Free Tool · Quantum Security
Answer ten questions about your organisation and receive a personalised, prioritised checklist of post-quantum cryptography actions. Written for security and compliance leads who need a practical starting point, not a generic framework. Results appear on this page. No account required.
This checklist generator uses a rule-based engine: your answers trigger specific actions from a library of 28 items, each with a suggested owner and priority. Items are grouped by type of work: governance, cryptographic visibility, trust infrastructure, vendor management, migration planning, and compliance.
The library reflects the NIST post-quantum cryptography migration guidance (NIST SP 800-208 and the published FIPS 203, 204, and 205 standards), the UK NCSC's quantum-safe migration guidance, and QSECDEF's advisory experience across government, defence, and financial services organisations.
This tool produces a prioritised starting point, not a full engineering audit. For a comprehensive cryptographic inventory and migration roadmap, speak to the QSECDEF team.
Quantum Security and Defence does not collect, associate, or retain your name or your company name when you use these tools. All information is stored only for the duration of the browser session.
We collect only sector, organisation size, and results data. This information is anonymised and cannot be associated with you or your company. Such anonymised data may be used for industry-level reporting, shared with members, incorporated into our research, and provided to government departments to support lobbying activity and the communication of industry readiness.
By using this tool, you consent to the provision of results data on a strictly anonymised basis. No personal name, email address, or company name is stored.
Country is recorded anonymously for industry-level reporting and to tailor regulatory context to your jurisdiction.
This helps tailor the checklist to the regulations and risks most relevant to your industry.
The Industry selection is required and recorded anonymously. Your industry may impact your score. Be sure to choose your nearest industry category.
Size affects how many systems you are likely to have, and how complex a cryptographic inventory will be.
Your answer is used to calculate your score. Results data is recorded anonymously for benchmarking. No email, name, or company details are transmitted or stored.
Think about the most sensitive data you hold: patient records, contracts, financial histories, proprietary research. How long must that data stay secret?
This is about the category of information, not just how much there is. Regulated data (medical records, financial data, personal identity data, classified information) is inherently more sensitive than general business data.
Certificate authorities issue the digital credentials that prove websites and services are genuine. Code signing proves that software has not been tampered with. Device trust verifies that hardware is authentic. You may depend on these even if you do not run your own systems, for example if you rely on a supplier who uses code-signed firmware.
This affects which systems need the most attention and how straightforward a migration is likely to be.
Some sectors have specific legal or contractual requirements to demonstrate quantum security readiness. This helps tailor the checklist to any compliance deadlines that apply to you.
Legacy systems are older systems that are difficult to update or replace: mainframes, hardware security modules purchased before 2020, embedded systems with limited update capability, or bespoke industrial platforms.
If key parts of your infrastructure are managed by suppliers (cloud providers, hardware vendors, software companies), your migration may depend on those suppliers acting first.
Be honest. There is no wrong answer. The checklist will be most useful if it starts from where you actually are.
Not recorded. Only used to create your PDF report in the browser session.
Name and company are used only within your browser session. They are not stored or transmitted.
Professional Advisory
This tool produces a prioritised action checklist. For a comprehensive cryptographic inventory, migration roadmap, and regulatory exposure review, engage directly with the QSECDEF team.