Stay Up to Date
Subscribe to our newsletter
The most common mistake in a quantum-security migration isn't choosing the wrong algorithm. It's scanning everything before knowing where to look.
Every CISO who has started thinking seriously about quantum readiness has heard the pitch: run a Cryptographic Bill of Materials scan across your infrastructure, find every instance of vulnerable cryptography, and start migrating. Simple.
Except it isn't. If you've already run a CBOM scanner, you probably know why.
Large enterprises don't have neat, contained cryptographic estates. They have decades of accumulated infrastructure: legacy systems talking to cloud services, third-party integrations, shadow IT, and acquired tech stacks bolted on at odd angles. Point a CBOM scanner at that kind of environment and you get one of two outcomes:
Outcome one: the scanner flags thousands of cryptographic instances across your estate. Your security team now has a spreadsheet with 4,000 line items, little or no prioritization framework, and no reliable way to distinguish a TLS certificate on an internal dev server from an ECDSA signing key protecting customer financial data. The scanner did its job. You still don't know what to do.
Outcome two: the scanner misses things. Not because it's bad. CBOM scanners cannot achieve 100% precision across a fragmented enterprise architecture. They catch what they can see. They can't assess what they can't reach. Without a threat model telling you where the real exposure sits, you don't know what got missed, or whether it matters.
The pattern plays out repeatedly. Organizations invest in a CBOM tool, run it against their infrastructure, and come away feeling like they've done something. They lack the strategic clarity to act on the results.
A Quantum Threat Assessment is the step that comes before the scan. It answers a different question entirely: not "what cryptography do we have?" but "where does quantum risk concentrate in our business, and what should we look at first?"
A QTA examines your architecture, your threat model, and your operational context to produce a prioritized map of quantum exposure. It considers dimensions a scanner cannot.
There is a meaningful difference between a public key that's collectible from your website and one that's only used internally on a secured network. Both might be quantum-vulnerable. Only one is immediately exposed to a harvest-now-decrypt-later adversary. A QTA distinguishes the two.
Not all quantum threats carry the same business consequence. For some organizations, the primary risk is encrypted data being decrypted retroactively. For others, particularly those that rely on digital signatures for trust, verification, or regulatory compliance, the bigger threat is a "trust now, forge later" attack in which a quantum adversary forges signatures. The right priority differs completely depending on which risk dominates.
Some components of your infrastructure may not need a CBOM at all. If your core product is a consensus network or a verification framework, the right next step isn't a cryptographic inventory. It's an architecture review of the protocol itself. A QTA tells you which remediation path applies to which part of your estate.
The organizations getting quantum readiness right follow a phased approach.
Low friction, high signal. You get a prioritized view of where quantum risk sits in your business, which threats matter most in your context, and a preliminary roadmap. This is the phase that tells you where to point the scanner, and whether you need one at all.
Once you know which parts of your infrastructure carry the highest quantum risk, you run the scanner against those areas. The results are manageable. The false positive rate drops because you've narrowed the scope. You also have a threat model to interpret the findings against.
The scanner has flagged instances. A cryptographic specialist reviews the findings, separates real risk from noise, and designs concrete mitigations tailored to your architecture: algorithm migrations, key management changes, protocol upgrades.
Skip Phase 1, and Phases 2 and 3 become far harder and more expensive.
A CBOM scanner is a tool. A Quantum Threat Assessment is a strategy. Running the tool without the strategy is how organizations burn budget and end up no closer to quantum readiness.
If you're evaluating CBOM solutions right now, stop. Get the QTA first. You'll spend less, move faster, and know what you're looking at when the scan results come back.

About Horizen Labs Quantum Security Team
Horizen Labs delivers expert-led quantum security consulting, helping organizations assess and address cryptographic exposure before regulatory and threat timelines force the issue.
Quantum Risk Check

A quantum risk score across three dimensions: cryptographic exposure, harvest risk, and signature Integrity, plus regulatory flags and recommended next steps.
Check NowYour board needs to understand quantum risk. Here's the briefing that gets it on the agenda.

Plain language. Current regulatory deadlines. Five actions they can approve today.
Download Now for FreeBLOG

The academic cryptography community has crossed a threshold: at Eurocrypt 2026, quantum resistance was no longer a topic on the agenda — it was the baseline assumption behind every serious research contribution. Here's what that shift looks like from the inside, and what it means for anyone building cryptographic infrastructure today.

A Cryptographic Bill of Materials (CBOM) scan is the right quantum-readiness step for organizations with large, distributed cryptographic estates: financial institutions, cloud providers, defense contractors. For protocol-native organizations, cryptography-centric startups, and SaaS-dependent enterprises, it isn't. The right Phase 1 is a Quantum Threat Assessment that maps actual risk surface before any tooling is deployed.

Most quantum migration plans address one threat. The correct answer has two, and the gap between them is where most organizations quietly fail.