2025 was the International Year of Quantum Science and Technology.
So… did anything change? Remarkably, yes.
Many organizations are no longer debating if they need to prepare for post-quantum cryptography (PQC), but how to begin. Meanwhile, regulators and advisory bodies are making progress on identifying the “end state” we should all be shooting for.
These are huge steps on the journey to PQC maturity.
But like any journey, the best (and only) place to start is where you are. All the maps in the world won’t help if you can’t figure out your starting point. That means getting a realistic picture of your existing cryptographic estate, including any weak points that need to be addressed.
Maturity varies, but knowledge is power
No surprise: cryptographic maturity varies wildly.
Some tech-savvy organizations have already begun building their cryptographic inventories. Others, particularly SMEs, don’t know where to start. And the majority are somewhere in the middle.
Board and CISO awareness is mixed, with many leaders recognizing they have “unknown unknowns” in their cryptographic posture but lacking actionable insight into where they stand.
Frankly, none of this is surprising.
Modern business networks often contain a mix of modern and legacy cryptography. You’ll likely find that while some of your cryptography is fine, you also have deprecated protocols, weak defaults, downgradeable connections, and even 1990s-era algorithms that should have been retired long ago.
So, how do we get to the bottom of what cryptography is in use within our IT environments so we can start taking action? And why don’t we already have this information?
The ITSM letdown
The tools we use to understand our IT infrastructure were never designed to track cryptography.
Cataloging and understanding IT systems is hardly new. CMDBs and asset registers have been around for decades, and more recently, the Software Bill of Materials (SBOM) has become standard for business IT systems.
Unfortunately, all of these fall short when it comes to cryptographic risk. They tell you what systems, assets, and components exist, but not what cryptography is in use.
A Cryptographic Bill of Materials (CBOM) is increasingly available for new IT solutions. But this still doesn’t help us understand the extent of the cryptography in use within our environments.
What we need is a CBOM for our entire IT environments… that updates continuously over time. But we’ll need some new tools to achieve that.
Live traffic analysis is your cryptographic GPS
To get from Point A to Point B, you need to know where you are, where you’re going, and (ideally) how to track your position along the way. Until recently, all three of these were a problem for post-quantum migration.
However, we’re now in a position where the end goal is increasingly clear, and tools exist to track our position through time. Using live traffic analysis, we can observe cryptography “on the wire”, including which protocols, cipher suites, and key exchange mechanisms are in use.
This allows us to:
- Discover, classify, and analyze which encryption technologies are in use
- Uncover outdated and vulnerable cryptography
- Prioritize remediation efforts to reduce real-world risk
This is our cryptographic GPS. It allows us to deal with the reality of our current situation and monitor its improvement as we move toward our defined PQC goal.
Not which cryptography we think we’re using.
Not what we were using at a point in time.
But what we are actually using right now.
Cryptography as a living system
Cryptography is not static.
New vulnerabilities are discovered, standards change, and what is considered “strong” today may be insecure tomorrow. Roberta Faux, US Head of Cryptography and Field CTO at Arqit, argues we should treat cryptography like the evolving system it is:
“Cryptography should be treated as a living, managed system, not a set-and-forget component. In most organisations, it has grown organically over years. A one-off exercise has some value for the initial PQC migration process, but it won’t help organizations stay secure over time. The solution is to have a continuous cryptographic inventory that uncovers weaknesses as they are discovered.”
Naturally, this mindset also requires that we design our cryptographic estate with agility in mind. Swapping algorithms or cipher suites should be a planned activity, not an emergency project.
Again, having ongoing visibility of your estate makes this much easier. Knowing which protocols, cipher suites, and key exchanges are in use allows security teams to prioritize and plan migrations ahead of time… before it becomes a crisis.
Uncovering your Encryption Intelligence
Migration to quantum-safe encryption won’t be an overnight job. It’s going to take time to identify, prioritize, and replace outdated tech.
We built Encryption Intelligence to help your team with this journey, including:
- Discovery: Comprehensive visibility into all encrypted traffic
- Identification: Detection of missing, weak, obsolete, or quantum-vulnerable cryptography
- Prioritisation: Risk-based prioritisation aligned to compliance and business impact
- Migration: Clear roadmaps aligned to regulatory and organisational timelines
- Monitoring: Continuous oversight as environments evolve
The outcome is governance-ready reporting, actionable remediation guidance, and a clear, defensible roadmap to quantum-safe cryptography.
To find out more, visit https://arqitgroup.com/products/encryption-intelligence
5 February 2026
Arqit