Security Teams · Free Tool
Six questions. An instant assessment of which post-quantum cryptography concern is most relevant to your organisation. No account required. Results appear on this page.
The PQC Migration Decision Tree routes your organisation to the post-quantum cryptography concern most relevant to your situation. It is not a risk score. There is no numerical output. The design is intentional: many organisations at the awareness stage need a clear statement of which problem is theirs, not a weighted aggregate they cannot yet interpret.
Questions branch based on your answers. If you indicate no long-lived sensitive data, you will not see the follow-up questions about certificates and devices. The shortest path is three questions; the longest is eight. Most paths complete in under two minutes.
Six outcomes cover the primary PQC concern categories: low immediate relevance, long-lived data exposure, trust infrastructure, regulatory obligation, migration complexity, and broad readiness required. Each outcome maps to the most appropriate next step.
Quantum Security and Defence does not collect, associate, or retain your name or your company name when you use these tools. All information is stored only for the duration of the browser session.
We collect only country, industry, and results data. This information is anonymised and cannot be associated with you or your company. Such anonymised data may be used for industry-level reporting, shared with members, incorporated into our research, and provided to government departments to support lobbying activity and the communication of industry readiness.
By using this tool, you consent to the provision of results data on a strictly anonymised basis. No personal name, email address, or company name is stored.
Country is recorded anonymously for industry-level reporting only.
Required to calculate your score, recorded anonymously.
Industry selection is required and recorded anonymously. It does not affect the outcome routing.
Not recorded. Only used to create your PDF report in the browser session.
Name and company are used only within your browser session. They are not stored or transmitted.
Think about your most important records: contracts, personnel files, health records, financial transaction histories, intellectual property, legal documents, classified information. The key question is: if someone captured encrypted copies of this data today and could read it in 10 years, would that cause material harm?
Your answer is used to calculate your score. Results data is recorded anonymously for benchmarking. No email, name, or company details are transmitted or stored.
This covers TLS certificates for websites and APIs, code signing certificates for software releases, firmware signing for devices, certificate authorities (CA) you operate or rely on, and identity certificates in access management systems. The question is about how central these are to your operations, not just whether they exist.
This includes IoT devices, medical devices, industrial control systems, operational technology (OT), network equipment, and any hardware that uses certificates or cryptographic keys baked in at manufacture and is difficult to update remotely. The concern is about the cryptographic lifetime of the device: a device in service for 10 years will outlast the safety window for current asymmetric algorithms.
This covers financial services regulation (PCI DSS, DORA), healthcare regulation (HIPAA, NHS Digital standards), government and defence standards (NCSC Cyber Essentials Plus, ISO 27001 in regulated contexts, government procurement frameworks), critical infrastructure requirements, and any contracts with quantum-readiness or cryptographic standard clauses. If your organisation is subject to external audit of your cryptographic practices, answer Yes.
This means cloud key management services (AWS KMS, Azure Key Vault, Google Cloud KMS), hardware security modules (HSMs) provided or managed by third parties, SaaS platforms whose encryption capabilities you cannot directly configure, or telecommunications providers whose network encryption you rely on. If your organisation's ability to migrate cryptography depends on decisions made by your vendors, that dependency is relevant here.
This means systems that run outdated operating systems or software, embedded systems with fixed cryptographic libraries, industrial control systems with long refresh cycles, or any critical infrastructure that cannot be updated without significant downtime or capital expenditure. If your organisation is running systems that were deployed 10 or more years ago and are still in production, consider them legacy for this purpose.
Professional Advisory
The Decision Tree identifies your primary concern. The Quantum Threat Exposure Assessment scores your organisation across all risk domains and produces an evidence base for leadership decision-making.