
Quantify Your Cryptographic Exposure to Post-Quantum Risk

A structured assessment of domain readiness for post-quantum migration.

Quantum Risk Score sample report

QRS

A deterministic score against an auditable methodology

The Quantum Risk Score (QRS) evaluates the cryptographic posture of an organisation's observable domain surface against post-quantum migration standards. The composite index — scored 0 to 100 — is derived from four signals with explicit, published weightings. No proprietary components; the methodology is fully reproducible by any qualified cryptographer. The assessment operates exclusively on publicly observable signals and does not require access to internal systems.

Regulatory timeline

Migration timelines are fixed. Preparation is not.

2027

CNSA 2.0 mandate

NSA-mandated PQC for all new national-security systems by January. In-scope organisations that miss this deadline face non-compliance with US federal security requirements.

2030

NIST IR 8547

RSA-2048 and ECDSA P-256 officially deprecated. Continued use after this date will fail FIPS compliance validation.

<1M physical qubits · ~1,700 logical

Current research estimates

Physical-qubit estimates to factor RSA-2048 have decreased from 20M (Gidney & Ekerå 2019) to under 1M (Gidney 2025). The logical-qubit count now stands at approximately 1,700 (Chevignard, Fouque, Schrottenloher 2024).

Methodology

Four signals. Explicit weightings. No proprietary components.

QRS_FORMULA

QRS = ( Algorithm Resilience × 0.40 )
    + ( Crypto Agility × 0.30 )
    + ( Harvest Exposure × 0.20 )
    + ( Migration Posture × 0.10 )

Algorithm Resilience

Asymmetric primitives and symmetric cipher suites in production, measured against FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). RSA-2048 and ECDSA P-256 score zero on this signal under NIST IR 8547 criteria.

Crypto Agility

Capacity to transition algorithms without redeployment. Assessed across six sub-components: TLS 1.3 adoption rate, hybrid cipher suite support, certificate rotation cadence, algorithm diversity, CAA record configuration, and DNSSEC algorithm. HSTS is excluded — it is classical TLS hygiene, not quantum-era agility.

Harvest Exposure

Current data at risk under harvest-now-decrypt-later threat models. Weighted by data lifespan, forward-secrecy posture, and the classification of endpoints transmitting long-retention data.

Migration Posture

Public evidence of an active quantum-readiness programme: published Cryptographic Bill of Materials (CBOM), hybrid endpoint testing, and vendor quantum-readiness disclosures.

Score interpretation

Four readiness levels.

0 — 39

Low readiness · High HNDL exposure

RSA-2048 and ECDSA dominant throughout. No hybrid cipher support detected. Long-retention data exposed to harvest-now-decrypt-later. Non-compliant with CNSA 2.0 for US NSS-adjacent deployments.

40 — 69

Early readiness · Moderate HNDL exposure

Modern TLS in use, but exclusively classical algorithms. No migration plan identified from public signals. Representative of most enterprise deployments observed in 2025.

70 — 89

Developing readiness

Classical and PQC cipher suites operating in parallel. Crypto-agile architecture demonstrable. CBOM published. Migration path documented against at least one regulatory timeline.

90 — 100

Advanced readiness

PQC-native by architecture. Crypto-agility validated. Continuous CBOM monitoring in place. Organisation is tracking NIST IR 8547 and CNSA 2.0 deprecation schedules operationally.
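The composite and band lookup described under Methodology and Score interpretation, as an added example that is not DuoKey's scoring code. The weights and band ranges are the page's; the 0-100 scale for each signal, the endpoint-share definition of Algorithm Resilience, the rounding rule and the `SAMPLE` inventory are assumptions of this example.

```python
from collections import Counter

WEIGHTS = {  # published weightings from the QRS formula
    "algorithm_resilience": 0.40,
    "crypto_agility": 0.30,
    "harvest_exposure": 0.20,
    "migration_posture": 0.10,
}
BANDS = [(90, "Advanced readiness"), (70, "Developing readiness"),
         (40, "Early readiness"), (0, "Low readiness")]
# ASSUMPTION: an endpoint counts as resilient only if its key algorithm is
# from FIPS 203/204/205; RSA-2048 and ECDSA P-256 score zero per the page.
PQC_FAMILIES = ("ML-KEM", "ML-DSA", "SLH-DSA")


def algorithm_resilience(inventory):
    """ASSUMPTION: signal = percentage of observed endpoints on a PQC family."""
    if not inventory:
        raise ValueError("empty inventory: nothing observable to score")
    counts = Counter(e["key_alg"].upper().startswith(PQC_FAMILIES)
                     for e in inventory)
    return 100.0 * counts[True] / len(inventory)


def qrs(signals):
    """Weighted composite. ASSUMPTION: every signal is on a 0-100 scale where
    higher means more ready, so Harvest Exposure is passed in inverted form."""
    if set(signals) != set(WEIGHTS):
        raise ValueError(f"expected exactly {sorted(WEIGHTS)}")
    for name, value in signals.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name}={value} outside 0-100")
    return sum(signals[k] * w for k, w in WEIGHTS.items())


def band(score):
    """Bands are integer ranges on the page (0-39, 40-69, ...), so round
    first. ASSUMPTION: half-up rounding decides a score such as 39.6."""
    whole = int(score + 0.5)
    return next(label for floor, label in BANDS if whole >= floor)


# Constructed inventory mirroring the sample report: 75% RSA-2048, 25% ECDSA P-256.
SAMPLE = [{"host": f"h{i}.example", "key_alg": alg}
          for i, alg in enumerate(["RSA-2048"] * 3 + ["ECDSA-P256"])]
```

With the Algorithm Resilience signal at zero, the other three signals can contribute at most 60 points, so an all-classical estate cannot leave the two lowest bands under these weights.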

Deliverables

A comprehensive, actionable report.

  • 01 Executive summary

    A single board-ready page. Composite score, readiness band, and top-three findings. No reformatting required for governance reporting.

  • 02 Cryptographic inventory

    Full enumeration of observed endpoints, certificates, signature algorithms, and DNSSEC configuration across the assessed domain.

  • 03 PQ Migration Priority Matrix

    Quantum-vulnerable assets ordered by migration urgency. A CVSS-style ranking adapted to cryptographic obsolescence rather than exploitability.

  • 04 Regulatory timeline mapping

    Assessed posture mapped against NIST IR 8547, CNSA 2.0, NCSC, ANSSI, and BSI migration deadlines. Includes gap analysis by jurisdiction.

  • 05 36-month migration sequence

    Three-phase plan: inventory and classification, structural algorithm transitions, full PQC retirement of legacy primitives. Projected QRS uplift per phase.

  • 06 30-minute review session

    A structured walkthrough of findings with the cryptographer who conducted the assessment and signed the report.

Quantum Risk Score sample report

  • RSA-2048: 75%

  • ECDSA P-256: 25%

  • PQC adoption: 0%

  • Forward secrecy: 100%

  • AEAD layer: AES-128

  • DNSSEC: Off

A migration from RSA to ML-KEM is a necessary correction. An architecture capable of absorbing the next transition is a strategic investment.

DuoKey delivers the algorithmic uplift required by your compliance programme and the structural agility to remain current through successive NIST deprecation cycles.

Certification

ISO/IEC 27001:2022 Recertified 2024

Deployments

30+ enterprises Automotive · Swiss banks · EU telcos

Recognition

InCyber Forum 2024 Growth Startup Award

Standards

CycloneDX · SPDX OWASP-aligned

Engagement

Request a Quantum Risk Assessment

Scope is limited to publicly observable signals. No access to internal systems is required. Includes a full report and a 30-minute review session.