
Security Teams · Free Tool

Quantum Threat Exposure Assessment

Seven questions. An instant directional score for quantum cryptographic risk relevance across your organisation. No account required. Results appear on this page. Nothing is transmitted from your browser.

About this tool

Quantum cryptographic risk does not affect all organisations equally or on the same timeline. The factors that determine urgency include the sensitivity and longevity of data held, the cryptographic infrastructure an organisation operates, its regulatory environment, and how difficult a transition to quantum-safe standards is likely to be. For most organisations, the question is not whether to act but when action becomes necessary and how much lead time the transition requires.

This assessment scores your organisation across seven factors drawn from NIST post-quantum cryptography migration guidance and NCSC quantum transition frameworks. Industry sector and data confidentiality lifetime together account for 40% of the result, reflecting that these two variables are the strongest combined predictors of quantum risk urgency. Data sensitivity, trust infrastructure dependence, regulatory exposure, migration complexity, and vendor dependency contribute the remaining weight in descending order. Together they produce a score between 20 and 100 and assign your organisation to one of four exposure tiers.

Two points are important for interpreting the output correctly.

First, the score is a directional indicator, not a technical audit. The tool does not inspect your cryptographic infrastructure, inventory your certificate estate, or analyse your network architecture. It produces an exposure estimate based on the type of organisation you are and the characteristics of the data you hold. A high score indicates that the combination of your inputs creates conditions under which quantum cryptographic risk is a material planning concern. It does not confirm a breach or identify specific vulnerable systems.

Second, current encryption remains computationally secure against any adversary operating today. RSA and elliptic curve cryptography are not broken. The risk this tool assesses is prospective and structural: the standards underpinning current public-key cryptography will become vulnerable to a cryptographically relevant quantum computer (CRQC) once one is operational. Planning and migration take time. Organisations that are difficult to migrate need to start earlier, not later.

The scoring formula is: Score = (Sector x 0.20 + Longevity x 0.20 + Sensitivity x 0.20 + Trust x 0.15 + Regulatory x 0.10 + Legacy x 0.10 + Vendor x 0.05) x 20.
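The formula above, worked through as an added example (not the tool's own code). It assumes each answer maps to an integer rating from 1 to 5, which is what the stated 20 to 100 range implies; the factor key names and the sample answers are illustrative.

```javascript
// Added example. Weights are the page's formula expressed as integer
// percentages, so the arithmetic stays exact.
const WEIGHTS = {
  sector: 20, longevity: 20, sensitivity: 20, trust: 15,
  regulatory: 10, legacy: 10, vendor: 5,
};

// Assumption: every answer is an integer rating from 1 (lowest) to 5 (highest).
const MIN_RATING = 1;
const MAX_RATING = 5;

// Score = (sum of weight x rating) x 20, with weights as fractions of 1.
// With percentage weights that is sum(weightPct * rating) / 5.
function exposureScore(ratings) {
  let weighted = 0;
  const contributions = [];
  for (const [factor, weightPct] of Object.entries(WEIGHTS)) {
    const rating = ratings[factor];
    if (!Number.isInteger(rating) || rating < MIN_RATING || rating > MAX_RATING) {
      throw new RangeError(`${factor}: expected an integer rating 1-5`);
    }
    weighted += weightPct * rating;
    contributions.push({ factor, points: (weightPct * rating) / 5 });
  }
  // Largest contributors first: these drive the result.
  contributions.sort((a, b) => b.points - a.points);
  return { score: weighted / 5, contributions };
}

// Most a single factor can move the score (rating 1 -> 5), in points.
function factorSwing() {
  const swing = {};
  for (const [factor, weightPct] of Object.entries(WEIGHTS)) {
    swing[factor] = (weightPct * (MAX_RATING - MIN_RATING)) / 5;
  }
  return swing;
}

// Constructed sample answers, not real assessment data.
const SAMPLE = {
  sector: 4, longevity: 5, sensitivity: 3, trust: 2,
  regulatory: 4, legacy: 1, vendor: 3,
};
const result = exposureScore(SAMPLE);
console.log(result.score, result.contributions[0].factor, factorSwing());
```

Under that 1 to 5 assumption, the per-factor swing shows how little the low-weight answers can shift the result: vendor dependency moves the score by at most 4 points, while sector, longevity or sensitivity can each move it by 16.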

Important Information

Quantum Security and Defence does not collect, associate, or retain your name or your company name when you use these tools. All information is stored only for the duration of the browser session.

We collect only country, industry, and results data. This information is anonymised and cannot be associated with you or your company. Such anonymised data may be used for industry-level reporting, shared with members, incorporated into our research, and provided to government departments to support lobbying activity and the communication of industry readiness.

By using this tool, you consent to the provision of results data on a strictly anonymised basis. No personal name, email address, or company name is stored.

Complete the Assessment
STEP-BY-STEP  ·  RESULTS ON THIS PAGE  ·  NO ACCOUNT REQUIRED
Context. Step 1 of 9

Your Country

Country is recorded anonymously for industry-level reporting only.

Context. Step 2 of 9

Your Industry

Required to calculate your score, recorded anonymously.

The Industry selection is required and recorded anonymously. Your industry may impact your score. Be sure to choose your nearest industry category.

About You. Step 3 of 9

About You

Not recorded. Only used to create your PDF report in the browser session.

Name and company are used only within your browser session. They are not stored or transmitted.

Factor 1 of 6. Step 4 of 9
Weight: 20%

How long does your most sensitive data need to stay confidential?

Consider the data your organisation most needs to protect from future exposure. Operational logs, short-lived transaction records, and publicly accessible communications have minimal exposure under long-horizon threat scenarios. The question is: if an adversary captured encrypted copies of your most sensitive records today and could read them in ten to fifteen years, what would be the consequence? Select the longest confidentiality period that applies to any significant data category your organisation holds.

Your answer is used only to calculate your score. Nothing is transmitted from your browser.

Factor 2 of 6. Step 5 of 9
Weight: 20%

How sensitive is the data your organisation handles?

Assess the most sensitive category in your organisation's data estate, not the average. If your organisation holds data across multiple sensitivity levels, select the highest applicable category. Consider personal records, financial data, health information, confidential contracts, intellectual property, and classified or national security material.

Factor 3 of 6. Step 6 of 9
Weight: 15%

How much does your organisation rely on digital certificates, code signing, or device trust systems?

Certificate authorities issue digital certificates that underpin identity verification across the internet. Code signing confirms that software has not been tampered with between release and installation. Device trust systems verify that hardware is genuine and unmodified. If your organisation operates any of these systems, or if your products include them, select the description that most accurately reflects your level of dependence.

Factor 4 of 6. Step 7 of 9
Weight: 10%

How heavily regulated is your organisation?

Some sectors face formal requirements to prepare for quantum cryptographic threats. Finance, critical infrastructure, government, healthcare, and defence face the earliest and most specific obligations. Regulatory exposure determines when formal action is required, independent of technical readiness.

Factor 5 of 6. Step 8 of 9
Weight: 10%

How difficult would it be for your organisation to update its cryptographic systems?

Modern cloud-native systems can update cryptographic libraries in weeks. Legacy systems, embedded hardware, and bespoke industrial equipment may require physical replacement or multi-year upgrade programmes. The longer your migration will take, the earlier planning needs to begin. This factor captures how constrained your migration timeline is by the systems you currently operate.

Factor 6 of 6. Step 9 of 9
Weight: 5%

How dependent is your organisation on third-party vendors for its core cryptographic systems?

High dependency means your organisation cannot migrate to quantum-safe cryptography without your vendors making changes first. This includes cloud providers, hardware security module vendors, software platforms, and industrial system suppliers. Where your migration is contingent on a vendor's roadmap, understanding that roadmap early is an independent priority alongside your internal programme.

Professional Advisory

Need a full quantum security assessment?

This tool produces a directional exposure score. For a structured assessment of your organisation's PQC readiness, cryptographic estate inventory, and regulatory obligations, engage directly with our advisory team to identify a local consulting partner for your business.
