Evidence signature
Public signals bind to governed proof.
No customer data.
QScout proof sequence. Evidence Handshake. public-to-private proof path. No customer data.
Qtonic Quantum Lab-verified intelligence for PQC vendor selection. Independently scored solutions across 10 dimensions with dual-consensus methodology and disclosed review status. Stop evaluating vendor marketing. Start evaluating evidence.
~14 min readThe Qtonic Quantum Lab independently scores every post-quantum solution against NIST FIPS 203/204/205 standards. No vendor sponsorship. No pay-to-play rankings.
The regulatory clock is running. Every framework below affects your cryptographic posture and migration planning. HNDL attacks mean the risk is already active.
NIST IR 8547 (initial public draft) describes deprecating quantum-vulnerable algorithms by 2030 and disallowing them by 2035. Federal agencies must migrate to ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205).
NSA algorithm suite requiring staged adoption. Software and firmware signatures by 2025, operating systems by 2027, most categories by 2033, legacy systems by 2035.
National Security Memorandum directing federal agencies to inventory cryptographic systems and begin migration, with the goal of mitigating quantum risk by 2035.
Executive Order on Improving the Nation's Cybersecurity. Requires SBOM for federal software procurement. OMB M-23-02 extends requirements to cryptographic system inventories.
Requires cryptographic inventory and migration planning for payment card processors. Strong cryptography mandates affect PQC readiness timelines.
Three products. One pipeline. QScout finds quantum-vulnerable cryptography. QStrike supports exploitability review through provider-aligned validation.QSolve fixes it with CISO-led migration advisory.
QScout Free quantum vulnerability snapshot with consented public TLS assessment and a Cryptographic Debt score in minutes.
Forward-threat demonstration using provider-aligned validation workflows across supported platform profiles. A 90-120 day engagement demonstrates exploitability to boards and auditors through governed evidence and scoped validation artifacts.
Standards-mapped PQR advisory team led by CISOs. Algorithm selection, migration orchestration, and compliance documentation through implementation.
Every score is reproducible, auditable, and signed. Two independent agents evaluate each solution — if they disagree beyond threshold, the score is held for manual review. No vendor can influence their ranking.
Each PQC solution is evaluated across algorithm compliance, key management, performance overhead, migration readiness, interoperability, documentation quality, security audit history, community health, standards alignment, and deployment maturity. Scores are weighted and normalized to a 0-100 Qtonic Quantum Score.
Two scoring agents independently evaluate each solution. If their scores diverge beyond a calibrated threshold, the result enters a hold state for manual arbitration. This eliminates single-agent bias and scoring drift.
Every published score follows a 10-dimension published rubric with expert oversight and full audit trail.
Not all evidence is equal. Qtonic Quantum Lab classifies every data point into four tiers, and scoring weights adjust accordingly. Vendor claims without code-level verification receive the lowest confidence.
repo_runtime—Runtime EvidenceVerified through scoped engagement evidence or PQC test vectors. Highest confidence.
repo_static—Static AnalysisSource code inspected for algorithm implementation, key management, and migration readiness.
web_only—Web DocumentationClaims verified through published documentation, changelogs, and API references.
metadata_only—Metadata OnlyVendor claims without verification. Lowest confidence tier.
You cannot migrate what you have not inventoried. A CBOM is the foundation of every PQC migration program.
Embed PQC intelligence into your existing security stack. No manual CSV exports. No portal-only dashboards.
Full programmatic access with OpenAPI 3.0 documentation. Trigger scans, pull results, and integrate PQC data into existing workflows.
Push quantum risk findings into Splunk, Sentinel, XSOAR, or any webhook-capable platform. Real-time alerting on cryptographic drift.
Scan entire portfolios of domains and infrastructure. CSV import, batch scheduling, and consolidated reporting across subsidiaries.
Enterprise authentication planning for approved deployments with identity-provider review, role-based access, and support for configured provisioning workflows.
The Qtonic Quantum Lab scores every solution across 10 dimensions including algorithm compliance, key management, performance overhead, migration readiness, and interoperability. Two scoring agents evaluate each solution using a dual-consensus protocol. Results follow a published methodology with expert validation. Only solutions that pass strict thresholds across all 10 dimensions earn Certified Tier status. Evidence is classified into four tiers: repo_runtime (highest), repo_static, web_only, and metadata_only (lowest).
NIST IR 8547 (initial public draft) proposes 2030 as the deprecation date and 2035 as the disallowance date for quantum-vulnerable cryptographic algorithms. Federal agencies must migrate to ML-KEM, ML-DSA, and SLH-DSA as defined in FIPS 203, 204, and 205. The NSA CNSA 2.0 timeline extends from 2025 to 2035, requiring staged adoption across technology categories. NSM-10 sets the goal of mitigating quantum risk across federal systems by 2035. Private sector organizations handling government data or operating in regulated industries (PCI DSS 4.0.1, HIPAA) should align with these timelines.
A Cryptographic Bill of Materials (CBOM) is a comprehensive, machine-readable inventory of every cryptographic asset in your infrastructure — algorithms, key lengths, certificates, protocols, and libraries. CISOs need CBOMs to identify quantum-vulnerable cryptography (RSA, ECDSA, ECDH), prioritize migration to NIST-approved post-quantum algorithms, meet compliance requirements (NIST SP 1800-38B, OMB M-23-02), and provide board-level visibility into cryptographic risk. QScout generates CycloneDX-compliant CBOMs during governed QScout Silver and Gold assessments.
Run a QScout Free discovery in minutes, or schedule a call with our team to scope a full PQC migration program for your organization.
Qtonic Quantum Lab scores are independent research opinions based on a published quantitative rubric and automated evaluation of publicly available evidence. Domain-expert review controls are independent of the automated evaluation system, and provenance labels disclose when evidence is verified, contested, inferred, or degraded. No vendor pays for inclusion, ranking, or evaluation. Scores do not constitute endorsement, certification, or legal advice. Methodology is uniformly applied and publicly disclosed. All product names and trademarks are the property of their respective owners. Solution maintainers may request a methodology retest at any time. Full research disclaimer.