Most security teams have heard that post-quantum cryptography (PQC) is coming. Fewer have started their PQC migration, mostly because the topic feels abstract, the standards feel unsettled, and the effort required to find out seems daunting. Axiad has built a free, web-based PQC Readiness Tester to help. Organizations can test any internet-facing domain in seconds, with no installation, no registration, and no prior cryptography expertise required.
This article explains what the tool does, what the results mean, why the timing matters, and what the scan can and can't tell you about the broader work ahead.
Why Does Quantum Cryptography Readiness Matter Right Now?
The cryptographic algorithms that secure virtually all internet communications today - RSA, elliptic curve cryptography (ECC), and related schemes - rely on mathematical problems that classical computers cannot feasibly solve. Quantum computers operate on different principles, and at sufficient scale, they would be capable of breaking these algorithms. Gartner's research projects that quantum computing will render conventional asymmetric cryptography unsafe by approximately 2029 and fully breakable by 2034.
That window may feel comfortable, but two factors make it urgent today.
The first is migration complexity. Unlike a software patch, replacing foundational cryptography across an enterprise takes years. The algorithms are embedded in TLS connections, certificates, VPNs, SSH keys, code signing, identity systems, and countless applications. Coordinating upgrades across infrastructure, vendors, and legacy systems is a multi-year program. Organizations that start now have a realistic runway. Those that wait until 2027 or 2028 will find themselves attempting the same amount of work in a fraction of the time.
The second factor is the "harvest now, decrypt later" threat. Adversaries are already collecting encrypted data today with the intention of decrypting it once quantum capabilities become available. This means the quantum risk isn't waiting for 2029 to arrive—it's already affecting data with long-term confidentiality requirements: financial records, healthcare information, intellectual property, government communications. The encryption protecting that data has an expiration date, and the clock is running.
Regulatory bodies have taken note. NIST finalized its post-quantum cryptography standards in 2024 (FIPS 203/ML-KEM, FIPS 204/ML-DSA, and FIPS 205/SLH-DSA). CISA issued a strategy document in September 2024 requiring federal agencies to begin adopting automated cryptographic discovery and inventory tools. NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) establishes adoption timelines for quantum-resistant algorithms across national security systems. The policy environment is moving from guidance to mandate.
What Does the Free Axiad PQC Readiness Tester Actually Do?
The tool performs a real-time TLS handshake analysis against any publicly accessible domain. When your browser connects to a secure website, it negotiates a TLS handshake - a process in which the client and server agree on which cryptographic algorithms to use for the session. The PQC Readiness Tester performs this handshake and examines what the server can negotiate, with specific attention to whether post-quantum key exchange algorithms are among the options.
The results report a clear compliance status (PQC Compliant or Not PQC Compliant), the supported algorithms, the negotiated TLS version, and certificate details including the issuer, validity period, and signature algorithm. The whole process takes seconds.
What Does a "PQC Compliant" Result Actually Mean?
A compliant result means the domain supports TLS 1.3 and at least one post-quantum key exchange algorithm. In practical terms, this means that connections to that domain can be secured using cryptographic methods that are resistant to quantum attack—not just classical attacks. For organizations working toward CNSA 2.0 compliance or responding to customer questions about quantum readiness, this is a meaningful and demonstrable signal.
A non-compliant result, which is the more common outcome today, means the domain either doesn't support TLS 1.3, or it supports TLS 1.3 but only with classical key exchange algorithms that are quantum vulnerable. This isn't cause for alarm in isolation, but it does indicate where upgrades are needed.
The best configuration is the hybrid approach: a domain that supports both PQC and classical TLS 1.3 key exchange groups. This hybrid posture provides quantum safety for connections with clients that support PQC algorithms, while maintaining backward compatibility with clients that don't yet. It's the approach recommended during the transition period because it doesn't break anything while meaningfully improving the security posture.
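The compliance rule described above can be applied directly to the ServerHello a server returns. The following is an added example, not Axiad's code: it parses a ServerHello, reads the selected TLS version and key-share group, and classifies the result. It assumes the scanning client offered the hybrid ML-KEM groups in its ClientHello; the group code points are from the IANA TLS Supported Groups registry, and `build_sample` is a hypothetical helper that constructs sample messages.

```python
import struct
# IANA "TLS Supported Groups" code points for the hybrid ML-KEM groups.
PQ_HYBRID = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024"}
TLS13 = 0x0304

def parse_server_hello(msg: bytes) -> dict:
    """Extract the selected TLS version and key-share group from a ServerHello."""
    if len(msg) < 4 or msg[0] != 2:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    version, group = int.from_bytes(body[:2], "big"), None
    pos = 2 + 32                  # legacy_version + random
    pos += 1 + body[pos]          # legacy_session_id_echo
    pos += 2 + 1                  # cipher_suite + legacy_compression_method
    ext_end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2                      # ext_end is clamped to the message body
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        if etype == 43 and len(data) == 2:        # supported_versions
            version = int.from_bytes(data, "big")
        elif etype == 51 and len(data) >= 2:      # key_share starts with the group
            group = int.from_bytes(data[:2], "big")
        pos += 4 + elen
    return {"version": version, "group": group}

def classify(hello: dict) -> str:
    """Apply the article's rule: TLS 1.3 plus a post-quantum key exchange."""
    if hello["version"] != TLS13:
        return "Not PQC Compliant: no TLS 1.3"
    if hello["group"] in PQ_HYBRID:
        return "PQC Compliant: " + PQ_HYBRID[hello["group"]]
    return "Not PQC Compliant: classical key exchange"

def build_sample(version_ext: int, group: int, share_len: int) -> bytes:
    """Constructed ServerHello for the demo; random and key bytes are zeros."""
    exts = struct.pack("!HHH", 43, 2, version_ext) if version_ext else b""
    if group:
        exts += struct.pack("!HHHH", 51, 4 + share_len, group, share_len) + bytes(share_len)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for args in [(TLS13, 0x11EC, 1120), (TLS13, 0x001D, 32), (0, 0, 0)]:
        print(classify(parse_server_hello(build_sample(*args))))
```

A single ServerHello shows only the group the server chose for one client offer, so confirming the hybrid posture means repeating the handshake with a classical-only offer as well.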
Who Should Be Running These Scans, and How Often?
Security and infrastructure teams can use it to audit which of their public-facing domains have already been upgraded to support PQC by their hosting or CDN providers, versus which ones require active work. Testing subdomains matters here - api.yourcompany.com and auth.yourcompany.com may have very different configurations than the main website.
Compliance officers can use the results to document current state against emerging PQC mandates, generate evidence for audits or board-level risk reporting, and monitor third-party vendors whose services their organization depends on. Testing a vendor's publicly accessible domain takes seconds and gives useful signal about their quantum-readiness posture.
DevOps and platform engineers can use it as a validation tool - running a scan after deploying a TLS configuration change to confirm that PQC key exchange is now being negotiated as expected.
CISOs and business leaders can use aggregate results from a domain portfolio scan to communicate organizational risk posture to boards, customers, or regulators. A concrete, objective measurement is more useful in those conversations than a general statement about "working on quantum readiness."
On frequency: an initial assessment of all critical domains is the logical starting point. After that, scanning after infrastructure changes, during quarterly security reviews, and as part of vendor due diligence processes makes sense. The tool is free and returns results in seconds, so there's no cost to testing regularly.
Where Do Internet-Facing Assets Fit in the PQC Risk Posture?
In risk-based PQC prioritization frameworks, internet-facing assets occupy the first tier of the migration sequence - but for reasons worth unpacking carefully.
The underlying risk formula is: Risk = Vulnerability × Exposure × Blast Radius, with PQC priority then weighted by cost to fix and the quantum timeline. Internet-facing assets score high on the exposure dimension almost by definition. They're reachable by any adversary from anywhere, which maximizes attack surface. This is why structured migration roadmaps consistently sequence "high-risk external identities" as the first phase, ahead of critical internal systems and well ahead of legacy long-tail systems.
There's also a harvest-now-decrypt-later dimension specific to external TLS. These connections are the ones most easily intercepted and recorded at scale by sophisticated adversaries passively monitoring internet traffic. An attacker doesn't need to be inside your network to collect TLS sessions from your public APIs, customer portals, and partner integrations - they can sit upstream and harvest that traffic today for future decryption.
That said, exposure is only one factor in the full equation, and this is where the analysis gets more nuanced. For security teams building a PQC program, external-facing TLS represents a genuine opportunity to achieve a meaningful, demonstrable milestone early in the migration journey. Because major CDN and cloud providers have already deployed PQC support at the TLS layer, many organizations can move a high-exposure, high-risk category of their cryptographic surface into compliance relatively quickly. The Axiad PQC readiness tester makes it easy to establish a baseline and then verify the win once upgrades are in place.
The high-risk cryptographic assets that are hard to fix are not the external-facing ones. They tend to be long-lived machine identity credentials such as SSH keys, code signing certificates, and service account credentials. These identity credentials are internal, poorly inventoried, and carry extended replacement timelines. They protect internal data requiring long-term confidentiality that is often a primary harvest target for attackers. Legacy systems with no vendor PQC upgrade path carry both high exposure duration and high cost-to-fix scores.
What Are the Limitations of a TLS-Layer Scan?
The Axiad PQC Readiness Tester tests publicly accessible, internet-facing domains. It cannot test internal corporate networks, intranet sites, or systems behind firewalls without public access. This is an inherent constraint of any external scanning approach.
More importantly, TLS key exchange is one layer of an organization's cryptographic surface. The scan tells you whether a domain negotiates quantum-safe key exchange during the connection setup, but it doesn't assess the algorithms used in the certificates themselves - certificate signature algorithms like RSA are still widely used even on domains that support PQC key exchange, because the certificate ecosystem is on a separate transition timeline. It also doesn't cover internal PKI infrastructure, machine identity credentials like API keys and SSH keys, application-layer cryptography, or cryptographic methods embedded in vendor software.
A clean "PQC Compliant" result for your external domains is genuinely good news because getting your external posture sorted is the right first step. But it's the beginning of the readiness picture, not the end. Organizations doing serious PQC migration planning will need a comprehensive cryptographic inventory that surfaces what external scanning cannot see, particularly the internal and machine identity cryptographic estate where the hardest remediation work typically lives.
What Does a More Complete Cryptographic Inventory Look Like?
For organizations that have worked through their public-facing TLS posture and need to go deeper, the challenge is that cryptographic implementations are distributed throughout enterprise environments in ways that aren't visible from outside. Certificates live in PKI systems, cloud key management services, HSMs, and endpoints. Machine identities such as service accounts, API keys, SSH keys, and code signing certificates vastly outnumber human identities in most large organizations and are often poorly tracked. Application code embeds cryptographic libraries that aren't inventoried anywhere.
Platforms designed specifically for cryptographic visibility, like Axiad Mesh, address this by automating discovery across the full identity and credential landscape. They correlate certificates and cryptographic credentials with the identities and assets they secure, flag quantum-vulnerable algorithms, and provide the risk-scored inventory that migration planning requires. Axiad Mesh is built for this kind of work: it functions as an Identity Visibility and Intelligence Platform that spans human identities, machine identities, and cryptographic assets, giving security teams a unified view of their quantum-vulnerable crypto assets and the context needed to prioritize remediation intelligently. For organizations moving from initial awareness into active migration planning, that kind of comprehensive visibility is what makes a multi-year program manageable.
Where Should You Start?
The honest answer is to start by knowing what you have. The PQC Readiness Tester provides a fast, concrete, technically accurate picture of where your public-facing infrastructure stands today. For many organizations, running the scan on a handful of critical domains is the first time they've had a specific, objective data point on their quantum readiness rather than a general sense that "this is something we need to address."
That first data point matters for internal prioritization and for the broader organizational conversation about PQC migration. The compliance status, algorithm details, and certificate information the scan returns are directly relevant to the regulatory frameworks and standards guidance (NIST, CNSA 2.0, CISA) that are shaping enterprise security requirements right now.
The tool requires no registration, no credit card, and no software installation. You can test as many domains as needed, including competitor or vendor domains for benchmarking purposes.
Run your free PQC Readiness scan at https://quantum.axiad.io/.













