Qtonic Quantum | Post-Quantum Ready, Continuously™ | May 2026
When the regulator asks 'are you post-quantum ready?', what do you point to?
A regulator-aligned readiness brief for banks, payments processors, asset managers, and hedge funds.
Revised for CISO, GC, board risk committee, and treasury discussion | May 2026
Company-reported · not independently audited
Executive Thesis
The exam question is evidentiary, not aspirational
Financial institutions do not need to predict a single CRQC date. They need to demonstrate cryptographic governance under the same supervisory expectations they already meet for encryption controls, third-party risk, and incident disclosure. If customer records, settlement traffic, or counterparty data must remain confidential and integrity-bound past 2030, the institution needs a cryptographic inventory, named owners, and a migration sequence — documented now.
The Problem
Long-retained KYC/AML records, cross-border settlement traffic, and counterparty contracts often outlive the public-key cryptography protecting them.
The Gap
FFIEC encryption-control reviews and SOC 2 attestations grade present configuration. They do not grade future decryptability under a cryptographically relevant quantum computer.
The Move
Begin with QScout on an authorized public domain. Escalate to QStrike or QSolve only where evidence justifies deeper proof or migration governance.
Source: Qtonic Quantum services and QScout public pages | Risk framing for executive review
Why Now
The 2030 deprecation anchor meets the 2025 evidence gap
The standards are finalized. The supervisory backdrop is tightening. The institutions that move first will have dated evidence the next examination cycle can verify. Dates below are planning anchors drawn from public government guidance — not binding legal deadlines, except where regulators have explicitly cited them.
Dec 2023
SEC cybersecurity disclosure rules take effect. Item 1.05 of Form 8-K and Regulation S-K Item 106 require registrants to disclose material cybersecurity incidents and to describe risk-management processes. Quantum exposure does not have its own disclosure trigger, but is increasingly relevant to material risk descriptions.
Nov 2023
NYDFS amends 23 NYCRR Part 500. Covered entities now face heightened expectations on encryption-in-transit and at-rest, governance reporting to the board, and incident reporting timelines.
Aug 2024
NIST finalizes the first PQC FIPS standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). Federal procurement and the largest financial institutions begin formal migration scoping.
2029
A Qtonic Quantum planning assumption for finance migration sequencing — a planning marker, not a prediction and not a NIST date. Institutions that close the evidence gap ahead of the 2030 deprecation anchor carry the least examination risk.
2030
NIST IR 8547 (Initial Public Draft) signals 2030 as the deprecation milestone for quantum-vulnerable public-key algorithms in federal systems. Financial regulators frequently align prudential expectations with NIST direction. (Non-binding planning anchor)
2035
NIST IR 8547 (initial public draft) identifies 2035 as the disallowance horizon for quantum-vulnerable algorithms. Cross-border settlement traffic, customer KYC records, and long-tail counterparty data must be migrated well before this anchor to avoid HNDL exposure on still-confidential material.
The gap between the finalized standards and the prudential evidence record is the window every financial institution must close. The first examination question is rarely “are you done?” — it is “what is your dated plan, and who owns it?”
Sources: NIST FIPS 203/204/205 (Aug 2024), NIST IR 8547 IPD, NYDFS 23 NYCRR Part 500 (2023 amendments), SEC Final Rule 33-11216 (Dec 2023) | Dates are planning anchors, not binding migration deadlines. NIST IR 8547 is an initial public draft; deprecation timing and scope are subject to change in final publication. The 2029 reference is a Qtonic Quantum planning assumption, not a prediction and not a NIST date.
Regulatory Alignment
Six regulators. One consistent expectation: documented cryptographic governance.
No single regulator has issued a binding PQC migration mandate for the private financial sector. Read together, the supervisory record already expects what a credible quantum-readiness program produces: an inventory, an owner, a plan, and dated evidence. The table below summarizes what each authority publishes today — and what the institution should be ready to point to.
| Authority | Public Anchor | What It Expects |
|---|---|---|
| NIST | FIPS 203/204/205; IR 8547 | Adopt ML-KEM, ML-DSA, SLH-DSA. Deprecate quantum-vulnerable public-key algorithms by 2030; disallow by 2035. |
| NYDFS | 23 NYCRR Part 500 (2023 amendments) | Encryption controls in transit and at rest, board-level cybersecurity governance, 72-hour incident reporting, written program reviews. |
| FFIEC | IT Examination Handbook, Information Security booklet | Documented encryption controls, key-management governance, third-party cyber risk oversight, ongoing testing and assurance. |
| OCC | Bulletin 2013-29 and supervisory letters on third-party risk and operational resilience | Effective third-party risk management for cryptographic services, vendor due diligence, and demonstrated cryptographic agility planning. |
| SEC | Final Rule 33-11216 (effective 2023-12); Reg S-K Item 106; Form 8-K Item 1.05 | Disclose material cybersecurity incidents and describe risk-management processes, including governance and oversight of cyber risk. |
| BIS / Basel | Principles for operational resilience and cyber resilience guidance | Identification of critical operations and supporting assets, including cryptographic dependencies, and maintenance of cyber resilience capabilities. |
Qtonic Quantum risk framing — not legal or regulatory advice: This summary is an interpretation of foreseeable supervisory expectation. Specific obligations vary by entity type, charter, and jurisdiction. Institutions should obtain independent counsel on their applicable rules.
Sources: NIST IR 8547 IPD, NYDFS 23 NYCRR Part 500, FFIEC IT Examination Handbook, OCC Bulletin 2013-29, SEC Final Rule 33-11216, BIS cyber resilience principles | Public anchors only
The HNDL Clock
Harvest now, decrypt later changes the breach window for finance
The adversary does not need a quantum computer today to create a confidentiality problem today. Encrypted material captured now may become readable later if it relies on RSA, ECDH, or ECDSA — and must remain confidential beyond the migration horizon. Finance has a longer tail than most sectors.
01 · KYC and AML Records
Customer-identification material · beneficial-ownership records · transaction histories
Customer-identification material, beneficial-ownership records, and transaction histories are retained five to seven years under BSA and FinCEN expectations — well inside the HNDL window.
02 · Cross-Border Settlement
SWIFT · FedWire · RTGS message authentication
SWIFT, FedWire, and RTGS message authentication relies on long-lived asymmetric keys. Captured-now traffic may be replayable or forgeable against future signature-validation gaps.
03 · Counterparty Contracts
ISDA agreements · prime-broker margin records · subscription & underwriting files
ISDA agreements, prime-broker margin records, hedge-fund subscription documents, and underwriting files retain commercial sensitivity for a decade or more.
04 · Market-Data and Order Flow
Algorithmic trading signatures · dark-pool order flow · market-maker hedge data
Algorithmic trading signatures, dark-pool order flow, and market-maker hedge data retain residual signal value far past trade settlement.
Sources: Global Risk Institute Quantum Threat Timeline 2024, BSA/FinCEN retention guidance, SWIFT Customer Security Programme | HNDL framing for buyer discussion
The Closed Loop
Find → Prove → Fix → Credential
Each phase produces a discrete artifact the next phase consumes, usable as input for an FFIEC IT examiner, an NYDFS program review, a third-party-risk reviewer, or a board risk committee. Continuous re-attestation feeds the cycle.
01 · Find — QScout
Authorized public-domain cryptographic posture, mapped to FFIEC encryption, key-management, and third-party-oversight controls. CycloneDX cryptographic bill of materials at the Silver and Gold tiers.
02 · Prove — QStrike
Hardware-backed demonstration and resource-estimate validation against the institution's actual cryptographic surface, bounded to a 2030–2031 quantum-equipped adversary model. No present-day RSA-2048 or ECC-256 break claim. Findings ship cryptographically signed.
03 · Fix — QSolve
Sequenced migration governance with named owners across core, payments, market-data, and identity surfaces, covering ML-KEM, ML-DSA, and SLH-DSA adoption tied to measured exposure.
04 · Credential — the Lab
Independent scoring across published dimensions; ML-DSA-signed report the institution can include in a regulated-diligence package; re-attestation cadence between examination cycles.
Sources: Qtonic Quantum QScout, QStrike, QSolve, and Q-Lab pages | Commercial terms are provided under NDA at scoping. The Lab’s assessment spans 200+ reference implementations (company-reported, not independently audited).
QScout
What QScout proves: external cryptographic posture, mapped to FFIEC controls
QScout converts an authorized public domain into board-grade signal in a week. The deliverable is structured to align with the encryption-control questions an FFIEC IT examiner already asks.
QScout Public Assessment Intake
- One authorized public domain and business email verification
- External TLS, DNS, HTTP, certificate, and surface metadata
- Browser-safe executive snapshot
- Clear recommendation for next step
What It Answers
- What is externally visible to the regulator’s reviewer today?
- Where is HNDL exposure observable on customer-facing surface?
- Which control owner takes the finding next?
Surface / Silver / Gold Progression
- QScout Surface: all-approved-public-domain review without credentials
- QScout Silver: approved credentialed paths and application evidence
- QScout Gold: privileged evidence bundles and CBOM handoff
- Operator-led scope and control-owner review
FFIEC Mapping
Findings are organized to support the FFIEC Information Security booklet’s sections on encryption, key management, and third-party oversight — reducing back-and-forth at examination time.
Sources: Qtonic Quantum QScout page, Legal & Privacy page, FFIEC IT Examination Handbook (Information Security)
QStrike
What QStrike validates: cryptographically signed evidence before migration spend accelerates
QStrike sits between cryptographic discovery and migration commitment. It validates which attack paths against the institution’s actual cryptographic surface are real — before procurement signs a multi-year remediation plan.
Credibility boundary. QStrike provides hardware-backed demonstrations and resource-estimate validation against the institution’s deployed primitives, bounded to a 2030–2031 quantum-equipped adversary model. It does not claim, and should not be interpreted as claiming, present-day capability to break, decrypt, or forge signatures against production RSA-2048, ECDSA, ECDH, or related classical primitives at full parameter sizes. The defensible claim is narrower and more valuable: which current implementation defects, weak protocol choices, and migration gaps are likely to matter first when quantum-capable adversaries arrive.
1 · Forward-Threat Validation
Validation runs against the institution's observed cryptographic surface — not generic banking profiles — with provider-aligned workflows and confidence-weighted findings, bounded to a 2030–2031 adversary model.
2 · Cryptographically Signed Evidence
Findings ship with cryptographic signatures and an independently verifiable verification path.
3 · $2M Challenge — QStrike only
$2M Challenge — Subject to Terms. Qualifying QStrike engagements may be eligible for a $2M payout if zero high or critical cryptographic vulnerabilities are found after independent review. Eligibility is subject to signed challenge terms, defined scope, exclusions, an independent review process, and a program cap. The challenge applies to QStrike only — not to QScout. See qtonicquantum.com for full terms.
Sources: Qtonic Quantum QStrike page and $2M Challenge page | NIST FIPS 204 (ML-DSA). QStrike capability is bounded to a 2030–2031 adversary model; no present-day classical-cryptography break is claimed.
QSolve
What QSolve fixes: vendor crypto-agility and cipher-suite migration roadmaps
Post-quantum readiness in finance fails at the vendor seam. Core processors, KMS providers, identity platforms, message-authentication services, and SaaS dependencies are where the cryptographic agility gap is widest. QSolve converts evidence into governed execution with named owners.
01 · Evidence-Led Sequencing
Migration order is driven by measured exposure, validated risk, and implementation dependencies — not vendor convenience.
02 · Vendor Crypto-Agility
Cipher-suite migration roadmaps are built against actual vendor capability, not slide-deck PQC claims. Independent attestation paths sit alongside vendor commitments.
03 · Buyer-Controlled Structure
Solution choices remain accountable to the institution's own requirements. No single vendor's positioning shapes the migration architecture.
04 · Control-Owner Clarity
Decisions, handoffs, and implementation responsibility are explicit at every step — eliminating accountability gaps third-party-risk reviewers will probe.
05 · Validation Closure
Post-migration follow-through ties back to the original evidence chain, confirming what was fixed, what remains open, and what the next examination cycle will see.
Decision support covers ML-KEM, ML-DSA, and SLH-DSA adoption tied to measured exposure across core, payments, market-data, and identity surfaces.
Source: Qtonic Quantum QSolve page
Field Exam Walkthrough
A field-exam scenario: what an examiner asks, what you point to
The following walkthrough is an illustrative composite based on public examination expectations from FFIEC and NYDFS. It is not a transcript and does not describe any specific institution.
Examiner
“Walk me through your cryptographic inventory. What encryption protects customer data in transit and at rest, and who owns each control?”
What you point to
The dated executive signal from QScout public intake, plus, when approved, a QScout Silver or Gold cryptographic bill of materials covering TLS, KMS, IAM, message-authentication, and external-facing portals, with named control owners.
Examiner
“How are you preparing for the NIST post-quantum transition? What is your roadmap?”
What you point to
QSolve dated migration sequence aligned to FIPS 203/204/205 adoption windows, with vendor crypto-agility attestations and control-owner sign-offs.
Examiner
“How do you validate vendor cryptographic claims independently?”
What you point to
Q-Lab independent scoring across 10 published dimensions, plus QStrike forward-threat validation reports with cryptographic signatures.
Illustrative only. This walkthrough is a composite of public supervisory expectations. Not a transcript, not a prediction of any specific examination outcome.
Sources: FFIEC IT Examination Handbook, NYDFS 23 NYCRR Part 500 examination practice notes | Composite scenario
Cross-Border Settlement
Cross-border settlement HNDL math: the shelf life is longer than the migration window
Settlement traffic is the pressure point. SWIFT message authentication, FedWire transfer integrity, and RTGS finality controls all depend on signature schemes that are quantum-vulnerable today. The data does not need to stay confidential forever — but its integrity guarantees must survive the migration window.
1 · Message Shelf Life
Cross-border message archives, including AML lookbacks and counterparty dispute material, are retained five to seven years and may be reopened during litigation.
2 · Migration Time
Inventory, vendor negotiation with SWIFT and intermediary banks, architecture change, testing, and deployment — a multi-year program even for the largest institutions.
3 · Time to Exposure
CRQC uncertainty combined with NIST IR 8547 deprecation (2030) and disallowance (2035) anchors sets the outer boundary of tolerable delay.
When the message shelf life exceeds the migration window, delay creates present-day exposure. That is the harvest-now, decrypt-later equation applied to the settlement layer — and the reason the SWIFT Customer Security Programme has been raising the bar on cryptographic posture each annual cycle.
Sources: SWIFT Customer Security Programme controls, FedWire and RTGS public guidance, CFTC swap data repository encryption rules, NIST IR 8547 IPD | Risk model for treasury and operations review
Third-Party Risk
The third-party vendor crypto-attestation gap
OCC Bulletin 2013-29 and subsequent supervisory letters set high expectations for third-party risk management. In the post-quantum context, those expectations now include the institution’s ability to independently validate — not just collect — vendor cryptographic claims.
01 · Core Processor Layer
Concentration risk across downstream institutions
Regional banks depend on a small number of core processors whose cryptographic roadmaps cascade across hundreds of downstream institutions. Independent validation closes the asymmetry.
02 · Identity and Access
Federated identity · customer authentication · privileged access
Federated identity, customer authentication, and privileged access management lean heavily on RSA and ECDSA today. Vendor PQC claims need third-party scoring against published methodology.
03 · Communications Fabric
DKIM email signing · inter-bank messaging · customer portals
Email signing (DKIM), inter-bank messaging, and customer portals all sit on long-lived asymmetric infrastructure. The third-party-risk evidence must show migration-ready dependencies, not migration-promising ones.
Sources: OCC Bulletin 2013-29, FFIEC IT Examination Handbook (Outsourcing), Qtonic Quantum Lab methodology
Procurement Readiness
What your vendor management team needs from us
Procurement and vendor management teams want a short, factual evidence pack that survives a third-party risk review. The first engagement is structured to produce exactly that.
1 · Scope and Authorization
Written authorization for the named domain. Scope of access. Defined escalation criteria. Information-handling commitments.
2 · Data Handling
What QScout public intake touches and avoids. Where evidence is stored. Retention windows. Subprocessor list.
3 · Operating Posture
Cryptographic posture of Qtonic Quantum Corp. itself, including signing keys, evidence-bundle protection, and personnel access controls.
4 · Audit and Insurance
Insurance certificates on request. Engagement letters. Reproduction notes. Chain-of-custody handling for evidence delivered to the institution.
“The next IT exam will ask whether we have a dated cryptographic inventory and a migration sequence. If I cannot point to one, the finding writes itself. I would rather get ahead of that with a one-week QScout signal that shows where I stand than improvise during fieldwork.”
Sources: Qtonic Quantum QScout Legal & Privacy page, OCC Bulletin 2013-29 | Composite role — not a named individual
SEC Disclosure Scope
SEC 8-K Item 1.05 and Reg S-K Item 106 disclosure scope alignment
The SEC’s 2023 cybersecurity disclosure rule does not impose a stand-alone post-quantum mandate. It does require registrants to describe risk-management processes and to disclose material incidents. Quantum-readiness evidence supports both obligations.
Item 1.05 (Form 8-K)
Material cybersecurity incident disclosure
Material cybersecurity incidents must be disclosed within four business days of materiality determination. A documented PQC posture reduces ambiguity in materiality analysis for crypto-related incidents.
Reg S-K Item 106(b)
Risk-management process description
Registrants must describe processes for assessing, identifying, and managing material risks from cybersecurity threats. A dated cryptographic inventory and migration roadmap is the kind of artifact this disclosure invites.
Reg S-K Item 106(c)
Board oversight description
Board oversight of cybersecurity must be described. A QStrike or QSolve engagement produces evidence the audit committee can reference in their oversight narrative.
“When the staff asks about our process, I want to point to a dated assessment, named owners, and a sequenced roadmap — not a policy statement. That is the kind of dated record I can point to when responding to staff.”
Sources: SEC Final Rule 33-11216 (Dec 2023), Reg S-K Item 106, Form 8-K Item 1.05 | Composite role — not a named individual
Mid-Market Readiness Path
Mid-market and regional bank readiness path: QScout public intake first
Mid-market institutions and regional banks rarely have the budget headroom to commission a full QStrike engagement out of the gate. The right entry point is QScout public intake on one authorized public domain — turning a one-week effort into a board-grade signal that justifies (or rules out) further spend.
01 · Day 0 — Authorize
Agree authorized domain, executive sponsor, and escalation criteria. No scanning before written authorization.
02 · Week 1 — QScout public intake
Produce browser-safe executive signal. Assign a named control owner to each finding.
03 · Weeks 2-4 — Scoped Review
Use QScout Surface or Silver only where QScout public intake evidence justifies deeper investigation. Avoid cost creep.
04 · Escalate — QStrike / QSolve
Escalate to QStrike or QSolve only when findings warrant. Do not buy a migration project before discovery tells you what must move first. Between cycles, QScout Pulse provides continuous post-quantum drift intelligence so posture drift is detected before the next exam cycle.
“My interchange encryption stack is a long-tail RSA story. I do not need a vendor pitch. I need an authorized signal I can show my acquirer relationships, my PCI assessor, and my board — in that order.”
Qtonic Quantum | Mid-market sequencing | Composite role — not a named individual
Tier-1 Readiness Path
Tier-1 bank readiness path: full QStrike and QSolve engagement
Tier-1 institutions face supervisory expectations that escalate well past first-step website evidence. The credible engagement covers internal cryptographic surface, validated forward-threat findings, and a governed migration sequence. Treasury, market infrastructure, and prudential resilience are all in scope.
1 · Discovery Depth
QScout Silver or Gold against authorized scope across core, market-data, message-authentication, identity, and SaaS dependencies.
2 · QStrike Engagement
Up to 120-day QStrike engagement with 6 commercial execution platforms and 4 modalities, covering forward-threat validation against the institution's actual surface, bounded to a 2030–2031 adversary model with no present-day classical-cryptography break claim.
3 · QSolve Migration
Sequenced migration governance with named owners across security, infrastructure, engineering, compliance, procurement, and treasury.
4 · QScout Pulse
Continuous between-cycle drift intelligence covering external, vendor, and authorized internal surfaces.
“The cross-border settlement timeline risk is what keeps me focused. We cannot let the migration window run out before the message-authentication layer is ready. I want governed, sequenced execution — not a vendor announcement cycle.”
“My counterparties already ask about cryptographic posture in their diligence packs. I would rather present a dated assessment than negotiate language about something I have not yet measured.”
Sources: Qtonic Quantum QStrike, QSolve, QScout Pulse pages | Composite roles — not named individuals
FAQ
Frequently asked questions
Q: Is there a binding regulatory mandate today?
No single private-sector binding mandate covers PQC migration today. NIST has finalized the algorithms; NYDFS, FFIEC, OCC, SEC, and BIS publish supervisory expectations that increasingly imply documented cryptographic governance. The institutions that move first will have the dated evidence the next supervisory cycle expects.
Q: Why start with QScout public intake instead of a full assessment?
QScout public intake produces a browser-safe executive signal in a week, on an authorized website snapshot. It tells you whether deeper review is justified by evidence — rather than committing to a multi-month engagement before you have a baseline.
Q: Does the $2M challenge apply to QScout?
No. The $2M challenge applies to QStrike engagements only, and is subject to signed challenge terms, scope conditions, exclusions, an independent review process, and a program cap. QScout findings are not in scope. See qtonicquantum.com for full terms.
Q: How does this align with NYDFS 23 NYCRR Part 500?
Part 500 expects encryption controls in transit and at rest, board-level cybersecurity governance, and 72-hour incident reporting. A dated cryptographic inventory plus a sequenced migration roadmap is the artifact those governance and encryption-control sections invite.
Q: How does this align with the FFIEC IT Examination Handbook?
The Information Security booklet covers encryption, key management, and third-party oversight. QScout findings are organized to map cleanly to those examination sections.
Q: Does this trigger SEC 8-K disclosure?
No. Engaging Qtonic Quantum is not a cybersecurity incident. SEC Item 1.05 disclosure is triggered by material cybersecurity incidents. A documented post-quantum readiness program supports the Reg S-K Item 106 process and oversight descriptions.
Q: How does this interact with our SWIFT CSP attestation?
SWIFT Customer Security Programme controls increasingly intersect with cryptographic posture. A QScout or QStrike engagement produces evidence relevant to the cryptographic-control objectives, but does not replace SWIFT CSP attestation.
Q: Will Qtonic Quantum touch any customer data during a QScout approved-scope signal?
No. QScout public intake covers domain and business email verification, public TLS/DNS/HTTP/certificate metadata, and authorization evidence. No client data, internal network access, credentials, or software installation is involved. Deeper levels require explicit scope agreement.
Q: What if the institution already has a third-party PQC roadmap from a core processor?
Independent validation is precisely the supervisory expectation. Q-Lab scoring across 10 published dimensions plus QStrike forward-threat validation give the institution evidence it can defend independently — not just rely on vendor claims.
Q: Is this legal or regulatory advice?
No. The content on this page is Qtonic Quantum's risk interpretation of public regulatory anchors. It is not legal, tax, or regulatory advice. Institutions should consult qualified counsel on specific obligations.
Qtonic Quantum | Buyer FAQ for finance | Not legal or regulatory advice
Methodology
How QScout produces dated, defensible findings
The methodology page documents how QScout converts an authorized public domain into evidence-grade findings, including scope handling, evidence capture, and chain-of-custody.
Source: Qtonic Quantum QScout methodology page
Reference Material
Field Book and Buyer’s Guide for procurement teams
Two reference documents are written for diligence teams that want to evaluate Qtonic Quantum against published criteria, not slideware.
Field Book
Operator-grade reference for security and infrastructure teams. Methodology-first, evidence-bound, no marketing language.
QScout Buyer’s Guide
Procurement-grade questions, scope language, and diligence checklist for evaluating QScout against alternative offerings.
Qtonic Quantum | Reference material for procurement and security teams
Comparable Category
Why Qtonic Quantum, and what category we sit in
Procurement and security teams often ask “who else is in the category?” The closest public reference point is incident-response and proactive-services delivery — applied to cryptographic posture rather than active intrusion. The category-comparison page covers what carries over, what does not, and what is genuinely new.
Qtonic Quantum | Category framing for procurement
Board Decision
Authorize one domain.
Leave with a dated signal.
One authorized domain. One week. One executive-grade number that tells the board and the next examiner where you stand.
The evidence tells you what comes next — not the vendor.
qtonicquantum.com | +1 (866) 4-QTONIC
Appendix
Sources and References
Public sources used to harden claims and update product positioning. All product claims are based on Qtonic Quantum public pages available during review.
Qtonic Quantum Sources
- Qtonic Quantum homepage and Services page
- QScout product page and Legal & Privacy page
- QScout methodology page
- QScout Buyer’s Guide
- QScout Pulse product page
- QStrike product page and $2M Challenge page
- QSolve product page
- Q-Lab methodology page
- Field Book
Regulatory and Standards Sources
- NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), Aug 2024
- NIST IR 8547 Initial Public Draft (deprecation 2030, disallowance 2035)
- NYDFS 23 NYCRR Part 500 amendments (Nov 2023)
- FFIEC IT Examination Handbook, Information Security booklet
- OCC Bulletin 2013-29 and supervisory letters on third-party risk
- SEC Final Rule 33-11216 (Dec 2023), Form 8-K Item 1.05, Reg S-K Item 106
- BIS / Basel principles for operational resilience and cyber resilience
- SWIFT Customer Security Programme controls
- CFTC swap data repository encryption rules
- Global Risk Institute Quantum Threat Timeline Report 2024
Regulatory and standards content is provided for business discussion purposes only and does not constitute legal, tax, or regulatory advice. Recipients should consult qualified counsel on their specific obligations. Buyer roles cited in this page are composite illustrations and do not refer to any specific named individuals or institutions.
Qtonic Quantum | Post-Quantum Ready, Continuously™ | Reference appendix
Notices & disclaimers
Forward-looking statements. Statements regarding future events, regulatory actions, quantum-computing capabilities, migration timelines, and engagement outcomes are forward-looking and may differ materially. The 2030 deprecation and 2035 disallowance references are NIST IR 8547 initial-public-draft and government-guidance milestones subject to change in final publication; any 2029 reference is a Qtonic Quantum planning assumption, not a prediction and not a NIST date. Cited cryptanalysis resource estimates are resource estimates published in those papers, not demonstrations of capability against production systems.
Company-reported metrics. “100,000+ findings,” “99% HNDL exposure signal,” “PQC readiness average 18/100,” “no OpenSSL-verified false positives observed,” and “200+ implementations evaluated” are company-reported figures from Qtonic Quantum’s own engagement records, not independently audited. Request methodology before relying on them.
QStrike capability scope. QStrike provides hardware-backed demonstrations and resource-estimate validation against the institution’s deployed cryptographic primitives, bounded to a 2030–2031 quantum-equipped adversary model. It does not claim, and should not be interpreted as claiming, present-day capability to break, decrypt, or forge signatures against production RSA-2048, ECDSA, ECDH, or related classical primitives at full parameter sizes.
Standards. NIST IR 8547 is an initial public draft. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) are published standards. Use of ML-DSA for Lab attestations does not by itself imply FIPS 140-3 module validation. NYDFS 23 NYCRR Part 500, FFIEC IT Examination Handbook guidance, OCC Bulletin 2013-29, SEC Final Rule 33-11216 (Reg S-K Item 106; Form 8-K Item 1.05), GLBA Safeguards Rule, BIS / Basel cyber-resilience principles, and the EU Digital Operational Resilience Act (DORA) are public frameworks adopted and supervised with variations by entity type, charter, and jurisdiction; the recipient is solely responsible for its own regulatory compliance.
Composite illustration. Buyer roles, quotes, and scenarios on this page are composite illustrations drawn from public supervisory practice and do not refer to any specific named individuals, organizations, or engagements. Any industry incidents referenced are described solely from public sources (SEC filings, federal court records, state attorney general disclosures, and reputable trade media) and are not Qtonic Quantum clients.
No public commercial terms; no binding offer. This page does not contain public commercial terms. Engagement commercial terms are provided under NDA at scoping. No part of this page constitutes a binding offer, quotation, or commitment. The $2M Challenge applies to QStrike only and is subject to signed challenge terms, defined scope, exclusions, an independent review process, and a program cap.
No legal, regulatory, or investment advice. This page is Qtonic Quantum’s risk interpretation of public regulatory anchors. It does not constitute legal, tax, regulatory, or investment advice. Recipients should obtain independent advice from qualified counsel before acting on it.
No warranty. Deliverables are advisory and reflect point-in-time evaluations under defined scope conditions. Qtonic Quantum makes no warranty, express or implied, that an assessment identifies every vulnerability or that the described posture will be maintained after the assessment date. Deliverables do not guarantee any examination, audit, regulatory, cyber-insurance, or diligence outcome, or prevention of any breach or cryptographic compromise.
Third-party trademarks & sources. All third-party names, marks, and standards referenced are the property of their respective owners; reference is descriptive and does not imply endorsement, affiliation, or partnership. Market statistics are attributable to their respective publishers, not to Qtonic Quantum.
Export control. Products and services may be subject to the EAR and possibly ITAR depending on configuration; classifications are confirmed at scoping.
Governing law. Florida law; disputes per the executed engagement letter. © 2026 Qtonic Quantum Corp.