Frequently Asked Questions
What is ACDI in cybersecurity?
Automated Cryptographic Discovery and Inventory (ACDI) is the process of using automated tools to systematically identify, catalogue, and assess every cryptographic asset within an organisation's IT estate. This includes encryption algorithms, digital certificates, cryptographic keys, TLS/SSL configurations, and key exchange protocols across networks, applications, cloud services, and third‑party integrations.
Traditional approaches to cryptographic inventory rely on manual audits — a process that is time‑consuming, error‑prone, and typically limited in scope. ACDI replaces this with continuous, automated scanning that delivers a complete and accurate picture of an organisation's cryptographic posture.
In the context of post‑quantum cryptography (PQC) migration, ACDI is recognised as an essential first step. Organisations cannot plan a migration to quantum‑safe algorithms without first understanding what cryptographic assets they have, where they are deployed, and which are vulnerable to quantum attack. ACDI provides this foundational visibility.
What is a CBOM?
A Cryptographic Bill of Materials (CBOM) is a comprehensive, structured inventory of every cryptographic component used within an organisation's systems and applications. It functions similarly to a Software Bill of Materials (SBOM) but is focused specifically on cryptographic assets — including algorithms, key lengths, certificate chains, protocol versions, and their dependencies.
The CBOM concept has gained significant importance in the context of NIST's Post‑Quantum Cryptography standardisation effort. As organisations prepare to transition from classical cryptographic algorithms (such as RSA and ECC) to quantum‑resistant alternatives (such as ML‑KEM and ML‑DSA), a CBOM provides the evidence base needed to plan, prioritise, and execute that migration.
For financial services organisations subject to regulations like DORA and NIS2, a CBOM also serves as a compliance artefact — demonstrating to auditors and regulators that the organisation has a clear understanding of its cryptographic dependencies and a documented plan for addressing quantum vulnerabilities.
What is Q‑Day?
Q‑Day refers to the hypothetical future date on which a cryptographically relevant quantum computer (CRQC) becomes operational — meaning it is capable of breaking the public‑key cryptographic algorithms that currently secure the vast majority of digital communications, financial transactions, and data storage.
Specifically, a CRQC would be able to execute Shor's algorithm at sufficient scale to break RSA, ECC (Elliptic Curve Cryptography), and Diffie‑Hellman key exchange — the foundations of modern internet security. This would compromise TLS/SSL connections, digital signatures, PKI trust chains, and encrypted data stores.
The most immediate concern is the 'Harvest Now, Decrypt Later' (HNDL) threat: adversaries — including state‑level actors — are already intercepting and storing encrypted data today, with the intention of decrypting it once quantum computing capability becomes available. For financial services organisations, where data sensitivity can extend 20 years or more, this means that data encrypted today with quantum‑vulnerable algorithms is effectively already at risk.
Leading intelligence agencies and industry analysts place Q‑Day within the next 5 to 15 years, making it imperative for organisations to begin their transition to post‑quantum cryptography now.
.webp?width=300&name=arqit_new_brand_general-(8).webp)
