# Decision Memo: Quantum risk monitor

Full report: https://ideanavigatorai.com/ideas/quantum-risk-monitor/
Recorded: Not recorded

## Decision
- Team verdict: Park
- Validation verdict: Research (50/100)
- Confidence: 58%
- Recommendation: Keep this parked until the team has evidence for the next validation step: Run free, scoped read-only crypto-discovery scans for 8-12 design-partner enterprises in regulated sectors; measure whether they (a) act surprised by the volume of undiscovered quantum-vulnerable assets, (b) lack a current CBOM, and (c) will sign a paid pilot or LOI tied to their 2030 migration plan — target at least 3 paid pilots from 10 scans.

## Team rationale
No team rationale recorded yet.

## Reviewers
- No named reviewers recorded.

## Source anchors
- Buyer: CISO, head of cryptography/PKI, or GRC lead at banks, insurers, healthcare, telecom, defense contractors, and federal agencies subject to PQC migration mandates
- Market: Enterprise cybersecurity / GRC tooling — specifically post-quantum cryptography (PQC) readiness and crypto-agility management for large regulated organizations and government contractors
- Problem: Enterprises run thousands of systems that depend on quantum-vulnerable RSA and elliptic-curve cryptography, but most have no accurate, continuously updated inventory of where those algorithms are used (in certificates, TLS endpoints, libraries, SSH keys, code, and firmware). Without that visibility they cannot prioritize migration, prove regulatory compliance, or quantify their 'harvest-now-decrypt-later' exposure for long-lived sensitive data.
- Thesis: Quantum risk monitor should be tested as a narrow first-win workflow for CISO, head of cryptography/PKI, or GRC lead at banks, insurers, healthcare, telecom, defense contractors, and federal agencies subject to PQC migration mandates.
- Source: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
- Source: https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/
- Source: https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later
- Source: https://www.cisa.gov/resources-tools/resources/quantum-readiness-migration-post-quantum-cryptography
- Source: https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography_Standardization
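The scoped, read-only crypto-discovery scan proposed as the next validation step, and the inventory gap in the problem statement above, can be shown concretely on one narrow asset class. The block below is an added example, not code from this memo or from any vendor it names: it classifies the public keys in an SSH authorized_keys file and the KexAlgorithms directive of an sshd_config into CBOM-style records. Assumptions, stated here and in the code: the key lines and config are constructed inline and are not real key material; the record fields are illustrative and do not follow the CycloneDX CBOM schema; the post-quantum key-exchange identifiers are OpenSSH's hybrid names (sntrup761x25519-sha512@openssh.com, mlkem768x25519-sha256). One caveat a practitioner will want on the dashboard: SSH keys authenticate, they do not encrypt, so a Shor-vulnerable key is a forgery risk once a cryptanalytically relevant quantum computer exists, not a harvest-now-decrypt-later exposure; that exposure lives in the key exchange, which is why the two are reported as separate numbers.

```python
"""Read-only crypto-discovery over SSH artefacts, emitting a CBOM-style inventory.
Added example; every sample below is constructed and is not real key material."""
import base64
import struct

# Classical public-key families broken by Shor's algorithm. An SSH key only
# authenticates, so a Shor-vulnerable key is a forgery risk once a CRQC exists, not
# a harvest-now-decrypt-later exposure: it must be rotated before the deadline.
SHOR_VULNERABLE = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "Ed25519",
                   "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA",
                   "ecdsa-sha2-nistp521": "ECDSA"}
# OpenSSH key-exchange names that pair a post-quantum KEM with X25519. A session
# negotiated without one of these can be recorded now and decrypted later.
PQ_KEX = {"sntrup761x25519-sha512@openssh.com", "sntrup761x25519-sha512",
          "mlkem768x25519-sha256"}

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """RFC 4251 mpint: big-endian two's complement; a leading 0x00 keeps it positive."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey(line: str) -> dict:
    """Classify one authorized_keys / id_*.pub line; it reads public material only."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an SSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type prefix disagrees with the encoded blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)             # public exponent
        n, off = _read_string(blob, off)              # modulus
        bits = int.from_bytes(n, "big").bit_length()  # the leading 0x00 drops out
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}[curve.decode()]
    elif key_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        bits = len(pk) * 8
    else:
        bits = None                                   # unknown type: report, don't guess
    vulnerable = key_type in SHOR_VULNERABLE
    return {"asset": "ssh-public-key", "algorithm": SHOR_VULNERABLE.get(key_type, key_type),
            "key_size": bits, "quantum_vulnerable": vulnerable,
            "risk": "forge-after-CRQC" if vulnerable else "none-known"}

def classify_kex(config_text: str) -> dict:
    """Inventory the KexAlgorithms directive of an sshd_config / ssh_config snippet."""
    algs = None                                       # None: OpenSSH's defaults apply
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and parts[0].lower() == "kexalgorithms":
            value = parts[1].strip() if len(parts) > 1 else ""
            # '+', '-' and '^' edit the compiled-in default list, which an offline
            # config read cannot see, so the check refuses to guess in those cases.
            algs = None if value[:1] in ("+", "-", "^", "") else value.split(",")
    pq = [a for a in (algs or []) if a in PQ_KEX]
    if algs is None:
        risk = "undetermined (depends on the OpenSSH build's default list)"
    elif pq:
        risk = "hybrid-pq-available"
    else:
        risk = "harvest-now-decrypt-later"
    return {"asset": "ssh-key-exchange", "offered": algs, "post_quantum_offered": pq, "risk": risk}

def discover(authorized_keys: str, sshd_config: str) -> list:
    """One scan unit: every key line plus the host's key-exchange posture."""
    records = [parse_pubkey(l) for l in authorized_keys.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    records.append(classify_kex(sshd_config))
    return records

def summarize(records: list) -> dict:
    """The two numbers a CISO asks for: keys to rotate, and channels exposed today."""
    return {"quantum_vulnerable_keys": sum(r.get("quantum_vulnerable", False) for r in records),
            "hndl_exposed_channels": sum(r["risk"] == "harvest-now-decrypt-later" for r in records)}

def _sample_key(key_type: str, *payload: bytes) -> str:
    """Build a constructed public-key line for the demo (not a real key)."""
    blob = _ssh_string(key_type.encode()) + b"".join(payload)
    return f"{key_type} {base64.b64encode(blob).decode()} demo@example.invalid"

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    _sample_key("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),    # 2048-bit RSA
    _sample_key("ecdsa-sha2-nistp256", _ssh_string(b"nistp256"), _ssh_string(b"\x04" + b"\x11" * 64)),
    _sample_key("ssh-ed25519", _ssh_string(b"\x22" * 32))])
SAMPLE_SSHD_CONFIG = ("# constructed sample: classical-only key exchange\n"
                      "KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256\n")

if __name__ == "__main__":
    print(summarize(discover(SAMPLE_AUTHORIZED_KEYS, SAMPLE_SSHD_CONFIG)))
```

Run against the constructed samples this reports three Shor-vulnerable keys to rotate and one key-exchange channel exposed today; a host whose KexAlgorithms list includes mlkem768x25519-sha256 reports the channel as hybrid-pq-available instead. The same shape of record (asset, algorithm, key size, risk class) is what the memo's "CBOM" would need for certificates and TLS endpoints; those parsers are deliberately out of scope here.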

## Validation rubric
Rubric version: INAV-VALIDATION-2026-06-04

### Demand signal - 6/10 (24% weight)
Demand looks thin: the report has 4 source-backed signals, an editorial confidence of 58/100, and a defined buyer (CISO, head of cryptography/PKI, or GRC lead) in enterprise cybersecurity / GRC tooling, specifically post-quantum cryptography (PQC) readiness and crypto-agility management for large regulated organizations and government contractors.

- On Aug 13 2024 NIST released the first three finalized post-quantum cryptography standards: FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA, digital signatures), and FIPS 205 (SLH-DSA, digital signatures), giving enterprises concrete migration targets for both key exchange and signing.
- Target buyer: CISO, head of cryptography/PKI, or GRC lead at banks, insurers, healthcare, telecom, defense contractors, and federal agencies subject to PQC migration mandates

### Problem severity - 6.3/10 (22% weight)
Problem severity scores thin once the buyer-pain, customer-value, and dream-outcome scores are combined.

- Enterprises run thousands of systems that depend on quantum-vulnerable RSA and elliptic-curve cryptography, but most have no accurate, continuously updated inventory of where those algorithms are used (in certificates, TLS endpoints, libraries, SSH keys, code, and firmware). Without that visibility they cannot prioritize migration, prove regulatory compliance, or quantify their 'harvest-now-decrypt-later' exposure for long-lived sensitive data.
- On Aug 13 2024 NIST released the first three finalized post-quantum cryptography standards: FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA, digital signatures), and FIPS 205 (SLH-DSA, digital signatures), giving enterprises concrete migration targets for both key exchange and signing.

### Willingness to pay - 5/10 (20% weight)
Willingness to pay is weak; the model has a monetization hypothesis, but it must still be proven through paid pilots or explicit pricing objections.

- Annual SaaS subscription priced per scanned asset / endpoint tier, with premium modules for continuous monitoring, CBOM compliance reporting, and managed migration advisory services
- Run free, scoped read-only crypto-discovery scans for 8-12 design-partner enterprises in regulated sectors; measure whether they (a) act surprised by the volume of undiscovered quantum-vulnerable assets, (b) lack a current CBOM, and (c) will sign a paid pilot or LOI tied to their 2030 migration plan — target at least 3 paid pilots from 10 scans.

### Competitive saturation - 3.1/10 (18% weight)
Competitive room is reduced by 3 recorded alternatives; the wedge must stay narrow and differentiated.

- Recorded alternatives: SandboxAQ AQtive Guard, QuSecure QuProtect, and Keyfactor (InfoSec Global's AgileSec).
- Competitive score rewards a narrow wedge, not absence of research.

### Feasibility - 4/10 (16% weight)
Feasibility is weak: this is a high-effort build even when the MVP is limited to the first measurable workflow.

- Run free, scoped read-only crypto-discovery scans for 8-12 design-partner enterprises in regulated sectors; measure whether they (a) act surprised by the volume of undiscovered quantum-vulnerable assets, (b) lack a current CBOM, and (c) will sign a paid pilot or LOI tied to their 2030 migration plan — target at least 3 paid pilots from 10 scans.
- Well-funded incumbents already ship this: SandboxAQ (AQtive Guard), QuSecure (QuProtect), and Keyfactor (after acquiring InfoSec Global's AgileSec) cover discovery, CBOM, and remediation, so a new entrant must differentiate sharply.

## Market gap
Underserved segments:
- The target buyers (CISO, head of cryptography/PKI, or GRC lead at banks, insurers, healthcare, telecom, defense contractors, and federal agencies subject to PQC migration mandates) who still track the cryptographic inventory in spreadsheets, generic docs, email, or chat threads.
- Small teams in the PQC-readiness and crypto-agility segment of enterprise cybersecurity / GRC tooling that feel the pain weekly but are too narrow for broad incumbents.
- New adopters who need guided proof before committing to a larger platform.

Feature gaps:
- A narrow workflow that reaches value without configuration-heavy onboarding.
- A buyer-facing proof artifact that shows time saved, risk reduced, or communication improved.
- A handoff path from manual concierge service to repeatable software.

Differentiation levers:
- Use specificity as the wedge: one buyer, one workflow, one measurable result.
- Show proof earlier than broad competitors with before-and-after examples and small pilot data.
- Keep implementation lighter than incumbent suites or generic AI assistants.

## Roast and risks
Promising enough to test, not strong enough to build broadly.

Blind spots:
- Well-funded incumbents already ship this: SandboxAQ (AQtive Guard), QuSecure (QuProtect), and Keyfactor (after acquiring InfoSec Global's AgileSec) cover discovery, CBOM, and remediation, so a new entrant must differentiate sharply.
- A broad AI assistant can flatten differentiation unless the wedge is painfully specific.
- The first release can become a generic dashboard if the job is not named tightly.

Hard questions:
- Who wakes up already trying to solve this?
- What do they stop paying for or stop doing when this works?
- What proof would make a skeptical buyer trust it in one screen?
- What is the smallest paid version of this idea?

## Kill criteria
- Fewer than five qualified buyers agree to discuss the workflow after targeted outreach.
- No buyer can name a current cost in time, money, risk, or reputation.
- The first demo does not produce a clear next step, paid pilot, or specific objection.

## Offer ladder
- **Lead magnet (Free)**: Quantum Risk Monitor checklist. Goal: Capture qualified leads and learn the buyer's exact language. Value: Helps CISO, head of cryptography/PKI, or GRC lead at banks, insurers, healthcare, telecom, defense contractors, and federal agencies subject to PQC migration mandates audit the painful workflow before buying software.
- **Frontend offer ($19-$99)**: Concierge review or paid template. Goal: Validate urgency, workflow fit, and willingness to pay. Value: Delivers the first useful output manually before automation is trusted.
- **Core offer ($49-$499/month)**: Quantum risk monitor focused SaaS. Goal: Create the recurring revenue product after the narrow wedge survives tests. Value: Turns the recurring manual workflow into a repeatable product loop.
- **Continuity ($99-$1,000/year add-on)**: Monitoring, benchmarks, and monthly reporting. Goal: Increase retention and make the product part of a routine. Value: Keeps the buyer engaged with ongoing proof, saved time, or reduced risk.
- **Backend offer (Custom)**: Done-with-you setup, agency, or team rollout. Goal: Capture higher-value accounts once the productized wedge is proven. Value: Adds implementation help, integrations, and workflow migration.
