What Makes RSA and ECC Vulnerable to Quantum Attack
RSA relies on integer factoring. ECC relies on elliptic curve discrete logarithms. Shor's algorithm solves both efficiently. Here is why, and what to do about it.
Expert analysis on quantum security, post-quantum cryptography, and enterprise risk from QSECDEF's Consulting Director.
Most enterprises that have engaged with quantum risk planning have encountered the year 2030. It appears in NIST's deprecation schedule. It appears in NSA CNSA 2.0. It appears in BSI and ANSSI guidance. From a distance it reads as: do this by 2030. But that is not what it says.
The term 'crypto agility' appears in procurement documents, vendor briefings, and RFP responses with a frequency that has outpaced its precision. In most vendor usage, it means 'our product supports multiple algorithms.' That is not what NIST means by the term.
NIST finalised its first post-quantum algorithm standards on 13 August 2024 — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). The algorithm selection phase of the post-quantum transition is, for practical purposes, settled.
Most CISOs can tell you they have a quantum problem. Very few can tell you which of their systems are most exposed, which assets need to move first, and whether their current migration timeline is realistic given their data longevity requirements.
The question 'will quantum computers break encryption?' has an answer: yes, with a sufficiently large cryptographically relevant quantum computer, the public-key algorithms that protect most sensitive data will fail. The more pressing question is how long your specific organisation has.
Understanding the Harvest Now, Decrypt Later threat is not the same as knowing which of your data is already at risk. Most organisations that have absorbed the HNDL concept have not taken the next step: mapping their specific data categories against sensitivity, longevity, and current encryption strength.
PQC migration cannot happen across all systems simultaneously, resources are finite, and the wrong migration order leaves your highest-risk assets exposed for longest while consuming budget on lower-priority work. The Cryptographic Asset Prioritisation Matrix solves the sequencing problem.
Algorithm deprecation is not a future risk — it is a current compliance requirement with documented timelines published by NIST, NSA, and ETSI. The challenge is that they are distributed across multiple standards documents, written for different audiences, and updated on different schedules.
PQC migration is not a bounded project with a clear entry point — it is a programme that cuts across every layer of infrastructure, with interdependencies that mean the wrong starting point generates rework, scope conflicts, and wasted budget. The PQC Migration Decision Tree gives you a structured recommendation.
Readiness in the context of PQC migration means something more specific than awareness of the quantum threat. Most organisations that consider themselves PQC-aware have not assessed whether their organisation is actually equipped to migrate — whether the cryptographic inventory is complete, whether vendors have defined upgrade paths.
Most quantum security tools ask how ready your organisation is to migrate to post-quantum cryptography. This tool asks a different question: across the specific ways a quantum-capable adversary would target your organisation, how exposed are you right now, on each one?
NIST finalised three post-quantum cryptographic standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). For a security architect implementing PQC migration, the question is not which standard is best — it is which algorithm is appropriate for this specific use case.
The conversation about OT quantum security migration tends to start in the same place: an asset with no upgrade path. The OT Cryptographic Asset Prioritisation Matrix is built for this reality — it prioritises the assets that can migrate, flags the assets that cannot, and gives you the constraint data needed to plan replacement procurement for the rest.
Most quantum security discussions in operational technology focus on the systems. The scanner works at a lower layer: the communication protocols themselves. Industrial protocols like Modbus and DNP3 were designed decades before quantum computing was a practical concern, and many carry no native cryptographic protection.
Every blockchain operator knows migration to quantum-resistant cryptography is coming. What most do not know is how complex their specific migration will be. The effort varies by orders of magnitude depending on chain type, consensus mechanism, application layer count, and key migration scope.
There are two ways to assess blockchain quantum exposure. The technical approach scans at the protocol layer. The strategic approach asks: how dependent is your organisation on quantum-vulnerable blockchain infrastructure, and do you have any influence over the PQC migration timeline of the chains you depend on?
The Blockchain Quantum Exposure Scanner operates at the technical layer: it identifies which specific signature schemes, wallet address types, and protocol constructs in a blockchain environment carry quantum vulnerability. This is the tool for a security engineer or blockchain developer who needs protocol-level visibility.
Quantum security is an emerging solution category with a large but unevenly distributed market. A pre-sales team without a structured qualification approach wastes discovery time on organisations that are 18 months from a budget decision, while missing organisations that have a compliance mandate, a funded programme, and no vendor relationship.
An organisation considering quantum key distribution has already moved past asking whether quantum security matters. They are asking: is QKD the right solution for our specific requirements, and does our infrastructure actually support it? QKD is not the right answer for every organisation or every use case.
NSA CNSA 2.0 sets specific cryptographic transition requirements for national security systems, including satellite command and control. Most space programme security teams know the standard exists. What the assessor provides is a structured way to evaluate current cryptographic posture against those requirements.
Q-Day is the threshold at which public-key cryptography ceases to provide security against a quantum adversary. Most enterprises are not preparing. Here is what security teams need to understand now.
NIST published FIPS 203, 204, and 205 in August 2024. The algorithm selection phase is over. What security architects need to understand is which standard applies to which workload and what each one actually requires.
HNDL is not a theoretical risk. The NSA said in 2021 that adversaries are collecting encrypted data today. Here is what the evidence shows, what it means for your data, and what you can do about it.
NIST published four post-quantum standards in August 2024. This is the reference a CISO or architect needs to understand what each standard does, which compliance framework applies, and how migration actually works.
Most board quantum security briefings produce awareness, not decisions. The CISO's challenge is translation. This is a practical guide to structuring a briefing that produces a budget approval and a mandate.
Financial services faces a structurally higher quantum security exposure than most sectors. Regulatory retention requirements, interconnected infrastructure, and documented state-actor targeting create a specific, mapped risk.
Most PQC migration programmes treat the perimeter of the problem as the perimeter of the organisation. It is not. Every supplier that exchanges encrypted data with your organisation is a cryptographic dependency you do not control.
QKD is a key exchange protocol with genuine information-theoretic security properties. It is also a specialised technology with fundamental limitations most enterprise assessments do not address honestly. Here is the full picture.
Every PQC migration programme has a first step. Most organisations get it wrong. Without a complete cryptographic inventory, there is no way to know what you are migrating, in what order, or when you are done.
A score without interpretation is noise. This guide explains the five factors behind the QSECDEF Post-Quantum Risk Assessment, what drives each factor score, and how to translate the output into a migration programme starting point.