Enterprises are moving toward post-quantum security at uneven speeds, and the gap between organizations that have built crypto-agility into their infrastructure and those that have adopted the label without the underlying capability is widening.
Dr. Tan Teik Guan, CEO of Singapore-based cybersecurity company pQCee, draws a sharp line between the two. Crypto-agility, in his view, requires more than support for multiple algorithms or protocol-level negotiation. It demands the ability to respond with appropriate cryptographic defenses in a cost-effective, timely, and non-disruptive way. That means intelligence, governance, and mitigation working together across a layered defense architecture to maintain a quantum-safe state.
pQCee this week announced a crypto-agile Cryptographic Next Generation (CNG) provider for Microsoft Windows. The company says it is the first CNG solution to support both NIST FIPS 204 ML-DSA and FIPS 205 SLH-DSA certificates. The provider allows organizations to integrate post-quantum algorithms, hybrid classical and post-quantum combinations, country-specific standards such as Malaysia’s MySEAL and South Korea’s KpqC, and hardware integrations with smartcards, USB tokens, HSMs, and trusted execution environments.
pQCee is demonstrating the product at the RSAC 2026 Conference (booth S-1945), where the company is also announcing partnerships with PQShield and Feitian Technologies to integrate their cryptographic modules into the framework.
Who is most exposed to harvest-now-decrypt-later
The threat driving urgency in the market is harvest-now-decrypt-later (HNDL), an attack method in which adversaries collect encrypted data now with the intention of decrypting it once quantum computing capability reaches a sufficient level. The attack exploits the vulnerability of public key cryptosystems, such as RSA and ECC, to quantum computers.
Dr. Tan identifies financial institutions, healthcare providers, and government and defense organizations as carrying the most significant exposure, with differences in the nature of the risk. For financial institutions, breached transaction data creates privacy and reputational harm. For healthcare, the exposure of patient medical histories and treatment records carries more serious privacy implications. For government and defense, the breach of classified documents or emails carries consequences for economic stability and public trust.
Public utilities fall into a different category. Dr. Tan argues that most utility operational data does not travel over the internet, making it harder for adversaries to harvest in the first place, and most of the data is relevant only in the present rather than over a multi-year horizon.
That said, HNDL is in his view the first of many quantum threats that will define the cybersecurity landscape over the coming decades. Organizations that begin addressing it now also build the processes, governance structures, procurement practices, and training programs they will need for subsequent quantum challenges.
Why a complete cryptographic inventory may not be the right starting point
A common recommendation in post-quantum guidance is to build a complete, accurate inventory of where cryptography lives across an enterprise environment. Dr. Tan pushes back on that as a first priority.
Enterprises outsource roughly 80 percent of their technology requirements, according to Dr. Tan, covering everything from network routers and cloud infrastructure to operating systems and storage. In a connected and continuously changing environment, completing a comprehensive inventory means it is already out of date by the time zero-day patches have been applied.
The approach pQCee recommends is to identify high-risk systems and internet-facing data first, then apply layered defenses such as end-to-end post-quantum encryption and post-quantum TLS 1.3 to make HNDL difficult to execute. The inventory work can follow.
Pressure-testing the supply chain
Supply chain exposure presents a separate and persistent problem. An organization can secure its own systems and still be exposed through vendors that have not made post-quantum progress.
Dr. Tan’s recommended approach involves three steps. Organizations should request the vendor’s post-quantum product roadmap. They should require vendors to supply a cryptographic bill of materials (CBOM) alongside any solution or service delivery. They should also ask vendors to walk through their post-quantum migration strategy. These steps let organizations assess whether a vendor is on a track compatible with their own timelines, or whether vendor replacement needs to enter the planning process.
Cloud providers cover part of the picture
Cloud providers including AWS and Azure have been expanding their quantum-safe offerings, and organizations looking to simplify their post-quantum strategy sometimes lean on those offerings as a primary answer.
Dr. Tan points to pQCee’s Crypto-Agile Defence-in-Depth framework as a reference for understanding the limits of that approach. Cloud providers’ quantum-safe offerings address protection of data in motion and data at rest. Other layers of the defense sit outside the scope of what cloud providers offer, and organizations that rely solely on cloud-level protection leave gaps in their overall security posture.
