Post-quantum cryptography assessment
Quantum-capable adversaries threaten asymmetric schemes that underpin TLS, code signing, identity, and long-lived data protection. A post-quantum cryptography (PQC) assessment gives leadership a factual baseline: where classical crypto lives, how long secrets must remain confidential, and what must change first.
Ontlia delivers vendor-neutral assessments grounded in recognized guidance on cryptographic transitions. We map your estate, quantify exposure in business terms, and produce an actionable roadmap—so engineering, security, and compliance teams share one prioritized plan.
Scope & methodology
Cryptographic & protocol inventory
We catalog algorithms and key lengths in use across applications, APIs, messaging, databases, backups, and infrastructure—TLS versions and cipher suites, VPNs, SSH, JWT/JWE/JWS stacks, disk and field-level encryption, HSM/KMS integrations, and legacy protocols that often hide in integrations.
Data sensitivity & shelf life
Not every asset faces the same quantum timeline. We align cryptographic choices with confidentiality periods (regulated data, IP, logs, archival tapes) so remediation budgets focus where ‘harvest now, decrypt later’ risk is material.
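The inventory and shelf-life steps above can be reduced to a small triage routine. The following is an added example (not Ontlia's tooling or any code from this page): it classifies each inventory entry by how quantum computing affects its algorithm family (Shor breaks factoring/discrete-log public-key schemes regardless of key length; Grover only halves the effective strength of symmetric keys and hashes) and then applies Mosca's inequality, shelf life + migration time > time to quantum, to decide whether confidentiality-protecting uses are already exposed to "harvest now, decrypt later" collection. Signature uses are treated differently, since a signature scheme can be replaced before a capable adversary exists without retroactively exposing data. The sample inventory, the 10-year quantum horizon and all migration estimates are constructed values, not assessment data; the JWT entry deliberately uses a name the table does not know, to show that unmapped identifiers surface as "investigate" rather than silently passing.

```python
"""Constructed PQC inventory triage (added example, not from the page).

Assumptions: the algorithm tables, the sample inventory and the timeline
numbers are illustrative; the urgency rule is Mosca's inequality.
"""
from dataclasses import dataclass

# Families broken outright by Shor's algorithm; key length does not help.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# Families that only lose margin to Grover's algorithm (roughly halved strength).
GROVER_WEAKENED = {"AES", "CHACHA20", "SHA2", "SHA3", "HMAC"}
# Standardised post-quantum schemes.
PQ_READY = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Entry:
    system: str
    protocol: str            # e.g. "TLS 1.2", "SSH", "JWT", "backup"
    purpose: str             # "key-exchange", "encryption" or "signature"
    algorithm: str
    key_bits: int
    shelf_life_years: float  # how long the protected data must stay confidential
    migration_years: float   # estimated time to migrate this system (assumed)


def classify(e: Entry) -> str:
    """Quantum exposure of the algorithm family, independent of business context."""
    alg = e.algorithm.upper()
    if alg in PQ_READY:
        return "pq-ready"
    if alg in SHOR_BROKEN:
        return "quantum-vulnerable"
    if alg in GROVER_WEAKENED:
        # 128-bit symmetric keys keep roughly 64-bit work factor under Grover.
        return "margin-reduced" if e.key_bits < 256 else "quantum-safe"
    return "unknown"   # unmapped name: never assume it is safe


def hndl_exposed(e: Entry, time_to_quantum_years: float) -> bool:
    """Mosca's inequality: data that must stay secret beyond the point where a
    capable adversary exists (net of migration time) can be harvested today."""
    return e.shelf_life_years + e.migration_years > time_to_quantum_years


def priority(e: Entry, time_to_quantum_years: float) -> str:
    """Map exposure class and confidentiality period to a remediation bucket."""
    cls = classify(e)
    if cls == "quantum-vulnerable":
        confidentiality_use = e.purpose in ("key-exchange", "encryption")
        if confidentiality_use and hndl_exposed(e, time_to_quantum_years):
            return "P1-hndl"      # captured traffic/data is decryptable later
        return "P2-migrate"       # must move before the horizon, no retroactive loss
    if cls == "unknown":
        return "P2-investigate"   # identifier not mapped; resolve before ranking
    if cls == "margin-reduced":
        return "P3-upsize"        # e.g. AES-128 -> AES-256 on long-lived data
    return "P4-ok"


def rank(inventory, time_to_quantum_years: float):
    """Inventory sorted by bucket (P1 first), then system name for stable output."""
    return sorted(inventory, key=lambda e: (priority(e, time_to_quantum_years), e.system))


# Constructed sample inventory (illustrative values only).
SAMPLE_INVENTORY = [
    Entry("vpn-gw", "IKEv2", "key-exchange", "DH", 2048, 8, 3),
    Entry("api-edge", "TLS 1.3", "key-exchange", "X25519", 256, 1, 2),
    Entry("code-signing", "CI artifact signing", "signature", "RSA", 3072, 25, 4),
    Entry("archive-tape", "backup", "encryption", "AES", 128, 30, 2),
    Entry("db-field", "field-level encryption", "encryption", "AES", 256, 15, 1),
    Entry("sso", "JWT", "signature", "ES256", 256, 1, 1),
    Entry("tls-hybrid-pilot", "TLS 1.3", "key-exchange", "ML-KEM", 768, 5, 0),
]
QUANTUM_HORIZON_YEARS = 10.0   # assumed planning horizon, not a prediction


if __name__ == "__main__":
    for e in rank(SAMPLE_INVENTORY, QUANTUM_HORIZON_YEARS):
        print(f"{priority(e, QUANTUM_HORIZON_YEARS):15} {e.system:18} "
              f"{e.protocol:24} {e.algorithm}-{e.key_bits} ({classify(e)})")
```

The buckets are what a findings register needs: P1 entries are the ones where remediation budget is justified now because the exposure already exists, P2 entries need sequencing before the horizon, and the "investigate" bucket is the honest output for names the inventory could not map. Varying the horizon and migration estimates shows how sensitive the P1 set is to those assumptions, which is exactly the conversation the shelf-life analysis is meant to force.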
Supply chain & dependency mapping
Modern risk sits in libraries, SaaS, appliances, and CI/CD artifact signing. We trace dependencies and third-party obligations so upgrades are coordinated—not blocked—by vendors and internal release trains.
Standards & regulatory alignment
We relate findings to evolving expectations around quantum readiness (sector norms, procurement questionnaires, and internal policies). Outputs are structured for audit dialogue without over-claiming certification outcomes.
Deliverables
Executive summary & risk heat map
Board-ready narrative: critical systems, business impact clusters, and recommended investment horizons—paired with a technical heat map teams can drill into.
Detailed findings register
Structured issue list with severity, affected components, algorithm/protocol specifics, ownership hints, and remediation categories (configuration, upgrade, architectural change).
Target architecture options
High-level patterns for hybrid classical/post-quantum deployments where appropriate, PKI renewal considerations, and sequencing guidance aligned to your uptime and change-management constraints.
Roadmap & dependency-backed milestones
Phased plan with prerequisites (test harnesses, observability for crypto negotiation failures, rollback triggers) sized for your delivery capacity—not a theoretical checklist.
Engagement model
Kickoff & access boundaries
Short alignment workshop on scope, regulatory context, crown-jewel systems, and interview schedule. We work within your least-privilege access model and evidence-handling rules.
Evidence gathering
Combination of automated scans where permitted, configuration reviews, architecture workshops, and selective deep dives on high-impact flows—balanced to minimize operational disruption.
Read-out & handoff
Stakeholder sessions for security, infrastructure, applications, and procurement; workshop materials suited for retention as internal policy attachments where applicable.
Assessment is deliberately distinct from migration execution: it establishes shared facts and sequencing so subsequent engineering effort is directed, measurable, and defensible.
