Most quantum security tools ask how ready your organisation is to migrate to post-quantum cryptography. This tool asks a different question: across the specific ways a quantum-capable adversary would target your organisation, how exposed are you right now, on each one? Five threat vectors, scored independently, combined into a single exposure profile. The distinction matters because a readiness assessment and a threat exposure assessment can produce completely different priority orders, and a CISO who has only one of them is missing half the picture.

What the Quantum Threat Exposure Assessment Does

The assessment maps your organisation's exposure across five adversary-facing threat vectors. Where a readiness checklist measures what you have done, this assessment measures where a quantum-capable adversary would find the most opportunity.

Vector 1: Cryptographic Vulnerability

Your current algorithm inventory, measured against quantum attack classes: RSA and ECDSA are broken entirely by Shor's algorithm; AES-128 is weakened by Grover's algorithm. The algorithms you are running determine the surface area available to a quantum-enabled attacker, and this vector scores how much of your cryptographic estate sits in the vulnerable category. For background on the harvest now, decrypt later (HNDL) dimension of this vector, see the linked article.
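One way to turn an algorithm inventory into the share of the estate in each quantum attack class, as an added example that is not the assessment tool's own logic. It goes slightly beyond the algorithms named above by also recognising ECDH, DH, DSA and the NIST post-quantum schemes; the inventory, the instance counts and the 128-bit threshold are assumptions.

```python
from collections import defaultdict

# Public-key schemes built on factoring or discrete logarithms: broken by Shor.
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
# NIST-standardised post-quantum schemes (FIPS 203, 204, 205).
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Assumption: a symmetric key is flagged when Grover's quadratic speed-up
# leaves fewer than 128 bits of effective strength (key length / 2).
MIN_EFFECTIVE_BITS = 128

# Constructed inventory: (use, algorithm, number of deployed instances).
INVENTORY = [
    ("TLS server certificates", "RSA-2048", 120),
    ("Code signing", "ECDSA-P256", 10),
    ("VPN key exchange", "ECDH-P256", 30),
    ("Database encryption", "AES-128", 20),
    ("Backup encryption", "AES-256", 15),
    ("Pilot TLS key exchange", "ML-KEM-768", 5),
]


def classify(algorithm):
    """Map an algorithm label such as 'RSA-2048' to a quantum attack class."""
    name = algorithm.strip().upper()
    parts = name.split("-")
    if name.startswith(PQC_PREFIXES):
        return "quantum-resistant"
    if parts[0] in SHOR_BROKEN:
        return "shor-broken"
    if parts[0] == "AES" and len(parts) > 1 and parts[1].isdigit():
        effective_bits = int(parts[1]) // 2
        if effective_bits >= MIN_EFFECTIVE_BITS:
            return "quantum-resistant"
        return "grover-weakened"
    return "unknown"  # unrecognised labels are surfaced, not assumed safe


def exposure_share(inventory):
    """Return each attack class's share of the estate, weighted by instances."""
    totals = defaultdict(int)
    for _use, algorithm, count in inventory:
        totals[classify(algorithm)] += count
    estate = sum(totals.values())
    return {cls: n / estate for cls, n in totals.items()} if estate else {}


if __name__ == "__main__":
    for cls, share in sorted(exposure_share(INVENTORY).items()):
        print(f"{cls:18s} {share:.0%}")
```
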

Vector 2: Data Longevity and HNDL Risk

The proportion of your organisation's data that carries long-term confidentiality requirements and is therefore at retrospective decryption risk. Data that needs to remain secret for 10 or more years is at risk from adversaries harvesting it now and decrypting it once a cryptographically relevant quantum computer (CRQC) exists. This vector scores how much of your current data estate sits in that exposure category.

Vector 3: Authentication Infrastructure

The exposure of your identity and access management systems to quantum attacks on digital signatures. Authentication infrastructure is a high-value target for a quantum adversary because compromising it provides access to everything the identity system protects. The question is not just what algorithms your identity systems use; it is how much of your total operational capability sits behind authentication systems that would fail against a CRQC.

Vector 4: Network and Communications Exposure

TLS, VPN, and protocol-level quantum vulnerability across your communications infrastructure. External communications, internal network traffic, and any encrypted channel where the key exchange or certificate infrastructure uses quantum-vulnerable algorithms all contribute to this vector score.

Vector 5: Supply Chain and Third-Party Risk

How dependent is your organisation on vendors and suppliers whose quantum security posture is unknown or unconfirmed? A supply chain that has not been assessed for PQC readiness is a vector of unknown size. Most quantum security assessments omit the supply chain vector entirely because it is harder to measure and requires uncomfortable conversations with vendors about their roadmaps. Leaving it unmeasured does not reduce the exposure; it just makes it invisible.

Inputs are self-assessment responses for each domain: 4 to 6 questions per vector, taking approximately 20 to 30 minutes total. The output is a scored exposure profile with individual vector ratings, an aggregate score, and prioritised next steps.

[Figure: Quantum Threat Exposure: Five-Vector Profile. Radar chart with axes V1 Crypto Vulnerability, V2 Data Longevity, V3 Auth Infrastructure, V4 Network Exposure and V5 Supply Chain, on a LOW / MED / HIGH / CRIT scale.]

Vector Summary

V1 - Cryptographic Vulnerability (RSA/ECDSA/AES-128 surface area): CRIT
V2 - Data Longevity / HNDL (long-lived data at retrospective risk): HIGH
V3 - Authentication Infra (IAM / signature exposure to CRQC): MED
V4 - Network / Comms (TLS, VPN, protocol-level exposure): CRIT
V5 - Supply Chain (vendor / third-party PQC posture): LOW
Aggregate exposure score: HIGH

Illustrative profile. Your organisation's scores are calculated from your specific inputs.

Illustrative quantum threat exposure profile across five adversary-facing vectors. Critical scores on cryptographic vulnerability and network exposure indicate immediate programme priority. The five-vector frame maps to distinct budget lines and accountable teams, making it more actionable for board reporting than a single aggregate percentage.

Why an Exposure Assessment Is Different From a Readiness Check

A readiness checklist tells you what you need to do. An exposure assessment tells you how urgently you need to do it, and through which specific vectors a quantum-capable adversary would approach your organisation first.

The two tools are designed to be used together, not as alternatives. A high score on Vector 2 (data longevity) with a low readiness score on cryptographic inventory is your single highest priority: you have long-lived sensitive data at HNDL risk, and you do not yet know which of your assets are protecting it or how vulnerable those assets are. The combination of the exposure assessment and the post-quantum security gap assessment outputs is more actionable than either alone.

The five-vector model maps to how a nation-state adversary with quantum capability would actually approach an enterprise target. Cryptographic vulnerability is the direct attack surface. Data longevity determines which historical records are worth targeting now for future decryption. Authentication infrastructure gives access to active systems. Network exposure gives visibility into current communications. Supply chain exposure is the indirect route: a vendor or supplier with weaker quantum security than your organisation becomes a path to your systems.

For board reporting, the five-vector frame is more useful than a single percentage. "We have high exposure on vectors 2 and 4, medium on vectors 1 and 3, and low on vector 5" gives the board a concrete narrative that is harder to dismiss than an aggregate maturity score. It also naturally maps to resource allocation: different vectors require different types of remediation, involving different teams and different budget lines.

As quantum security requirements mature, regulators and auditors are increasingly looking beyond cryptographic inventory status to actual risk exposure. No current regulatory framework mandates a specific quantum threat exposure assessment format, but an exposure-based analysis demonstrates the depth of risk management that regulators are seeking under frameworks such as NIS2 (Article 21) and DORA's ICT risk management requirements. Documenting your organisation's exposure across specific threat vectors provides a defensible record of active risk management, the kind of evidence that supports supervisory dialogue. An organisation that has a documented exposure profile is better positioned for those conversations than one that has only a checklist score.

Our tools are designed as directional tools only. Advice and standards are changing rapidly, and although we update the tools periodically as new information is released, they are not designed as a replacement for expert advice. If your organisation's results show high-priority exposure, the next step is to contact our team or speak to a qualified expert member.

How to Complete the Quantum Threat Exposure Assessment

Step 1. Open the assessment. No registration required.

Step 2. For each of the five vectors, answer the domain questions. The questions are structured at the level of what you know about your organisation today. If you do not know the answer to a question, the honest response is "unknown"; flagging it accurately is more valuable than assuming a favourable position.

Step 3. Vector 2 (data longevity and HNDL risk) requires a view on your proportion of long-lived sensitive data. If your organisation does not have a precise answer, the tool provides guidance on how to estimate. A rough estimate based on your data categories is more useful than skipping the question.

Step 4. Vector 5 (supply chain) requires an honest assessment of vendor quantum readiness. If you have not yet conducted a vendor PQC assessment, the accurate answer is "unknown." Mark unknown vendors as unknown rather than assuming readiness. The tool's gap summary will flag this specifically, which is the correct output: unknown vendor posture is a real gap, not a neutral position.

Step 5. Review the vector scores on completion. Each vector receives a score based on your responses.

Step 6. Review the aggregate exposure score and the priority next-steps output. The aggregate combines the five vector scores into an overall exposure rating with prioritised recommendations by vector.

Step 7. Export or save the report. The output is designed for use in board briefings and programme planning.

How to Interpret Your Quantum Threat Exposure Score

High-exposure vectors: require immediate attention in your migration programme. This is a programme action for this quarter, not a note for the next quarterly review. For Vector 2 (data longevity), that may mean beginning a data minimisation review for long-lived data that does not need to exist. For Vector 4 (network and communications), it may mean prioritising TLS and VPN infrastructure in your first migration tranche.

Medium-exposure vectors: include in your primary migration programme window. The risk is real but does not drive the programme schedule ahead of high-exposure items.

Low-exposure vectors: schedule in later tranches. Monitor quarterly. Low scores do not mean zero exposure; they mean the combination of factors in that vector currently presents less urgent risk than the higher-scoring dimensions.

The relationship between this assessment and the PQC Readiness Checklist is direct: a high exposure score on a vector where your readiness checklist also shows a low score is your highest priority migration task. Conversely, a high exposure score where your readiness is genuinely strong may indicate that your existing programme is appropriately focused. Use both outputs together.
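How combining the two outputs can reorder priorities, as an added example that is not the scoring used by either tool. The exposure ratings are the illustrative profile shown earlier on the page; the numeric scales, the readiness ratings and the exposure-times-gap ranking rule are assumptions.

```python
# Assumed numeric scale for the exposure ratings used on this page.
EXPOSURE = {"LOW": 1, "MED": 2, "HIGH": 3, "CRIT": 4}
# Assumed readiness-gap scale: higher means less ready. "unknown" is scored
# as a full gap, since an unknown posture is a real gap, not a neutral one.
GAP = {"strong": 1, "partial": 2, "weak": 3, "unknown": 3}

# vector -> (exposure rating from the illustrative profile,
#            constructed readiness rating for the matching checklist area)
PROFILE = {
    "V1": ("CRIT", "strong"),
    "V2": ("HIGH", "weak"),
    "V3": ("MED", "partial"),
    "V4": ("CRIT", "partial"),
    "V5": ("LOW", "unknown"),
}


def exposure_order(profile):
    """Rank vectors by exposure alone; ties keep their input order."""
    return sorted(profile, key=lambda v: -EXPOSURE[profile[v][0]])


def combined_order(profile):
    """Rank by exposure x readiness gap, breaking ties on exposure."""
    def key(vector):
        exposure, readiness = profile[vector]
        return (-EXPOSURE[exposure] * GAP[readiness], -EXPOSURE[exposure])
    return sorted(profile, key=key)


def top_priority(profile):
    """The vector where high exposure meets the weakest readiness."""
    return combined_order(profile)[0]


if __name__ == "__main__":
    print("exposure only:", exposure_order(PROFILE))
    print("with readiness:", combined_order(PROFILE))
```

With these inputs, Vector 2 moves ahead of both critical vectors because its readiness is weakest, while Vector 1 drops because the existing programme already covers it.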

For high scores on supply chain (Vector 5): use the PQC Migration Decision Tree to determine where vendor readiness fits in your programme sequencing. Vendor assessment is typically a longer lead-time activity than internal migration work, and it needs to start earlier.

Presenting the results to your board: the five-vector frame maps naturally to strategic resource decisions. Each vector corresponds to a different budget line and a different set of accountable teams. "We have high exposure on authentication infrastructure" points to a specific programme; it is harder to deprioritise than "we have a 67% readiness score."

Discuss your results with a QSECDEF expert member. A directional assessment is the starting point, not the programme. If your results show high-priority exposure, the next step is a discussion about a structured migration programme with defined milestones. Request a consultation with our team or find a qualified expert member.