A Cryptographic Bill of Materials (CBOM) scan is the right quantum-readiness step for organizations with large, distributed cryptographic estates: financial institutions, cloud providers, defense contractors. For protocol-native organizations, cryptography-centric startups, and SaaS-dependent enterprises, it isn't. The right Phase 1 for those organizations is a Quantum Threat Assessment that maps actual risk surface before any tooling is deployed.
The quantum-readiness conversation has settled into a predictable rhythm. Analyst reports say migration is urgent. The National Security Agency's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), issued in September 2022, set hard transition deadlines for national security systems, with most categories required to complete migration between 2030 and 2033. The Quantum Computing Cybersecurity Preparedness Act, signed into law in December 2022, directed federal civilian agencies to inventory their quantum-vulnerable systems and plan their migration along similar lines. NIST finalized its first three post-quantum cryptographic standards, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), in August 2024, removing the last rationale for waiting.
What those timelines don't tell you is which remediation path fits your architecture. Vendors have filled that gap by positioning CBOM scanners as the universal Phase 1. For some organizations, that's accurate. For others, it wastes budget and produces findings that can't be acted on without the architectural context a prior threat assessment would have provided.
A cryptographic bill of materials (CBOM) scan makes sense when your organization has a large, distributed IT infrastructure with cryptographic artifacts embedded across many systems, applications, and network layers.
- Financial institutions: decades-old transaction processing, payment networks, and regulatory reporting systems carry cryptographic dependencies scattered across layered infrastructure.
- Cloud and multi-tenant infrastructure providers: cryptographic operations span thousands of tenant environments; manual inventory is not operationally feasible.
- Large industrial enterprises: OT environments, SCADA systems, and connected manufacturing often embed cryptographic libraries in firmware and hardware that require systematic discovery.
- Defense supply chain contractors: layered compliance obligations under CMMC 2.0 and CNSA 2.0 across classified and unclassified networks require a documented cryptographic inventory.
These organizations have cryptographic estates so broad that no human team can map them manually. A scanner adds genuine value by surfacing what’s there. But even here, the scan should be targeted — pointed at the highest-risk areas identified by a prior threat assessment, not run blind across the entire estate.
Some organizations don't have the type of infrastructure that benefits from a broad cryptographic inventory. Their quantum exposure concentrates in a specific architectural layer, and the right remediation path is a focused review of that layer — not a scan of everything around it.
- Protocol-native organizations (consensus networks, ZK proof systems, verification frameworks). Where the quantum risk actually lives: protocol design, meaning consensus algorithms, signature schemes, and proof system primitives. Right remediation path: protocol-level architecture review by a cryptographer with quantum threat expertise.
- Cryptography-centric startups (encrypted messaging, digital identity, verifiable credentials). Where the quantum risk actually lives: a small, well-defined cryptographic surface of specific curves, hash functions, and signature schemes. Right remediation path: specialist assessment of those specific primitives against quantum adversarial models.
- SaaS-dependent enterprises. Where the quantum risk actually lives: vendor cryptographic decisions, not internal infrastructure. Right remediation path: supply chain risk assessment covering which vendors are migrating, on what timeline, and what the interim exposure is.
For organizations where a CBOM isn’t the right next step, a Quantum Threat Assessment (QTA) remains the critical starting point. A QTA is not a prerequisite that delays the real work. It's what defines what the real work is.
The QTA maps your actual quantum risk surface, whether that’s a protocol architecture, a concentrated cryptographic dependency, or a vendor supply chain. It recommends the specific remediation path that fits.
For a protocol, that might mean an architecture review of consensus and signature schemes. For a digital identity company, it might mean a focused analysis of the specific curves and hash functions in use. For a SaaS-dependent enterprise, it might mean a supply chain risk assessment.
The point is: there’s no single Phase 1 that applies to everyone. The QTA is what tells you which path is yours.
Organizations that skip the assessment and jump straight to scanning consistently report the same frustrations: too many findings, no prioritization, and no clear path forward. They end up cycling through CBOM tools, looking for one that “works better,” when the problem was never the tool — it was the absence of a threat model to interpret the results.
On the other end, organizations that invest in a CBOM when their risk lives in protocol architecture spend budget on a scan that confirms what a targeted review would have identified faster — while the actual question, how to redesign the protocol for quantum resistance, remains unanswered.
Horizen Labs' 10-day Quantum Threat Assessment is designed for exactly this: producing a clear risk picture and a defined remediation direction in a bounded timeframe, without requiring software deployment, infrastructure changes, or commitment to subsequent phases. The assessment costs a fraction of a full CBOM engagement. It either confirms that a scan is the right next step and tells you where to focus it, or it redirects you to the remediation path that actually fits your architecture. Either way, you come out ahead.
Assess Your Quantum Exposure
Learn how Horizen Labs approaches quantum-resistant security assessment and migration planning: https://horizenlabs.io/quantum-security
Horizen Labs delivers quantum-resistant security assessments and cryptographic advisory to enterprise, financial services, and government organizations. Our Quantum Threat Assessment is a PhD-led review that maps your cryptographic exposure and defines where to focus.