
On April 24, 2026, a researcher cracked a 15-bit elliptic-curve key on a public-cloud quantum computer and claimed Project Eleven’s 1 BTC “Q-Day Prize.” The key was tiny, but the signal was huge: quantum attacks have left the lab and entered production.
Regulators noticed. The NSA now mandates quantum-resistant algorithms in all new U.S. national-security systems by 2027 and in legacy gear by 2033. Boards are asking where their vulnerable crypto hides—and how to fix it without wrecking uptime or budgets.
A new breed of quantum-safe specialists has answers. We vetted dozens and ranked the ten that truly deliver.
Ready? Let’s find your partner before the countdown hits zero.
How we picked the leaders
Choosing a quantum-security partner can feel murky. We clarified the field by scoring every contender against five metrics that analysts call decisive.
According to Gartner’s 2025 post-quantum cryptography report, security teams must plan for “harvest now, decrypt later” attacks. The same brief highlights the NSA deadlines: 2027 for new national-security systems and 2033 for legacy upgrades. Those dates framed our urgency.
Fresh modeling from Project 11’s 2026 study, The Quantum Threat to Blockchains, projects a baseline “Q-Day” in 2033 with an early-arrival case in 2030, underscoring how little buffer remains for long-lived assets such as distributed ledgers.
We treated that timeline as another reason to reward vendors that automate discovery today instead of waiting for final standards.
| Criterion | Why it matters | Weight |
| --- | --- | --- |
| Standards-grade cryptography | Uses NIST-approved algorithms and contributes to open standards | 25 percent |
| Documented deployments | Live pilots or production rollouts you can verify | 20 percent |
| Integration and tooling depth | Inventory scanners, key managers, and SDKs that make migration feasible | 20 percent |
| Future readiness | Built-in crypto agility and a clear update roadmap | 15 percent |
| Transparency and fair pricing | External audits, clear SLAs, and no hidden lock-in | 20 percent |
Each box earned a simple green, yellow, or red. Two firms came out all green; the rest show a mix. The full scorecard sits just below this methodology so you can scan the field before diving into each profile.
With the scoring lens set, let’s meet the companies turning quantum risk into competitive advantage.
1. Project Eleven: agile trailblazer
Project Eleven burst onto the scene in 2025 as a lean cryptography lab with a bold premise: prove quantum threats in the open, then help organizations beat them. The team’s headline moment came this April when it awarded the Project 11 Q-Day Prize, a 1 BTC bounty, to independent researcher Giancarlo Lelli after he publicly cracked a 15-bit elliptic-curve key on cloud-based quantum hardware. The result stands as the largest public demonstration yet of a quantum attack on elliptic-curve cryptography and underscores how quickly the threat is accelerating beyond most CISOs’ timelines.
That show-the-math ethos drives every service they offer. Assessments begin with an automated scan that inventories where RSA and ECC hide across code, certificates, and blockchains. Findings arrive in a plain-language dashboard, color-coded by shelf life so you can tackle the riskiest systems first. Because the tooling is open source, security teams see exactly which NIST-approved algorithms—Kyber for encryption, Dilithium for signatures—will replace the vulnerable ones.
Real-world proof matters, so Project Eleven pilots changes instead of leaving clients with a slide deck. In 2025 it deployed a post-quantum signature system on a Solana testnet, replacing standard signatures with lattice-based crypto. That testnet achieved a full-green score on our “documented deployments” metric and showed blockchain operators the trade-offs of post-quantum upgrades.
Agility is the standout strength. Updates to NIST’s catalog flow straight into the open repo, then into client environments through a one-click patch, with no wait for a vendor roadmap. And because the firm sells expertise—assessments, code reviews, cryptography pair programming—there is no hardware lock-in. Pricing is a transparent project fee, not a perpetual license.
The trade-off is scale. With fewer than 50 specialists and a recent six-million-dollar seed round, the team chooses projects carefully. Large multinationals may still pair Project Eleven’s cryptographic depth with a global integrator for rollout. For security teams that value speed, clarity, and uncompromising math, though, this is the bench you call first.
2. SandboxAQ: quantum-safe at enterprise scale
SandboxAQ spun out of Alphabet in 2022 with one goal: fold quantum science and AI into a single security engine. Two years later it secured a Phase 1 U.S. Air Force contract to harden classified networks against quantum exploits, a live battlefield test few vendors can match.
Funding keeps the momentum high. A 2023 raise of 500 million dollars pushed the company’s valuation toward five billion, giving SandboxAQ the runway to hire cryptographers, former NSA engineers, and AI talent under one roof.
What does that bankroll buy you? First, discovery. The AQtive platform crawls code repos, databases, and network flows to surface every RSA, ECC, and SHA-1 instance still lurking in production. Results arrive in a heat-map view your team can filter by business unit or compliance deadline, equal parts X-ray and to-do list.
Next comes orchestration. SandboxAQ layers NIST-approved Kyber and Dilithium into TLS, IPSec, and message brokers with minimal performance hit, thanks to optional hardware acceleration. Enterprises swap algorithms through policy, not forklift upgrades, keeping change windows short and predictable.
Finally, AI closes the loop. Large quantitative models analyze telemetry to flag new crypto use as it appears, so stragglers never slip back into outdated algorithms. That continuous assurance pushes SandboxAQ ahead on our future-readiness scale.
Pricing follows a software-as-a-service model: a per-asset subscription that scales from pilot to global fleet. Because the company contributes code to Open Quantum Safe, customers gain transparency rather than black-box risk.
Caveats remain. Integration depth is strong for mainstream stacks, but niche operational-technology gear still needs custom adapters, and those timelines can stretch. For most Fortune 500 environments, however, the blend of tooling, funding, and live-fire government credibility makes SandboxAQ the heavyweight to watch.
3. PQShield: silicon-deep post-quantum power
PQShield sits where cryptography meets silicon. Spun out of Oxford research, the company has raised 57 million dollars to push lattice algorithms from white papers into chips.
Why focus on hardware? Performance. Early PQC code dragged processors to a crawl. PQShield taped out the first test chip built for NIST-standard Kyber and Dilithium, proving that quantum-safe encryption can run at line rate inside IoT sensors and smartcards.
Hardware is only part of the story. The team ships matching software libraries, now trimmed to a five-kilobyte footprint for devices that only accept firmware updates. The result is end-to-end coverage: design a new RISC-V core with hardware Dilithium, or retrofit an existing pacemaker with the same algorithm in software. Keys and signatures stay consistent, audits stay simple.
Standards leadership is strong. Company researchers co-authored several NIST submissions and chair working groups at the IETF, so customers deploy ahead of the curve, not after it. Updates land as IP-core patches and library upgrades, keeping products compliant through years of algorithm change.
Licensing is straightforward. You pay per core or per device, then own the keys permanently. For OEMs shipping millions of secure elements, that predictability beats per-transaction fees.
If your threat model starts at the transistor and works up, PQShield is the partner to call. It places quantum-safe cryptography where attackers least expect it, deep inside the silicon itself.
4. QuSecure: fast-track quantum protection for legacy networks
If your organization needs quantum-safe encryption quickly, QuSecure wants the job. The San Mateo startup partnered with federal agencies in 2022 to run a post-quantum-encrypted link over decades-old routers, proving that software alone can raise the bar without new hardware.
The flagship QuProtect platform installs as a virtual appliance. It negotiates Kyber-based key exchange, signs data with Dilithium, and then back-ports the traffic to the VPN or SD-WAN you already own. Deployment fits in a single maintenance window, not a forklift upgrade.
Governance is equally streamlined. A browser console shows which sessions run classic crypto, which run hybrid, and which have completed the quantum transition. Policies let you schedule algorithm changes, perfect for meeting the NSA 2027 and 2030 milestones.
Performance holds up. Lab tests show less than three milliseconds of overhead on Cisco ISR hardware once QuProtect Core Security is enabled, thanks to smart session caching and optional hardware off-load for high-throughput links.
Pricing follows a per-connection subscription, so small pilots stay affordable, and global rollouts remain predictable. Awards from CyberSecured and Globee back the buzz, but live federal traffic is the real credential.
Limitations exist. Deep integrations beyond TCP/IP—such as proprietary industrial protocols—still require QuSecure’s services team to build custom adapters, which can extend timelines. If your estate is mostly standard IP and you need a rapid quantum shield, few vendors match QuSecure’s speed and simplicity.
5. IBM Quantum Safe: blue-chip confidence from inventory to implementation
IBM has protected enterprise data for more than half a century, so its move into quantum-safe services feels inevitable. Under the Quantum Safe banner, IBM Consulting delivers a three-phase program—Assess, Prepare, Transform—that combines automated tooling with seasoned experts.
Clients begin with an inventory scan that maps every RSA and ECC dependency across applications, certificates, and middleware. The results feed a business-impact heat map, showing which workloads fail the NSA 2027 cut-off, which can wait until 2030, and which already run AES-256 and only need algorithm agility. Because the dashboard speaks dollars and downtime, budget approvals move quickly.
Migration draws on IBM’s hardware and software stack. IBM z Systems now support hybrid Kyber-RSA ciphers at wire speed, while Quantum Safe Migration Orchestrator pushes policy updates across cloud, mainframe, and edge, then verifies compliance in real time.
Future proofing is built in. IBM researchers co-invented CRYSTALS-Kyber and sit on the committees drafting the next wave of post-quantum standards. New algorithms flow straight into Guardium, zCDI, and Cloud HSM releases, so customers inherit updates instead of shopping for new vendors.
Pricing reflects the brand. Enterprise engagements typically start in the low seven-figure range, yet global banks, telcos, and governments view the cost as insurance backed by a company that helped write the standards.
Organizations with lighter footprints can test the waters through a fixed-price Quick-Start Crypto Inventory that delivers an executive report in six weeks, often the catalyst leadership needs to green-light a full migration.
6. Bain & Company: board-level strategy meets quantum detail
Bain is the first pure-strategy house to treat quantum risk as an M&A red flag rather than a science-project footnote. Its March 2026 alliance with IBM gives Bain access to the discovery tooling described above, yet wraps the findings in language investors and directors understand—cash-flow impact, regulatory exposure, and valuation drag.
Engagements begin with a workshop that maps cryptographic shelf life to business timelines. If you retain healthcare data for twenty years, Bain quantifies the litigation cost of a post-quantum breach and models the return on accelerated migration. Those numbers resonate in deal rooms, where private-equity clients now add “quantum-safe posture” to diligence checklists.
Because Bain does not sell software, its recommendations stay vendor-agnostic. You receive a phased roadmap, a budget envelope, and a shortlist of implementers, often IBM but not by default. That independence earns a green score for transparency and keeps procurement competitive.
Limitations exist. Bain’s value lives in the PowerPoint, not the rollout; mid-sized firms without an internal security team may still require a technical partner to execute. For CFOs who want hard numbers before signing checks, however, Bain translates quantum jargon into the language of EBITDA, and that makes all the difference.
7. Protiviti: risk programs that fit your existing governance
Protiviti treats quantum exposure the same way it audits SOX controls or GDPR readiness: as one more item in enterprise risk. That mindset resonates with boards that already rely on the firm to double-check everything from cloud misconfigurations to anti-money-laundering models.
Engagements begin with a posture check. Consultants interview security, legal, and compliance leads to gauge data shelf life and regulatory drivers, then run discovery tools—often open source plus partner scanners—to build a crypto asset register. Findings flow straight into your risk register, ranked by likelihood and impact, so quantum risk sits next to phishing, insider threat, and missed patches.
Governance is the standout strength. Protiviti maps remediation tasks to existing frameworks such as NIST CSF, ISO 27001, and CIS Controls, so your teams work from familiar playbooks. The output is a phased roadmap that names accountable owners, target dates, and budget class per work stream. With no software sale on the back end, recommendations remain vendor neutral.
Execution support is available but optional. Some clients hand the roadmap to their internal DevOps crew or a favorite MSSP; others ask Protiviti to project-manage until milestones close. Either route keeps the firm’s consultancy DNA intact while giving customers flexibility.
If your organization values integrated risk management over experimental crypto research, Protiviti weaves quantum exposure into the processes you already run and keeps auditors satisfied along the way.
8. Keyfactor + Entrust: certificate specialists making crypto agility real
For many teams, the hardest part of migration is not choosing algorithms; it is wrangling keys and certificates scattered across thousands of servers, devices, and containers. That niche has belonged to Keyfactor and Entrust for years, well before anyone uttered “Q-Day.”
Keyfactor’s platform auto-discovers every X.509 and code-signing certificate in your estate, flags those using RSA or P-256, and schedules replacements the same way you run patch cycles. Entrust, a veteran certificate authority, issues hybrid certificates that pair RSA with Kyber or Dilithium, allowing clients to shift to pure post-quantum mode later without another outage window.
The duo’s orchestration is the real differentiator. Policies cascade through APIs into load balancers, IoT gateways, and even vehicle ECUs. When NIST updates a parameter set, you adjust one policy, and millions of certificates update themselves. That earns both vendors a green score for integration depth and future readiness.
Lock-in remains a consideration. Once your fleet relies on a certificate-lifecycle platform, switching takes effort. Both vendors expose export functions and standard protocols, which softens the bind. Pricing follows a seat-plus-certificate model; run volume forecasts to understand long-term cost.
If your roadmap’s critical path reads “find and replace every certificate before 2027,” Keyfactor and Entrust turn that mountain into a managed sprint.
9. Qrypt: quantum randomness for data that must never leak
Most vendors rely on post-quantum algorithms; Qrypt removes key exchange entirely. Its cloud service streams quantum-generated randomness to both endpoints so they derive identical one-time pad keys locally. No key crosses the wire, leaving attackers nothing to intercept or store.
This architecture appeals to agencies and enterprises that must protect secrets for decades. Network-as-a-Service provider Megaport, for example, deployed the technology to secure data across global cloud data centers, ensuring privacy against future quantum decryption. Because keys refresh continuously, the exposure window shrinks to near zero.
Integration is straightforward. Developers call a REST API to fetch quantum entropy, then feed it to existing AES or ChaCha routines. Qrypt’s SDK handles synchronization and drift, so applications stay in step even over unreliable links.
Regulators still expect alignment with NIST standards, and Qrypt’s physics-first model sits outside that playbook. Most customers therefore run it alongside Kyber or Dilithium, gaining defense in depth but adding complexity. Pricing is usage based, measured in gigabytes of entropy, which scales well for messages but less so for bulk storage.
If the mandate reads “zero compromise,” Qrypt offers a level of assurance no mathematical algorithm can match—true quantum randomness on tap.
10. ID Quantique: veteran bringing quantum physics to the fiber
Long before post-quantum acronyms filled conference slides, ID Quantique was shipping quantum key distribution boxes to Swiss banks. Two decades of field deployments make the Geneva outfit a benchmark in quantum-safe networking.
Its flagship Cerberis XG appliance sends encryption keys as single photons over standard fiber. Any eavesdropper collapses the quantum state, triggers an alarm, and forces a fresh key. That physical guarantee appeals to governments and operators of critical infrastructure who assume adversaries can break algorithms eventually but cannot cheat physics.
QKD is only part of the offer. IDQ now bundles NIST-approved Kyber and Dilithium into the same encryptors, letting customers run hybrid sessions that satisfy both physicists and auditors. A recent Romanian consortium used the system to secure a national quantum communication network spanning 1,500 kilometers, proving that QKD can scale across metropolitan areas while meeting latency budgets.
Deployment requires planning. You need dedicated fibers or dark wavelengths, and the cost per link is higher than a software upgrade. Yet for data that must remain confidential for decades—diplomatic cables, central-bank transfers—clients see the capital expense as acceptable insurance.
Add a track record of standards leadership at ETSI, and ID Quantique remains the specialist that turns quantum theory into production-grade resilience.
Honourable mentions: emerging players worth watching
- Arqit is using satellites to beam symmetric keys worldwide. The approach is ambitious and well funded, but analysts want independent audits before calling it enterprise ready.
- Post-Quantum (yes, that is the company name) supplies PQ-VPN and secure messaging to NATO pilots. If it scales beyond specialist defence channels, it could challenge QuSecure in software-only networking.
- CryptoNext Security, a Paris spin-off, focuses on drop-in PQC libraries for legacy C and COBOL code, a welcome option for banks that dread rewriting decades of payment logic.
- Quantinuum offers Quantum Origin, a service that generates entropy on real quantum hardware and pipes keys into AWS and Azure HSMs. Think of it as Qrypt’s cousin backed by Honeywell’s balance sheet.
- Finally, large cloud providers continue to advance the field. Google added Kyber to Chrome Canary, Microsoft shipped hybrid TLS in Windows Server, and AWS introduced a post-quantum KMS mode. Their momentum will speed mainstream adoption and keep niche vendors sharp.
Quick-fire FAQ: your quantum-safe cheat sheet
What is post-quantum cryptography?
It is a family of algorithms, such as CRYSTALS-Kyber for encryption and CRYSTALS-Dilithium for signatures, designed to resist attacks from large-scale quantum computers. NIST finalised the first batch in 2024, making them the new gold standard for future-proof encryption.
When is “Q-Day” expected?
Forecasts vary, but the NSA set 2027 for quantum-safe crypto in all new national-security systems and 2030 for legacy upgrades. Those deadlines recognise that adversaries are harvesting encrypted data today, planning to decrypt it later.
Do I need to replace AES?
No. Grover’s algorithm only halves the effective bit strength of a symmetric key, so moving to AES-256 keeps you safe. The urgent focus is on public-key schemes such as RSA and elliptic curve, which Shor’s algorithm breaks outright.
What is a quantum-risk assessment?
Think of it as a cryptographic audit at scale. Experts inventory where and how your organisation uses encryption, rank each instance by business impact and data shelf life, then deliver a phased swap-out plan tied to budget and compliance milestones.
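A minimal version of the inventory-and-rank step described in the two answers above, as an added example rather than any vendor's tool: it classifies config lines as Shor-vulnerable, hybrid, PQC, or needing AES-256, then ranks assets by how long they must stay protected past the Q-Day years cited earlier. The asset names, config lines, token list and `protect_until` years are constructed assumptions.

```python
import re

# Planning years from the projection cited in the article: baseline 2033, early case 2030.
Q_DAY_BASELINE, Q_DAY_EARLY = 2033, 2030

# Illustrative token list, not exhaustive. Longer names come first so that
# "ECDSA" is not read as "DSA" and "ECDHE" is not read as "DHE".
TOKEN = re.compile(
    r"ML-?KEM|ML-?DSA|KYBER|DILITHIUM|ECDSA|ECDHE?|X25519|ED25519|RSA|DHE|DSA"
    r"|AES[-_]?(?:128|256)|CHACHA20",
    re.IGNORECASE,
)
PQC = {"MLKEM", "MLDSA", "KYBER", "DILITHIUM"}
SHOR = {"RSA", "ECDSA", "ECDH", "ECDHE", "X25519", "ED25519", "DHE", "DSA"}
GROVER = {"AES128"}  # effective strength halved: move to AES-256


def primitives(config_text):
    """Return the normalised primitive names found in a config string."""
    return {m.group(0).upper().replace("-", "").replace("_", "")
            for m in TOKEN.finditer(config_text)}


def classify(config_text):
    found = primitives(config_text)
    if found & SHOR:
        # Simplification: classical and PQC together count as a hybrid deployment.
        return "hybrid" if found & PQC else "shor-vulnerable"
    if found & PQC:
        return "pqc"
    if found & GROVER:
        return "symmetric-upgrade"
    return "ok"


def exposure_years(status, protect_until, q_day):
    """Years the asset still needs protection after q_day with only Shor-breakable crypto."""
    if status != "shor-vulnerable":
        return 0
    return max(0, protect_until - q_day)


def rank(inventory, q_day=Q_DAY_BASELINE):
    rows = []
    for name, config_text, protect_until in inventory:
        status = classify(config_text)
        rows.append((name, status, exposure_years(status, protect_until, q_day)))
    # Longest exposure first; ties broken by name so the order is stable.
    return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed sample inventory: (asset, config line, year protection is no longer needed).
INVENTORY = [
    ("records-archive", "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;", 2046),
    ("build-signing", "signatureAlgorithm sha256WithRSAEncryption", 2031),
    ("web-frontend", "Groups X25519MLKEM768", 2046),
    ("ssh-bastion", "Ciphers aes128-gcm@openssh.com", 2027),
    ("backup-vault", "cipher AES-256-GCM", 2050),
]

if __name__ == "__main__":
    for q_day in (Q_DAY_BASELINE, Q_DAY_EARLY):
        print(f"Q-Day {q_day}")
        for name, status, years in rank(INVENTORY, q_day):
            print(f"  {name:16} {status:18} exposure={years}y")
```

Running it under both planning years shows why the early-arrival case matters: an asset that drops out of scope before 2033 can still land on the list when Q-Day is set to 2030.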
How can we migrate without breaking production?
Adopt crypto agility. Use tools or policies that let you roll in new algorithms with minimal code change, often through hybrid certificates or library abstractions. Pilot on a low-risk system, measure performance, and expand in waves.
Conclusion
April’s Q-Day Prize win confirmed quantum attacks have left the lab, and NSA’s 2027 and 2033 deadlines leave little runway. Project Eleven leads on agile open cryptography; SandboxAQ, PQShield, QuSecure, and IBM scale that work; Bain, Protiviti, Keyfactor/Entrust, Qrypt, and ID Quantique cover strategy, certificates, and physics-grade keys. Run an inventory scan and build crypto agility in before harvest-now-decrypt-later forces your hand.


