The frame
There is no shortage of post-quantum cryptography content in 2026. The standards are finalized. The procurement guidance is published. The federal timelines are set. The hyperscalers are moving. The conferences are scheduled. Reasonable observers might conclude that the field is loud.
It is not loud. It is heavily covered at one end of the market and almost silent at the other, and the data on operator action is the same on both ends: enterprises are not moving.
Three independent industry surveys published between April and December 2025 reach the same conclusion through different methodologies and different respondent populations.
ISACA's Quantum Computing Pulse Poll, based on more than 2,600 professionals in digital trust, cybersecurity, IT audit, governance, and risk, found that 95% of organizations lack a defined quantum computing strategy. Beneath that headline: 37% have not discussed quantum computing at all, 41% have no current plans to address the quantum threat, and 44% have never heard of the NIST post-quantum standards that have been in development for more than a decade.
The Trusted Computing Group's State of PQC Readiness report, published in December 2025 and based on a survey of 1,500 security professionals across the US, UK, and Europe, found that 91% of security professionals have no formal post-quantum cryptography roadmap, and 81% believe their current crypto libraries and hardware security modules are not ready for migration.
Keyfactor's Quantum Readiness Edition, conducted with 450 cybersecurity professionals at the director level or above in companies of 1,000+ employees, found that 48% of organizations are not prepared for quantum cybersecurity challenges, with mid-sized organizations particularly vulnerable at 56% unprepared.
Three surveys. Three methodologies. Three respondent populations. One consistent picture: the awareness exists, the planning does not, and the gap is widest in the middle of the market.
This is not a quiet field. It is a noisy field where the noise has not produced action.
That is a different problem, and it requires a different response.
The perception problem
The gap between awareness and action is not a literacy gap. It is a salience gap.
Post-quantum cryptography does not look like ransomware. It has no screenshots. It has no active exploit chain a SOC can detect today. There is no quantum-breach dashboard, no incident-response runbook with timestamps, no Mandiant report attributing a campaign. The threat lives in architecture, procurement, PKI, firmware, TLS, identity, certificates, signing chains, HSMs, vendor roadmaps, backups, retention policies, and long-lived data — all of which are real, none of which are visible in the way a phishing campaign or a credential-stuffing attempt is visible.
For an operator triaging the queue on any given Monday, that combination makes PQC easy to mentally park under important, but later. The math is sound, the deadlines are years out, the work is large, and nothing is on fire today. Defer.
The error in that reasoning is the Harvest Now, Decrypt Later threat model. Adversaries with the patience and storage capacity to capture encrypted traffic today are not waiting for a public quantum announcement to begin. Any data with a confidentiality lifetime of five years or more — client work-product, M&A materials, health records, financial archives, contractual obligations, intellectual property, certain categories of personal data — is at risk today, not at some unspecified future moment when a cryptographically relevant quantum computer is announced. Later is not a free option. It is the option being exercised against the data right now, with the bill arriving when the decryption capability does.
This is the central point survey respondents are underweighting, and it is also the point that standards-body and vendor literature has not yet succeeded in communicating. The literature emphasizes the deadline. The threat is the harvesting, which is happening today.
The edge has moved. The interior has not.
There is one place in the public internet where post-quantum cryptography has clearly moved beyond planning. Cloudflare reports that the majority of human-initiated traffic across its network was already using post-quantum encryption by late 2025, with hybrid ML-KEM TLS enabled by default at the edge. AWS rolled hybrid PQC TLS into KMS in 2024 and expanded into ACM and Secrets Manager in early 2026. Google has committed to a 2029 internal deadline. Meta published its migration playbook in April 2026.
These are the operators of public infrastructure. They have moved because they could — large engineering organizations, dedicated cryptography research functions, direct ownership of the protocols, and material consequences for being late.
Below that layer, the picture inverts. The same surveys that show 91% of organizations without a roadmap also show that those organizations are running the systems that consume the edge's services — connecting to those TLS terminators, signing artifacts with those certificate authorities, federating identity through those providers. The cryptographic posture of the average enterprise interior is, in effect, the posture inherited from the slowest vendor in its stack, not the fastest hyperscaler at its edge.
That gap — between an edge that is approaching post-quantum coverage and an interior that is not even inventoried — is the operational reality the surveys describe. It is also the gap most public PQC discourse fails to address, because the discourse is mostly being written by the people closest to the edge.
The thesis
Post-quantum cryptography will not fail because the math is unavailable. The math is in three finalized NIST standards. It will fail because organizations do not know where their cryptography lives, which vendors they depend on, which data has long-term exposure, and which systems will break when algorithms, certificates, signatures, and key exchange patterns change.
PQC is not a quantum problem. It is a cryptographic debt problem, an inventory problem, a procurement problem, and a governance problem.
The quantum element is the deadline. Everything else is the work that should already have been done in any organization with a working cryptographic hygiene program, and in most organizations it has not been.
This reframing matters because it determines what gets staffed and how it gets funded. A quantum problem is research; cryptographic debt is operations. A quantum problem belongs to the cryptography team that most mid-market firms do not have; cryptographic debt belongs to the same people who already own certificate lifecycles, vendor renewals, and patch management. A quantum problem is a 2035 deadline; cryptographic debt is a backlog you can start closing this quarter.
The work does not become easy. It becomes legible.
The mid-market reality
If you are a security or operations lead in the middle of the market — a 600-endpoint AmLaw 200 firm, a regional bank, a mid-market eDiscovery house, an MSP, a critical-infrastructure operator below the federal contractor tier — three structural realities shape your PQC plan in ways that the hyperscaler playbooks do not address.
- No crypto team. You do not have a cryptography team. You have one engineer who also runs the firewalls, manages the certificate inventory, owns the SIEM, and is currently three weeks behind on patch tickets. Whatever you build must be executable by people whose calendars are already full.
- No platform budget. You cannot buy your way out of the inventory problem. The commercial PQC migration platforms — ISARA, SandboxAQ, Keyfactor, Fortanix, QSE, the IBM/Keyfactor consulting partnership — are priced for enterprises with seven-figure security budgets. Your discovery tooling is going to be a spreadsheet, OpenSSL s_client, and the vendor portal of every product you currently license.
- No vendor leverage. You cannot move your vendors. Your stack is mostly downstream of decisions made by Microsoft, Cisco, Fortinet, your eDiscovery platform, your case management vendor, your VPN provider, and a half-dozen SaaS dependencies already contracted through 2027 and beyond. Your PQC posture, for most of what you operate, is going to be the posture your vendors give you on the schedule they give it to you. Your job is to know what that posture is, to ask for it in writing where it is missing, and to sequence your internal work around what the vendors deliver — not to invent cryptographic implementations of your own.
The honest implication is that the mid-market PQC plan is mostly an inventory, sequencing, and vendor-pressure plan. It is not a cryptographic implementation plan. That is a different shape of work than what the hyperscaler playbooks describe, and it deserves a different document.
Disciplined urgency
Between "we have not discussed it" and "we are panicking" there is a working posture: disciplined urgency. The standards are real. The procurement guidance is real. The federal and critical-infrastructure timelines are real. The hyperscaler movement is real. The surveys showing operator inaction are real. And the HNDL exposure window is real and running.
The correct response to that combination is not hype, because hype produces budget cycles that buy tools and skip the inventory. The correct response is also not deferral, because deferral compounds the exposure with each year that passes. The correct response is a small, repeatable, defensible discipline executed continuously over the next several years.
The IR 2.0 framework I've been developing — Sense, Decide, Act, Learn — was built for a faster problem. Quantum migration is the same loop running on a multi-year clock, which makes the discipline more important, not less. The temptation in slow-motion problems is to substitute planning for execution. The Calm Loop is the antidote: each stage produces a deliverable the next stage consumes.
- Stage 01 · Sense. A cryptographic inventory at the level you can actually maintain. Not a 50,000-entry cryptographic bill of materials. A working register of TLS termination points, VPN endpoints, code-signing pipelines, certificate authorities you depend on, and the dozen-or-so vendor products that handle cryptography on your behalf. For most mid-market operators this is a forty-row spreadsheet, not a database. Eight columns: system, owner, cryptographic function, current algorithm, data longevity, external exposure, trust role, vendor PQC status. Stop adding. A forty-row register that is reviewed quarterly outperforms a four-thousand-row CBOM that is reviewed never.
- Stage 02 · Decide. Three priority tiers, not five. Most surveys, including the TCG report, find that respondents understand the threat but cannot translate it into prioritization. The translation is not complex. P1 is internet-facing systems handling long-lived data with high trust roles — the VPN, the code-signing pipeline, the CA your endpoints trust, the TLS terminators in front of anything containing client work-product. P2 is internet-facing systems with shorter retention or lower trust. P3 is everything internal-only with short data lifespans. Most operators in this lane will land somewhere between five and fifteen P1 items, full stop. That is the list. It is a manageable list.
- Stage 03 · Act. Pressure vendors before you change anything internal. For roughly 80% of your remediation, the work is procurement and patching, not engineering. The most leveraged artifact you can build is a vendor evaluation rubric used at every renewal between now and the CNSA 2.0 January 2027 inflection point: documented commitments on FIPS 203 and 204 implementation, hybrid TLS support, configurable algorithm policy, certificate-chain readiness, and observable cipher-suite negotiation logging. The rubric converts your single point of pressure — the renewal — into a structured, evidence-based ask. Where you do touch your own systems: hybrid-first, classical-only with documented compensating controls where the stack does not yet support PQC, and rollback procedures tested before any change reaches production.
- Stage 04 · Learn. Quarterly review tied to specific external triggers. Set the review small enough to actually happen. Four triggers should drive an update to your register: a CISA product-category list change, an NSA CNSA 2.0 deadline revision or FAQ update, a NIST IR 8547 milestone, and any major vendor in your top ten announcing general availability for a PQC capability you were tracking. Each trigger maps to specific rows in your register that need re-scoring. Most quarters, three or four rows will move. Some quarters, none will. Both are signal.
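As an added example (my own illustration, not code from the original piece), here is the Sense and Decide stages in runnable form: a constructed register with the eight columns named above, the P1/P2/P3 rule applied to each row, and the list of P1 systems whose vendor PQC status is still unknown, which is the written-ask list. The column names, sample rows, and the treatment of internal-only long-lived data as P2 are assumptions of this example.

```python
import csv
import io

# Constructed sample register (illustrative only, not a real firm's inventory).
# The eight columns are the ones named in the Sense stage.
SAMPLE_REGISTER = """\
system,owner,cryptographic_function,current_algorithm,data_longevity_years,external_exposure,trust_role,vendor_pqc_status
Client VPN,netops,key exchange,ECDHE-P256,10,internet,high,roadmap-2026
Code-signing pipeline,appsec,signature,RSA-3072,15,internet,high,unknown
Public website TLS,webops,key exchange,X25519,1,internet,low,hybrid-available
Internal wiki TLS,it,key exchange,ECDHE-P256,2,internal,low,none
Internal CA,pki,signature,RSA-4096,10,internal,high,none
"""

LONG_LIVED_YEARS = 5                      # the five-year confidentiality lifetime used in the text
UNKNOWN_STATUS = {"", "unknown", "none"}  # vendor answers that still need a written ask


def tier(row: dict) -> str:
    """Decide-stage rule: P1 = internet-facing + long-lived data + high trust role,
    P2 = internet-facing with shorter retention or lower trust, P3 = internal-only, short-lived."""
    internet = row["external_exposure"].strip().lower() == "internet"
    long_lived = int(row["data_longevity_years"]) >= LONG_LIVED_YEARS
    high_trust = row["trust_role"].strip().lower() == "high"
    if internet and long_lived and high_trust:
        return "P1"
    if internet:
        return "P2"
    # Assumption not stated in the text: internal-only systems that still hold long-lived
    # data are scored P2 rather than P3, because harvest-now-decrypt-later exposure
    # follows the data's lifetime, not the perimeter.
    return "P2" if long_lived else "P3"


def score_register(csv_text: str) -> list[dict]:
    """Parse the register and attach a tier to every row, highest priority first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["tier"] = tier(row)
    return sorted(rows, key=lambda r: r["tier"])


def p1_systems(csv_text: str) -> list[str]:
    return [r["system"] for r in score_register(csv_text) if r["tier"] == "P1"]


def open_vendor_asks(csv_text: str) -> list[str]:
    """P1 rows whose vendor PQC status is unknown: the written asks to send first."""
    return [r["system"] for r in score_register(csv_text)
            if r["tier"] == "P1" and r["vendor_pqc_status"].strip().lower() in UNKNOWN_STATUS]


if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(row["tier"], row["system"], row["current_algorithm"], row["vendor_pqc_status"])
    print("ask in writing:", open_vendor_asks(SAMPLE_REGISTER))
```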
What to do this quarter
If you are a security or operations lead in this lane, the work for the next ninety days is small enough to be done by one person without rearranging the rest of your year.
Build the forty-row register.
Use a spreadsheet. Eight columns. Do not buy tooling.
Ask your top three vendors, in writing.
Pick the top three vendors in your stack and ask them, in writing, for their PQC roadmap — specific algorithms, specific dates, hybrid support status, observability for cipher-suite negotiation, and a documented rollback path. Save the responses. The responses themselves are the artifact; they will be useful in your next contract negotiation regardless of what they say.
Run one tabletop session.
Focus on a single scenario: your perimeter receives a vendor patch enabling hybrid TLS, and forty percent of sessions silently negotiate classical-only because an upstream load balancer doesn't support ML-KEM. Walk through detection, response, and rollback. The exercise costs an afternoon. The single sentence it produces — PQC-enabled is not the same as PQC-protected — is the most operationally important takeaway in this entire field, and it is more durably learned by walking through it than by reading it.
Three deliverables. None require external spend. All of them outperform a planning document nobody reads.
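The tabletop scenario above turns into a concrete check once cipher-suite negotiation logging exists. As an added example (not code from the original piece), this parses constructed terminator log lines in an assumed, simplified format, computes the share of sessions that actually negotiated a hybrid ML-KEM group, and reports which path the classical-only fallback concentrates on; the log format, terminator names, and the 90% alert threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified terminator-log format (not any vendor's real
# format). edge-a has been patched for hybrid TLS; edge-b sits behind an upstream load
# balancer that cannot negotiate ML-KEM, so its sessions silently fall back to X25519.
SAMPLE_LOG = """\
2026-04-06T09:00:01Z lb=edge-a tls=1.3 group=X25519MLKEM768 sni=portal.example.test
2026-04-06T09:00:02Z lb=edge-a tls=1.3 group=X25519MLKEM768 sni=portal.example.test
2026-04-06T09:00:03Z lb=edge-b tls=1.3 group=X25519 sni=portal.example.test
2026-04-06T09:00:04Z lb=edge-a tls=1.3 group=X25519MLKEM768 sni=vpn.example.test
2026-04-06T09:00:05Z lb=edge-b tls=1.3 group=X25519 sni=vpn.example.test
2026-04-06T09:00:06Z lb=edge-a tls=1.3 group=X25519MLKEM768 sni=vpn.example.test
2026-04-06T09:00:07Z lb=edge-b tls=1.3 group=X25519 sni=portal.example.test
2026-04-06T09:00:08Z lb=edge-a tls=1.3 group=X25519MLKEM768 sni=portal.example.test
2026-04-06T09:00:09Z lb=edge-b tls=1.3 group=X25519 sni=vpn.example.test
2026-04-06T09:00:10Z lb=edge-a tls=1.3 group=X25519MLKEM768 sni=portal.example.test
"""

# Hybrid ML-KEM key-exchange group names as used in the IETF hybrid ML-KEM TLS draft;
# adjust to whatever strings your own terminator logs.
PQ_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}

LINE_RE = re.compile(r"^(?P<ts>\S+) lb=(?P<lb>\S+) tls=(?P<tls>\S+) group=(?P<group>\S+) sni=(?P<sni>\S+)$")


def parse_sessions(log_text: str) -> list[dict]:
    """One dict per well-formed log line; malformed lines are skipped, not guessed."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def pq_share(sessions: list[dict]) -> float:
    """Fraction of sessions whose key exchange used a hybrid ML-KEM group."""
    return sum(s["group"] in PQ_GROUPS for s in sessions) / len(sessions) if sessions else 0.0


def classical_by_path(sessions: list[dict]) -> dict:
    """Classical-only sessions per terminator, so a single non-PQ path stands out."""
    return dict(Counter(s["lb"] for s in sessions if s["group"] not in PQ_GROUPS))


def check_negotiation(log_text: str, min_share: float = 0.9) -> dict:
    """Alert when the PQ share drops below min_share and say where the fallback concentrates."""
    sessions = parse_sessions(log_text)
    share = pq_share(sessions)
    return {"sessions": len(sessions), "pq_share": share,
            "alert": share < min_share, "classical_by_path": classical_by_path(sessions)}


if __name__ == "__main__":
    print(check_negotiation(SAMPLE_LOG))
```

On the sample, six of ten sessions are hybrid and all four classical-only sessions sit on edge-b, which is the upstream to investigate before the patch is declared complete.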
The deeper thread
Post-quantum cryptography is not a separate program. It is a cryptographic hygiene program operating on a multi-year clock, in a domain where the standards are stable and the operational variables are not. The same loop applies — Sense, Decide, Act, Learn — and the same discipline of producing small, current, defensible artifacts at each stage applies as well. If your incident response readiness program is working, your PQC program is most of the way built; you have not put a label on it yet.
The deeper continuity is this: the security work that holds up over time is the work that is calm, sequenced, and documented. Quantum migration rewards exactly the same operating habits as breach response, just on a slower clock. Operators who already practice those habits do not need a different framework. They need a translation of the wave that is breaking elsewhere into the shape of their own lane.
That translation is what I'm building toward. The structured analysis of the underlying exposure class — sources, evidence base, enterprise impact categories, IR 2.0 mapping, and the open research questions being tracked — lives at Deretti Cyber Labs as an active research note on post-quantum cryptographic exposure. This piece is the personal frame; that one is the working reference.
The posture is the discipline. The discipline is the work.