Veriqa — the PQC Migration Agent

Veriqa for security & CISOs —
the PQC migration agent.

The post-quantum transition is no longer a research topic — it is a compliance clock. Veriqa turns a cryptographic inventory into a phased, NIST-mapped migration plan: every asset scored by shelf life and harvest-now exposure, every memo gated by a mandatory reviewer step before it ships as board-ready. Evidence-first. No vendor pitch.

01 · The compliance clock

The PQC deadline is not a roadmap.
It is a clock that is already running.

NIST finalized FIPS 203 (ML-KEM), 204 (ML-DSA) and 205 (SLH-DSA) in August 2024. "Harvest-now, decrypt-later" is live: adversaries archive encrypted traffic today and decrypt it once a cryptographically relevant quantum computer exists. Any secret with a shelf life beyond roughly 5–10 years is already exposed. Waiting is a risk decision — not a neutral one.

Standards are final

The three post-quantum FIPS standards are no longer drafts. Regulators, auditors and customers will increasingly expect a documented migration posture — not an intention to start one.

Exposure is retroactive

Traffic captured today can be decrypted later. For long-lived secrets — health records, financial data, state secrets, root keys — the breach window opened before the migration began.

Broken primitives still ship

SHA-1 and MD5 are broken now, not in some quantum future. They surface in legacy systems, embedded firmware and third-party libraries that no one has fully inventoried.

No internal crypto bench

Most security teams lack the in-house cryptography depth to inventory every algorithm, map it to a NIST target, and defend the priority order to a board on a deadline.

  • Aug 2024: NIST finalized FIPS 203 / 204 / 205. Source: NIST FIPS 203/204/205 (Aug 2024).
  • Live: Harvest-now, decrypt-later is an active threat model. Source: NIST PQC program guidance.
  • 5–10 yr+: Shelf-life threshold at which secrets are already at risk. Illustrative planning threshold; verify against your own data-retention policy.

Standards facts cited from NIST FIPS 203 (ML-KEM), 204 (ML-DSA) and 205 (SLH-DSA), finalized August 2024. The shelf-life threshold is an illustrative planning heuristic, not a regulatory figure.

02 · The PQC Migration Agent

From cryptographic inventory to a board-ready, phased plan.

Veriqa takes what your systems actually use today and returns a migration plan mapped to the NIST standards — prioritized by urgency, exportable, and held in draft until a reviewer approves it. The agent does not touch your keys or systems; it reasons over the inventory you provide.

Four steps turn a raw inventory into a defensible decision record. Each step is structured so the output can be audited line by line.

  1. Inventory

    Catalogue every system: its role (key exchange, signature, encryption, hash), its current algorithm, its data shelf life, and any regulatory deadline that applies.

  2. Map to NIST targets

    RSA / ECDH → ML-KEM (FIPS 203). ECDSA / RSA-sig → ML-DSA (FIPS 204). High-assurance and firmware signing → SLH-DSA (FIPS 205). SHA-1 / MD5 → flagged broken, P1.

  3. Phase by urgency

    P1 (now) = broken primitives or long-shelf-life key exchange. P2 (12–36 mo) = standard asymmetric migration. P3 (36+ mo) = symmetric review — confirm AES-256 and SHA-256+ are already in use, extending key or hash lengths only where a non-quantum policy requires it.

  4. Reviewer gate + memo

    The plan compiles into a board-ready Markdown memo. It stays in draft until an internal reviewer approves it — the software enforces the gate; no memo ships as final without that sign-off.
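Steps 1 to 3 above, written out as a rule table over a small inventory. This is an added example, not Veriqa's code; the `Asset` fields, the 5-year cut-off for "long shelf life", the `REVIEW` bucket for unmapped algorithms and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

LONG_SHELF_LIFE_YEARS = 5   # assumption: low end of the page's 5-10 year heuristic
BROKEN = {"SHA-1", "MD5"}
KEY_EXCHANGE = {"RSA", "DH", "ECDH"}
SIGNATURE = {"ECDSA", "RSA", "RSA-PSS", "DSA"}
SYMMETRIC_OK = {"AES-256", "SHA-256", "SHA-384", "SHA-512"}
PHASES = ["P1", "P2", "P3", "REVIEW"]

@dataclass(frozen=True)
class Asset:                 # hypothetical inventory row (step 1)
    name: str
    role: str                # key-exchange | signature | encryption | hash
    algorithm: str
    shelf_life_years: int
    firmware: bool = False   # high-assurance or firmware signing

def plan(a: Asset) -> tuple[str, str]:
    """Return (target, phase) for one asset using the step 2 and 3 rules."""
    alg = a.algorithm.upper()
    if alg in BROKEN:                                  # broken today, always P1
        return ("flagged broken", "P1")
    if a.role == "key-exchange" and alg in KEY_EXCHANGE:
        long_lived = a.shelf_life_years >= LONG_SHELF_LIFE_YEARS
        return ("ML-KEM (FIPS 203)", "P1" if long_lived else "P2")
    if a.role == "signature" and alg in SIGNATURE:
        return ("SLH-DSA (FIPS 205)" if a.firmware else "ML-DSA (FIPS 204)", "P2")
    if a.role in ("encryption", "hash"):
        if alg in SYMMETRIC_OK:
            return ("no change, confirm in use", "P3")
        if alg == "AES-128":
            return ("AES-256", "P3")
    return ("unmapped, needs manual review", "REVIEW")  # never guess a target

def build_plan(inventory):
    """Rows of (name, target, phase), ordered by phase, then longest shelf life."""
    rows = [(a, *plan(a)) for a in inventory]
    rows.sort(key=lambda r: (PHASES.index(r[2]), -r[0].shelf_life_years))
    return [(a.name, target, phase) for a, target, phase in rows]

SAMPLE = [  # constructed inventory, not real systems
    Asset("web-tls", "key-exchange", "RSA", 1),
    Asset("vpn-gateway", "key-exchange", "ECDH", 15),
    Asset("code-signing", "signature", "ECDSA", 3),
    Asset("bootloader", "signature", "RSA", 20, firmware=True),
    Asset("backup-checksum", "hash", "sha-1", 7),
    Asset("db-at-rest", "encryption", "AES-128", 10),
    Asset("tape-archive", "encryption", "3DES", 10),
]
```

Anything the rules do not cover, such as the 3DES row, lands in `REVIEW` rather than being silently assigned a phase, which is the behaviour a reviewer gate needs upstream of it.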

NIST PQC standards (finalized 2024)

  • FIPS 203 (ML-KEM / Kyber) — post-quantum key encapsulation for key exchange. Target for RSA, DH and ECDH.
  • FIPS 204 (ML-DSA / Dilithium) — post-quantum digital signatures. Target for ECDSA, RSA-PSS and DSA.
  • FIPS 205 (SLH-DSA / SPHINCS+) — stateless hash-based signatures for high-assurance and firmware signing.
  • Harvest-now, decrypt-later — encrypted traffic captured today can be decrypted later. Any secret with a shelf life beyond 5–10 years is already at risk.
  • Your action — inventory first, prioritize long-lived key exchange, and build crypto-agility into the roadmap so the next transition is cheaper.

Decision support, not a product swap. Veriqa produces the plan and the record. Implementation, key handling and independent expert review remain yours — independent cryptographic review is recommended before you act on the plan.

[Figure: PQC phased migration timeline, from today to a crypto-agile future, with three phase cards: P1 · Act now (≤12 mo), P2 · Short-term (12–36 mo), P3 · Symmetric review (36+ mo).]

Fig 1 — Phased migration timeline. Priority is driven by shelf-life × harvest-now-decrypt-later exposure, not vendor convenience. (Illustrative)

Phase windows are planning guidance, not regulatory deadlines or guarantees; sequence and timing depend on your environment and obligations. Algorithm mappings reflect the NIST FIPS 203/204/205 target families.

03 · What you get

A decision record your board, auditors and regulators can read.

Every engagement produces the same structured artifacts — auditable, exportable, and held in draft until the reviewer gate clears.

Reviewer gate is enforced in software. Every PQC plan stays in draft state until an internal reviewer approves it. Veriqa does not claim staffed expert sign-off; independent cryptographic review is recommended before you act on the plan.

04 · Who it's for

Anyone holding secrets with a long shelf life.

If the data you protect today still matters in a decade, harvest-now-decrypt-later already applies to you.

Regulated finance

Banks, insurers and market infrastructure with long-retention records, PKI estates and supervisory expectations that increasingly reference post-quantum readiness.

Healthcare & life sciences

Patient records, genomic data and trial data carry decades-long confidentiality obligations — the definition of a long-lived secret.

Critical infrastructure

Energy, transport, telecoms and industrial control systems with embedded firmware and long device lifecycles that are hard to re-key in the field.

Long-lived secrets, anywhere

Government, defense, legal and any enterprise with root keys, IP or state secrets whose value outlasts the migration timeline.

05 · Questions

What CISOs ask first.

Is this a scanner or a plan?

A plan. Veriqa is not a network scanner or an automated discovery tool — it reasons over the cryptographic inventory you provide and returns a prioritized, NIST-mapped migration plan with a board-ready memo. Discovery tooling can feed the inventory; Veriqa turns that inventory into a defensible decision.

Do you touch our keys or systems?

No. Veriqa operates on the inventory and metadata you supply. It does not connect to your systems, hold your keys, or execute any cryptographic change. Implementation stays entirely within your environment and your control.

Who reviews the output?

Every plan is held in draft until an internal reviewer approves it — a gate the software enforces. We do not claim staffed expert sign-off; we recommend independent cryptographic review before you act on any plan.

How long does it take?

That depends on the size and completeness of your inventory. The agent produces a draft plan quickly once the inventory is structured; the timeline to a reviewed, board-ready memo depends on inventory quality and the reviewer step. Phase windows in the plan are planning guidance, not guarantees.

How does crypto-agility fit in?

The first migration is the expensive one. The roadmap recommends algorithm-swappable infrastructure so that when standards evolve again, you replace algorithms by configuration rather than by re-engineering. Crypto-agility is treated as the durable outcome, not a one-time swap.

Request a PQC scope assessment.

Tell us the size of your estate and the deadlines you face. We respond with a scope and a fixed price — and a plan held in draft until the reviewer gate clears. Forward-looking timelines on this page are guidance, not guarantees.