Post-Quantum Cryptography (PQC)
What is Post-Quantum Cryptography (PQC)?
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to remain secure against attacks from quantum computers. A sufficiently powerful quantum computer running Shor's algorithm could break widely deployed public-key cryptography systems (RSA, ECC, Diffie-Hellman) far faster than classical computers. In 2024, NIST finalized the first three post-quantum cryptographic standards: ML-KEM (CRYSTALS-Kyber), ML-DSA (CRYSTALS-Dilithium), and SLH-DSA (SPHINCS+), launching the migration from current encryption standards to quantum-resistant algorithms. While cryptographically relevant quantum computers do not yet exist, the threat is real and imminent for long-lived secrets because of 'harvest now, decrypt later' attacks.
Description
The urgency of PQC migration is driven by 'harvest now, decrypt later' (HNDL) attacks — a strategy where adversaries, particularly nation-state threat actors, collect and store encrypted communications or data today with the intention of decrypting them once sufficiently powerful quantum computers are available. For data that must remain confidential for 10-20 years — classified government information, long-term financial records, intellectual property, medical data — the threat is actionable now. U.S. federal agencies are required to inventory cryptographic dependencies and begin PQC migration planning under NSM-10. Financial regulators, including those under DORA in the EU, are incorporating quantum risk into operational resilience requirements. PQC migration is a significant engineering undertaking: organizations must inventory all cryptographic usage (SSL/TLS, code signing, VPN, SSH, data-at-rest encryption), identify which systems use vulnerable algorithms, and plan phased migration to NIST-approved PQC standards. Cryptographic agility — designing systems to swap encryption algorithms without full re-architecture — is a key principle for future-proofing security investments. The AI security intersection is emerging: AI Bills of Materials (AI BOMs) are beginning to include Cryptographic BOMs to track cryptographic algorithm usage alongside software component inventories, connecting PQC migration tracking to the broader software bill of materials practice.
Usage and Examples
A financial services organization begins a PQC readiness assessment. The first step — cryptographic inventory — reveals that TLS 1.2 with RSA-2048 key exchange is used on 847 internal and external endpoints; SSH with RSA-2048 is used for server administration across 300 systems; and customer data at rest is encrypted with AES-256 (quantum-resistant) but the key management infrastructure uses RSA for key wrapping (quantum-vulnerable). The assessment prioritizes the key management infrastructure as the highest-risk item — a quantum computer does not need to break all 847 TLS connections if it can break the key management system that protects the master keys. Migration planning begins with hybrid key exchange (classical + post-quantum) for new deployments while existing systems are inventoried for priority migration scheduling. Organizations with compliance obligations should also review vendor cryptographic practices as part of their third-party risk management programs.
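The inventory-and-prioritize step from the scenario above, as an added example (not code from Evolve Security or any tool named on this page). The name prefixes, usage labels, weights and the single key-management entry are illustrative assumptions.

```python
from dataclasses import dataclass

# Simplified name prefixes. The vulnerable families and the PQC standards are
# the ones named on this page; AES-256 is the page's quantum-resistant example.
SHOR_VULNERABLE = ("RSA", "EC", "DH")
PQC_STANDARDS = ("ML-KEM", "ML-DSA", "SLH-DSA")
SYMMETRIC_OK = ("AES-256",)

# Assumed, illustrative weights: what a break of this usage would expose.
# Key wrapping ranks first because it protects the master keys.
USAGE_WEIGHT = {"key-wrapping": 100, "key-exchange": 10, "authentication": 5}

@dataclass
class Finding:
    asset: str
    usage: str
    algorithm: str
    endpoints: int

def classify(algorithm: str) -> str:
    """Label one algorithm string from the inventory."""
    parts = [p.strip().upper() for p in algorithm.split("+")]
    has_pqc = any(p.startswith(PQC_STANDARDS) for p in parts)
    if has_pqc:
        return "hybrid" if len(parts) > 1 else "pqc"
    if any(p.startswith(SHOR_VULNERABLE) for p in parts):
        return "quantum-vulnerable"
    if all(p.startswith(SYMMETRIC_OK) for p in parts):
        return "quantum-resistant"
    return "needs-review"  # unknown name: never assume it is safe

def prioritize(findings):
    """Quantum-vulnerable findings, highest migration priority first."""
    vulnerable = [f for f in findings
                  if classify(f.algorithm) == "quantum-vulnerable"]
    return sorted(vulnerable, reverse=True,
                  key=lambda f: (USAGE_WEIGHT.get(f.usage, 0), f.endpoints))

# Constructed inventory using the figures from the scenario above. The single
# key-management entry and the usage labels are assumptions.
INVENTORY = [
    Finding("tls-endpoints", "key-exchange", "RSA-2048", 847),
    Finding("ssh-admin", "authentication", "RSA-2048", 300),
    Finding("data-at-rest", "bulk-encryption", "AES-256", 1),
    Finding("key-management", "key-wrapping", "RSA-2048", 1),
]

if __name__ == "__main__":
    for rank, f in enumerate(prioritize(INVENTORY), start=1):
        print(rank, f.asset, f.usage, f.algorithm, f.endpoints)
```

Sorting on usage weight before endpoint count is what puts the one key-management system ahead of the 847 TLS endpoints.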
How Does This Relate to Penetration Testing?
Cryptographic security assessment is a component of comprehensive security engagements. During application penetration testing and network assessments, Evolve Security testers evaluate SSL/TLS configurations, cipher suite selection, certificate key lengths, and SSH algorithm configurations. They identify cryptographic weaknesses that represent current risk (weak ciphers, expired certificates, susceptibility to downgrade attacks) and flag quantum-vulnerable configurations for PQC migration planning. Evolve Security's Advisory services help organizations assess cryptographic exposure and develop PQC migration roadmaps, translating NIST standards and regulatory guidance into actionable technical migration plans.

