Resources
Post-quantum cryptography, SBOM, and CBOM
Summary of themes we are working through internally: quantum risk, NIST post-quantum standards, CycloneDX bills of materials, and a prototype pipeline that scans repositories and turns BOM data into migration-oriented signals. This page will grow as we publish fuller articles and product updates.
Why post-quantum readiness shows up now
- Asymmetric schemes such as RSA and ECC are the priority migration targets under quantum threat models; symmetric and hash choices have different urgency profiles.
- "Harvest now, decrypt later" makes today's ciphertext relevant to future breaks, so planning starts before hardware catches up.
- NIST has published PQC standards (for example FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA, FIPS 206 FN-DSA). Timelines for large estates are measured in years, not quarters.
Official background: NIST PQC project, NIST PQC standards hub.
SBOM and CBOM (CycloneDX)
A Software Bill of Materials inventories components, versions, licenses, and known weaknesses. A Cryptographic Bill of Materials extends that idea to algorithms, keys, certificates, protocols, and related metadata so teams can reason about quantum-vulnerable crypto and migration work, not only CVEs.
Guides: CycloneDX SBOM, CycloneDX CBOM.
What we are building (engineering snapshot)
Our SBOM/CBOM presentation describes a Spring Boot service (“CryptoGuard” working name) that calls the open-source cdxgen server to produce CycloneDX JSON from GitHub repositories, enriches results when native crypto asset fields are sparse (keyword and library heuristics today), and layers analysis plus HTML reporting for security review. The design treats cdxgen as a sidecar over HTTP, consistent with cdxgen documentation.
Near-term roadmap themes from that work: tighter alignment with real cryptoAsset output as tools mature, more sources beyond a single Git host, richer UI, and clearer handoff into compliance and PQC programme tracking.
CertPing direction
We are exploring how a cryptographic analyzer fits the CertPing world: repository scans, CBOM history per release, AI-assisted quantum-risk summaries, and signals that complement certificate and domain monitoring. Nothing here is a commitment on GA dates; it is the product narrative we are iterating with design and engineering.
Migration CBOM vs inventory CBOM
Inventory-oriented BOMs answer what is deployed and whether it meets today’s policy. Migration-oriented BOMs add what must change, who owns the change, vendor and protocol dependencies, and what blocks turning on quantum-safe modes. That distinction matters for programme management, not only audits.
Michael Osborne: A PQC migration CBOM is not an inventory CBOM (LinkedIn)
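As an added illustration of the SBOM/CBOM distinction above and of the "enrich when native crypto asset fields are sparse" step in the engineering snapshot, the following example (written for this page, not CryptoGuard or cdxgen code) reads a constructed CycloneDX 1.6 CBOM and emits one migration-oriented signal per cryptographic asset. Field names (`cryptographic-asset`, `cryptoProperties`, `algorithmProperties.primitive`) are assumed to follow the CycloneDX 1.6 schema; the urgency labels and keyword table are this example's own choices.

```python
"""Turn a CycloneDX 1.6 CBOM into PQC migration signals (added example, not project code).
Asymmetric primitives are the priority targets; symmetric and hash assets get a lower urgency."""
import json

ASYMMETRIC = {"pke", "signature", "kem", "key-agree"}
SYMMETRIC = {"block-cipher", "stream-cipher", "ae", "mac"}
PQC_NAMES = ("ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA")  # NIST PQC families: already quantum-safe
# Keyword fallback for components whose native cryptoProperties are missing (sparse CBOM).
KEYWORDS = (("ecdsa", "signature"), ("ecdh", "key-agree"), ("rsa", "pke"), ("aes", "block-cipher"), ("sha", "hash"))

def classify(component: dict) -> dict:
    """Return one migration signal for a single BOM component."""
    name = component.get("name", "")
    primitive = component.get("cryptoProperties", {}).get("algorithmProperties", {}).get("primitive")
    evidence = "native"
    if primitive is None:  # no native field: fall back to name heuristics and say so
        evidence = "heuristic"
        primitive = next((p for k, p in KEYWORDS if k in name.lower()), "unknown")
    if name.upper().startswith(PQC_NAMES):
        action, urgency = "keep", "none"
    elif primitive in ASYMMETRIC:
        action, urgency = "replace-with-pqc", "high"
    elif primitive in SYMMETRIC:
        action, urgency = "review-key-size", "low"
    elif primitive == "hash":
        action, urgency = "review-output-size", "low"
    else:
        action, urgency = "triage-manually", "unknown"
    return {"name": name, "primitive": primitive, "action": action, "urgency": urgency, "evidence": evidence}

def migration_signals(bom: dict) -> list[dict]:
    """Classify every cryptographic-asset component; ordinary library components are skipped."""
    return [classify(c) for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"]

# Constructed sample CBOM for demonstration, not real scanner output.
SAMPLE_CBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "cryptographic-asset", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "pke"}}},
    {"type": "cryptographic-asset", "name": "AES-128-GCM",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "ae"}}},
    {"type": "cryptographic-asset", "name": "ML-KEM-768",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "kem"}}},
    {"type": "cryptographic-asset", "name": "ecdsa-p256-signer"},
    {"type": "library", "name": "spring-boot-starter-web"}
  ]}""")

if __name__ == "__main__":
    for signal in migration_signals(SAMPLE_CBOM):
        print(signal)
```

The `evidence` field separates signals backed by native `cryptoProperties` from ones inferred by keyword, which is the distinction a reviewer needs when deciding how much to trust a migration backlog built from a sparse CBOM.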
Talk to us
If you want a walkthrough of this roadmap or to share how your team tracks PQC migration, use Contact or Schedule a consultation.