It's Friday evening. Your CEO is scrolling LinkedIn or the front page of the Journal and sees the headline: the Trump administration just put roughly $2 billion into nine quantum computing companies, anchored by an IBM-led $1 billion U.S. quantum chip foundry. By Sunday night, the CEO has forwarded it to the CFO. By Monday morning, it's on your calendar.
"How exposed are we?"
This is the post for the IT manager, head of security, CISO, or platform lead who needs an answer ready. Not next quarter. Monday. The plan below takes about an hour of focused work and produces three things you can put in front of an executive team: a concrete readiness score, a list of the highest-risk systems, and a phased remediation plan with rough budget envelopes.
Be the person who had the answer ready. The alternative — "we'll get back to you" — is how this conversation ends with a consultant in the room next week instead of you.
Before you write a single slide, run your primary public domain through QVS. You'll get a 0-100 quantum readiness score and a list of every vulnerable algorithm your TLS handshake exposes. Use the score as the headline number in your briefing.
Before you walk in, know the underlying story so you can speak to it with authority instead of from a single headline. The relevant facts:
Your CEO doesn't need all six bullets. They need the connection: a foundry-scale industrial commitment compresses the timeline to a working quantum computer, which compresses the timeline to migrate the encryption protecting our business.
Don't open with Shor's algorithm. Open with risk and money.
The three sentences to memorize for the meeting:
"Most of our encryption today is built on math that quantum computers will break. The U.S. government just put $2 billion into making those computers happen faster. We have a real but manageable migration path, and I can show you exactly where we stand."
Then pivot to specifics. Three categories of exposure:
Open QVS. Paste your primary public domain. Hit scan. You will get:
Repeat for: your authentication endpoint, your API base URL, your single-sign-on provider's customer-facing endpoint, and three of your highest-value internal applications (run those internally over a corporate-network endpoint if they're not public).
Now you have a sample. You don't need to scan everything — you need enough data to project the shape of the problem. Six to ten scans give you a defensible "X% of our public surface is currently using quantum-vulnerable cryptography" statistic. That's the number that lands in a board meeting.
Executives want a structure that fits on a single slide. Here it is.
| Phase | Timeline | What we do | Approximate budget envelope |
|---|---|---|---|
| Discovery | Q2 2026 — Q3 2026 | Cryptographic bill of materials (CBOM) for all systems | 1-2 FTE-quarters internally; optional vendor scan |
| Hybrid TLS | Q4 2026 — Q1 2027 | Roll out hybrid post-quantum key exchange on edge servers | Config work; ~1 FTE-quarter per major platform |
| Signature pilots | Q2 2027 — Q4 2027 | ML-DSA for code signing, internal CAs, JWT auth | ~2 FTE-quarters; HSM firmware updates |
| External migration | 2028 — 2029 | ML-DSA certificates externally when public CAs broadly issue them | Vendor-coordinated; budget alongside normal cert renewal cycle |
| Deadline | 2030 | No new RSA/ECDH/ECDSA in any system we control | — |
You're not asking for a multi-million-dollar program in this first meeting. You're asking for:
"Are we behind?" Most organizations are. Cloudflare, Apple, Google, Signal, OpenSSH, and large AWS-fronted services have started; the long tail is nowhere. The honest answer is usually "we're roughly in the middle — not behind, not ahead — and the announcement is the trigger to move forward."
"Why now? Quantum computers don't exist yet." Because of harvest-now-decrypt-later. Encrypted traffic captured today can be decrypted later. Anything with a confidentiality lifetime past 2030 is at risk now, not in the future.
"What does this cost?" The discovery phase is small — engineering time and possibly a vendor scan. Hybrid TLS is a configuration change, not a software purchase. The expensive parts (HSM firmware, certificate authority migration, signing-pipeline changes) ride alongside normal hardware refresh and certificate renewal cycles if you start in the next two quarters. The cost of not starting is unbounded — a forced migration in 2029 under regulatory pressure costs an order of magnitude more.
You don't know exactly when a cryptographically relevant quantum computer arrives. Nobody does. The expert consensus has shifted from "mid-2030s" to "2030-2032, possibly earlier" over the last two years, and a $2B-plus federal acceleration shifts it again — but it's still a probability distribution, not a calendar date.
Frame it as risk management, not prediction. "There is enough probability mass in the 2028-2032 window that we cannot responsibly ignore it. The migration takes three to four years. The math says we start now."
Open with the connection between the news and the business: most of our encryption today is built on math that quantum computers will break, and the federal government just put $2B into making those computers happen faster. Then pivot to specifics: what is exposed, what regulations apply, and a phased plan to migrate.
A baseline scan of every system that uses cryptography, classifying each finding as quantum-vulnerable (RSA, ECDSA, DH) or quantum-resistant (AES-256, ML-KEM, ML-DSA). The output is typically a score, an inventory of cryptographic primitives in use (a CBOM), and a phased remediation plan aligned to the NIST IR 8547 timeline.
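An added example, not part of the original post and not QVS code: one way to turn the six to ten sample scans into the "X% of our public surface" statistic, using the vulnerable/resistant classification described above. The record format, hostnames and sample values are constructed; treating X25519 as ECDH is an added assumption, and anything the page does not classify is reported as unknown.

```python
import re

# Families the page names, plus X25519 (an ECDH curve; added assumption).
RESISTANT = ("MLKEM", "MLDSA", "AES256")
VULNERABLE = ("RSA", "ECDSA", "ECDH", "X25519", "DH")

def classify(name):
    """Return 'resistant', 'vulnerable' or 'unknown' for one primitive name."""
    norm = re.sub(r"[^A-Z0-9]", "", name.upper())
    # Check resistant first: a hybrid group such as X25519MLKEM768 also
    # contains a classical token, but the ML-KEM half protects the secret.
    if any(tok in norm for tok in RESISTANT):
        return "resistant"
    if any(tok in norm for tok in VULNERABLE):
        return "vulnerable"
    return "unknown"  # e.g. AES-128: not classified on the page, so not guessed

def assess(scan):
    """Classify one endpoint record (constructed format: kex, sig, cipher)."""
    kex, sig = classify(scan["kex"]), classify(scan["sig"])
    return {
        "endpoint": scan["endpoint"],
        "kex": kex, "sig": sig, "cipher": classify(scan["cipher"]),
        # Vulnerable key exchange means traffic recorded today is at risk later.
        "hndl_exposed": kex == "vulnerable",
        "vulnerable": "vulnerable" in (kex, sig),
    }

def summarize(scans):
    """Headline percentage plus the harvest-now-decrypt-later list."""
    results = [assess(s) for s in scans]
    flagged = [r for r in results if r["vulnerable"]]
    pct = round(100 * len(flagged) / len(results)) if results else 0
    hndl = [r["endpoint"] for r in results if r["hndl_exposed"]]
    return {"percent_vulnerable": pct, "hndl_exposed": hndl, "results": results}

# Constructed sample records, not real scan output.
SAMPLE_SCANS = [
    {"endpoint": "www.example.com", "kex": "X25519MLKEM768", "sig": "ECDSA-P256", "cipher": "AES-256-GCM"},
    {"endpoint": "auth.example.com", "kex": "X25519", "sig": "RSA-2048", "cipher": "AES-256-GCM"},
    {"endpoint": "api.example.com", "kex": "ECDHE-secp256r1", "sig": "RSA-2048", "cipher": "AES-128-GCM"},
    {"endpoint": "sso.example.com", "kex": "X25519MLKEM768", "sig": "ML-DSA-65", "cipher": "AES-256-GCM"},
]

if __name__ == "__main__":
    report = summarize(SAMPLE_SCANS)
    print(f"{report['percent_vulnerable']}% of sampled endpoints use quantum-vulnerable cryptography")
    print("Harvest-now-decrypt-later exposure:", ", ".join(report["hndl_exposed"]))
```

Separating key-exchange exposure from signature exposure matters for the briefing: the first is the harvest-now-decrypt-later list, while the second only becomes exploitable once a quantum computer exists.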
Realistically three to four years for a mid-sized organization. Discovery takes one to two quarters, hybrid TLS rollout takes two to three quarters, signature pilots run twelve to eighteen months, and full external signature migration depends on public CA support (expected broadly 2027-2028). Starting in 2026 puts you on the NIST 2030 deadline.
The CEO question coming Monday is not really about quantum computing. It's about whether you're paying attention to the threat landscape, whether you have a plan, and whether you can articulate it in language that doesn't require a cryptography PhD. The Trump announcement gave you a free conversation-opener with the executive team about a project you've probably wanted to start anyway.
Walk in with a number, a list, and a plan. The number comes from a 10-second scan. The list is a sample of your highest-value endpoints. The plan is the five-row table above, tailored to your organization's scale. That's the briefing.
Scan your primary domain right now. You'll have a readiness score, a vulnerability list, and a downloadable PDF you can drop straight into a board pack — all in under a minute. No signup required.