The most common reason organizations delay post-quantum work is also the weakest: "a quantum computer that can break RSA doesn't exist yet." That's true. It's also beside the point. The threat to confidentiality doesn't begin when the machine arrives — it begins the moment someone records your traffic.
Harvest now, decrypt later
Recording encrypted data is cheap and passive. An adversary captures your TLS sessions, your VPN tunnels, your backups today, and stores them. When a cryptographically relevant quantum computer exists, Shor's algorithm breaks the RSA or elliptic-curve key exchange that protected them, and the plaintext falls out — retroactively. Anything that must stay confidential past that horizon is, in effect, already exposed.
Authentication is different: a forged signature only matters at the moment of forgery, so signatures are a genuinely deferrable migration. Confidentiality is not. That asymmetry is the whole reason key exchange comes first.
A clock you already own
You don't need to predict Q-day to decide what to do. Mosca's inequality makes it concrete: if the number of years your data must stay secret (X) plus the number of years your migration will take (Y) is greater than the years until a capable quantum computer exists (Z), you have a gap. You already know X and Y. You don't need a precise Z to know whether X + Y is large.
The wrong question
"When does the quantum computer arrive?" is uncertain and outside your control. "How long must my data stay secret, and how long will migrating take?" is knowable today — and it's the one that sets your roadmap.
What's already settled
- NIST finalized three standards in 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205).
- The recommended near-term target is a hybrid key exchange — X25519MLKEM768 — secure if either the classical or the lattice half holds.
- CNSA 2.0 names these algorithms and sets a late-decade adoption timeline for national-security systems.
So the math is settled and the targets are named. What's left is the work: inventory your cryptography, rank it by confidentiality lifetime, and migrate the longest-lived surfaces to hybrid first. That's what we're here to help you do — and it starts with seeing where you stand.
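As an added example (not from the original article), here is Mosca's inequality applied to a cryptographic inventory, with Z given as a range of estimates rather than a single date, and the result ranked by X + Y. The asset names, year values and Z range are constructed for illustration, and counting X as 0 for signature-only assets is this example's assumption.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    protects: str           # "confidentiality" (key exchange) or "authentication" (signatures)
    secrecy_years: float    # X: how long the data must stay secret
    migration_years: float  # Y: how long migrating this surface will take

def mosca_triage(assets, z_low, z_high):
    """Rank assets by X + Y and compare each against a range of Z estimates."""
    if z_low > z_high:
        raise ValueError("z_low must not exceed z_high")
    rows = []
    for a in assets:
        # Assumption of this example: recorded traffic gives no head start on
        # forging signatures, so X counts only for confidentiality assets.
        x = a.secrecy_years if a.protects == "confidentiality" else 0.0
        horizon = x + a.migration_years
        if horizon > z_high:
            status = "gap under every estimate"
        elif horizon > z_low:
            status = "gap under early estimates"
        else:
            status = "no gap in range"
        rows.append((a.name, horizon, status))
    # Longest horizon first: these surfaces move to hybrid key exchange first.
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed inventory and Z range, for illustration only (not a forecast).
INVENTORY = [
    Asset("public web TLS", "confidentiality", 1, 1),
    Asset("code-signing certificates", "authentication", 10, 4),
    Asset("backup archive encryption", "confidentiality", 25, 3),
    Asset("site-to-site VPN", "confidentiality", 7, 2),
]

if __name__ == "__main__":
    for name, horizon, status in mosca_triage(INVENTORY, z_low=8, z_high=15):
        print(f"{name:28} X+Y={horizon:>4.0f}  {status}")
```

An asset flagged "gap under every estimate" has a gap regardless of which Z in the range turns out to be right, which is why a precise Z is not needed to prioritize it.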