HNDL Score Methodology
The complete guide to calculating quantum risk exposure using Qryptonic's 7-factor HNDL Score framework. Understand exactly how each factor contributes to your organization's Harvest Now, Decrypt Later risk rating.
What is HNDL Score?
HNDL Score is a quantitative risk metric (0-100) that measures an organization's vulnerability to Harvest Now, Decrypt Later (HNDL) attacks. Developed by Qryptonic, the methodology evaluates seven weighted factors to produce an actionable risk rating that guides post-quantum cryptography migration priorities.
Unlike generic security assessments, HNDL Score specifically models the time-based nature of quantum threats. It answers the critical question: "Given when quantum computers will break current encryption, how urgent is my organization's need to migrate?"
HNDL Score Formula
HNDL Score = Industry(15) + Horizon(25) + Data(15) + Exposure(15) + Crypto(15) + Breadth(10) + Friction(10)
Maximum possible score: 100 points. Higher scores indicate greater HNDL risk exposure.
The 7 Scoring Factors
Each factor is weighted according to its impact on HNDL risk exposure. Confidentiality Horizon carries the highest weight (25%) because it directly determines whether harvested data will still be valuable when quantum decryption becomes available.
1. Industry Sector
15% (15 pts max)
Regulatory exposure and data sensitivity norms for your sector
| Value | Points | Description |
|---|---|---|
| Defense | 15 | CMMC, ITAR, classified systems |
| Federal Government | 14 | FedRAMP, FISMA, NIST 800-53 |
| Critical Infrastructure | 13 | Energy, utilities, transportation |
| Healthcare | 12 | HIPAA, ePHI requirements |
| Financial Services | 11 | PCI, SOX, GLBA compliance |
| SaaS / Technology | 8 | Cloud-native, multi-tenant |
| Other | 6 | Manufacturing, retail, education |
2. Confidentiality Horizon
25% (25 pts max)
How long your most sensitive data must remain confidential
| Value | Points | Description |
|---|---|---|
| 20+ years | 25 | Trade secrets, national security |
| 10-20 years | 20 | Legal holds, IP protection |
| 5-10 years | 14 | Contracts, financial records |
| 2-5 years | 8 | Standard business records |
| Less than 2 years | 3 | Short-lived sessions, temp data |
3. Data Sensitivity
15% (15 pts max)
Types of sensitive data protected by cryptography
| Value | Points | Description |
|---|---|---|
| ePHI (Health Records) | 4 | HIPAA-protected health information |
| PCI (Cardholder Data) | 4 | Payment card industry data |
| Trade Secrets | 4 | Proprietary business information |
| PII (Personal Information) | 3 | Personally identifiable information |
| OT / Industrial Telemetry | 3 | Operational technology data |
| Regulated Logs | 2 | Compliance audit trails |
4. Exposure Surface
15% (15 pts max)
Network exposure level where cryptographic assets operate
| Value | Points | Description |
|---|---|---|
| Internet-Facing | 15 | Public services, customer-facing |
| Mixed | 12 | Internal + external exposure |
| Partner-Facing | 8 | B2B integrations, APIs |
| Internal Only | 4 | Limited external exposure |
5. Cryptographic Posture
15% (15 pts max)
Current state of cryptographic algorithm deployment
| Value | Points | Description |
|---|---|---|
| Mostly RSA/ECC | 15 | Shor-vulnerable algorithms only |
| Not Sure | 12 | Conservative estimate applied |
| Mixed | 10 | Some symmetric, some asymmetric |
| Piloting PQC/Hybrid | 3 | ML-KEM, ML-DSA, hybrid TLS |
6. Deployment Breadth
10% (10 pts max)
How widely cryptography is distributed across systems
| Value | Points | Description |
|---|---|---|
| 6+ locations | 10 | TLS, PKI, VPN, SSH, Identity, Code, Backups, Devices |
| 4-5 locations | 7 | Moderate distribution |
| 2-3 locations | 4 | Limited distribution |
| 1 location | 2 | Concentrated deployment |
7. Change Friction
10% (10 pts max)
Ability to change cryptographic implementations
| Value | Points | Description |
|---|---|---|
| Vendor-Dependent | 10 | Dependent on vendor roadmaps |
| Mixed | 7 | Some control, some dependencies |
| Not Sure | 6 | Conservative estimate applied |
| Self-Controlled | 3 | In-house dev, fast iteration |
Risk Bands & Response Timelines
Your HNDL Score maps to one of four risk bands, each with specific response timelines and recommended actions. These bands help translate abstract risk numbers into concrete migration planning decisions.
| Score | Risk Band | Profile and Recommended Response |
|---|---|---|
| 70-100 | Immediate Readiness Action | Long-lived sensitive data with significant exposure. Inventory and sequence changes now. |
| 50-69 | Near-Term Action (within 12-18 months) | Medium-lived data or moderate exposure. Start inventory, prioritize dependencies, pilot PQC. |
| 30-49 | Planned Program (within 24 months) | Lower exposure or shorter confidentiality horizon. Build inventory, schedule pilots. |
| Below 30 | Monitor | Short confidentiality horizon and low exposure. Maintain inventory, define escalation triggers. |
Why Confidentiality Horizon Matters Most
Confidentiality Horizon carries 25% of the total HNDL Score weight—more than any other factor—because it represents the fundamental physics of HNDL attacks: time.
The HNDL exposure window is calculated as:
HNDL Exposure = Confidentiality Horizon − Time Until CRQC
If your data must stay secret for 15 years and CRQC arrives in 8 years, you have a 7-year HNDL exposure window where adversaries can decrypt harvested data.
High Risk Example
Trade secrets with 20+ year value: Even conservative CRQC estimates (2035-2040) create a significant exposure window. Data harvested today remains valuable when decrypted.
Lower Risk Example
Session tokens with 24-hour lifetime: Even if harvested, the data expires long before CRQC availability. The HNDL exposure window is effectively zero.
HNDL Score vs. Other Risk Frameworks
HNDL Score complements existing risk frameworks by adding quantum-specific temporal modeling that traditional assessments lack.
| Framework | Quantum Timeline | HNDL Modeling | Best For |
|---|---|---|---|
| HNDL Score | Yes | Yes | Quantum migration prioritization |
| NIST CSF | No | No | General cybersecurity posture |
| ISO 27001 | No | No | Information security management |
| FAIR | Partial | No | Financial risk quantification |
Frequently Asked Questions
What is an HNDL Score?
An HNDL Score is a 0-100 risk metric measuring vulnerability to Harvest Now, Decrypt Later attacks. Developed by Qryptonic, it uses 7 weighted factors: Industry (15%), Confidentiality Horizon (25%), Data Sensitivity (15%), Exposure Surface (15%), Crypto Posture (15%), Deployment Breadth (10%), and Change Friction (10%). Scores 70+ require immediate action, 50-69 near-term action, 30-49 planned programs, below 30 monitoring.
How is HNDL Score calculated?
HNDL Score sums weighted points across 7 factors: (1) Industry sector regulatory exposure 0-15 points, (2) Confidentiality horizon duration 0-25 points, (3) Data type sensitivity 0-15 points, (4) Network exposure surface 0-15 points, (5) Current cryptographic posture 0-15 points, (6) Crypto deployment breadth 0-10 points, (7) Change friction/vendor dependency 0-10 points. Maximum possible: 100 points.
What HNDL Score indicates high risk?
HNDL Scores 70-100 indicate Immediate Readiness Action required - organizations have long-lived sensitive data with significant exposure. Scores 50-69 require Near-Term Action within 12-18 months. Scores 30-49 call for Planned Programs within 24 months. Scores below 30 require monitoring with defined escalation triggers.
Why is Confidentiality Horizon the largest factor?
Confidentiality Horizon carries 25% weight because it directly determines HNDL exposure window. Data requiring 20+ year confidentiality faces immediate risk - adversaries can harvest it today and wait for quantum computers. Short-lived data (under 2 years) may expire before CRQC becomes available, dramatically reducing HNDL risk.
What industries have highest HNDL Scores?
Defense (15 points), Federal Government (14 points), and Critical Infrastructure (13 points) receive highest industry weights due to national security implications and long data retention requirements. Healthcare (12 points) and Financial Services (11 points) follow due to regulatory requirements. SaaS companies (8 points) typically have shorter data lifecycles.
How do I lower my HNDL Score?
Lower HNDL Score by: (1) Piloting PQC/hybrid cryptography (-12 points vs RSA/ECC), (2) Reducing confidentiality requirements where possible, (3) Limiting internet exposure for sensitive systems, (4) Consolidating crypto implementations to reduce deployment breadth, (5) Gaining control over vendor-dependent cryptography. Use the free Qryptonic HNDL Calculator for personalized recommendations.
Calculate Your HNDL Score
Use our free interactive calculator to assess your organization's quantum risk exposure in 5 minutes. Get a personalized HNDL Score with actionable recommendations.