
Methodology & Proof Points

Our methodology combines automated scanning, quantum hardware testing, and expert analysis to uncover cryptographic vulnerabilities and quantify their business impact.

To date: 2,300+ critical cryptographic vulnerabilities identified across 50+ enterprise engagements, averaging ~47 critical findings per client. No organization has yet achieved a clean bill of health under the $2M Challenge — every assessment to date (50+) has identified critical or high-severity findings.

Figure: Quantum Security dashboard highlighting ephemeral key leaks and risk metrics. The dashboard shows Ephemeral Key Exposures, Attack Velocity (12-16h for RSA-2048 with leaked bits) and Financial Impact (~$32.2M risk exposure), and feeds the Board Number risk decision matrix.

1. Board-Level Risk Modeling (“Board Number”)

We provide a probability-weighted exposure model that translates technical findings into a single board-ready risk metric. This model incorporates the likelihood of a cryptographically-induced breach (accounting for emerging quantum capabilities) and the business impact of such a breach. Our assessment engine runs 53 analysis modules (including 12 quantum-specific checks) to compute this risk in financial terms.

How the score works

  • Quantum Exposure Window: Time-to-CRQC probability distribution, sourced from Global Risk Institute expert-elicitation data (32 experts, 5-14% probability by 2029, December 2024)
  • Loss equation: Expected Loss = Σ_i ( Asset Class_i × P(CRQC within window) × Exposure_i × Residual Control Factor_i )
  • Present value: Discounted at a customer-configurable rate, with both undiscounted (risk appetite) and discounted (NPV) views provided
  • Quantum Exposure Score (0-100): Normalized composite derived from expected loss and confidence bounds

A typical engagement might reveal a 5-14% probability of catastrophic, irreversible data exposure due to quantum-vulnerable encryption — a level of risk that exceeds any reasonable appetite. By quantifying exposure in dollars and probability, boards can act on math, not fear.

All assumptions (asset value, threat timelines, discount rates) and intermediate calculations are documented so the math survives audit scrutiny. Breach cost baseline: $4.88M global average (IBM/Ponemon 2024). Regulatory timeline: NIST IR 8547 deprecation path through 2035; OMB M-23-02 federal mandate. HNDL threat analysis methodology informed by Federal Reserve research (2025) and G7 Cyber Expert Group roadmap.
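To make the loss equation and the two present-value views concrete, here is an added example in Python. It is not the vendor's assessment engine: the CRQC probability curve, the asset classes and the discounting convention (each class discounted over its own retention window, to the year it stops needing protection) are constructed assumptions, labelled as such in the code.

```python
"""Added example (not the page's engine): probability-weighted exposure model in the
shape of the documented loss equation
    Expected Loss = sum_i AssetClass_i * P(CRQC within window) * Exposure_i * RCF_i
with an undiscounted view and an NPV view. All inputs below are constructed."""
from dataclasses import dataclass


@dataclass
class AssetClass:
    name: str
    value_usd: float          # Asset Class_i: dollar value of the data class at stake
    exposure: float           # Exposure_i: share protected only by quantum-vulnerable crypto (0..1)
    residual_control: float   # Residual Control Factor_i: 1.0 = no compensating control, 0.0 = fully mitigated
    retention_years: int      # how long the data must stay confidential (sets the exposure window)


# ASSUMPTION: a constructed cumulative P(CRQC exists by year). The page sources its
# curve from Global Risk Institute expert elicitation; these numbers are placeholders.
CRQC_CUMULATIVE = {2027: 0.03, 2029: 0.10, 2032: 0.25, 2035: 0.50, 2040: 0.80}


def p_crqc_within(window_end: int, curve=CRQC_CUMULATIVE) -> float:
    """P(CRQC within window): cumulative probability at the last curve point
    at or before the year the data stops needing protection (0 before the first point)."""
    p = 0.0
    for year in sorted(curve):
        if year <= window_end:
            p = curve[year]
    return p


def expected_loss(assets, current_year=2025, curve=CRQC_CUMULATIVE):
    """Undiscounted expected loss per asset class and in total (the 'risk appetite' view)."""
    per_class = {}
    for a in assets:
        p = p_crqc_within(current_year + a.retention_years, curve)
        per_class[a.name] = a.value_usd * p * a.exposure * a.residual_control
    return per_class, sum(per_class.values())


def present_value(amount: float, years: int, rate: float) -> float:
    """Discount a loss realised `years` from now at the customer-configurable rate."""
    return amount / (1 + rate) ** years


def board_number(assets, current_year=2025, discount_rate=0.08, curve=CRQC_CUMULATIVE) -> dict:
    """Both views side by side. ASSUMPTION: each class's loss is discounted over its own
    retention window, i.e. as if realised at the end of the window."""
    per_class, undiscounted = expected_loss(assets, current_year, curve)
    npv_total = sum(present_value(per_class[a.name], a.retention_years, discount_rate) for a in assets)
    return {
        "per_class_usd": {k: round(v, 2) for k, v in per_class.items()},
        "undiscounted_usd": round(undiscounted, 2),
        "npv_usd": round(npv_total, 2),
        "discount_rate": discount_rate,
    }


# Constructed sample inventory, not client data.
SAMPLE_ASSETS = [
    AssetClass("customer PII", 50_000_000, exposure=0.6, residual_control=0.8, retention_years=10),
    AssetClass("payment records", 20_000_000, exposure=1.0, residual_control=0.5, retention_years=7),
    AssetClass("public marketing content", 1_000_000, exposure=0.2, residual_control=1.0, retention_years=1),
]

if __name__ == "__main__":
    import json
    print(json.dumps(board_number(SAMPLE_ASSETS), indent=2))
```

With the sample inputs the PII class dominates (window to 2035, where the constructed curve reaches 50%), the short-lived marketing content contributes nothing because its window closes before the first curve point, and the NPV view is roughly half the undiscounted figure at 8%; swapping in the customer's own curve and rate is the point of keeping them as parameters.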

2. Quantum Hardware Validation

When analysis flags a potential weakness exploitable by a quantum adversary, we go beyond simulation — we execute test attacks on actual quantum computers to validate the threat. Our platform orchestrates live cryptographic tests across multi-cloud quantum resources: IBM Quantum, AWS Braket, Azure Quantum, Google Quantum AI, IonQ, D-Wave, Quantinuum, and Rigetti.

Evidence included in reports

  • Provider job artifacts: Backend name, job ID (or hash + verification method), timestamp, qubit count, circuit depth, shot count, result metadata
  • Circuit evidence: Diagram screenshots and/or exported OpenQASM format with sensitive labels removed
  • Console screenshots: Per-provider showing backend, job ID, and completion status
  • Integrity controls: Published hashes of evidence files for post-engagement verification
  • Reproducibility: “Run these same circuits” appendix for independent review

Any finding that requires quantum computation to fully evaluate is run on physical quantum processors — not theoretical models. This ensures identified quantum risks are backed by experimental proof, increasing confidence in remediation priorities.
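The integrity-controls bullet above (published hashes of evidence files so that a reviewer can verify the artifacts after the engagement) is easy to reproduce independently. The following is an added example, not the vendor's tooling: it builds a SHA-256 manifest of an evidence directory and later verifies it, reporting modified, missing and unlisted files. The evidence files it writes are constructed stand-ins with placeholder names.

```python
"""Added example (not the page's tooling): evidence manifest with published hashes.
Files, names and contents in demo() are constructed placeholders."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large job-result dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root. Paths are stored relative to root so the
    manifest stays valid when the evidence bundle is moved or unpacked elsewhere."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = {"sha256": sha256_file(p), "bytes": p.stat().st_size}
    return {"version": 1, "algorithm": "sha256", "files": files}


def verify_manifest(manifest: dict, root: Path) -> dict:
    """Per-file status: 'ok', 'modified' or 'missing' for listed files,
    'unexpected' for files present in the bundle but absent from the manifest."""
    status = {}
    for rel, meta in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            status[rel] = "missing"
        elif sha256_file(p) != meta["sha256"]:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    listed = set(manifest["files"])
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in listed:
            status[rel] = "unexpected"
    return status


def demo() -> dict:
    """Build a manifest over a constructed evidence bundle, then tamper with the
    bundle and verify again. Returns both verification results."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "jobs").mkdir()
        # Constructed placeholders: not real provider job ids or circuits.
        (root / "jobs" / "job_PLACEHOLDER.json").write_text(
            json.dumps({"backend": "BACKEND_PLACEHOLDER", "shots": 4000, "status": "DONE"}))
        (root / "circuit.qasm").write_text(
            'OPENQASM 2.0;\ninclude "qelib1.inc";\nqreg q[2];\nh q[0];\ncx q[0],q[1];\n')

        published = json.dumps(build_manifest(root), indent=2, sort_keys=True)  # what gets published
        before = verify_manifest(json.loads(published), root)

        # Simulate post-engagement drift: one file edited, one removed, one added unlisted.
        (root / "circuit.qasm").write_text("OPENQASM 2.0;\n")
        (root / "jobs" / "job_PLACEHOLDER.json").unlink()
        (root / "notes.txt").write_text("added after the manifest was published\n")
        after = verify_manifest(json.loads(published), root)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should be published out of band (in the report PDF or a signed release) rather than inside the bundle it describes, which is why demo() keeps it in memory instead of writing it into the evidence directory.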

Video: Multi-cloud quantum execution workflow showing circuit submission, real-time job monitoring across 8 platforms, and result aggregation into findings report.

Quantum hardware execution across IBM Quantum, AWS Braket, Azure Quantum, IonQ, and additional platforms.

3. Deliverables & Sample Reports

Qscout26 Pack (7-day assessment)

  • Executive summary with Quantum Exposure Score and exposure window
  • Full cryptographic vulnerability inventory
  • CBOM (Cryptographic Bill of Materials) excerpt
  • TLS and certificate findings
  • Prioritized remediation roadmap
  • Machine-readable exports (JSON, SARIF)
  • Board-ready recommendations mapped to compliance frameworks

Qstrike26 Pack (90-120 day testing)

  • Executive summary with exploitation narrative
  • Proof-of-concept evidence for key vulnerabilities
  • Complete CBOM mapping with dependency impact
  • Quantum hardware job artifacts and circuit evidence
  • Screenshots of sensitive material found (e.g. key fragments in memory)
  • Migration guidance handoff notes for Qsolve26
  • Re-test validation after remediation

What we do not include in samples: No private keys, no customer traffic, no internal hostnames, no sensitive architecture diagrams.

Request Sample Deliverables

Redacted sample reports available upon request. Includes Board Number calculation, CBOM excerpt, and quantum exploit evidence from sanitized Fortune 1000 engagements.

4. Independent Third-Party Validation

Our methodology is independently reviewed and validated by reputable third parties. We engage external cybersecurity experts to perform an annual methodology audit, ensuring our scanning techniques, quantum testing, and risk models are sound.

Validation structure

  • Annual methodology review: Reviewer identity, scope, and limitations documented
  • $2M Challenge validation: If zero critical findings, results undergo independent third-party review before any payout (contractually required)
  • Financial backing: The $2M challenge is backed by company financial reserves and insurance underwriting
  • Revalidation: Methodology reviewed against current NIST PQC standards (FIPS 203, 204, 205) and latest transition guidance annually

Third-party review letters and methodology peer reviews are available upon request for procurement, audit, and risk committees. Customer auditors and CISO teams are invited to observe testing. Our methodology has been reviewed by security researchers at major technology companies — references available under NDA.

5. Comparison with Traditional Scanners

Traditional scanners (Nessus, Qualys, Burp) excel at known CVEs and configuration checks. They don't assess quantum risk, HNDL exposure, or PQC readiness. Here's what Qscout26 finds that others miss:

Finding types reported by Qscout26 and not by Nessus, Qualys or Burp:

  • HNDL Risk Score (Harvest Now Decrypt Later timeline)
  • Post-Quantum Cryptography gaps (ML-KEM, ML-DSA, SLH-DSA)
  • Hybrid TLS detection (X25519Kyber768, ML-KEM hybrids)
  • Email infrastructure quantum risk (DKIM RSA-1024, DANE, MTA-STS)
  • Enterprise crypto inventory (KMS/Vault/HSM audit)
  • Service mesh crypto posture (mTLS, Istio/Linkerd)
  • Crypto drift over time (CT log replay, config changes)
  • Quantum migration deadlines (industry-specific timelines)

Real Example: Same Target, Different Results

Nessus / Qualys Output

TLS 1.2 Enabled

Certificate Valid

No vulnerabilities found

Qscout26 Output

HIGH — HNDL Risk Assessment

Data retention: 10yr, Quantum break: 2030-2035

Action: Begin PQC migration planning NOW

HIGH — Quantum Risk Score: 50/100

RSA-2048 certificates vulnerable to Shor's

ECDHE-P256 vulnerable to quantum attack

MEDIUM — No Hybrid TLS Support

Missing X25519Kyber768 for quantum resistance

The same “secure” site that passes traditional scans has critical quantum exposure that Qscout26 quantifies with actionable deadlines. On average, 30-40% of our critical findings are not present in traditional scanner output (based on 50+ engagements).

Detailed finding-by-finding comparison breakdowns available upon request.

6. Quantum Proof-of-Work Finding

Each engagement includes at least one deep-dive finding demonstrating how a real quantum attack could succeed given a specific vulnerability. We do not claim that today's quantum hardware can trivially break strong crypto like RSA-2048 on its own. Instead, we focus on scenarios where a classical vulnerability (e.g. leaked key material) dramatically reduces problem complexity, and then use quantum computing to finish the attack.

Example: Ephemeral key leak + quantum factorization

  1. Classical analysis discovers partial RSA private key fragments in debug logs (ephemeral key leak)
  2. Leaked bits reduce RSA-2048 factorization from computationally infeasible to achievable within hours
  3. Multiple quantum computers orchestrated to run actual decryption algorithm on reduced-strength instance
  4. Successful factorization achieved at ~99% fidelity compared to theoretical predictions
  5. Report includes quantum circuit details, output evidence, and scaling limitations

What we claim: Classical techniques find the vulnerability. Quantum execution validates its real-world exploitability. This gives clients a concrete proof-of-work for the most critical quantum-relevant weakness in their environment.

Current quantum hardware cannot break production RSA-2048 wholesale. Our testing validates exploit mechanics where classical shortcuts (key leaks, weak entropy, implementation flaws) reduce the problem to quantum-feasible complexity. This distinction is documented explicitly in every report.

7. PQC in Production: Verified Implementations

The public record on PQC migrations is thin but growing. Most organizations treat these projects as competitive intelligence. These verified implementations prove PQC works in production — and reveal the real challenges enterprises face.

Technology

Cloudflare

Hybrid X25519+Kyber on all edge servers (Oct 2022). By March 2025, 38% of HTTPS traffic encrypted with PQC algorithms (Cloudflare Radar). Encountered middlebox failures after Chrome 124 release.

Apple (iMessage PQ3)

PQ3 deployed March 2024. Combines post-quantum initial key establishment with three ongoing ratchets. Formally verified with ETH Zürich's Tamarin tool.

Google Chrome

X25519Kyber768 enabled by default in Chrome 124 (April 2024). Reported 4% TLS handshake slowdown from additional 1.1-1.2kB per direction (Google, 2024).

AWS

ML-KEM for hybrid PQC key agreement deployed across KMS, Secrets Manager, and Certificate Manager in all regions (non-FIPS endpoints).

Financial Services

JPMorgan Chase

Implemented quantum-secured crypto-agile network (Q-CAN) connecting two data centers. Third quantum node established as research platform. Uses both PQC and QKD as layered defense.

HSBC + Quantinuum

Production PQC-VPN tunnel in gold tokenization environment. Observed minimal performance impact irrespective of data size. Demonstrated PQC can protect DLT without re-architecture.

Documented Challenges

  • Middlebox failures: Devices that don't correctly implement TLS malfunction when offered PQC options (Cloudflare/Chrome 124)
  • Handshake overhead: 4% TLS slowdown from larger key exchanges (Google)
  • Hybrid maintenance: 20-40% additional staff time for dual-algorithm management (MDPI research)
  • Timeline reality: 5-7 years for small enterprises, 8-12 for medium, 12-15+ for large (baseline estimates)

What remains missing: No enterprise has published a complete end-to-end migration with costs, timelines, and lessons learned. That gap is where Qsolve26 operates — providing the structured advisory, vendor competition, and trained staff that turn proof-of-concepts into production deployments.

8. HNDL Risk Calculator Methodology

The Harvest Now, Decrypt Later (HNDL) Risk Calculator provides organizations with a transparent, input-driven assessment of their quantum risk exposure. This section documents the complete scoring methodology for audit and procurement review.

Assessment Inputs

| Input | Options | Purpose |
| --- | --- | --- |
| Data Sensitivity | Public, Internal, Confidential, Restricted, Top Secret | Base risk weighting by data classification |
| Data Retention | 1, 3, 5, 7, 10, 15, 20+ years | How long data must remain confidential |
| Adversary Capability | Low, Medium, High, Nation-State | Expected threat actor sophistication |
| Timeline Scenario | Early (2027), Planning (2030), Late (2038) | CRQC emergence assumption (user-selected) |
| Migration Complexity | Agile (2yr), Typical (3yr), Complex (5yr), Regulated (8yr) | Estimated time to complete PQC migration |
| Buffer Years | 0, 1, 2, 3 years | Safety margin for migration delays |
| Crypto Inventory | RSA, ECDSA, ECDH, AES, SHA, 3DES, MD5, custom | Algorithms in current environment |
| TLS Findings | TLS version, cipher suites, certificate details | Present-day cryptographic posture |

Timeline Scenarios

The calculator does not predict when CRQC will arrive. Instead, users select from three planning scenarios based on their risk tolerance:

Early (2027)

Conservative assumption. Assumes CRQC could emerge within 2-3 years. Appropriate for high-sensitivity data with long retention requirements.

Planning (2030)

Consensus estimate aligned with NIST/NSA guidance. Used by most enterprises for migration planning baseline.

Late (2038)

Optimistic assumption. May be appropriate for organizations with low-sensitivity data and short retention periods.

Risk Factor Weights

The composite risk score combines six weighted factors. Weights are fixed and documented:

  • Data Sensitivity: 25%
  • Future Decrypt Risk: 20%
  • Present Crypto Hygiene: 10%
  • Timeline Proximity: 25%
  • Data Retention Period: 10%
  • Adversary Capability: 10%

Cryptographic Vulnerability Scoring

Algorithms are scored separately for Shor-vulnerability (future quantum threat) and present-day hygiene debt:

Shor-Vulnerable (Future Risk)

  • RSA-1024: 100
  • RSA-2048: 90
  • RSA-4096: 80
  • ECDSA P-256: 85
  • ECDH P-384: 75
  • ML-KEM (PQC): 0

Present Hygiene Debt

  • 3DES: 100
  • MD5: 100
  • SHA-1: 80
  • TLS 1.0/1.1: 100
  • TLS 1.2 (weak cipher): 50
  • TLS 1.3: 0

Migration Deadline Calculation

The “start by” deadline is calculated as:

Deadline = Scenario_Year − Migration_Years − Buffer_Years

Example: Planning scenario (2030) with Complex migration (5yr) and 2yr buffer = Start by 2023. If current year is 2025, the organization is already 2 years behind the recommended start date.

Risk Level Thresholds

  • Critical: Score ≥ 80
  • High: Score ≥ 60
  • Medium: Score ≥ 40
  • Low: Score < 40
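The weights, algorithm scores, scenario years, migration durations, deadline formula and level thresholds above are enough to run the calculator end to end. The following Python is an added example, not the vendor's calculator: everything the page specifies is copied as given, while the point mappings for the categorical inputs (sensitivity, adversary, retention), the "weakest algorithm wins" combination for the two crypto factors, and the timeline-proximity curve are assumptions marked as such in the code.

```python
"""Added example (not the page's calculator): HNDL risk score in the documented shape.
Page-specified constants are marked 'from the page'; everything else is an assumption."""
import json
from dataclasses import dataclass, field

# From the page: fixed factor weights (sum to 100%).
WEIGHTS = {
    "data_sensitivity": 0.25, "future_decrypt_risk": 0.20, "present_crypto_hygiene": 0.10,
    "timeline_proximity": 0.25, "data_retention_period": 0.10, "adversary_capability": 0.10,
}
# From the page: Shor-vulnerability (future risk) and present hygiene-debt scores.
SHOR_SCORES = {"RSA-1024": 100, "RSA-2048": 90, "RSA-4096": 80,
               "ECDSA P-256": 85, "ECDH P-384": 75, "ML-KEM": 0}
HYGIENE_SCORES = {"3DES": 100, "MD5": 100, "SHA-1": 80,
                  "TLS 1.0/1.1": 100, "TLS 1.2 (weak cipher)": 50, "TLS 1.3": 0}
# From the page: scenario years and migration durations.
SCENARIO_YEAR = {"Early": 2027, "Planning": 2030, "Late": 2038}
MIGRATION_YEARS = {"Agile": 2, "Typical": 3, "Complex": 5, "Regulated": 8}

# ASSUMPTION: point values for the categorical inputs (not on the page).
SENSITIVITY_POINTS = {"Public": 0, "Internal": 25, "Confidential": 50, "Restricted": 75, "Top Secret": 100}
ADVERSARY_POINTS = {"Low": 25, "Medium": 50, "High": 75, "Nation-State": 100}


@dataclass
class Inputs:
    sensitivity: str
    retention_years: int
    adversary: str
    scenario: str
    migration: str
    buffer_years: int
    crypto_inventory: list = field(default_factory=list)
    tls_findings: list = field(default_factory=list)
    current_year: int = 2025


def migration_deadline(scenario_year: int, migration_years: int, buffer_years: int) -> int:
    """From the page: Deadline = Scenario_Year - Migration_Years - Buffer_Years."""
    return scenario_year - migration_years - buffer_years


def risk_level(score: float) -> str:
    """From the page: >=80 Critical, >=60 High, >=40 Medium, else Low."""
    if score >= 80:
        return "Critical"
    if score >= 60:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def factor_scores(i: Inputs) -> dict:
    window_end = i.current_year + i.retention_years
    scenario_year = SCENARIO_YEAR[i.scenario]
    # ASSUMPTION: the two crypto factors take the worst algorithm present (weakest link);
    # names absent from a table score 0 in it (AES, for instance, is not Shor-vulnerable).
    future = max([SHOR_SCORES.get(a, 0) for a in i.crypto_inventory], default=0)
    hygiene = max([HYGIENE_SCORES.get(a, 0) for a in i.crypto_inventory + i.tls_findings], default=0)
    # ASSUMPTION: proximity is 100 when the data must stay secret past the scenario year
    # and falls linearly to 0 when the window closes 10 or more years before it.
    shortfall = max(0, scenario_year - window_end)
    proximity = 100 * max(0.0, 1 - shortfall / 10)
    return {
        "data_sensitivity": SENSITIVITY_POINTS[i.sensitivity],
        "future_decrypt_risk": future,
        "present_crypto_hygiene": hygiene,
        "timeline_proximity": proximity,
        "data_retention_period": min(100, 5 * i.retention_years),  # ASSUMPTION: 20+ years saturates
        "adversary_capability": ADVERSARY_POINTS[i.adversary],
    }


def assess(i: Inputs) -> dict:
    factors = factor_scores(i)
    score = sum(WEIGHTS[k] * v for k, v in factors.items())
    deadline = migration_deadline(SCENARIO_YEAR[i.scenario], MIGRATION_YEARS[i.migration], i.buffer_years)
    return {"score": round(score, 1), "level": risk_level(score), "factors": factors,
            "start_by": deadline, "years_behind": max(0, i.current_year - deadline)}


# Constructed sample: the page's own deadline example (Planning, Complex, 2yr buffer, 2025).
SAMPLE = Inputs(sensitivity="Confidential", retention_years=10, adversary="High",
                scenario="Planning", migration="Complex", buffer_years=2,
                crypto_inventory=["RSA-2048", "ECDSA P-256", "AES-256", "SHA-1"],
                tls_findings=["TLS 1.2 (weak cipher)"])

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE), indent=2))
```

For the sample, the deadline comes out as 2030 − 5 − 2 = 2023, two years behind a 2025 start, matching the page's worked example; the score lands at 76 (High), driven by the RSA-2048 future-decrypt factor and a retention window that outlives the planning scenario.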

Scope & Limitations

What This Calculator Does NOT Do

  • Does not predict CRQC timing. Users select their planning scenario; the calculator does not claim to know when quantum computers will break cryptography.
  • Does not replace a full assessment. This is a prioritization tool based on self-reported inputs, not a vulnerability scan or penetration test.
  • Does not guarantee accuracy. Output quality depends on input accuracy. Garbage in, garbage out.
  • Does not provide compliance certification. Results may inform compliance planning but do not constitute certification under any framework.

External Sources & References

All calculator outputs include timestamp, version number, and complete input summary for audit trail purposes. The downloadable evidence summary provides a portable record suitable for internal documentation and compliance planning.

Redacted sample reports, third-party review letters, and scanner comparison data available under NDA.