Migration Intelligence

What CISOs Are Actually Doing About Post-Quantum Cryptography

The data you need to start your PQC migration conversation with your board, today.

Without this, you would be reading 200+ vendor whitepapers, 40+ academic papers, and 17 regulatory documents across 8 industries. We read them. 14 publicly documented migration projects distilled into one navigable page. 115+ verified sources.

14Cases

8Industries

5Cost Data

115+Sources

28Failure Modes

4Network Maps

This is the only cross-industry PQC migration database with verified sources. Vendor whitepapers sell products, not truth. Analyst reports cost $5,000+ and cover one sector. Academic papers assume you read LaTeX. This database covers 14 organizations across 8 industries, every number sourced, failures included. Vendor-neutral.

Four things broken about PQC migration right now

Zero certified HSMs

No FIPS 140-3 PQC hardware security module exists on Earth. Every regulated organization is blocked on production deployment.

Verified April 2026

Zero private-sector cost data

Five cost figures exist globally, all publicly funded. No Fortune 500 company has disclosed what PQC migration costs. Budget conversations are based on guesses.

EU and US disagree

EU mandates hybrid PQC (classical + quantum-safe). US prefers pure PQ. Multinational organizations cannot satisfy both with a single deployment strategy.

No workforce

Of 14 documented cases, only 2 had internal PQC capability (Cloudflare, Signal). The rest relied on vendors or academic partnerships. PQC engineers do not exist at scale.

How to use this page

Pick your industry

Filter by sector below. Each card is a real PQC migration project.

Click any case to expand

Full details: timeline, cost, algorithms, Mosca score, maturity, failure modes, sources.

Compare to your org

Use the patterns and then take the PQC assessment to measure your own readiness across the same 6 dimensions.

The crypto-procrastination problem

Business executives are structurally incentivized to underestimate security risk. When the cost of addressing a risk is visible and immediate, but the cost of the risk materializing is probabilistic and deferred, organizations systematically choose deferral. OPM (20M records), Japan Pension Service (1.25M records), and Fukushima all followed this pattern.

PQC migration has exactly this structure. Of 14 documented cases, 10 are still in progress and 1 is still in planning. Only Signal deployed in months. Every other organization measured timelines in years.

When your board asks "what did we do about quantum risk?", the minimum defensible answer is a cryptographic inventory and a sourced risk assessment. This page gives you the evidence. The PQC assessment gives you the score.

Source: Zenitani, in Takagi et al. (2026), Mathematical Foundations for Post-Quantum Cryptography, Springer, pp. 420-440. Verified April 2026

Mosca's Theorem: X + Y > Z

X = data shelf life (how long your data must stay secret). Y = migration time (years to deploy PQC). Z = threat horizon (years until a cryptographically-relevant quantum computer, estimated ~12 years mid-range per GRI surveys, range 9-20+). If X + Y > Z, you should have started already.

Every case in this database has X+Y > Z. Calculate yours: Calculate your Mosca inequality

14/14

Cases at risk

Case Studies

Click any case to see full details. Filter by industry. Data as of April 2026

All (14)

Finance (4)

Government (3)

Telecom (1)

Energy (1)

Healthcare (1)

Tech (2)

Crypto (1)

Critical Infra (1)

Where the field actually is

Overall PQC maturity scores across all 14 publicly documented cases (1-5 scale). The pattern is the insight.

5 Optimized

4 Measured

3 Structured

2 Ad-hoc

1 None

10 of 14 cases score 3/5 ("Structured"). Only Cloudflare and Signal reach 5/5. The assessment uses these same 6 dimensions to score your organization.

See where you fall on this chart

Build vs buy

The 14 cases split into distinct capability models. Your staffing decision should match.

Internal team

2 cases

Cloudflare and Signal. Both control the full stack. Both deployed in months, not years. Requires deep cryptographic engineering talent already on staff.

Workforce: dedicated crypto engineers. Cloudflare built CIRCL (Go crypto library). Signal designed PQXDH protocol in-house.

Vendor-led

5 cases

USAF (QuSecure), BdF+MAS (CryptoNext), Estonia (Cybernetica), Vodafone (IBM/SandboxAQ), SWIFT (planning). Procurement-driven. Speed depends on vendor maturity.

Workforce: project managers + vendor oversight. PQC expertise outsourced. Risk: single-vendor dependency (Estonia, USAF).

Consortium / R&D

7 cases

BIS Leap, Mastercard, Germany ID, Hydro-Quebec, PQC4MED, Ethereum, PQ-NEXT. Multi-partner, often publicly funded. Slower but builds ecosystem knowledge.

Workforce: mixed academic + industry teams. PQC4MED's consortium model led to Infineon's TEGRION chip (R&D-to-product pipeline).

Crypto-agility is the real requirement

PQC migration is not a one-time algorithm swap. It is a permanent operational capability. ML-KEM (FIPS 203) and ML-DSA (FIPS 204) are the current NIST standards. SLH-DSA (FIPS 205) provides hash-based signature diversity. HQC (FIPS 206, expected 2027) offers a backup KEM if lattice assumptions break. Organizations that build crypto-agility now can swap algorithms without re-architecting.

ML-KEM

FIPS 203

Key encapsulation

ML-DSA

FIPS 204

Digital signatures

SLH-DSA

FIPS 205

Hash-based sigs

HQC

FIPS 206 (2027)

Backup KEM

11 of 14 organizations named specific NIST algorithms. All converged on ML-KEM and ML-DSA. PQC4MED designed for crypto-agility before NIST finalized, which proved correct. Verified April 2026

Cross-Case Patterns

From 14 publicly documented organizations. Last verified April 2026

EU vs US

HSM Gap

Networks

EU mandates hybrid. US prefers pure PQ.

Multinational organizations face a compliance conflict that adds implementation cost.

Authority	Approach	Rationale
BSI (Germany)	Hybrid mandatory	If PQC algorithm fails, classical layer survives
ANSSI (France)	Hybrid mandatory	Joint statement with BSI + 20 EU states
CNSA 2.0 (US NSA)	Pure PQ preferred	Simplicity. Trusts NIST algorithm selection.
NCSC (UK)	Pure PQ preferred	Aligned with US approach

Hybrid satisfies both EU and US requirements but adds implementation complexity. The long-term EU position envisions running two PQC schemes simultaneously. Verified April 2026

Zero FIPS 140-3 PQC HSMs exist

As of April 2026, no hardware security module on Earth has a FIPS 140-3 CMVP certificate listing PQC algorithms. Verified April 2026

Vendor	PQC Status	FIPS 140-3 PQC?
AWS CloudHSM / KMS	ML-KEM in TLS	No
Google Cloud KMS	ML-KEM, ML-DSA, SLH-DSA	No
Thales Luna	PQC outside FIPS boundary	No
Entrust nShield	PQC outside FIPS boundary	No

First certificates expected late 2026 to early 2027. Waiting compresses your implementation timeline into the same window as everyone else.

PQC intelligence flows through institutional networks

Organizations outside these networks are making PQC decisions without the most current intelligence.

BIS Leap Network

European Finance

Connects 5 of 14 cases. BdF carries knowledge in, SWIFT carries findings to 11,000+ institutions.

BdFBISSWIFTMastercardCryptoNext

GSMA Taskforce

Global Telecom

50+ companies, 20+ operators. 7 published documents. Liaison to 3GPP, IETF, ETSI, ITU.

VodafoneIBMSamsungTelefonica

NIST NCCoE

US Government

Top-down: federal law to CNSA 2.0 milestones to Pentagon CIO memo. 47+ collaborators.

QuSecureAWSIBMCisco

EU Horizon Europe

EU Research-to-Production

Vertically integrated supply chain. Infineon: R&D (PQC4MED) to production (TEGRION EAL6).

InfineonCryptoNextThalesG+D

Why the threat is already active

Harvest Now, Decrypt Later (HNDL) is not a theoretical concern. It is an economic decision.

Attacker economics

A state-level adversary captures encrypted traffic now, stores it cheaply, and waits. Cloud storage costs continue to drop. The cost of harvesting is negligible compared to the value of the data. Financial transactions, healthcare records, M&A communications, classified government data, and long-lived authentication credentials are all targets.

The adversary does not need a quantum computer today. They need a storage budget and patience. The decryption payoff is measured in billions. The harvest cost is measured in terabytes.

Data at risk by type

InfiniteBlockchain data (public, permanent)

30+ yearsHealthcare records (HIPAA/GDPR)

25+ yearsMilitary/intelligence comms

10-20 yearsFinancial transaction records

5-10 yearsCorporate IP, M&A communications

The threat is not "quantum computers will break our crypto someday." The threat is "our data is being harvested today and we cannot detect it."

When will quantum computers threaten your cryptographic systems?

Scenario analysis grounded in published hardware benchmarks and resource estimates. Not a prediction. A decision-support tool.

Every CISO planning a PQC migration needs to estimate Z in Mosca's inequality: when will a cryptographically relevant quantum computer arrive? This tool puts the published data in one place so you can see what the researchers and hardware vendors actually report.

Based on published data as of April 2026 Complementary to GRI expert surveys No account required

Data transmitted today is already at risk

Harvest Now, Decrypt Later (HNDL): adversaries capture encrypted traffic today and store it for decryption when quantum capability arrives. The scenario ranges below tell you when the decryption becomes possible.

Schneier, Applied Cryptography. NSA CNSA 2.0 advisory. GRI 2025 survey.

Select your cryptographic systems

Which algorithms does your organization use? Select all that apply. Three common defaults are pre-selected.

Vulnerable to Shor's algorithm (asymmetric cryptography)

RSA-2048

Most TLS certificates, email encryption, VPNs, code signing

RSA-3072

Higher-security TLS, government systems, long-lived certificates

RSA-4096

PGP keys, root CAs, long-term document signing

ECDSA P-256

TLS 1.3, Apple/Google certificates, FIDO2/WebAuthn, IoT

ECDSA P-384

Government high-assurance, CNSA Suite, some financial systems

ECDSA secp256k1

Bitcoin, Ethereum, most blockchain networks

Ed25519

SSH keys, Signal protocol, WireGuard, modern TLS

Affected by Grover's algorithm (symmetric cryptography)

AES-128

Reduced to 64-bit equivalent. Low practical risk at scale. Many legacy systems.

AES-256

128-bit equivalent post-Grover. Quantum-safe. Standard recommendation.

SHA-256

Grover gives quadratic speedup on preimage. Minimal practical impact.

3 systems selected

Published data as of April 2026 Scenario analysis, not prediction Complementary to GRI expert surveys

Your encrypted data from before migration completes is already harvestable

Every scenario below shows when decryption becomes possible. The collection already happened. This line extends into the past.

Breakthrough

Acceleration

Central

Stall

Today (2026)

What expert surveys say (complementary data)

The Global Risk Institute surveys 26-32 quantum experts annually. Their 2025 results:

28-49%

say >50% chance of CRQC within 10 years

69%

say >50% chance within 15 years

92%

say >50% chance within 20 years

The scenario ranges above are grounded in published hardware data and resource estimates. The GRI survey captures expert judgment about factors this tool cannot: classified programs, unpublished breakthroughs, funding shifts. Both are useful inputs to migration planning.

Global Risk Institute, Quantum Threat Timeline Report, 2024-2025. Mosca & Piani.

The declining requirements

Published quantum resource estimates for breaking RSA-2048 have dropped by roughly 200x in seven years. Three papers, not a law.

Year	Paper	Physical Qubits	Key Innovation	Source
2021	Gidney & Ekera	20,000,000	Surface code, 10^-3 error rate	arXiv:1905.09749 (updated 2021)
2025	Gidney (updated)	<1,000,000	Yoked surface codes, magic state cultivation	arXiv:2505.15917
2026	Iceberg (Pinnacle)	<100,000	Quantum LDPC codes debated	arXiv:2602.11457

200x reduction in 7 years across 3 papers from related research programs

Each reduction came from a specific technical advance, not a predictable rate of improvement. Gidney 2025 used yoked surface codes. Iceberg 2026 used quantum LDPC codes (still debated in the community). The next advance may come in one year or in ten. There is no basis for smooth extrapolation.

Aaronson, Preskill, Ezratty: "Fitting a trend line to three data points is curve-fitting, not science."

Other algorithm estimates

Algorithm	Physical Qubits	Source	Date
secp256k1	<500,000	Google, secp256k1 estimate	2026
ECDSA P-256	~4,000,000	Roetteler et al., arXiv:1706.06752	2017
AES-128 (Grover)	~5,000,000	Grassl et al.	2016

ECDSA P-256 and AES-128 estimates have not been updated with modern error correction techniques. When updated, requirements will likely decrease.

Where hardware stands today

Published benchmarks from hardware vendors and academic labs. Achieved milestones weighted higher than roadmap targets.

Superconducting

Trapped-Ion

Photonic

Neutral Atom

Vendor	System	Physical Qubits	Status	Date
IBM	Eagle	127	Achieved	2021
IBM	Osprey	433	Achieved	2022
IBM	Condor	1,121	Achieved	2023
IBM	Heron	156	Achieved (improved fidelity)	2024
IBM	Starling	10,000	Roadmap target	2029
IBM	Blue Jay	2,000 logical	Roadmap target	Post-2029
Google	Sycamore	53	Achieved	2019
Google	Willow	105	Below-threshold demo (Nature)	2024

IBM has delivered every processor on its published roadmap since 2020. Google's Willow demonstrated error correction below threshold for the first time. Heron prioritized fidelity over qubit count (156 vs Condor's 1,121). IBM Quantum Roadmap (ibm.com/quantum/roadmap). Google Quantum AI, Nature 2024.

Vendor	System	Physical Qubits	Status	Date
Quantinuum	H2	56	Achieved	2024
Quantinuum	Helios	98	Achieved (48 logical)	2025
Quantinuum	Apollo	Thousands	Roadmap (hundreds logical)	2029
IonQ	Forte Enterprise	36	Achieved	Current
IonQ	2027 target	10,000	Roadmap (800 logical)	2027
IonQ	2030 target	2,000,000	Roadmap (80,000 logical)	2030

Trapped-ion systems have the highest gate fidelities but lower qubit counts. IonQ's 2030 target of 2M qubits was announced during its SPAC era and has no demonstrated path. Weight accordingly. Quantinuum's Helios is the current logical qubit leader. IonQ public filings. Quantinuum press releases. IONQ 10-K.

Vendor / Lab	System	Photonic Qubits	Status	Date
USTC (Pan/Lu)	Jiuzhang 1.0	76	PRL	2020
USTC (Pan/Lu)	Jiuzhang 2.0	113	PRL	2021
USTC (Pan/Lu)	Jiuzhang 3.0	255	PRL	2023
USTC (Pan/Lu)	Jiuzhang 4.0	3,050	arXiv	2025
Xanadu	Borealis	216	Nature	2022
PsiQuantum	Target	1,000,000+	Roadmap (no date confirmed)	TBD

Photonic systems demonstrate the highest raw qubit counts (USTC Jiuzhang 4.0: 3,050) but are specialized Gaussian Boson Sampling machines, not universal quantum computers. PsiQuantum's million-qubit target has no confirmed date. Pan Jianwei et al., PRL (multiple). Xanadu, Nature 2022.

Vendor / Lab	System	Atoms	Status	Date
QuEra	Aquila	256	Achieved	2023
Atom Computing	—	1,180	Achieved	2023
Pasqal	—	200+	Achieved	2024
USTC (Duan)	2D trapped-ion simulator	512	Nature 2024	2024

Neutral atom arrays offer the highest qubit counts among universal platforms (Atom Computing: 1,180) with native long-range connectivity. Still early in error correction demonstrations. Duan's 2D trapped-ion array (Tsinghua, 512 ions) demonstrates a modular architecture path not represented in Western vendor roadmaps. QuEra, Atom Computing, Pasqal press releases. Duan et al., Nature 2024.

The gap is closing from both directions. Resource estimates are declining (20M → <100K qubits for RSA-2048). Hardware is scaling up (156 → 10,000 target for IBM). But the rates of change are not stable, and there is no physical law that says they will converge on any particular schedule.

What this model includes and what it does not

Data coverage

IBM, Google (superconducting) — published benchmarks and roadmaps

Quantinuum, IonQ (trapped-ion) — published benchmarks and public filings

USTC Pan/Lu, Xanadu (photonic) — peer-reviewed publications

QuEra, Atom Computing, Pasqal (neutral atom) — published milestones

Tsinghua (Duan), USTC (trapped-ion/simulator) — Nature, PRL publications

Origin Quantum, SpinQ, Baidu Quantum — limited English-language benchmarks

Not included

Classified programs from any country (US, China, Russia, others)

Defense-linked research not published in academic venues

Chinese private company capabilities beyond public announcements

Unpublished algorithmic improvements at any lab

Enabling technologies (cryogenics, control electronics, networking)

Classical co-processing requirements for full CRQC pipeline

The actual capability frontier may be ahead of what published data shows. This model captures what is publicly known.

Model assumptions (verify these for yourself)

1No classified CRQC currently exists

2Published roadmaps are weighted by vendor delivery track record

3No discontinuous algorithmic breakthrough occurs (e.g., new factoring approach)

4Error correction improves along published trajectories

5Enabling technologies (cryogenics, control, networking) keep pace with QPU scaling

6Lattice-based PQC standards (ML-KEM, ML-DSA) remain secure

If any assumption is wrong, the scenario ranges shift. This is why this tool presents ranges, not predictions. Assumptions informed by Mosca, Preskill, Aaronson, Schneier, Sutor, Gil, Ezratty review (April 2026).

What could change everything

New error correction code — LDPC codes already reduced estimates by 10-20x. The next such advance could do the same. Accelerates timeline.

New factoring algorithm — A breakthrough in quantum or classical factoring would shift resource requirements discontinuously. Direction unpredictable.

Quantum networking — Connecting small QPUs into larger effective systems could accelerate without any single QPU reaching CRQC scale. Accelerates.

Quantum winter — Investor disillusionment slows hardware funding for years. Delays timeline.

Attack on PQC standards — A mathematical attack on lattice-based cryptography breaks the replacement algorithms. Changes the destination, not the timeline.

The question the monitor does not answer

This tool shows you Z: the range of scenarios for when quantum hardware could reach your cryptographic break thresholds. But Mosca's inequality has three variables.

Your data
shelf life

Your migration
time

Scenario range
(shown above)

The scenario range tells you when. The next question is how long migration will take for your specific infrastructure. Organizations comparable to yours have taken 3-5 years, based on 14 documented PQC migrations.

The PQC Readiness Assessment fills in X and Y with your organization's specific numbers: data shelf life, migration timeline, sector, regulatory obligations. It uses the same framework as the 14 case studies above.

See how your migration timeline compares — 36 questions, 6 dimensions, interactive Mosca calculator with your numbers.

How scenario ranges are constructed

For each cryptographic algorithm, we track: (1) published resource estimates specifying the quantum hardware needed to break it, and (2) published hardware benchmarks showing where current systems stand. The scenario range reflects different assumptions about the pace of improvement on both sides. "Breakthrough" assumes aggressive resource reduction and fast hardware scaling. "Stall" assumes no new improvements for 5+ years.

This is scenario analysis, not statistical inference. We do not compute probabilities. We present the range of outcomes that published data supports under different assumptions.

Sources

Resource estimates: Gidney & Ekera 2021, Gidney 2025, Iceberg 2026, Roetteler et al. 2017, Grassl et al. 2016, Google 2026 (secp256k1). Hardware benchmarks: IBM Quantum Roadmap, Google Quantum AI, Quantinuum press releases, IonQ public filings (IONQ), USTC publications (PRL, Nature), QuEra/Atom Computing/Pasqal press releases, Tsinghua (Duan et al., Nature 2024). Expert surveys: Global Risk Institute 2024-2025 (Mosca & Piani).

Every number on this page traces to a named source. "Unknown" means nobody knows, not that we did not look.

What this tool is not: This is not a prediction engine. It does not forecast when quantum computers will break your encryption. It visualizes published data trends and presents a range of scenarios to support migration planning decisions. It is complementary to expert surveys (such as the GRI survey) and should be used alongside them, not instead of them.

What PQC Migration Actually Costs

Five data points exist globally. All publicly funded. Zero private-sector disclosures. Verified April 2026

Organization	Amount	Scope	Cost/scope
US Air Force	$3.9M	PQC encryption on B-52 fleet	Single platform overlay
PQ-NEXT EU	EUR 6.0M	19-partner, 4-sector PQC pilots	~EUR 316K/partner
Hydro-Quebec	CAD ~2M	PQC for smart grid OT/SCADA	Two-phase R&D
Ethereum	$2.0M	PQC research prizes	Research incentive only
PQC4MED	EUR 690K	Medical device PQC R&D (36 months)	~EUR 19K/month

For full enterprise migration: USD 300-500M over 10+ years for one large telco. Discovery alone: $2-5M involving 120,000+ discrete tasks (PostQuantum.com, based on 10 years of engagements). US federal estimate: $7.1B for civilian agencies, 2025-2035 (OMB/ONCD). None of the five project costs above represent a complete enterprise-wide migration.

Deadlines Already Set

Assumed threat horizon: ~12 years (mid-range GRI estimate). If your migration takes 5+ years, the 2030 deadlines are already tight. Last verified April 2026

2025 (now in force)

EU NIS2 — Essential entities must manage cryptographic risk. PQC is an implied obligation.

EU DORA — Financial entities must address ICT risk including cryptographic resilience.

2027

SWIFT SwiftNet 8.0 — PQC-enabled. 11,000+ institutions across 200+ countries must be ready.

2030

NSA CNSA 2.0 — All software/firmware in National Security Systems must use PQC.

BSI + 20 EU states — Critical infrastructure PQC implementation deadline.

2035

NIST IR 8547 — RSA and ECC deprecated for US federal systems (de facto global standard for organizations following NIST guidance).

Failure Modes

28 documented failure modes across 14 publicly documented cases. Click to expand.

14/14

Vendor dependency

Systemic

Every case depends on vendors shipping PQC-ready products. No organization controls its vendor's PQC roadmap. In telecom (Vodafone), Ericsson/Nokia/Huawei must ship firmware. In payments (Mastercard), HSM vendors must achieve FIPS certification. In energy (Hydro-Quebec), SCADA vendors must add PQC to protocols that lack native encryption.

Affects: all 14 cases. Root cause: cryptographic operations embedded in third-party hardware and software.

11/14

EU-US regulatory divergence

Compliance

Hybrid (EU: BSI + ANSSI + 20 states) vs pure PQ (US: CNSA 2.0). Multinational organizations cannot satisfy both with one deployment. Must run different configurations by jurisdiction or accept regulatory friction.

Affects: all multinational cases. Root cause: divergent cryptographic policy between EU and US regulatory bodies.

8/14

Performance overhead

Architecture

BIS Project Leap: ML-DSA verification 7.5x slower (209.9ms vs 28.1ms RSA). Signatures 13x larger (3,293 vs 256 bytes). Cloudflare: split ClientHello caused 0.34% origin failures. Ethereum: ML-DSA 2,420-4,627 bytes vs ECDSA 65 bytes increases gas costs.

Affects: BIS Leap, Mastercard, Cloudflare, Ethereum, SWIFT, Vodafone, Hydro-Quebec, PQ-NEXT.

6/14

FIPS HSM certification gap

Blocker

Zero FIPS 140-3 PQC HSMs certified as of April 2026. Blocks production deployment for finance, government, and any regulated organization requiring certified hardware crypto. Expected: late 2026 to early 2027.

Affects: Mastercard, SWIFT, BIS Leap, USAF, Germany ID, Hydro-Quebec.

5/14

Legacy protocol gaps

Technical

Protocols designed without PQC cannot be patched: IEC 60870-5-104 (SCADA), ISO 8583 (payments), SS7/Diameter (telecom), hybrid S/MIME (email). Requires protocol redesign or overlay encryption.

Affects: Hydro-Quebec, Mastercard, Vodafone, BdF+MAS, BIS Leap.

3/14

Side-channel attacks on PQC

Security

PQC4MED (DFKI): power analysis/EM attacks on embedded secure elements. Cloudflare (KyberSlash): timing side-channel in CIRCL library (patched). PQC implementations have had less scrutiny than classical algorithms.

Affects: PQC4MED, Cloudflare, Germany ID Card.

Which of these failure modes affect your organization? The PQC assessment evaluates your exposure across all six dimensions, including ecosystem dependencies and technical readiness.

Assess your exposure (5 min)

The hard truth about 2026

Most organizations will not complete PQC migration this year. That is not the goal. The realistic target for 2026 is: inventory + assessment + vendor engagement. Of 14 documented cases, only Signal and Cloudflare achieved full deployment, and both control the entire stack. The other 12 are still working through discovery, testing, and certification. Start with what is achievable: know what you have, know where you stand, and know who you depend on.

Where do I start?

Take the PQC assessment (5 minutes)

24 questions across 6 dimensions. Includes an interactive Mosca calculator, sector benchmarks, and a 30/60/90-day roadmap. No account needed for the quick score. Start now →

Run a cryptographic inventory

Discover which systems use which algorithms, which certificates expire when, which data has long shelf life. Discovery costs $2-5M for large enterprises (PostQuantum.com estimate). Without it, every subsequent decision is a guess.

Check your vendor roadmaps

Vendor dependency is the #1 failure mode (14/14 cases). Ask your HSM vendor, cloud provider, and infrastructure vendors for their PQC timeline and FIPS certification status.

Build crypto-agility, not a one-time swap

Start with ML-KEM (FIPS 203) + ML-DSA (FIPS 204). Plan for SLH-DSA and HQC. PQC4MED's crypto-agile approach proved correct when algorithms changed.

If you only do one thing: take the PQC assessment. It takes 5 minutes, produces an immediate score, and tells you where your gaps are. You can forward the results to your board.

What this page does not tell you

You still need to know

Your cryptographic inventory. We know what 14 organizations use. We don't know what you use. The assessment helps here.
Your vendor's actual roadmap. We track which vendors appear in cases. We don't have your vendor's internal timeline.
Your data classification. Mosca X depends on your data's shelf life, which only you know.
Your budget constraints. Five cost data points exist. None map to your organization size or sector mix.

Limitations of this database

14 cases, not 14,000. These are publicly documented projects. Many organizations are migrating privately and haven't disclosed.
Public-sector bias. All cost data comes from publicly funded projects. Private-sector economics may differ.
Point-in-time data. This database reflects April 2026. HSM certifications, regulatory changes, and vendor roadmaps will evolve.
No China/Russia cases. PQC migration in these countries is documented in Chinese/Russian sources not covered here.

Methodology

Sources

115+ verified entries across 14 publicly documented cases. Primary sources: BIS reports, NIST publications, CORDIS EU database, official press releases, SEC filings, SBIR contracts. Secondary: industry analysis, academic papers (Takagi et al. 2026, Springer). Every claim has a named source with URL and date.

Confidence levels

Verified: Multiple independent sources confirm. Reported: A named organization said it publicly. Estimated: Derived from available data with stated assumptions. "Unknown" means nobody knows, not that we didn't look.

Not the CISO?

If you're a security engineer, architect, or risk manager, forward this page to whoever needs to start the PQC conversation at your organization. The URL is shareable.

Get updates

We add new cases and update existing data as organizations publish. No spam, no sales sequences. Just PQC intelligence.

Ready to measure your PQC readiness?

The assessment uses the same 6 dimensions as these case studies. Quick score in 3 minutes. Full assessment in 15. Sector benchmarks and a 30/60/90 roadmap included.

Take the PQC Assessment Talk to Us

PQC Migration Intelligence Database v1.0 — April 2026. Built by DeployQuantum. Vendor-neutral. Every claim sourced. 14 publicly documented cases.