PQC READINESS // CHIMERASCOPE
Quantified assessment of your cryptographic infrastructure against quantum computing threats — mapped to CRA, NIS2, and BSI TR-02102-1 compliance obligations.
Recent advances in quantum computing research have significantly reduced the estimated resources required to break widely deployed public-key cryptography. Organizations handling sensitive data — financial records, medical information, intellectual property, trade secrets — face a concrete timeline pressure that regulators are already acting on.
The core threat is straightforward: encrypted network traffic intercepted today can be stored and decrypted once quantum computers reach sufficient capability. This “harvest now, decrypt later” strategy makes post-quantum migration a present-day risk management priority, not a future consideration. Current estimates place the window between interception and decryption capability at three to ten years.
NIST finalized three post-quantum cryptographic standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) for hash-based signatures. Major infrastructure providers have already begun deployment — but the vast majority of organizations have not assessed their own readiness.
Our assessment evaluates cryptographic quantum readiness across every externally observable endpoint of your infrastructure. No access to internal systems is required.
Evaluation of TLS key exchange configurations across standardized post-quantum hybrid and pure algorithms. Determines whether your endpoints negotiate quantum-resistant key exchange or remain vulnerable to interception. Covers primary domains, subdomains, and additional service ports.
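The key-exchange check described above comes down to reading which named group the server selected in its TLS 1.3 ServerHello. The following is an added example, not Chimerascope's own tooling: it parses the key_share extension and classifies the group as a quantum-resistant hybrid or classical, using the public codepoints for X25519MLKEM768, SecP256r1MLKEM768 and the earlier X25519Kyber768Draft00; the ServerHello bytes are constructed for the demonstration.

```python
# Added example (not Chimerascope's tooling): classify the group a TLS 1.3 server chose.
import struct

KEY_SHARE = 0x0033
# Named-group codepoints -> (name, is_pq_hybrid). 0x11EB/0x11EC come from
# draft-ietf-tls-ecdhe-mlkem; 0x6399 is the earlier Kyber draft still seen in the wild.
GROUPS = {
    0x0017: ("secp256r1", False), 0x0018: ("secp384r1", False),
    0x001D: ("x25519", False),
    0x11EB: ("SecP256r1MLKEM768", True), 0x11EC: ("X25519MLKEM768", True),
    0x6399: ("X25519Kyber768Draft00", True),
}

def selected_group(record: bytes):
    """Return (group_name, is_pq_hybrid) for the ServerHello in one TLS record."""
    ctype, _legacy_ver, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or body[:1] != b"\x02":
        raise ValueError("not a ServerHello handshake record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                        # legacy_version + random
    pos += 1 + hs[pos]                  # legacy_session_id_echo
    pos += 2 + 1                        # cipher_suite + legacy_compression_method
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:               # walk extensions until key_share
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == KEY_SHARE:          # KeyShareEntry: group(2) | len(2) | share
            group = struct.unpack("!H", hs[pos:pos + 2])[0]
            return GROUPS.get(group, (f"unknown(0x{group:04x})", False))
        pos += elen
    raise ValueError("no key_share: not TLS 1.3 (EC)DHE, treat as not quantum-safe")

def build_server_hello(group: int, share: bytes) -> bytes:
    """Construct a minimal TLS 1.3 ServerHello record (test input, not captured)."""
    entry = struct.pack("!HH", group, len(share)) + share
    exts = struct.pack("!HH", 0x002B, 2) + b"\x03\x04"            # supported_versions
    exts += struct.pack("!HH", KEY_SHARE, len(entry)) + entry
    hs = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
          + struct.pack("!H", len(exts)) + exts)
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body

# Constructed samples: hybrid share = 1088-byte ML-KEM-768 ciphertext + 32-byte X25519 key.
HYBRID = build_server_hello(0x11EC, bytes(1088 + 32))
CLASSICAL = build_server_hello(0x001D, bytes(32))
```

In a live scan the record would come from a ClientHello that offers both hybrid and classical groups, so the server's choice reveals its preference rather than the client's.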
Certificate algorithm analysis including signature scheme assessment and migration readiness scoring. Evaluates whether your certificate infrastructure can transition to quantum-safe algorithms without operational disruption — a function of issuing authority, automation level, and pinning constraints.
STARTTLS post-quantum capability verification across your MX infrastructure. Email transport is one of the most overlooked quantum-vulnerable channels — current data indicates fewer than one percent of global mail servers support quantum-safe transport encryption.
Detection of protocol downgrade vulnerabilities that allow attackers to force connections onto older, quantum-vulnerable protocol versions even when newer protections are available. Includes SSH key exchange modernization assessment across all exposed management interfaces.
CDN-aware analysis that distinguishes between quantum protection provided at the network edge and protection native to your origin infrastructure — a critical distinction that no public scoring tool currently makes. Organizations relying on content delivery networks often assume full protection when only the edge layer is quantum-ready.
Our assessments across European industrial, financial, and technology organizations reveal a consistent pattern:
Post-quantum cryptographic readiness is not a theoretical concern — it is an emerging compliance requirement across multiple regulatory frameworks applicable to European organizations.
The CRA requires products with digital elements to implement cryptographic protections reflecting the state of the art. Article 10 mandates that manufacturers ensure confidentiality through “appropriate mechanisms and protocols” — language that increasingly encompasses post-quantum readiness as NIST standards mature. Vulnerability reporting becomes mandatory from September 2026, full compliance by December 2027.
Article 21 requires essential and important entities to implement “state-of-the-art” security measures proportionate to risk. As post-quantum cryptographic standards reach maturity, failure to assess and plan migration creates a demonstrable gap in the risk management measures NIS2 demands. Sector-specific guidance is expected to reference PQC migration timelines explicitly.
The German Federal Office for Information Security (BSI) maintains technical guidelines on recommended cryptographic algorithms. TR-02102-1 classifies ML-KEM and ML-DSA as recommended algorithms, providing concrete guidance for organizations operating in or serving the German market. BSI guidance carries particular weight for public-sector suppliers and regulated industries in the DACH region.
The Commercial National Security Algorithm Suite 2.0 establishes a timeline for deprecating quantum-vulnerable algorithms in national security systems. While US-centric, CNSA 2.0 timelines influence global supply chain requirements — organizations serving defense, aerospace, or dual-use technology sectors face cascading compliance obligations regardless of jurisdiction.
Each assessment produces a quantified readiness score reflecting actual deployment status across all externally observable cryptographic endpoints. The score accounts for transport layer configuration, certificate posture, email security, protocol resilience, and infrastructure architecture.
Post-quantum key exchange deployed across primary endpoints. Certificate infrastructure supports algorithm migration. Email transport includes quantum-safe protections. No significant protocol downgrade paths detected.
Partial post-quantum deployment — typically through CDN edge protection without origin-level implementation, or with gaps in email or SSH transport. Migration path exists but requires targeted action on specific infrastructure layers.
Limited or no post-quantum protections deployed. Certificate infrastructure may support migration but no active transition has begun. Protocol downgrade paths likely present. Recommended: begin migration planning within current budget cycle.
No quantum-safe protections detected. Legacy protocol versions accepted. Certificate management may impede rapid migration. Recommended: prioritize cryptographic inventory and migration roadmap as an immediate operational priority.
Significant cryptographic exposure including deprecated algorithms, absence of forward secrecy, and structural barriers to migration. Immediate assessment and remediation planning warranted.
Now. NIST standards are finalized, major infrastructure providers are deploying, and regulatory frameworks are incorporating post-quantum requirements. Organizations that begin assessment today will have migration roadmaps ready before compliance deadlines arrive.
Partially. Major CDN providers deploy post-quantum key exchange at the edge, but your origin server handles actual data processing. If your origin lacks quantum-safe protections, traffic between CDN and origin remains vulnerable. Our assessment identifies exactly this gap.
No. The assessment evaluates cryptographic configuration through passive observation and standard TLS handshake analysis. No exploitation, no authentication attempts, no service disruption. No authorization is required for the standard assessment scope.
Email transport is assessed separately from web infrastructure. Our assessment verifies whether your MX servers support quantum-safe STARTTLS — a capability that fewer than one percent of global mail servers currently offer.
The PQC readiness assessment is available as a standalone engagement or as an integrated layer within a comprehensive external attack surface assessment. When combined, PQC findings are incorporated into the overall compliance mapping and threat scoring.
NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) for algorithm assessment. CRA Art. 10, NIS2 Art. 21, BSI TR-02102-1, and CNSA 2.0 for compliance mapping. All references are cited in the delivered report.
Submit your organization's primary domain for a post-quantum cryptography readiness evaluation. Assessment delivered within 48 hours as an encrypted PDF.
Provide your organization's primary domain. The assessment covers all externally observable cryptographic endpoints.