
Security Teams · Free Tool

Post-Quantum Cryptography Risk Assessment

Nine questions across five risk factors produce a sector-adjusted PQC risk score for your organisation. No account required. No data is transmitted. Results appear on this page when the assessment is complete.

Security Teams
About this tool

Post-quantum cryptography (PQC) migration is not a single event. It is a multi-year engineering and governance programme whose duration depends on the complexity of an organisation's cryptographic estate, the sensitivity and longevity of the data it protects, and the external compliance obligations it operates under. NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024, establishing the first formal standards for quantum-resistant public-key cryptography. Those publications started regulatory clocks across multiple jurisdictions. Organisations that have not yet assessed their exposure are now working against published timelines.

This tool scores your organisation across five factors that together capture the main dimensions of PQC migration risk. Cryptographic exposure measures the breadth of your organisation's dependence on public-key algorithms that a cryptographically relevant quantum computer (CRQC) would break. Data longevity addresses the confidentiality window of your most sensitive data and its intersection with the projected CRQC threat window under the Mosca inequality. Trust dependence captures your reliance on digital signature infrastructure, certificate chains, and firmware integrity mechanisms that are similarly vulnerable to quantum attack. Regulatory pressure reflects the pace at which formal compliance obligations are arriving in your sector. Migration difficulty accounts for the architectural and operational constraints that will determine how long your transition actually takes. Sector selection adjusts the weighting of these five factors to reflect the documented risk distribution for your industry. Three qualifier questions about your current preparedness, supply chain dependencies, and board-level engagement then shape the recommendations without altering the base score.

Two points are essential for interpreting the output correctly.

First, this is a triage instrument, not an audit. The tool does not examine your cryptographic estate directly. It does not enumerate your certificates, inspect your key management infrastructure, or analyse your network architecture. It produces a directional risk estimate from your responses. A high score reflects conditions in which PQC migration risk is likely to be material and time-sensitive. It does not confirm that a specific vulnerability exists.

Second, the score should be read alongside the qualifier context. Two organisations with identical base scores may face very different immediate priorities depending on whether a cryptographic inventory has been completed, whether their supply chain has published PQC roadmaps, and whether their board has mandated a formal programme. The qualifier section surfaces these distinctions in the recommendations.

The scoring model draws on NIST post-quantum cryptography migration guidance (NIST IR 8413, NIST SP 1800-38 series), NSA CNSA 2.0 transition timelines, and NCSC guidance on quantum security migration planning. Sector weight adjustments reflect the risk distributions documented in these guidance materials across defence, financial services, healthcare, government, telecommunications, and industrial environments.

Important Information About How We Use This Data

Quantum Security and Defence does not collect, associate, or retain your name or your company name when you use these tools. All information is stored only for the duration of the browser session.

We collect only country, industry, and results data. This information is anonymised and cannot be associated with you or your company. Such anonymised data may be used for industry-level reporting, shared with members, incorporated into our research, and provided to government departments to support lobbying activity and the communication of industry readiness.

By using this tool, you consent to the provision of results data on a strictly anonymised basis. No personal name, email address, or company name is stored.

Complete the Assessment
STEP-BY-STEP  ·  RESULTS ON THIS PAGE  ·  NO ACCOUNT REQUIRED
Context. Step 1 of 11

Your Country

Country is recorded anonymously for industry-level reporting only.

Context. Step 2 of 11

Your Industry

Required to calculate your score, recorded anonymously.

Industry selection is required and recorded anonymously. It may directly affect scoring weights, so choose carefully.

About You. Step 3 of 11

About You

Not recorded. Only used to create your PDF report in the browser session.

Name and company are used only within your browser session. They are not stored or transmitted.

Factor 1 of 5. Step 4 of 11

To what extent does your organisation directly manage cryptographic infrastructure that relies on public-key algorithms?

Weight: 30% (adjusted by sector)

This question assesses the breadth of your organisation's direct ownership and management of cryptographic infrastructure using algorithms that a CRQC would break: specifically RSA, elliptic curve cryptography (ECDH, ECDSA), and finite field Diffie-Hellman. Consider your VPN gateways, internal certificate authorities, PKI deployments, code-signing infrastructure, hardware security modules, and any embedded or industrial systems with hardcoded cryptographic controls. Organisations that rely primarily on hyperscaler cloud services for cryptographic functions carry less direct migration burden than those operating substantial internal cryptographic infrastructure.

Your answer is used only to calculate your score locally in your browser.

Factor 2 of 5. Step 5 of 11

What is the longest period for which your organisation's most sensitive data must remain confidential?

Weight: 25% (adjusted by sector)

Consider the category of data in your organisation whose exposure would cause the most severe and lasting harm. The risk concentrates in data that must remain confidential for many years: patient records, legal privilege, defence procurement records, long-term financial data, intellectual property, and classified material. Under the Mosca inequality, data with confidentiality requirements that extend into the anticipated CRQC threat window is at prospective risk today, because an adversary capturing encrypted data now could hold it until decryption becomes feasible. Select the longest period that applies to any material data category your organisation is responsible for protecting.

Your answer is used only to calculate your score locally in your browser.

Factor 5 of 5. Step 6 of 11

How complex will the transition to quantum-resistant cryptography be for your organisation's technical environment?

Migration difficulty is the X variable in the Mosca inequality: the number of years required to complete the transition to quantum-safe cryptography. Organisations that underestimate X when planning their programme often discover that the practical timeline is considerably longer than the notional one. Modern cloud-native systems with managed cryptographic services can typically adopt PQC algorithm support as hyperscalers and library maintainers release it. The challenge concentrates in legacy systems, embedded and industrial environments, air-gapped networks, hardware security modules that cannot be upgraded in firmware, and systems with deeply integrated cryptographic dependencies that would require architectural change rather than algorithm substitution. If your organisation relies on hardware that was not designed with cryptographic agility in mind, assume that the migration timeline for those components will be governed by hardware replacement cycles, not software update schedules.

Weight: 10% (adjusted by sector)

Your answer is used only to calculate your score locally in your browser.
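
The Mosca check that the data longevity and migration difficulty factors rely on, worked through per asset as an added example (it is not this tool's scoring code). The asset names, year figures and the two CRQC arrival scenarios are constructed assumptions, and the variables use descriptive names rather than letters.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality_years: int  # how long the data must stay secret
    migration_years: int        # years until its protection is quantum-safe

# Constructed sample estate; the figures are illustrative assumptions.
ASSETS = [
    Asset("patient records (cloud-native app)", 30, 3),
    Asset("procurement archive (legacy HSM)", 25, 8),
    Asset("plant telemetry link (embedded)", 5, 12),
    Asset("web session data", 1, 3),
]

# Assumed years until a CRQC exists; planning scenarios, not forecasts.
CRQC_SCENARIOS = {"early": 10, "late": 20}

def exposure_years(asset, years_to_crqc):
    """Years during which captured ciphertext is readable but still sensitive.

    Data encrypted on the last day before migration completes must stay
    secret until migration_years + confidentiality_years from now. Anything
    past years_to_crqc is exposed to harvest-now-decrypt-later.
    """
    return max(0, asset.migration_years + asset.confidentiality_years - years_to_crqc)

def migration_budget(asset, years_to_crqc):
    """Longest migration that leaves no exposure; negative means already late."""
    return years_to_crqc - asset.confidentiality_years

def triage(assets, scenarios):
    """Rank assets by worst-case exposure across the CRQC scenarios."""
    earliest = min(scenarios.values())
    rows = [
        {
            "asset": a.name,
            "exposure": {k: exposure_years(a, z) for k, z in scenarios.items()},
            "budget": migration_budget(a, earliest),
        }
        for a in assets
    ]
    return sorted(rows, key=lambda r: max(r["exposure"].values()), reverse=True)

if __name__ == "__main__":
    for row in triage(ASSETS, CRQC_SCENARIOS):
        print(f'{row["asset"]:38} exposure={row["exposure"]} budget={row["budget"]:+d}y')
```

In this sample the embedded telemetry link has a short confidentiality requirement yet is still exposed in the early scenario, purely because its migration is governed by a 12-year hardware replacement cycle.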

Qualifier. Step 7 of 11

What is your organisation's current state of PQC preparedness?

This question assesses how far your organisation has progressed. An organisation that has completed a cryptographic bill of materials (CBOM) and knows exactly where its quantum-vulnerable assets are requires different guidance from one that has not yet discussed quantum risk at executive level. Preparedness level is the only qualifier that modifies your numeric score: higher preparedness reduces the effective score to reflect that your organisation is ahead of the response curve relative to its exposure level.

Your answer is used only to tailor your recommendations locally in your browser.

Qualifier. Step 8 of 11

How dependent is your organisation on third-party vendors for cryptographic infrastructure?

PQC migration risk does not stop at your organisation's boundary. If your critical vendors have not published credible PQC roadmaps, your migration timeline is partly dependent on theirs. Organisations that aggregate quantum-vulnerable cryptographic dependencies across multiple suppliers face a coordination challenge in addition to their internal migration work. Consider whether your key technology vendors, managed service providers, or specialist system integrators have published or responded to questions about their PQC migration plans. If they have not, your supply chain contributes to your effective migration difficulty regardless of your own internal progress. This qualifier does not alter your score but shapes the supply chain element of your recommendations.

Your answer is used only to tailor your recommendations locally in your browser.

Qualifier. Step 9 of 11

What is your board's current level of engagement with PQC risk?

Board-level engagement determines the speed at which an organisation can act. A risk that has been formally presented to the board and assigned a named owner with budget authority moves into remediation faster than one that sits at technical team level without governance structure. NIS2 Directive Article 20 creates personal liability for management bodies on cybersecurity matters in EU member states, making board engagement a compliance question as well as a governance one. The board awareness qualifier shapes the call-to-action element of your recommendations without affecting your risk score.

Your answer is used only to tailor your recommendations locally in your browser.

Professional Advisory

Need a full quantum security assessment?

This tool produces a directional risk score from nine questions. A full assessment of your organisation's PQC readiness, cryptographic estate, regulatory exposure, and migration complexity requires direct engagement. Quantum Security Defence conducts structured PQC readiness assessments for organisations at all stages of the migration planning process.

Discuss your situation