The Threat
Harvest-Now-Decrypt-Later
Adversaries are collecting your encrypted data today. They cannot read it yet. When quantum hardware arrives, they will decrypt it retroactively. This attack is already in its collection phase.
The Mosca’s Theorem Window
If your required confidentiality period plus your migration timeline already exceeds the quantum window estimate, you are inside the risk window. Most organizations are. Most have not run the calculation.
Trust and Integrity Exposure
A separate class of quantum attack breaks the digital signature algorithms protecting PKI, code signing, and certificate chains. If your certificate authority’s signature becomes forgeable, the blast radius spans every system that trusts a digital certificate.
The main risk is not lack of awareness. The main risk is allowing the transition to remain conceptually important but operationally unstructured.
The Methodology
Cryptographic Inventory Strategy
Where cryptography exists across systems, data flows, and vendor dependencies, classified by Evidence Confidence: Verified, Documented, Inferred, Assumed, or Unknown. Every entry is traceable to the evidence that produced it.
HNDL and Non-HNDL Risk Registers
Long-term confidentiality exposure and trust and integrity exposure, separated and prioritized by business impact. Mosca’s Theorem applied to the actual data longevity profile. The underlying calculation is visible.
Board-Ready Roadmap
A phased, dependency-aware transition sequence that engineering can execute, procurement can use to pressure vendors, and the board can approve with appropriate investment framing.
Who This Is For
Most security leaders who have looked at this already know what they are managing. The question is whether that timeline gets addressed actively or deferred to a successor. The organizations that work with LaMarr Labs have moved past that choice.
HIGHEST TIMELINE PRESSURE
Financial Services
The BIS, G7 Cyber Expert Group, and NCSC have published explicit quantum-readiness roadmaps for this sector. The regulatory case for starting now already exists. The advisory gap is operational.
MAXIMUM HNDL EXPOSURE
Life Sciences
Genomic data, longitudinal health records, proprietary research, and clinical trial data have the longest required confidentiality horizons of any commercial sector. The data longevity math is unforgiving.
VENDOR-CONTROLLED SURFACES
Complex Enterprise
Organizations with managed PKI, cloud KMS, SaaS identity providers, CDNs, and code signing platforms face a version of this problem that internal scanning cannot solve. The real blockers are in vendor roadmaps.
NOT DESIGNED FOR
Organizations seeking compliance checkbox documentation without underlying governance. Early-stage companies whose cryptographic infrastructure will be migrated by vendors. Engagements where the primary goal is implementation rather than transition governance.
The Perspective Behind This Work
Built From Inside the Systems Being Protected
Addie LaMarr spent 8 years as a COMSEC Specialist in the United States Air Force, managing Wing-level cryptographic systems under NSA directives. After the Air Force, she advised the FBI CISO and the Office of Justice Programs CISO at the Department of Justice, and contributed directly to the NIST High Value Asset federal cybersecurity policy framework.
The firms that charge comparable fees send engagement managers who read the same papers. This work comes from eight years of direct operational exposure — managing classified cryptographic systems under NSA directives and seeing where enterprise cryptographic governance breaks down in practice.
FOUR CLIENTS PER QUARTER · EVERY BRIEFING PERSONALLY CONDUCTED