Guide
Your customer asked if you are quantum-safe. Now what?
Security teams at banks, insurers, and large enterprises have started adding a line to their vendor questionnaires: are you preparing for post-quantum cryptography? If you just got that question, here is what it means and how to answer it.
What they are actually asking
A quantum computer of the right size will break the public-key cryptography that protects almost everything online today, including RSA and elliptic-curve keys. The replacements are standardized (NIST published ML-KEM and ML-DSA in 2024), so the question is not whether a fix exists. Your customer wants to know whether you know where your cryptography is and whether you have a plan to move it.
The evidence that actually helps
Three things move a reviewer from “concerned” to “satisfied”:
- A cryptographic inventory: which algorithms and key types you actually run, not a policy that says you will look into it.
- A note on key exchange specifically, because that is the part exposed to “harvest now, decrypt later” and the part you can fix today.
- A CBOM (Cryptographic Bill of Materials), the machine-readable inventory format the US government has told CISA to define.
Where to start in ten seconds
Run a scan of your main domain. You will get a grade, a list of which endpoints already use post-quantum key exchange and which do not, a mapping to the cryptography controls reviewers cite (CSA CCM CEK-04, ISO 27001 A.8.24), and a downloadable CBOM you can attach to your answer.
Scan your domain
Free, and nothing to install.
Running a large or regulated estate and need the full inside-and-out inventory? Talk to us.