Post-Quantum Cryptography Migration

Thesis

Largest mandated cryptographic refresh cycle since Y2K.
NIST finalized the first three PQC standards (FIPS 203, 204, 205) in August 2024. NSA CNSA 2.0 requires quantum-safe algorithms for new national-security systems by Jan 2027, full application migration by 2030, and complete infrastructure migration by 2035. NIST historically estimates 10–20 years for a cryptographic transition of this scale.
"Harvest now, decrypt later" pulls demand forward of CRQC arrival.
Adversaries are already capturing encrypted traffic and archived data at scale, betting that a cryptographically relevant quantum computer will eventually decrypt it. Protection requires migrating today, not when a CRQC arrives — making the spend cycle independent of when quantum advantage is actually demonstrated.
Spend is non-discretionary for regulated entities.
Federal agencies, defense contractors and the Defense Industrial Base, financial institutions, healthcare, and critical infrastructure all face cascading compliance requirements. The EU's coordinated PQC roadmap targets critical-infrastructure protection by end of 2030, mirroring the US framework.
Market scale is large and already visible.
Industry analysts size the PQC market at $15B+ by 2030. Organizations are expected to budget 2–5% of annual IT-security spend over a roughly 4-year migration window. Cloudflare already protects over 65% of human-initiated TLS traffic on its network with hybrid post-quantum key agreement (Apr 2026) and is targeting full-stack PQC by 2029 — a concrete demand-pull signal across the broader internet stack.
Private-market validation is well ahead of public-equity flows.
SandboxAQ raised $450M+ in its April 2025 Series E at a $5.75B valuation (investors include Google, NVIDIA, BNP Paribas, Ray Dalio) and won a 5-year Department of War CIO contract in Dec 2025 to deploy AQtive Guard for cryptographic discovery and PQC migration. PQShield (Oxford-based, $65M+ raised) and QuSecure are similarly funded. The capital is recognizing the theme; public markets have not yet repriced incumbents for it.

Catalysts to Watch

First major breach attributed to harvest-now-decrypt-later.
Would compress timelines, surface board-level urgency, and likely trigger an SEC disclosure thread for affected enterprises.
CRQC milestone announcement — verified Shor's algorithm at scale.
Would shift this theme from tailwind-only to a mixed picture: explicitly creates a Quantum Disruption of Encryption headwind theme for incumbents slow to migrate, while accelerating the tailwind for vendors and integrators.
CNSA 2.0 enforcement event — a contract disqualification or compliance audit failure.
Would validate the integrator sub-theme thesis. Treat 2027 as the practical hard deadline for DIB organizations, not 2035 — contract officers will increasingly use CNSA 2.0 as an evaluation criterion.
Pure-play PQC IPO — PQShield, SandboxAQ, or QuSecure.
Would justify carving out a third sub-theme (PQC Pure-Plays) and create the first clean public-equity proxy for the theme. Watch SandboxAQ in particular given valuation and DoW contract pipeline.
Quantum-safe SKU adoption metrics from major incumbents.
Cloudflare and Apple have already shipped PQC to consumers; the next read is whether IBM, Cisco, Microsoft, and Oracle start disclosing PQC-attributable bookings in earnings calls. First disclosure that breaks PQC out as a line item is the inflection point.

Market Dynamic, Direction, Horizon & Conviction

Not a material market factor today; the future trend is largely unanticipated by public-equity flows as of May 2026. This would be a Tailwind and is currently expected to play out over a 3–5 year horizon, with deadlines bracketing 2027–2035. Theme conviction is High — the spend is deadline-driven, not speculation-driven. Federal, DIB, financial, and critical-infrastructure migration is mandated regardless of when quantum advantage is actually demonstrated, which is what separates this from a threat-volume-driven cyber theme.

Key Leaders to Watch

Public Incumbents

IBM IBM — co-developer of the NIST-winning ML-KEM and ML-DSA algorithms, with the deepest enterprise PQC pipeline. Cloudflare NET — the largest live PQC deployment, with over 65% of human TLS traffic protected. CrowdStrike CRWD, Palo Alto PANW, and Fortinet FTNT have PQC roadmaps building, mostly customer-pull rather than mandate-driven.

Public Integrators

Booz Allen BAH, Leidos LDOS, and CACI CACI — large DIB footprints with direct CNSA 2.0 migration mandates. Accenture ACN for enterprise PQC consulting.

Important Private Companies to Monitor

SandboxAQ (Alphabet spinout, $5.75B valuation, 5-year DoW CIO contract, FedRAMP Ready) is the most material private name. PQShield (Oxford, $65M+, hardware-and-software PQC IP, automotive and IoT focus) and QuSecure (San Mateo, crypto-agility platform) round out the leadership group. ID Quantique, Qrypt, and CryptoNext Security operate in adjacent quantum-safe networking niches.

Not exhaustive — see Neo4j for the full edge list.

Sub-Theme Structure

Sub-theme	Driver	Initial public-equity surface
Identity and Encryption Incumbents	Vendors whose existing products embed quantum-vulnerable cryptography and must ship PQC upgrades to retain customer base and federal eligibility.	Modest — mostly multi-theme names where PQC is an additive driver, not the primary one.
Compliance and Migration Services	Defense IT integrators and consultancies executing federal, DIB, and critical-infrastructure migration contracts.	Cleaner — federal integrators have direct PQC contract pipelines forming.

Theme Database Structure

Topic

Quantum — tagged via TAGGED_AS to the umbrella QUANTUM Topic node.

Theme level

Level 1 (parent), with 2 Level 2 sub-themes.

Status

Active

Conviction

High — deadline-driven, not speculation-driven.

Time horizon

3–5 years; deadlines bracket 2027 / 2030 / 2035.

Companies

9 Tailwind EXPOSED_TO edges aggregated via children: 5 Identity and Encryption Incumbents, 4 Compliance and Migration Services.

Relates to

Cybersecurity Tailwind (via RELATES_TO, kind "overlapping-but-distinct"); Quantum Computing Beneficiaries (inverse-risk linkage via the shared QUANTUM Topic).

Why separate from Cybersecurity Tailwind

Deadline-driven (2027 / 2030 / 2035), not threat-driven — spend happens regardless of attack frequency. Touches identity, encryption, PKI, code signing, VPN, HSM, and embedded cryptography — broader than the firewall/EDR core of Cybersecurity Tailwind. Drives defense-IT-integrator revenue the cyber-pure-play theme misses. Linked via RELATES_TO, not CHILD_OF — the two themes overlap on some names (PANW, CRWD, NET, FTNT) but the economic driver is different.

Caveats & Discipline Notes

Most candidate names are multi-theme. Layering PQC edges on top of existing Cybersecurity Tailwind edges is additive, not duplicative, but inflates apparent overlap in slicing queries — keep this in mind when running cross-theme analytics.
The theme is currently best expressed via incumbents adding PQC SKUs, not via standalone PQC vendors. Pure-play PQC public-equity coverage will improve as IPOs land.
Theme membership will grow over time. Initial edge count is intentionally modest; the value of recognizing the theme today is having a place to wire new names as the market structure clarifies (pure-play IPOs, M&A consolidation, defense-prime PQC contract awards).
Mechanism on every edge must specify whether the company sells PQC capability or is buying it — the former is the tailwind; the latter is an offsetting capex line.