Enterprise Post-Quantum VPNs: A Deployment Comparison
5 July 2026
Steven Vaile, Director, Quantum Security Defence
<p>Post-quantum VPN migration is not a single task. Enterprise VPN infrastructure spans three distinct protocol families, each with a different standardisation path, different integration mechanism for ML-KEM, and different maturity level in enterprise vendor implementations. The comparison below is for network security architects who already know migration is coming and want an honest picture of where the protocol ecosystem stands, which vendor versions actually support what, and how to structure an evaluation before the next infrastructure refresh cycle.</p>
<h2>How VPN protocols handle key exchange and where PQC fits</h2>
<p>Enterprise VPN deployments fall into three protocol categories with separate PQC migration paths. The differences are not cosmetic.</p>
<p>IPsec/IKEv2 is the dominant protocol for site-to-site and gateway VPNs. Key exchange uses the IKEv2 protocol with Diffie-Hellman groups specified in the IKE SA negotiation. PQC integration adds ML-KEM as a new DH transform type. The IETF IPSECME working group document draft-ietf-ipsecme-ikev2-ml-kem had reached RFC Editor stage as of August 2025. [ASSUMED: verify the current RFC number if published before relying on the draft identifier in procurement specifications.] IETF RFC 9242 (2022) addresses the intermediate exchange mechanism required to handle the larger message sizes that ML-KEM introduces in IKEv2. Hybrid mode, combining a classical DH group with ML-KEM, is supported in the IETF specification and is the recommended transition approach.</p>
<p>OpenVPN uses TLS 1.3 for control channel key exchange. PQC integration follows directly from TLS 1.3 post-quantum extensions, using hybrid key exchange constructions. OpenVPN 2.6 and later supports external key exchange plugins that can incorporate ML-KEM via the Open Quantum Safe liboqs-based oqs-provider for OpenSSL 3.x. This is not a standalone TLS plugin; it operates as an OpenSSL provider, meaning OpenVPN loads oqs-provider through its standard OpenSSL 3.x provider mechanism. In this configuration, OpenVPN uses X25519 with ML-KEM-768, matching RFC 9496 X-Wing or equivalent IETF hybrid constructions. This integration path is not a production-supported configuration from the OpenVPN project itself; it is a research and early-adoption path requiring the operator to build and maintain the oqs-provider integration. [ASSUMED: verify current OpenVPN documentation and oqs-provider compatibility matrix for the specific OpenVPN and OpenSSL 3.x version in your environment before any deployment decision.]</p>
<p>WireGuard operates differently from both. Its cryptographic design is static and hardcoded: Curve25519 for key exchange, ChaCha20-Poly1305 for symmetric encryption, BLAKE2s for hashing. The design explicitly excludes algorithm negotiation to eliminate downgrade attacks. That is a security property of WireGuard. It is also why PQC integration requires a protocol extension rather than a configuration parameter change. The Rosenpass project (Schmidt et al., 2023, IEEE S&P) addresses this: Rosenpass runs a separate PQC key exchange alongside WireGuard, mixing the output into WireGuard's session key to produce a hybrid construction. The Rosenpass specification is published and formally verified. Enterprise management tooling for Rosenpass is not yet at the maturity level of the IPsec ecosystem.</p>
<p>The TLS 1.3 foundations that underpin both OpenVPN and web-based VPN gateways are covered in <a href="/insights/post-quantum-tls-what-changes-stays-same/">Post-Quantum TLS: What Changes and What Stays the Same</a>.</p>
<h2>Enterprise vendor comparison: Cisco, Palo Alto, Fortinet</h2>
<p>The status below reflects public vendor announcements and early release note disclosures as of August 2025. VPN product software changes frequently. Before any deployment decision, verify against the current release notes for the specific software version and hardware platform in your environment. Vendor announcements and production feature availability are not the same thing.</p>
<table>
<thead>
<tr>
<th>Vendor</th>
<th>Protocol</th>
<th>PQC feature</th>
<th>Software version</th>
<th>Hybrid mode</th>
<th>FIPS 140-3 PQC status</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td>Cisco</td>
<td>IPsec/IKEv2</td>
<td>ML-KEM-768 and ML-KEM-1024 as IKEv2 key exchange methods</td>
<td>IOS XE 17.13 (2024) [ASSUMED: verify exact version and platform support in current release notes]</td>
<td>Supported (classical DH Group 19/20 + ML-KEM)</td>
<td>Pending [ASSUMED: verify CMVP status]</td>
<td>Verify feature flag availability per ASA/FTD platform; not all platforms run the same feature set simultaneously</td>
</tr>
<tr>
<td>Palo Alto</td>
<td>IPsec/IKEv2</td>
<td>Hybrid post-quantum IKEv2 including GlobalProtect VPN</td>
<td>PAN-OS 11.x [ASSUMED: verify specific version in current release notes]</td>
<td>Supported</td>
<td>Pending [ASSUMED: verify CMVP status]</td>
<td>Confirm whether GlobalProtect (client VPN) and site-to-site are both supported in the same version</td>
</tr>
<tr>
<td>Fortinet</td>
<td>IPsec/IKEv2</td>
<td>ML-KEM as IKEv2 phase 1 key exchange in FortiGate site-to-site</td>
<td>FortiOS 7.6+ [ASSUMED: verify in current FortiOS release notes]</td>
<td>Supported</td>
<td>Pending [ASSUMED: verify CMVP status]</td>
<td>Feature availability varies across FortiGate hardware models; check platform compatibility matrix</td>
</tr>
</tbody>
</table>
<p>The caveat in the Notes column for every vendor is operational, not cautionary boilerplate. Enterprise deployments routinely run software one to three major releases behind current. A network architect assessing PQC readiness across their VPN estate must check the deployed software version, not the vendor's most recent announcement. A vendor may have shipped ML-KEM support in its latest release while the deployed estate is two versions earlier with no PQC capability at all.</p>
<p>For the broader picture of post-quantum tunnel provider status, see <a href="/quantum-news/post-quantum-vpns-ml-kem-tunnel-providers/">Post-Quantum VPNs: ML-KEM Deployment Status Across Tunnel Providers</a>.</p>
<h2>Consumer and cloud VPN provider status: what enterprise architects can learn</h2>
<p>Enterprise architects should not deploy consumer VPN products in enterprise environments. This section is about what consumer VPN deployment experience tells us about protocol feasibility.</p>
<p>Cloudflare was an early adopter of post-quantum hybrid TLS, deploying a hybrid construction using Kyber768 (the draft algorithm that became ML-KEM) in its 1.1.1.1 DNS service and WARP VPN product in 2023. Following NIST finalisation of FIPS 203, Cloudflare has published intentions to migrate from the Kyber draft construction to ML-KEM-768 per the final standard. [ASSUMED: verify current WARP deployment status against Cloudflare's technical blog.] Cloudflare Research has published performance benchmarks for the hybrid key exchange: approximately 1 KB additional data in the TLS ClientHello, with negligible latency impact on modern server hardware. That figure is the most useful data point from consumer VPN experience for enterprise architects: hybrid ML-KEM-768 TLS is proven at internet scale, and the overhead is not a blocking concern for performance planning.</p>
<p>NordVPN has announced ML-KEM-768 hybrid deployment in its desktop and mobile applications, using a hybrid approach where both the classical IKEv2 and ML-KEM shared secrets are combined in session key material. [ASSUMED: verify current NordVPN implementation details and whether the feature is default or opt-in.] ExpressVPN had referenced post-quantum research in its communications but had not deployed a production ML-KEM implementation as of August 2025. [ASSUMED: verify current status.] Treated as a pattern rather than individual data points, the consumer VPN ecosystem shows ML-KEM-768 hybrid deployment at commercial scale is operationally feasible, which supports the case for enterprise IKEv2 hybrid deployment on purpose-built platforms.</p>
<h2>What to evaluate: the six-dimension enterprise VPN assessment</h2>
<p>For enterprise IPsec/IKEv2 site-to-site VPN assessment, the six dimensions that matter are:</p>
<ol>
<li><strong>Protocol support.</strong> Does the deployed software version support ML-KEM as an IKEv2 transform type? Not the announced version. The version running in production today.</li>
<li><strong>Hybrid mode.</strong> Is classical DH combined with ML-KEM hybrid mode supported? Which DH groups can be combined with which ML-KEM parameter sets? For CNSA 2.0 environments, the hybrid must use ML-KEM-1024; for commercial use, ML-KEM-768 applies.</li>
<li><strong>FIPS 140-3 validation.</strong> Is the post-quantum module FIPS 140-3 validated, or is the validation pending? For US government environments, an unvalidated module is not a usable production option regardless of algorithmic correctness.</li>
<li><strong>Interoperability.</strong> Has the vendor tested interoperability with other vendor implementations against the IETF IPSECME working group test vectors? Multi-vendor VPN estates, which are common in large organisations, need active interoperability testing. Individual vendor claims of compliance with the IETF draft are not equivalent to tested interoperability between two different vendors' implementations.</li>
<li><strong>Performance at scale.</strong> What is the measured IKE handshake overhead with ML-KEM-768 or ML-KEM-1024 on the specific hardware platform, at the expected number of concurrent tunnels? The Cloudflare performance data on TLS hybrid overhead is a useful reference, but enterprise gateway hardware processing thousands of concurrent IPsec SAs is a different workload profile than TLS at an internet edge.</li>
<li><strong>Management plane.</strong> Does the VPN management console support configuring PQC algorithm selection per tunnel? An environment where hybrid ML-KEM is enabled globally but cannot be scoped to specific tunnels or peer groups creates operational management complexity during phased rollout.</li>
</ol>
<p>WireGuard with Rosenpass is technically sound but operationally immature for most enterprises. The Rosenpass protocol has been formally verified by Girol et al. (2023) and the tooling is actively maintained. Central key management, monitoring integration, and policy enforcement tooling for Rosenpass is not yet comparable to what the IPsec ecosystem provides. If WireGuard is part of your environment, evaluate Rosenpass in a pilot context before committing to enterprise-wide deployment. The protocol works; the enterprise management layer is the open question.</p>
<h2>A practical starting point: assessing what you currently run</h2>
<p>Before evaluating vendor roadmaps, a network architect needs an accurate picture of their current VPN estate. Three questions produce the information that makes everything else tractable.</p>
<p>First: which VPN software version is actually running in production across each site-to-site tunnel group and each client VPN gateway? Not the version in the procurement contract. The version returned by the management console today. Organisations that have not refreshed VPN firmware in 18 months or more are likely running versions that pre-date any vendor's post-quantum feature releases, regardless of what the vendor's current product sheet shows.</p>
<p>Second: which key exchange algorithm is in use per tunnel? IPsec IKEv2 SA logs record the negotiated DH group. If your estate shows DH Group 2 (modular exponential 1024-bit) or DH Group 14 (2048-bit MODP) in production tunnels, the first migration objective is not PQC but moving to ECDH Group 19 or 20. Deploying ML-KEM hybrid on top of weak classical groups is poor ordering. The classical component should be Group 19 (P-256) or Group 20 (P-384) before adding ML-KEM. Groups 19 and 20 are already mandated under CNSA 1.0 for NSS environments; their absence in commercial VPN estates is common.</p>
<p>Third: is there a multi-vendor boundary in the VPN estate? Site-to-site tunnels between a Cisco endpoint and a Fortinet endpoint require interoperability testing specifically for the PQC key exchange negotiation, not just for the standard IKEv2 base protocol. Identifying multi-vendor boundaries before beginning PQC deployment lets the interoperability testing be planned as a programme task rather than discovered as a production incident.</p>
<p>These three questions can be answered from existing management console data and IKEv2 SA logs without any new tooling. The answers determine whether the PQC migration is a near-term configuration change or a multi-phase firmware and renegotiation programme.</p>
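<p>The three questions above, applied to a tunnel inventory, as an added example that is not part of the original article or any vendor's tooling. The CSV layout, the tunnel names, and the step labels are assumptions made for illustration; the per-vendor baseline versions are the ones in the article's comparison table, which marks them as needing verification.</p>

```python
import csv
import io

# Constructed sample inventory (not real device output). One row per tunnel,
# filled in from the management console and the IKEv2 SA logs of the local end.
SAMPLE_INVENTORY = """\
tunnel,local_vendor,local_version,peer_vendor,dh_group
hq-to-dc1,cisco,17.13.1,cisco,20
hq-to-branch7,cisco,17.9.4,cisco,14
dc1-to-partner,cisco,17.13.1,fortinet,19
branch3-to-dc2,fortinet,7.2.8,fortinet,2
branch9-to-dc2,fortinet,7.4.3,fortinet,19
lab-to-dc1,fortinet,7.6.0,fortinet,21
"""

# Classical groups the article names, keyed by IKEv2 DH group number.
WEAK_GROUPS = {2: "1024-bit MODP", 14: "2048-bit MODP"}
TARGET_GROUPS = {19: "ECDH P-256", 20: "ECDH P-384"}

# Operator-supplied baseline: first release assumed to carry ML-KEM.
# Values copied from the article's table, which flags them as unverified;
# replace them with figures from the current release notes for your platform.
PQC_BASELINE = {"cisco": "17.13", "fortinet": "7.6"}


def parse_version(text):
    """Turn '17.9.4' into (17, 9, 4); return None if it is not dotted-numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def assess_tunnel(row, baseline):
    """Answer the three questions for one tunnel and pick the next step."""
    group = int(row["dh_group"])
    deployed = parse_version(row["local_version"])
    minimum = parse_version(baseline.get(row["local_vendor"], ""))

    # Question 1: is the deployed release at or above the PQC baseline?
    if deployed is None or minimum is None:
        firmware = "unknown"
    elif deployed >= minimum:
        firmware = "pqc-capable"
    else:
        firmware = "upgrade-needed"

    # Question 3: does the tunnel cross a vendor boundary?
    multi_vendor = row["local_vendor"] != row["peer_vendor"]

    # Question 2 drives the ordering: fix a weak classical group before
    # layering ML-KEM on top of it.
    if group in WEAK_GROUPS:
        next_step = "move-to-group-19-or-20"
    elif group not in TARGET_GROUPS:
        next_step = "review-group-manually"
    elif firmware != "pqc-capable":
        next_step = "upgrade-firmware"
    elif multi_vendor:
        next_step = "interop-test-hybrid"
    else:
        next_step = "enable-hybrid-ml-kem"

    return {
        "tunnel": row["tunnel"],
        "dh_group": group,
        "firmware": firmware,
        "multi_vendor": multi_vendor,
        "next_step": next_step,
    }


def assess_inventory(csv_text, baseline):
    """Assess every tunnel in a CSV inventory with the header shown above."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [assess_tunnel(row, baseline) for row in reader]


if __name__ == "__main__":
    for result in assess_inventory(SAMPLE_INVENTORY, PQC_BASELINE):
        print(
            f"{result['tunnel']:<16} group={result['dh_group']:<3} "
            f"firmware={result['firmware']:<15} "
            f"multi_vendor={result['multi_vendor']!s:<6} -> {result['next_step']}"
        )
```

<p>Each row describes only the local endpoint, so run the same assessment from the peer side before treating a tunnel as ready for hybrid key exchange.</p>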
<h2>Deployment timeline: when you must act</h2>
<p>NIST IR 8547 (November 2024) specifies that RSA and ECDH are deprecated for new use from 2030. For VPN infrastructure, that means new VPN deployments from 2030 must use PQC or hybrid PQC key exchange. Existing deployments must complete migration by 2035. Both dates carry weight for network architects planning infrastructure.</p>
<p>The operational implication is straightforward but frequently missed. Most enterprise network infrastructure runs on refresh cycles of three to five years. A network architect planning a VPN infrastructure refresh now who does not specify PQC-capable platforms as a mandatory requirement is locking in quantum-vulnerable infrastructure for another five years, taking the estate to 2031 or later on non-compliant kit. The 2030 new-use deadline will already have passed by the time that refresh cycle ends. The specification conversation is not something to defer to the next procurement cycle. It is a requirement for the current one.</p>
<p>For organisations in scope for CNSA 2.0, the timeline is tighter: the software and network device category begin-transition date was 2025. If your NSS-category VPN infrastructure has not begun transition, the NSA timeline is already behind you.</p>
Security teams at financial institutions, critical infrastructure operators, and defence contractors typically carry memberships with ISC2, ISACA, or BCS. Those associations do important work. They also cannot serve as specialist quantum security communities, and in 2026 that distinction has started to matter in ways that are operationally concrete rather than theoretical.
Quantum security training is a buyer's market in the worst sense: provider marketing has converged on the same vocabulary regardless of actual quality. This article is a quality framework you can apply to any programme — verifiable from a curriculum document, a sample session, or a direct conversation with the programme team.
The standard reassurance that older data is encrypted and therefore protected does not hold against a CRQC running Shor's algorithm. This article explains why 2018-era TLS archives carry a specific and growing risk reaching its credible lower bound in 2030, and what risk management options remain for organisations that cannot re-encrypt historical archives.
The quantum threat does not map uniformly onto cryptography. Shor's algorithm breaks asymmetric cryptography completely. Grover's algorithm weakens symmetric cryptography. Those two outcomes require different responses on different timescales. This article explains the distinction and what it means for migration planning.
Hardware announcements in quantum computing follow a reliable pattern: a large headline number, a spectacular benchmark, and a wave of coverage about what it means for encryption. The coverage rarely explains the one piece of information that would let a security professional make a sensible risk judgement: the difference between a physical qubit and a logical qubit.
Critical national infrastructure is a different post-quantum problem. The data lifetimes are longer, the patching cycles are slower, and the disruption potential of a future decryption event is not a data breach notification. It is a power cut.
Every time you sign a contract digitally, download a software update, or visit a website over HTTPS, a digital signature is working in the background. The mathematics underpinning those signatures has a problem: a future quantum computer will be able to break it. NIST published its transition timeline in November 2024, and the clock is now running.
If you are evaluating hybrid post-quantum TLS deployment for production infrastructure, this article provides the numbers: CPU cycles, key sizes, bandwidth overhead per TLS handshake, real-world latency data from Cloudflare and Chrome deployments at scale, and the QUIC-specific constraints practitioners routinely underestimate.
Government security programmes increasingly encounter QKD in briefings and vendor pitches, often without a clear picture of where it has been deployed, what problems emerged, and why two leading government cybersecurity agencies have explicitly declined to endorse it. This article provides that picture.
Most post-quantum migration guidance directs organisations to ML-DSA for all signature needs. For firmware signing pipelines, long-lived code signing infrastructure, and document archiving with 50-year retention requirements, however, defaulting to ML-DSA without evaluating the alternatives leaves a technically superior option on the table. XMSS and LMS produce smaller signatures than ML-DSA-87 and carry the most conservative security assumption available in any deployed signature scheme today.
Writing about quantum threats to blockchain almost always starts at Layer 1: Shor's algorithm breaks secp256k1, Bitcoin and Ethereum wallet keys are at risk, the community needs to migrate. What it omits is where most on-chain economic activity actually runs today. Arbitrum and Optimism together process more transactions per day than Ethereum mainnet. These Layer 2 rollup systems sit on top of the ECDSA vulnerability, and they introduce a different and more complex PQC migration surface than Layer 1 alone.
The terminology around quantum security has drifted badly enough that practitioners working from plausible-sounding assumptions are making procurement decisions, technical designs, and board presentations based on claims that do not hold up. Nine misconceptions, each with a concrete consequence when acted upon.
Most organisations do not have a cryptography problem. They have a hardcoded cryptography problem. The distinction matters because the solution to the first is algorithm replacement, and the solution to the second is architecture redesign. Post-quantum migration forces both, but the architectural work is what takes years and what the PQC literature consistently underweights.
Before 2021, most cyber insurance questionnaires asked whether you had a firewall and an incident response plan. Then ransomware losses climbed steeply enough to move underwriters. The same mechanism exists for post-quantum cryptography. Loss events have not occurred yet, but the architecture of how quantum risk enters the insurance market is visible now.
When Apple launched iMessage PQ3 in February 2024, coverage declared that iPhones were now quantum-safe. When Google deployed hybrid post-quantum TLS through Chrome, similar statements followed. Both claims require qualification. Post-quantum on mobile is not a single thing. It describes at least four distinct cryptographic layers on a device, each with a different migration status.
Signal, iMessage, and WhatsApp all made post-quantum announcements between 2023 and 2024. Each application addressed a specific cryptographic component. None of them addressed everything. Understanding what changed, what remains classically vulnerable, and why the distinction matters requires looking at the actual protocol mechanics rather than the press releases.
A structured analysis of the public evidence for Harvest Now Decrypt Later campaigns by state-attributed actors, distinguishing documented collection behaviour from defensible inference.
Hybrid PQC runs two independent key exchange algorithms simultaneously so an attacker must break both. This guide covers combiner constructions, TLS standards, and the X-Wing versus Draft00 distinction.
The quantum migration for most SMB data sits with cloud vendors, not with you. This guide explains the real threat, who is responsible, and the four areas where an SMB genuinely has agency.
Google Willow demonstrated below-threshold error correction in December 2024. What that milestone actually means for the timeline to a cryptographically relevant quantum computer, and why it does not compress the migration window.
AWS, Azure, and GCP have deployed PQC on parts of their infrastructure. The shared responsibility model means customer-controlled workloads remain exposed. What providers handle and what they do not.
End-to-end encryption protects against interception today. Quantum computers will break the key exchange that underpins it. Signal's PQXDH shows what the fix looks like in production.
Most enterprise cyberattacks are unaffected by quantum computing. Three categories are not. This analysis maps quantum relevance against the 10 most common attack types so security teams know where to act and what to ignore.