For years, quantum computing was treated as a science project: interesting, powerful, and distant from today’s security decisions. But waiting for Q Day – the point at which a cryptographically relevant quantum computer can practically break today’s widely used encryption – is old thinking.
Quantum risk is already a present‑day problem, even if large‑scale quantum computers are not yet available. According to Gartner analyst Tim Zimmerman, by 2030, there is a 75% chance that state actors will have a cryptographically relevant quantum computer, with commercial vendors following two or so years afterward, rendering classical cryptography breakable.
That means that in less than five years, harvest now, decrypt later (HNDL) tactics will be productive. Attackers using HNDL can capture encrypted traffic today and decrypt it when quantum capabilities mature. That means long‑lived data may already be compromised.
In this environment, waiting for full post‑quantum cryptography (PQC) migration before acting is not a strategy; it’s a blind spot. Before Q‑Day, visibility is the first and most important move.
Q‑Day Isn’t a Date, It’s a Window
Q‑Day isn’t a single moment; it’s an emerging risk window. 2026 is an inflection point for planning, with 2030–2035 as the primary migration and validation period, a timeline that aligns closely with global policy signals such as the G7 Cyber Expert Group roadmap.
The G7 framing makes one thing clear: preparation must start now. The roadmap explicitly calls out discovery and inventory as early, mandatory steps, not optional warm‑ups. Agencies, departments, and organizations are expected to understand where cryptography is used, how it is negotiated, and what data it protects well before large‑scale migration begins.
Migration Can’t Be the First Step
There is a disconnect between PQC capability and actual cryptographic behavior. Forescout’s Vedere Labs research shows that while PQC adoption is accelerating in managed IT environments, it is uneven and sharply limited across IoT, OT, and medical systems. Large portions of these environments still rely on quantum‑unsafe protocols, often embedded deep in firmware or third‑party software where upgrades are slow or impossible. Here is some key data Forescout is tracking:
- Unmanaged devices are getting left behind. While more than 40% of IT assets using OpenSSH already run versions supporting PQC, that number decreases to 20% for IoT, 11% for OT and network equipment, and only 2% for IoMT.
- Industry adoption is uneven. Every industry we track has less than 50% of devices with OpenSSH supporting PQC. Industries that rely more heavily on unmanaged devices, such as manufacturing, oil and gas, and mining, have the lowest PQC adoption rates. The highest rate was seen in professional/business services.
PQC readiness can’t begin with migration plans. It begins with visibility into where quantum‑unsafe cryptography is in use, and in what context.
Without that visibility, organizations can’t prioritize, mitigate, or even accurately assess quantum risk.
PQC Visibility Means Observed Behavior, Not Assumptions
Point-in-time or static inventory assessments are not enough. An organization’s declared capability often diverges from observed behavior, especially in environments where cryptography is negotiated dynamically or downgraded for compatibility. What matters is not what a device could do, but what it actually does on the network.
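The gap between capability and behavior can be shown with SSH key exchange. The following is an added example, not Forescout's code: it applies the RFC 4253 selection rule to observed KEXINIT name-lists and keeps the weakest handshake seen per asset. The session records, asset names, helper names, and status ranking are assumptions made for illustration.

```python
# Added example. Session records are constructed; helper names are hypothetical.
PQ_KEX = {  # hybrid post-quantum key exchange names used by OpenSSH
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
}
# Extension markers carried in the kex name-list; never selected as a key exchange
MARKERS = {"ext-info-c", "ext-info-s",
           "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}
# Assumed ordering from strongest to weakest observation
RANK = {"pq-hybrid": 0, "no-common-kex": 1, "capable-but-classical": 2, "classical-only": 3}

def negotiate(client_kex, server_kex):
    """RFC 4253 section 7.1: first client-listed algorithm the server also lists."""
    offered = set(server_kex) - MARKERS
    return next((a for a in client_kex if a in offered), None)

def assess(session):
    """Classify one observed handshake by what was negotiated, not what was offered."""
    chosen = negotiate(session["client_kex"], session["server_kex"])
    capable = any(a in PQ_KEX for a in session["server_kex"])
    if chosen is None:
        status = "no-common-kex"
    elif chosen in PQ_KEX:
        status = "pq-hybrid"
    else:
        status = "capable-but-classical" if capable else "classical-only"
    return {"asset": session["asset"], "negotiated": chosen, "status": status}

def inventory(sessions):
    """Per asset, keep the weakest handshake seen so far (update as traffic arrives)."""
    worst = {}
    for s in sessions:
        r = assess(s)
        cur = worst.get(r["asset"])
        if cur is None or RANK[r["status"]] > RANK[cur["status"]]:
            worst[r["asset"]] = r
    return worst

MODERN = ["mlkem768x25519-sha256", "curve25519-sha256",
          "diffie-hellman-group14-sha256", "ext-info-c"]
LEGACY = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
PQ_SERVER = ["mlkem768x25519-sha256", "curve25519-sha256", "ext-info-s"]
SESSIONS = [  # constructed observations
    {"asset": "it-server-01", "client_kex": MODERN, "server_kex": PQ_SERVER},
    {"asset": "it-server-01", "client_kex": LEGACY, "server_kex": PQ_SERVER},
    {"asset": "plc-07", "client_kex": MODERN,
     "server_kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"]},
]
```

Here `it-server-01` advertises a PQC key exchange yet lands in the inventory as `capable-but-classical`, because one legacy client negotiated `curve25519-sha256` with it.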
Visibility that includes a living cryptographic inventory should be the first step in continuous assurance for PQC:
- See: Detect real cipher and protocol use across IT, OT, IoT, and IoMT
- Understand: Build a living cryptographic inventory enriched with risk context
- Prioritize: Focus on data sensitivity, exposure, and attack paths where algorithms are publicly exposed
- Act: Reduce exposure during long, multi‑year PQC transitions
Visibility is not a phase; it is an ongoing capability that builds a foundation for crypto-agility.
Context Turns Cryptography into Risk
Quantum risk is not evenly distributed. Quantum‑unsafe encryption becomes dangerous when it protects:
- long‑lived or sensitive data
- communications that traverse untrusted or public networks
- assets that are operationally critical and hard to upgrade.
Once cryptographic use is visible, organizations can separate low‑impact exposure from disproportionate, long‑term risk. This framing explains why eliminating every instance of quantum‑unsafe encryption is neither realistic nor necessary in the short term. Instead, risk reduction before Q‑Day depends on knowing what matters most.
Acting Before Migration Is Finished
Action does not have to wait for full PQC migration. Short‑term mitigations, like centralized policy enforcement with segmentation and strict access control, can significantly reduce exposure for devices that cannot be upgraded quickly. These controls limit where quantum‑unsafe traffic can go and what it can reach, buying time while long‑term migration proceeds.
This aligns directly with G7 guidance, which emphasizes continuous validation, monitoring, and cryptographic agility, not one‑time upgrades.
The Takeaway: Visibility Is How You Get Ahead of Q‑Day
Before Q‑Day, the most dangerous position is not being quantum‑unsafe, it is being unaware. Organizations that succeed in the post‑quantum transition will not be the ones that waited for standards to settle or migration to finish. They will be the ones that:
- Made cryptographic risk visible early
- Understood which exposure mattered when
- Began reducing risk long before urgency became crisis
Before Q‑Day arrives, visibility isn’t just the first move, it’s the move that makes every other decision possible.