B2B product · Pilot

Quantum Exposure Snapshot Cryptographic exposure assessment · Prospective visibility

Forensic inventory of your organisation's cryptographic surface and prospective visibility of the impact that the most recent quantum computing resource estimates (Google Quantum AI, Caltech/Oratomic) and the migration deadlines set by NIST would have on your assets.

Not a security audit. Not a penetration test. Not a certification. A technical snapshot that documents what is currently exposed, how it benchmarks against the most recent academic resource estimates, and which concrete steps would be reasonable to plan before the NIST 2030 / 2035 deadlines.

DOC · CLW-QES-001 · REV 2026.04 · Based on April 2026 literature

Request the snapshot See methodology

What it is

A scoped technical assessment of your current cryptographic exposure against the most recent academic projections on cryptographically relevant quantum computing (CRQC).

The product delivers a forensic inventory across three dimensions (blockchain, TLS/PKI, operational inventory), an exposure map specific to your organisation, and a prioritised migration roadmap based on official NIST timelines and on the trajectories published by the leading quantum research groups.

It is intended for organisations that need to document their posture against regulatory deadlines in a sober, verifiable way, without resorting to alarmist language or to products that promise protection that does not yet exist.

What it evaluates

Three weighted dimensions. Aggregate scoring is adjusted to your organisation's profile (pure custodian vs operating exchange vs fund vs law firm).

Dimension A · 50%

Blockchain Exposure

Inventory of wallets under the organisation's control and classification of their exposure surface to a future CRQC: P2PK Bitcoin, address reuse, BLS validator keys, multisig keys, on-chain governance keys. Mapping of which public keys are already exposed on-chain.

Dimension B · 25%

TLS / PKI

Assessment of TLS certificates for public and private endpoints: current signature algorithm (RSA-2048 / ECDSA / etc.), length, renewal date, presence or absence of hybrid PQC, alignment with the NIST 2035 deadline and with the roadmap stated by Cloudflare.

Dimension C · 25%

Inventory and rotation

Operational cryptographic inventory: document signing, encrypted backups, long-life archives, key rotation policy, documented PQC posture. Identification of "harvest now, decrypt later" surfaces.

What it is not

To align expectations from the start, four explicit boundaries of the product.

It is not a penetration test. We do not attempt to break anything. There is no exploitation. We do not access internal systems without specific formal authorisation.

It is not a legal or regulatory audit. We do not issue certification or formal opinion before regulators. It is technical documentation for internal use or as a supporting input to a subsequent formal process.

It does not promise post-quantum protection. It is a snapshot of the current state against academic projections. No operational CRQC exists today and this product does not claim otherwise.

It does not access your private keys at any point. The whole analysis is performed on public keys and exposed configuration. Private keys never leave your perimeter.

Methodology and sources

Exposure projections are based exclusively on verifiable academic literature and on published regulatory deadlines. The references are as follows.

Google Quantum AI — arXiv:2603.28846 (April 2026). Resource estimates to break ECDLP-256 (the curve used by Bitcoin, Ethereum, TRON): fewer than 1,200 logical qubits, fewer than 500,000 physical qubits with surface code, runtime in minutes for a fast-clock CRQC. Approximately 20× reduction over prior estimates.

Oratomic / Caltech — arXiv:2603.28627 (April 2026). Shor's algorithm with approximately 10,000 physical qubits in a neutral-atom architecture with qLDPC (not surface code). Trajectory conditional on engineering challenges that remain unresolved at the date of this document.

NIST — FIPS 203 / 204 / 205 (August 2024). Definitive post-quantum standards: ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+).

NIST — NIST IR 8547. Official 2035 deprecation deadline for vulnerable classical algorithms in federal systems. High-risk systems are expected to migrate earlier.

Cloudflare — Stated PQC migration roadmap with internal 2029 target for full coverage across its infrastructure.

No operational CRQC exists today. The projections are conditional on engineering challenges that remain unresolved. The detailed methodology is documented specifically for each engagement, under mutual confidentiality.

Who it is for

The product is sized for organisations with substantial cryptographic exposure and documentation obligations toward internal or external stakeholders.

01Exchanges providing custody of digital assets

02Institutional custodians and qualified custody providers

03Crypto funds and family offices with substantial digital exposure

04Law firms with active crypto-litigation portfolios

05Compliance teams that need to document PQC posture for regulators

Deliverable

The product is delivered as a closed package with predefined scope. Any extension is a separate engagement.

PDF · 15-25 pages

Structured report

Scoring broken down by the three dimensions, organisation-specific exposure map, technical observations.

Roadmap

Prioritised migration plan

Quick wins (1-3 months), mid phases (3-12 months) and long-range planning up to NIST 2035.

Briefing · 30 min

Technical session with your team

Walk-through of the report, Q&A and discussion of implementation priorities.

SLA

7-14 business days

From admission and engagement signature. Specific timing confirmed once scope is agreed.

Regulatory disclaimer

Important. This assessment is based on academic projections and resource estimates published as of April 2026. It does not constitute an operational prediction of when a CRQC will exist nor a guarantee of protection against one. NIST maintains 2035 as the official deadline to deprecate vulnerable classical cryptography. Any more concrete claim about timing goes beyond the verifiable state of the art and is therefore not part of this product. CyberLeakWatch is a forensic intelligence provider; it is not a law firm and does not issue legal advice.

Request the snapshot

The product is allocated by controlled B2B inquiry. No public pricing during pilot. After the initial form, you will receive a scope and fee proposal within 24-72 business hours.

Start inquiry