{"id":15919,"date":"2026-03-09T06:11:20","date_gmt":"2026-03-09T06:11:20","guid":{"rendered":"https:\/\/newestek.com\/?p=15919"},"modified":"2026-03-09T06:11:20","modified_gmt":"2026-03-09T06:11:20","slug":"pqc-roadmap-remains-hazy-as-vendors-race-for-early-advantage","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15919","title":{"rendered":"PQC roadmap remains hazy as vendors race for early advantage"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Post-quantum cryptography (PQC) has long sat on the periphery of enterprise security, with experts calling it inevitable but not urgent. That posture is beginning to shift.<\/p>\n<p>Earlier this year, Palo Alto Networks <a href=\"https:\/\/www.csoonline.com\/article\/4123719\/palo-alto-warns-of-quantum-risk-to-digital-security.html\" target=\"_blank\">published<\/a> a blog announcing a new \u201cquantum-safe security\u201d initiative, framing it as a way for enterprises to assess where quantum-vulnerable cryptography exists across their environments and begin planning a transition. While the <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2026\/01\/introducing-quantum-safe-security\" target=\"_blank\" rel=\"noreferrer noopener\">announcement<\/a> was light on technical specifics, it added to a growing security sentiment. Post-quantum threats are real.<\/p>\n<p>\u201cIDC\u2019s view is that post-quantum risk is no longer a distant, theoretical issue; it is becoming a present-day governance and operational risk, especially for regulated and data-intensive industries,\u201d said Sakshi Grover, senior research manager, security services, IDC Asia Pacific. 
While practical quantum attacks remain years away, security vendors are beginning to pull PQC out of the confines of a \u201cfuture theory\u201d and into present-day risk management.<\/p>\n<p>Rather than pushing sweeping architectural changes from the start, they are positioning discovery, inventory, readiness assessments, and crypto-agility capabilities as the first steps to get enterprises up to speed with quantum.<\/p>\n<p>But even that groundwork is far from straightforward.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Can\u2019t change what you can\u2019t see<\/h2>\n<p>At the heart of most PQC readiness offerings is a basic but difficult problem. Many organizations do not know where or how cryptography is used across their infrastructure. Encryption is embedded everywhere, from certificates and VPNs to APIs, firmware, identity systems, and third-party software. That sprawl makes it difficult to evaluate exposure to algorithms like RSA and elliptic curve cryptography, which are expected to be broken by sufficiently capable quantum computers.<\/p>\n<p>Palo Alto\u2019s messaging centers on this visibility gap. According to the company, its approach is to help organizations identify cryptographic usage that may not be quantum-safe and provide guidance on remediation paths. It isn\u2019t alone in trying to do this.<\/p>\n<p>Cisco frames the visibility problem in similarly operational terms, emphasising that readiness spans multiple phases rather than a one-time audit. 
\u201cCisco CX\u2019s Quantum-Safe Services delivers end-to-end support across discovery, monitoring, and migration\u2013plus strategic advisory and ongoing optimization to keep pace with evolving standards,\u201d said <a href=\"https:\/\/blogs.cisco.com\/author\/chrchish\" target=\"_blank\" rel=\"noreferrer noopener\">Christian Chisolm<\/a>, senior director of strategy &amp; planning, Security &amp; Trust Organization, Cisco.<\/p>\n<p>Companies like IBM have also been building cryptographic inventory solutions to catalog every encryption component. IBM\u2019s Quantum Safe Explorer (<a href=\"https:\/\/www.ibm.com\/docs\/en\/quantum-safe\/quantum-safe-explorer\/2.x?topic=quantum-safe-explorer-overview\" target=\"_blank\" rel=\"noreferrer noopener\">QSE<\/a>) performs static analysis of software to locate cryptographic assets, including libraries and dependencies, and pairs that with runtime monitoring through its Quantum Safe Advisor to build a comprehensive \u201cCryptography Bill of Materials.\u201d<\/p>\n<p>Some providers are focusing specifically on infrastructure-layer visibility. Cisco says its discovery currently concentrates on network cryptography exposure. \u201cWe currently detect: Digital certificates across management, control, and data planes; Cryptographic protocols and algorithms (TLS\/SSL, SSH, IPsec, etc); Key exchange mechanisms on Cisco network devices; Trust anchors and hardware security elements within platform architectures,\u201d Chisolm said.<\/p>\n<p>Cloudflare, by contrast, emphasizes visibility at the connection layer rather than deep asset discovery. \u201cCloudflare provides visibility into which client devices and endpoints can successfully establish TLS 1.3 connections,\u201d Volker Rath, field CISO at Cloudflare, said.<\/p>\n<p>Certificate management vendors are also repositioning core functions for PQC readiness. 
DigiCert, for example, uses its <a href=\"https:\/\/www.digicert.com\/trust-lifecycle-manager\" target=\"_blank\" rel=\"noreferrer noopener\">Trust Lifecycle Manager<\/a> and related tools to help enterprises identify, inventory, and begin replacing vulnerable certificates with quantum-safe alternatives.<\/p>\n<h2 class=\"wp-block-heading\" id=\"some-are-already-ahead-as-the-migration-question-looms\">Some are already ahead as the migration question looms<\/h2>\n<p>One of the earliest vendors to operationalize cryptographic discovery specifically for PQC readiness was SandboxAQ, which emerged from Google\u2019s quantum research efforts. As early as 2022, the company argued that enterprises needed to inventory cryptographic assets long before post-quantum algorithms could be deployed at scale.<\/p>\n<p>Initially offered as a consulting-driven assessment, that capability eventually evolved into a product, AQtive Guard, designed to continuously monitor cryptographic usage and flag quantum-vulnerable dependencies.<\/p>\n<p>In 2024, the platform\u2019s <a href=\"https:\/\/www.sandboxaq.com\/press\/softbank-corp-uses-sandboxaqs-aqtive-guard-to-identify-undetected-security-vulnerabilities-in-existing-it-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">deployment<\/a> by SoftBank Corporation gave the company\u2019s claims public validation, uncovering unnoticed vulnerable encryption and certificate issues across a large enterprise network. 
Beyond SoftBank, SandboxAQ has managed to secure high-profile engagements, including a <a href=\"https:\/\/aqtiveguard.com\/blog\/sandboxaq-and-dow-cio-partner-to-strengthen-us-defenses-against-quantum-and-ai-driven-cyber-threats\" target=\"_blank\" rel=\"noreferrer noopener\">partnership<\/a> to deploy AQtive Guard across multiple US Department of War entities to accelerate cryptographic visibility and PQC modernization.<\/p>\n<p>A handful of other vendors, too, have moved beyond experimental efforts to deliver more mature offerings. QuSecure offers the <a href=\"https:\/\/www.qusecure.com\/qusecure-launches-quprotect-r3\/\" target=\"_blank\" rel=\"noreferrer noopener\">QuProtect<\/a> platform, combining crypto-agility with discovery so enterprises can embed quantum-resilient cryptography into existing infrastructure without rewriting application code.<\/p>\n<p>Some niche players are offering full-stack products that embed PQC across services. Companies like <a href=\"https:\/\/www.post-quantum.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Post-Quantum<\/a> (UK-based) provide modular software for identity, VPNs, and encrypted messaging that is quantum-safe today, stressing crypto-agility and backward compatibility as part of readiness.<\/p>\n<p>\u201cThe approach to mass migration away from where we\u2019ve grown comfortable into new methods of encryption is no easy task,\u201d said <a href=\"https:\/\/url.usb.m.mimecastprotect.com\/s\/-lXyCWWE8EhZ8gzLI6f6IodZn8?domain=gartner.com\" target=\"_blank\" rel=\"noreferrer noopener\">Bart Willemsen<\/a>, VP analyst at Gartner. \u201cThe road towards continuous inventory, prioritization for replacement, and the ability to maintain connectivity in operations is a long one. 
What\u2019s more, we need to become and remain crypto-agile (we\u2019re likely going to have to do the same again, later, as has always been the case historically) and that repeatability demands consistency.\u201d<\/p>\n<p>Cisco argues that migration planning must account for legacy constraints, not just modern systems. \u201cLegacy systems present unique challenges \u2014 limited processing power, fixed firmware, and operational lifecycles spanning over 10 to 20 years. When direct upgrades aren\u2019t feasible, we deploy cryptographic abstraction layers: quantum-safe proxies or gateways that mediate communications on behalf of legacy devices, essentially wrapping vulnerable protocols in PQC-secured tunnels,\u201d Chisolm said.<\/p>\n<p>Cloudflare takes a different approach, positioning its network as a compensating control. \u201cThis means customers do not necessarily need to upgrade legacy systems or proprietary software to achieve PQC readiness, as the connection is secured at the edge, removing the opportunity for interception along the way,\u201d Rath said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"harvest-now-decrypt-later-adds-pressure\">\u201cHarvest now, decrypt later\u201d adds pressure<\/h2>\n<p>Part of the renewed urgency comes from the <a href=\"https:\/\/www.paloaltonetworks.in\/cyberpedia\/harvest-now-decrypt-later-hndl\" target=\"_blank\" rel=\"noreferrer noopener\">\u201charvest now, decrypt later\u201d<\/a> threat model, in which adversaries collect encrypted data today with the expectation that it can be decrypted once quantum capabilities mature.<\/p>\n<p>This scenario has shifted PQC from a hypothetical future problem to an immediate data protection concern, particularly for industries handling sensitive data with long confidentiality lifetimes, including telecommunications, finance, healthcare, and government.<\/p>\n<p>\u201cWe do hear of HNDL attacks, where conventionally encrypted content is no longer discarded but retained by criminals, 
who are seeing the (quantum) developments as an opportunity for their nefarious activities within 2-3 years,\u201d Gartner\u2019s Willemsen said. \u201cWhen criminals see opportunity around the corner, the quantum-based decryption risks are no longer theoretical; they are real.\u201d<\/p>\n<p>Vendors increasingly argue that action cannot wait for fully capable quantum computers. Cisco warns that organizations holding long-lived sensitive data should already be moving beyond assessments. \u201cAssessment is urgent, but active replacement is now imperative,\u201d Chisolm said.<\/p>\n<p>Cloudflare echoes the timeline concern while pointing to official guidance. \u201cThe National Institute of Standards and Technology (NIST) recommends organizations achieve full post-quantum readiness by 2030,\u201d Rath noted. \u201cGiven the complexity of updating infrastructure at scale, we recommend that enterprises begin planning the replacement process now to reduce stress, costs, and friction.\u201d<\/p>\n<p>NIST also <a href=\"https:\/\/www.csoonline.com\/article\/4122752\/cisa-releases-technology-readiness-list-for-post-quantum-cryptography.html\">finalized<\/a> multiple post-quantum cryptographic algorithms, giving vendors and enterprises targets for migration and reducing uncertainty. As organizations prepare for hybrid PQC deployments, combining classical and quantum-resistant algorithms, vendors are racing to ensure their offerings support evolving standards.<\/p>\n<p>\u201cWe have been monitoring the developments in quantum space for over a decade, and our strategic planning assumptions regarding the expected moment of compromise have consistently pointed towards around 2029,\u201d Willemsen pointed out. 
\u201cGiven the amount of work to be done for a successful migration and \u2018continuous in-control\u2019 situation, that should be read as \u2018tomorrow.\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Readiness vs reality<\/h2>\n<p>Not everyone is convinced that today\u2019s PQC readiness offerings represent a fundamentally new category of security tooling.<\/p>\n<p>Much of what vendors are promoting (crypto inventories, certificate tracking, dependency mapping) overlaps with practices that security teams arguably should already have in place. In that sense, PQC may just be acting as a forcing function for organizations to address longstanding blind spots rather than introducing entirely new technical requirements.<\/p>\n<p>Some vendors counter that the difference lies in depth and integration rather than concept. Cisco positions its approach as foundational rather than additive. \u201cTraditional encryption tools inventory certificates and track key lifecycles. Cisco delivers infrastructure-level quantum readiness, embedding NIST PQC algorithms into core protocols and hardware roots of trust.\u201d<\/p>\n<p>While NIST standards are now available, many commercial products and protocols have yet to fully integrate post-quantum algorithms. Even where support exists, performance trade-offs and interoperability challenges remain. IDC\u2019s Grover recommends a <a href=\"https:\/\/www.csoonline.com\/article\/4030898\/prepping-for-the-quantum-threat-requires-a-phased-approach-to-crypto-agility.html\">phased<\/a> transition. \u201cInstead of aiming for full-scale deployment, buyers should prioritize critical systems first, align with NIST timelines, and integrate PQC into broader GRC programs,\u201d she said.<\/p>\n<p>For vendors, the race is now about positioning. 
Being seen as a trusted guide through the PQC transition, rather than merely an algorithm provider, offers an opportunity to embed deeply into long-term enterprise roadmaps.<\/p>\n<p>Palo Alto Networks\u2019 entry into PQC readiness reflects a broader shift in how the market is approaching the issue. What was once largely the domain of specialized quantum security firms is now being taken up by mainstream security and infrastructure vendors as part of their core platform strategies. Network providers like Cisco are introducing quantum-safe protections for existing protocols, while HSM vendors like Futurex are adding post-quantum algorithm support to established key management systems used in regulated environments.<\/p>\n<p>Cloudflare, similarly, frames readiness as an architectural shift rather than a discrete tool deployment. \u201cWith Cloudflare, customers simply need to place their origin server behind the Cloudflare network, and Cloudflare manages the encryption and key management,\u201d Rath said.<\/p>\n<p>As more vendors formalize their offerings and additional customer deployments are disclosed, the edges of the PQC readiness market are likely to become clearer. What remains uncertain is whether enterprises will prioritize these efforts in the near term or treat them as part of longer-term cryptographic modernization.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Post-quantum cryptography (PQC) has long sat on the periphery of enterprise security, with experts calling it inevitable but not urgent. That posture is beginning to shift. Earlier this year, Palo Alto Networks published a blog announcing a new \u201cquantum-safe security\u201d initiative, framing it as a way for enterprises to assess where quantum-vulnerable cryptography exists across their environments and begin planning a transition. 
While the announcement&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15919\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15919","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15919"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15919\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}