The CISO's PQC Command Center
Qtonic Quantum Lab evidence-linked intelligence for PQC vendor selection. Independently scored solutions across 10 dimensions with dual-consensus methodology and disclosed review status. Stop evaluating vendor marketing. Start evaluating evidence.
Live Lab Intelligence
The Qtonic Quantum Lab independently scores every post-quantum solution against NIST FIPS 203/204/205 standards. No vendor sponsorship. No pay-to-play rankings.
Compliance Timeline
The regulatory clock is running. Every framework below affects your cryptographic posture and migration planning. Harvest-now, decrypt-later (HNDL) attacks mean the risk is already active.
NIST PQC
NIST IR 8547 (initial public draft) describes deprecating quantum-vulnerable algorithms by 2030 and disallowing them by 2035. Federal agencies must migrate to ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205).
CNSA 2.0
NSA algorithm suite requiring staged adoption. Software and firmware signatures by 2025, operating systems by 2027, most categories by 2033, legacy systems by 2035.
NSM-10
National Security Memorandum directing federal agencies to inventory cryptographic systems and begin migration, with the goal of mitigating quantum risk by 2035.
EO 14028
Executive Order on Improving the Nation's Cybersecurity. Requires SBOM for federal software procurement. OMB M-23-02 extends requirements to cryptographic system inventories.
PCI DSS 4.0.1
Requires cryptographic inventory and migration planning for payment card processors. Strong cryptography mandates affect PQC readiness timelines.
Find. Prove. Fix.
Three products. One pipeline. QScout finds quantum-vulnerable cryptography. QStrike supports exploitability review through provider-aligned validation. QSolve fixes it with CISO-led migration advisory.
QScout
QScout public intake: a quantum vulnerability snapshot with a consented public TLS assessment and a Cryptographic Debt score in minutes.
- QScout Surface: consented public-surface signal with governed Silver, Gold, and Pulse tiers
- Cryptographic Debt score with probability model
- Severity profile across QScout Surface approved external modules
- TLS configuration grading
QStrike
Forward-threat demonstration using provider-aligned validation workflows across supported platform profiles. A 90-120 day engagement demonstrates exploitability to boards and auditors through governed evidence and scoped validation artifacts.
- Six commercial execution platforms spanning 4 modalities
- Governed forward-threat demonstration
- $2M Challenge terms
- 90-120 day engagement
QSolve
Standards-mapped PQR advisory team led by CISOs. Algorithm selection, migration orchestration, and compliance documentation through implementation.
- CISO-led post-quantum readiness team
- Standards-mapped algorithm selection
- Migration orchestration and testing
- Compliance documentation (NIST, PCI, HIPAA)
Scoring Methodology
Every score is reproducible, auditable, and signed. Two independent agents evaluate each solution — if they disagree beyond threshold, the score is held for manual review. No vendor can influence their ranking.
10-Dimension Scoring
Each PQC solution is evaluated across algorithm compliance, key management, performance overhead, migration readiness, interoperability, documentation quality, security audit history, community health, standards alignment, and deployment maturity. Scores are weighted and normalized to a 0-100 Qtonic Quantum Score.
Dual-Consensus Protocol
Two scoring agents independently evaluate each solution. If their scores diverge beyond a calibrated threshold, the result enters a hold state for manual arbitration. This eliminates single-agent bias and scoring drift.
Published Results With Review Status
Every published score follows a 10-dimension published rubric with expert oversight and full audit trail.
Evidence Hierarchy
Not all evidence is equal. Qtonic Quantum Lab classifies every data point into four tiers, and scoring weights adjust accordingly. Vendor claims without code-level verification receive the lowest confidence.
- repo_runtime (Runtime Evidence): Verified through scoped engagement evidence or PQC test vectors. Highest confidence.
- repo_static (Static Analysis): Source code inspected for algorithm implementation, key management, and migration readiness.
- web_only (Web Documentation): Claims verified through published documentation, changelogs, and API references.
- metadata_only (Metadata Only): Vendor claims without verification. Lowest confidence tier.
Cryptographic Bill of Materials
You cannot migrate what you have not inventoried. A CBOM is the foundation of every PQC migration program.
Why CISOs Need a CBOM
- Identify every RSA, ECDSA, and ECDH instance across your infrastructure
- Map cryptographic dependencies to applications and business processes
- Quantify HNDL exposure by data sensitivity and retention period
- Satisfy OMB M-23-02, NIST SP 1800-38B, and PCI DSS 4.0.1 requirements
- Produce board-ready cryptographic risk inventory on demand
QScout CBOM Generation
- CycloneDX-compliant output (industry standard format)
- Automatic discovery of TLS, certificate, and key assets
- Algorithm-level classification with quantum vulnerability flags
- Migration priority scoring based on exposure and compliance impact
- Exportable to GRC platforms, SIEM, and compliance tooling
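An added example, not QScout output or Qtonic code: a minimal triage pass over a CycloneDX 1.6 CBOM that flags the quantum-vulnerable algorithm families named above and any certificate whose signature algorithm reference points at one. The sample BOM, its `bom-ref` values, and the family list beyond RSA, ECDSA, and ECDH are assumptions of this example.

```python
# Families the page names (RSA, ECDSA, ECDH) plus other Shor-breakable
# public-key schemes; the extra entries are this example's assumption.
VULNERABLE = ("RSA", "ECDSA", "ECDH", "DSA", "DH", "EDDSA", "ED25519", "X25519")
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")  # FIPS 203 / 204 / 205

def _algo(ref, name, primitive):  # builds one constructed algorithm component
    return {"type": "cryptographic-asset", "bom-ref": ref, "name": name,
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": primitive}}}

# Constructed sample CBOM (not real scan output).
SAMPLE_CBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    _algo("alg-rsa", "RSA-2048", "pke"),
    _algo("alg-ecdsa", "ECDSA-P256", "signature"),
    _algo("alg-mlkem", "ML-KEM-768", "kem"),
    _algo("alg-aes", "AES-256-GCM", "ae"),
    {"type": "cryptographic-asset", "bom-ref": "cert-web", "name": "www.example.test",
     "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
         "signatureAlgorithmRef": "alg-ecdsa"}}},
    {"type": "library", "bom-ref": "lib-tls", "name": "example-tls-lib"},
]}

def classify(name):
    upper = name.upper()
    if upper.startswith(PQC):
        return "pqc"
    # "other" covers symmetric ciphers, hashes and unknown names: review by hand.
    return "quantum-vulnerable" if upper.startswith(VULNERABLE) else "other"

def flag_quantum_vulnerable(bom):
    """Return sorted (bom-ref, asset type, algorithm) for vulnerable assets."""
    assets = [(c, c.get("cryptoProperties", {})) for c in bom.get("components", [])
              if c.get("type") == "cryptographic-asset"]
    algos = {c["bom-ref"]: c["name"] for c, p in assets if p.get("assetType") == "algorithm"}
    findings = []
    for c, p in assets:
        # A certificate inherits the risk of the algorithm that signed it.
        ref = p.get("certificateProperties", {}).get("signatureAlgorithmRef")
        algo = algos.get(c["bom-ref"]) or algos.get(ref, "")
        if classify(algo) == "quantum-vulnerable":
            findings.append((c["bom-ref"], p.get("assetType"), algo))
    return sorted(findings)

if __name__ == "__main__":
    for finding in flag_quantum_vulnerable(SAMPLE_CBOM):
        print(*finding, sep="\t")
```

Name-prefix matching is a first-pass filter only; hybrid schemes and vendor-specific algorithm names land in "other" and still need manual review.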
Integration & Automation
Embed PQC intelligence into your existing security stack. No manual CSV exports. No portal-only dashboards.
RESTful API Access
Full programmatic access with OpenAPI 3.0 documentation. Trigger scans, pull results, and integrate PQC data into existing workflows.
SIEM / SOAR Integration
Push quantum risk findings into Splunk, Sentinel, XSOAR, or any webhook-capable platform. Real-time alerting on cryptographic drift.
Bulk Assessment
Scan entire portfolios of domains and infrastructure. CSV import, batch scheduling, and consolidated reporting across subsidiaries.
Enterprise Identity Planning
Enterprise authentication planning for approved deployments with identity-provider review, role-based access, and support for configured provisioning workflows.
Frequently Asked Questions
How does the Qtonic Quantum Lab score solutions?
The Qtonic Quantum Lab scores every solution across 10 dimensions including algorithm compliance, key management, performance overhead, migration readiness, and interoperability. Two scoring agents evaluate each solution using a dual-consensus protocol. Results follow a published methodology with expert validation. Only solutions that pass strict thresholds across all 10 dimensions earn Certified Tier status. Evidence is classified into four tiers: repo_runtime (highest), repo_static, web_only, and metadata_only (lowest).
What is the NIST PQC migration deadline?
NIST IR 8547 (initial public draft) proposes 2030 as the deprecation date and 2035 as the disallowance date for quantum-vulnerable cryptographic algorithms. Federal agencies must migrate to ML-KEM, ML-DSA, and SLH-DSA as defined in FIPS 203, 204, and 205. The NSA CNSA 2.0 timeline extends from 2025 to 2035, requiring staged adoption across technology categories. NSM-10 sets the goal of mitigating quantum risk across federal systems by 2035. Private sector organizations handling government data or operating in regulated industries (PCI DSS 4.0.1, HIPAA) should align with these timelines.
What is a CBOM and why do I need one?
A Cryptographic Bill of Materials (CBOM) is a comprehensive, machine-readable inventory of every cryptographic asset in your infrastructure — algorithms, key lengths, certificates, protocols, and libraries. CISOs need CBOMs to identify quantum-vulnerable cryptography (RSA, ECDSA, ECDH), prioritize migration to NIST-approved post-quantum algorithms, meet compliance requirements (NIST SP 1800-38B, OMB M-23-02), and provide board-level visibility into cryptographic risk. QScout generates CycloneDX-compliant CBOMs during governed QScout Silver and Gold assessments.
Start Your PQC Assessment
Run a QScout assessment intake in minutes, or schedule a call with our team to scope a full PQC migration program for your organization.