this badge is for
No degree or years of experience required to take the badge. Here are the profiles it makes the most sense for.
Application security engineer
You design or audit cryptographic implementations across web and mobile backends and want an objective score to support a promotion case or strengthen your OSCP/CISSP application with evidence of applied depth.
Senior back-end developer
You handle data-at-rest encryption, JWT pipelines and KMS integrations but have never had an external validation of your crypto skills beyond code reviews from colleagues who trust you anyway.
Cloud architect or DevSecOps engineer
You wire HashiCorp Vault, AWS KMS or Azure Key Vault into CI/CD pipelines and want to prove your understanding goes beyond copy-pasting documentation into Terraform modules.
Independent security consultant
You pitch to clients on security engagements and a verifiable cryptography badge makes your proposal stand out when the client's technical team is ready to probe your actual expertise.
Developer pivoting into security
You have a solid dev background and are specialising in cybersecurity. The badge tells you exactly where you stand on applied cryptography before you apply to your first security engineering role.
Concrete use cases
Where and how your Applied Cryptography badge will help you day to day.
Security engineering interview
You're interviewing for a security engineer role at a fintech. Your Advanced badge in Applied Cryptography convinces the technical panel that you can handle AES-GCM, PKI operations and production JWT management, skipping the basic whiteboard questions and getting straight to system design.
Consulting RFP response
You're bidding on a contract to audit a bank's key management infrastructure. Your Plume score and detailed report replace a generic cover letter and give the CISO concrete evidence of your KMS, HSM and envelope encryption expertise before the first call.
Internal promotion case
You want to move from senior developer to security lead. Your badge gives your manager a concrete, readable artefact — a score, a level, a report — to support your promotion beyond 'trust me, I know crypto'.
Pre-training self-assessment
You're planning to upskill in post-quantum cryptography (ML-KEM, ML-DSA) and want to know your baseline first. The Plume report pinpoints exactly which foundational gaps to close before you invest in an advanced PQC training course.
Technical recruiting filter
You're hiring a security engineer and want to screen on real cryptography skills rather than self-assessed familiarity. Asking candidates to take the Plume badge before the first interview saves you 45 minutes of basics and surfaces the strongest candidates faster.
Freelance portfolio
You're a freelance security developer. The shareable Plume badge URL enriches your Toptal, LinkedIn or personal site profile with verifiable proof of TLS, JWT and KMS mastery, setting you apart from profiles that just list 'cryptography' as a skill with no evidence.
Prerequisites
A few minutes to check you have everything you need.
At least 1 year of professional experience using cryptography in a real system: TLS configuration, JWT implementation, data-at-rest encryption, PKI operations or similar.
Practical knowledge of at least one symmetric algorithm (AES) and one asymmetric algorithm (RSA, ECDH or EdDSA) — not just knowing the names, but having used them.
Prior hands-on use of a cryptographic library or service: OpenSSL, libsodium, Bouncy Castle, AWS KMS, HashiCorp Vault or equivalent.
A working microphone and a quiet room for the 15-minute oral.
A recent browser (Chrome or Firefox recommended) with microphone access enabled.
What you take away
At the end of your session you don't just get a score — here's everything that awaits you.
0-100 score and certified level
Get a precise score and a certified level (Novice to Expert) on your Applied Cryptography skills, computed by Claude Opus from the full analysis of your oral examination.
Detailed dimension-by-dimension report
A full report breaks down your score across every criterion: algorithm precision, PKI and TLS management, JWT security, KMS and HSM integration, and post-quantum readiness. You know exactly what to work on next.
Private audio recording
Your oral recording is stored privately in your Plume dashboard. Replay it to spot the moments you hesitated or over-generalised — the fastest way to prepare a sharper second attempt.
Instantly shareable badge URL
A verifiable URL is generated as soon as the analysis is complete. Drop it on your LinkedIn profile, your CV or a consulting proposal to back up your Applied Cryptography expertise with real proof.
Frequently asked questions about the Applied Cryptography badge
You should have used cryptography in a real professional setting, not just read about it. If you can explain why you chose AES-GCM over AES-CBC, or why Argon2id beats bcrypt for high-threat password storage, you're ready. The exam doesn't test mathematical cryptanalysis or finite field theory — it tests whether you make the right practical decisions under realistic constraints.
Other Cybersecurity & GDPR badges
Discover related skills you can validate with Plume.