Operator note · Foresight

Post-quantum is becoming a diligence line item.

Crypto-agility is moving from a research topic to a question investors should ask at diligence, not discover after close.


For most of the last decade, post-quantum cryptography lived in research papers and standards committees, comfortably outside the diligence checklist. That is changing. Standards bodies have published the first post-quantum algorithms, large enterprises have begun inventory and migration programs, and "harvest now, decrypt later" has turned long-lived encrypted data into a present-tense concern. For investors in cyber and identity, it is becoming a question worth asking before close rather than a surprise found after.

Why it shows up in a deal

Two reasons. For a target that sells security, post-quantum readiness is becoming part of what its customers ask for, which makes it a roadmap and competitive-positioning question that affects future revenue. For any target that holds sensitive long-lived data, the migration ahead is a cost and a risk that belongs in the model. Either way, it is no longer purely academic.

What to ask, without overreacting

This is not a reason to panic-price every deal. It is a reason to understand where a company sits. Does the product or the business know what cryptography it depends on, and where? Is the architecture crypto-agile, meaning algorithms can be swapped without a ground-up rebuild, or is it hard-wired? For a security vendor, is post-quantum on the roadmap in a way customers can see, or is it absent in a category where buyers are starting to ask? The answers separate a manageable item from a real liability.

An operator and a forward view

Reading this well takes both sector operating experience and a view of where the market is heading. It is the kind of question that sits squarely in our wheelhouse, given our work on quantum-resilient security and board-level readiness alongside the hands-on cyber and identity operating background. Bring it into diligence early and it becomes a point of leverage rather than a post-close discovery.

← Back to Insights

Considering a cyber investment?

Get an operator's read before the LOI.