The quantum security market has a signal problem. Vendor claims in this space require specialist knowledge to evaluate. When a procurement lead or CISO cannot readily distinguish a product built on ML-KEM (NIST FIPS 203) from one built on a proprietary "quantum-enhanced" algorithm that has never been examined by an outside party, both look equally credible in a slide deck. QSECDEF operates a structured scrutiny process before listing any organisation or individual in its directory. This post explains what that process is, who can apply, and what being listed does and does not mean.
What QSECDEF checks
The vetting process asks applicants to answer a category-specific question set covering five domains. The specific questions vary by applicant type — a technology vendor is asked different things than an academic institution, because the evidence each can produce differs — but the scrutiny is equivalent across categories.
Core mechanism. Name the cryptographic algorithm, physical process, or methodology the work relies on — ML-KEM (FIPS 203), BB84, CV-QKD, or equivalent — and confirm a qualified external reviewer could examine it. Technology described only in proprietary terms, with no formal specification, does not pass this question.
Standards landscape. Identify the published standards the work relates to — NIST FIPS series, ETSI QKD specifications, ISO/IEC 23837 — and where the approach diverges from a published standard, state the technical basis for that departure.
External scrutiny. Describe any examination of core claims by a party outside the organisation: academic co-authors, third-party security auditors, peer-review records, open-source contributors. Internal testing does not meet this criterion.
Honest limits. State the specific technical, operational, or scale constraints on the work. A QKD system has distance limits and key rate trade-offs. A PQC implementation carries handshake overhead on constrained hardware. Absence of stated constraints is a disqualifying signal, not a strength indicator.
Verification pathway. Explain how a technically qualified outside evaluator could assess the core claim. The pathway does not need to be public — a private demonstration under NDA, a sandboxed evaluation build, or reference to published test vectors all qualify.
Auto-reject triggers — technically fraudulent phrases such as "unbreakable encryption" or "quantum-enhanced AES", refusal of any verification pathway — cause rejection regardless of anything else in the application.
Vetting assesses whether claims have a falsifiable, examinable basis. It does not assess product quality, commercial viability, or regulatory compliance. That distinction is stated in every listing.
If you meet the criteria and are ready to apply, begin your application at the application form. The programme team issues a tailored proposal within one working day, with the full qualification outcome confirmed within ten working days.
Who can apply
QSECDEF accepts applications from five categories. Each is assessed with a question set designed for the evidence that category can actually produce.
Technology Vendor. Organisations that build and sell a quantum security or AI security product: a PQC library, a QKD system, a quantum random number generator, an AI model assurance tool, an adversarial defence system. Company age and revenue are not criteria. A seed-stage startup with a published preprint and a named academic co-founder can meet the standard. Applications spanning quantum security, AI security, or both disciplines are equally welcome. Disclosure of any high-risk EU AI Act classification is expected at the point of application.
Systems Integrator / Consultancy. Organisations that deploy or advise on quantum security technology built by others — PQC migration practices, defence primes integrating QKD, technology consultancies advising on cryptographic inventory. The question set requires named professional credentials, credible past engagements, and disclosure of commercial relationships with vendors that could influence client advice.
Academic / Research Institution. Universities, national laboratories, and publicly funded research bodies — including EU Quantum Flagship partners and national cryptography research centres. The question set asks for a verifiable institutional profile, a recent publication or preprint record at named venues, and active funding details.
End-User Organisation. Banks, defence contractors, telecommunications operators, and government agencies that have deployed or are deploying quantum security technology as users rather than developers. The question set requires a verifiable role, an authorised scope statement, a concrete deployment description, and an internal sponsor who has approved the application.
Independent Expert. Individual consultants, researchers between affiliations, retired practitioners, and advisors acting in a personal capacity. The question set asks for a verifiable credential record, a traceable employment history, at least one recent named and verifiable output, two independent referees, and full disclosure of advisory roles or equity holdings.
What happens after you submit
The programme team issues a tailored proposal within one working day. The full qualification outcome is confirmed within ten working days. The process produces one of five outcomes.
Tier A (Flagship). All criteria met at a high level: established scrutiny record, detailed standards awareness, specific and credible constraints stated.
Tier B (Qualified Expert). All criteria met. Strong across all five domains. This is the standard pass outcome for most applicants.
Tier C (Community Contributor). Core criteria met. Appropriate for applicants in earlier stages of their work whose scrutiny record is limited but present and honest.
Tier D (Development Pathway). Where an application is substantively sound but falls short on one or two specific criteria, QSECDEF assigns it to a development pathway rather than a decline. This is not a lesser outcome. It means the application passed the foundational filter — no fraudulent claims, no auto-reject triggers — and the gaps identified are ones that can, with time and ordinary professional activity, be closed. The applicant is told precisely which criteria were not met and what evidence would satisfy them. A formal reassessment window opens at 12 months, or earlier if the applicant provides documented evidence that the gap has been addressed. There is no fee for reassessment. The standard applied at reassessment is identical to the standard applied at first application. Development pathway status is not published and is not visible to other members or to the QSECDEF audience. It is a working designation, held between QSECDEF and the applicant, for as long as it is useful.
Tier E (Declined). Auto-reject triggers present, or foundational criteria not met. Reapplication is possible if the programme of work develops.
The commercial tiers
The vetting gate is the same for every commercial tier. A Vetted Profile holder and a Headline Sponsor cleared identical scrutiny. The tier reflects how much an organisation chooses to invest in participation — not the quality of its technology.
Four commercial participation levels are available, each building on the one below.
Vetted Profile — structured directory profile, QSECDEF Vetted badge, searchability, monthly member digest inclusion. No speaking eligibility.
Featured Listing — above-fold category placement, logo on the category landing page, one editorial case study slot per year, Tier C speaking eligibility (breakout sessions and contributed talks).
Member Organisation — Tier B speaking eligibility (named session in the main conference programme), access to member-only sessions and working group observer status, content collaboration rights, two case study slots per year, priority directory placement.
Headline Sponsor — Tier A speaking eligibility (keynote or equivalent flagship slot), co-branded content programme. Available to technology vendors and systems integrators only. A maximum of four slots per year, a public cap.
A higher tier does not mean deeper vetting, a stronger technology, or a more credible claim. A Vetted Profile holder who has been quietly solving a specific problem for three years may be doing more important work than a Headline Sponsor. Commercial tier says nothing about that.
Vetted Profile membership is offered on annual terms. Full pricing, renewal conditions, and cancellation rights are set out in the Membership Agreement, which applicants receive and accept before payment is processed.
For QSECDEF's privacy policy, see our privacy policy.
What a listing signals
A listing in the QSECDEF directory means the organisation or individual answered a category-specific question set covering five technical domains. Their work — technology, methodology, or research — rests on a named, examinable basis. They know the standards landscape relevant to their field. Their claims have been examined by at least one party outside their own organisation. They have stated, specifically, what their work does not do. And there is a defined pathway by which a qualified evaluator could verify the core claim independently.
That is not a guarantee of product quality, commercial viability, or fitness for any particular deployment. It is a technical legitimacy check. Procurement leads and CISOs who use QSECDEF as a reference point should treat listing status as one signal among several in any purchasing or partnering decision. QSECDEF does not accept responsibility for commercial decisions made on the basis of listing status alone.
The higher the commercial tier, the more the organisation has invested in participating in the QSECDEF programme. That is all it means.
The standard exists because the field needs one. We intend to keep it defensible.
If you are unsure which category applies to your organisation, or want to understand the process before applying, contact the programme team at info@qsecdef.com. If you are ready to apply, begin at the application form.
