Quantum Computing Cybersecurity

Quantum Readiness Assessment

A systematic evaluation of your cryptographic infrastructure against quantum threats. Discover what is vulnerable, prioritize what to migrate first, and build a roadmap before adversaries exploit current encryption weaknesses.

CMMC Registered Practitioner Org • BBB A+ Since 2003 • 23+ Years Experience

Key Takeaways

  • A quantum readiness assessment identifies every cryptographic algorithm, key, certificate, and protocol in your environment
  • NIST finalized post-quantum cryptography standards in August 2024 (FIPS 203, 204, 205), making migration planning actionable now
  • Organizations handling data with a confidentiality shelf life beyond 2030 face harvest-now, decrypt-later (HNDL) risk today: ciphertext captured now can be decrypted once a quantum computer is available
  • PTG's AI-powered scanning completes cryptographic inventory in days, not months

What Is a Quantum Readiness Assessment

A quantum readiness assessment (QRA) is a structured process that evaluates your organization's exposure to quantum computing threats and produces a prioritized migration plan. Unlike a standard vulnerability scan, a QRA focuses specifically on cryptographic dependencies: the algorithms protecting your data in transit, at rest, and in backup archives.

The core premise is straightforward. Quantum computers running Shor's algorithm will break RSA, ECC, and Diffie-Hellman, the three public-key cryptosystems that protect virtually all internet communications. The question is not whether this will happen but when. The Global Risk Institute's 2024 survey found that over 50% of quantum computing experts assign a significant probability to a cryptographically relevant quantum computer (CRQC) arriving by 2034.

A QRA answers three questions for your specific organization:

  1. What is exposed? A complete inventory of every cryptographic asset: TLS certificates, VPN tunnels, API keys, database encryption, code signing certificates, SSH keys, email encryption, and hardware security modules.
  2. What is the risk? A classification of each asset by data sensitivity, regulatory requirements (CMMC, HIPAA, PCI DSS), and confidentiality shelf life relative to quantum threat timelines.
  3. What do we migrate first? A prioritized roadmap with dependencies mapped, resource requirements estimated, and compliance milestones aligned.

Start Your Quantum Readiness Assessment

PTG's initial consultation is free. We scope your environment, identify your highest-risk cryptographic assets, and outline a migration timeline aligned to your compliance requirements.

The Five-Phase Assessment Process

PTG's quantum readiness assessment follows a repeatable five-phase methodology. Each phase produces documented deliverables that feed into the next, and the final output is a migration roadmap your engineering team can execute immediately.

Phase 1: Cryptographic Discovery

We deploy AI-powered scanning tools across your network, cloud infrastructure, and application stack to build a complete cryptographic inventory. This covers TLS/SSL certificates, VPN configurations, database encryption settings, key management systems, code signing workflows, and embedded firmware cryptography. The discovery phase typically completes in 3-5 business days for a mid-size enterprise.

Phase 2: Vulnerability Classification

Each discovered cryptographic asset is classified by its quantum vulnerability. RSA and ECC key exchanges are flagged as quantum-vulnerable. AES-256 symmetric encryption is quantum-resistant (Grover's algorithm reduces its effective strength to 128 bits, which remains secure). Hash functions such as SHA-256 are similarly reduced but remain adequate. The result is a color-coded risk map showing exactly where your quantum exposure lies.

Phase 3: Data Sensitivity Analysis

Not all quantum-vulnerable encryption protects equally sensitive data. We classify protected data by confidentiality shelf life: data that must remain secret for 5+ years faces active HNDL risk; data with shorter shelf lives can be migrated on a less aggressive timeline. Regulatory requirements from HIPAA, CMMC, PCI DSS, and sector-specific mandates factor into priority scoring.

Phase 4: Gap Analysis

We compare your current cryptographic posture against the requirements of NSA CNSA 2.0 (mandatory for National Security Systems by January 2027), NIST post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), and any industry-specific frameworks that apply to your organization. The gap analysis identifies not just which algorithms need replacement but which systems, libraries, and vendors are blockers.

Phase 5: Migration Roadmap

The final deliverable is a phased migration roadmap with dependency mapping, resource estimates, budget projections, and compliance milestone alignment. We recommend building crypto agility into every migration phase so your infrastructure can adapt as PQC standards evolve. The roadmap includes quick wins (certificate rotations, TLS upgrades) alongside longer-term architectural changes (HSM firmware updates, custom protocol migrations).

Who Needs a Quantum Readiness Assessment

Defense Contractors and DIB Organizations

NSA CNSA 2.0 mandates quantum-resistant algorithms for National Security Systems acquisitions by January 2027. CMMC 2.0 assessors will increasingly evaluate cryptographic posture. If you handle CUI or classified data, your QRA timeline is the most urgent. PTG's CMMC-RP and CCA credentials mean we produce assessment documentation in the format CMMC assessors expect.

Healthcare Organizations

Protected Health Information must remain confidential for a patient's lifetime, often 50+ years. That shelf life far exceeds the projected timeline for quantum decryption. HHS proposed mandatory encryption updates in early 2026. A QRA maps your HIPAA compliance posture against quantum threat vectors and identifies which PHI systems to migrate first.

Financial Services

Banks, credit unions, payment processors, and insurance companies rely on RSA and ECC for transaction authentication, interbank communications (SWIFT), and customer data encryption. PCI DSS requires strong cryptography; as NIST deprecates quantum-vulnerable algorithms, PCI compliance will mandate PQC. A QRA identifies your transaction chain vulnerabilities before they become compliance violations.

Government Agencies and Contractors

OMB Memorandum M-23-02 requires federal agencies to inventory cryptographic systems and prioritize migration. State and local governments handling sensitive citizen data (tax records, law enforcement, vital statistics) face similar exposure. A QRA aligns your migration plan with federal guidance and helps justify budget requests with quantified risk data.

Quantum Vulnerability by Algorithm

Algorithm        | Quantum Threat                | Action Required
-----------------|-------------------------------|----------------------------------
RSA-2048/4096    | Broken by Shor's              | Replace with ML-KEM (FIPS 203)
ECDSA / ECDH     | Broken by Shor's              | Replace with ML-DSA (FIPS 204)
Diffie-Hellman   | Broken by Shor's              | Replace with ML-KEM (FIPS 203)
AES-256          | Weakened (128-bit effective)  | Monitor; still considered secure
SHA-256          | Weakened (128-bit effective)  | Monitor; still considered secure
AES-128          | Weakened (64-bit effective)   | Upgrade to AES-256
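As an added example (not PTG's tooling), the following Python applies the classification rules from Phase 2, the shelf-life logic from Phase 3 and the table above to a constructed inventory. It assumes 2034 as the CRQC horizon (the survey figure quoted earlier), limits HNDL exposure to confidentiality uses since a signature cannot be harvested now and forged later, and splits the ECDSA / ECDH row so key agreement maps to ML-KEM and signatures to ML-DSA; the asset names and shelf lives are constructed sample data.

```python
# Added example, not PTG's tooling: quantum risk classification of a constructed
# inventory, following the page's Phase 2/3 rules and algorithm table.
from dataclasses import dataclass

CRQC_HORIZON = 2034  # CRQC arrival year assumed from the survey figure above
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH"}
# Assumption refining the page's row: key agreement -> ML-KEM, signatures -> ML-DSA
REPLACEMENT = {"key_exchange": "ML-KEM (FIPS 203)", "signature": "ML-DSA (FIPS 204)"}
CONFIDENTIALITY_USES = {"key_exchange", "encryption"}
MIN_EFFECTIVE_BITS = 128  # Grover-halved strength the page still treats as secure

@dataclass
class Asset:
    name: str
    family: str  # RSA, ECDSA, ECDH, DH, AES, SHA2
    bits: int    # key size or digest length
    usage: str   # key_exchange, signature, encryption, hashing
    shelf_life_years: int  # years the protected data must stay confidential

def hndl_exposed(asset: Asset, assessment_year: int) -> bool:
    """Harvest-now-decrypt-later threatens confidentiality only: recorded ciphertext
    is readable once a CRQC exists. Signatures cannot be harvested and forged later."""
    if asset.usage not in CONFIDENTIALITY_USES:
        return False
    return assessment_year + asset.shelf_life_years > CRQC_HORIZON

def classify(asset: Asset, assessment_year: int) -> dict:
    hndl = hndl_exposed(asset, assessment_year)
    if asset.family in SHOR_BROKEN:
        threat = "Broken by Shor's"
        action = "Replace with " + REPLACEMENT[asset.usage]
        priority = "P1" if hndl else "P2"  # long-lived secrets migrate first
    else:
        effective = asset.bits // 2  # Grover's square-root speedup halves the bits
        threat = f"Weakened ({effective}-bit effective)"
        if effective >= MIN_EFFECTIVE_BITS:
            action, priority = "Monitor; still considered secure", "P4"
        else:
            action, priority = f"Upgrade to {asset.family}-{asset.bits * 2}", "P3"
    return {"asset": asset.name, "threat": threat, "action": action, "hndl": hndl, "priority": priority}

INVENTORY = [  # constructed sample, not real discovery data
    Asset("patient-portal TLS", "RSA", 2048, "key_exchange", 50),
    Asset("API session keys", "ECDH", 256, "key_exchange", 0),
    Asset("firmware signing", "ECDSA", 256, "signature", 10),
    Asset("backup archive", "AES", 128, "encryption", 20),
]
# Risk register in migration order: P1 (Shor-broken and HNDL-exposed) first
for row in sorted((classify(a, 2026) for a in INVENTORY), key=lambda r: r["priority"]):
    print(row["priority"], row["asset"], "|", row["threat"], "|", row["action"])
```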

Know Your Quantum Risk

Every week without a cryptographic inventory is another week adversaries can harvest your encrypted data. PTG's assessment delivers a prioritized migration plan you can act on immediately.

Assessment Deliverables

Every PTG quantum readiness assessment produces a standardized set of deliverables designed for both technical teams and executive stakeholders:

  • Cryptographic Asset Inventory — Complete catalog of algorithms, key sizes, certificates, protocols, and their locations across your infrastructure
  • Quantum Risk Register — Each asset scored by quantum vulnerability, data sensitivity, regulatory exposure, and HNDL risk window
  • Gap Analysis Report — Current state vs. target state for CNSA 2.0, NIST PQC standards, and applicable industry frameworks
  • Migration Roadmap — Phased plan with dependencies, resource estimates, budget ranges, and compliance milestones
  • Executive Summary — Board-ready overview with risk quantification, recommended timeline, and investment justification
  • Crypto Agility Recommendations — Architectural guidance for building algorithm-agile infrastructure to avoid repeated migration cycles

Frequently Asked Questions

How long does a quantum readiness assessment take?

For a typical mid-size organization (500-5,000 endpoints), the assessment takes 2-4 weeks. The AI-powered cryptographic discovery phase completes in 3-5 business days. Vulnerability classification and data sensitivity analysis add another week. The final deliverables, including the migration roadmap, are delivered within the fourth week. Larger enterprises with complex multi-cloud environments or legacy systems may require 6-8 weeks.

Is it too early to start a quantum readiness assessment?

No. NIST finalized its first three post-quantum cryptography standards in August 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), making migration planning fully actionable. NSA CNSA 2.0 requires quantum-resistant algorithms for National Security System acquisitions by January 2027. Google set a company-wide PQC migration deadline of 2029 on March 25, 2026. The migration itself takes 18-36 months for most organizations, which means the planning window is already closing.

What does a quantum readiness assessment cost?

PTG's initial consultation is free. Full assessment pricing depends on the scope of your environment: number of endpoints, cloud services, on-premise systems, and regulatory requirements. Contact us for a scoping call and a detailed proposal. We structure engagements to deliver actionable results at each phase, so you see value from the first week.

Do we need to replace all our encryption at once?

No. The migration roadmap prioritizes by risk. Systems protecting data with long confidentiality requirements (healthcare records, classified information, financial archives) migrate first. Systems where data expires quickly (session tokens, short-lived API keys) can migrate on a longer timeline. Building crypto agility into your migration means you can swap algorithms incrementally without system-wide downtime.

What is the difference between a QRA and a standard security assessment?

A standard security assessment or penetration test evaluates your defenses against current threats. A quantum readiness assessment specifically evaluates your cryptographic infrastructure against future quantum threats. It requires specialized knowledge of post-quantum algorithms, NIST PQC standards, Shor's and Grover's algorithms, and the regulatory landscape (CNSA 2.0, OMB M-23-02). The two assessments are complementary, not overlapping. PTG's cybersecurity practice delivers both.

Ready to Assess Your Quantum Risk?

The first step is a 30-minute scoping call. We review your environment, identify your highest-priority cryptographic assets, and outline next steps. No obligation.