QFM professional guide
Which companies are building post-quantum security?
The post-quantum security market includes cryptographic software vendors, hardware intellectual-property providers, quantum-key-distribution suppliers, random-number specialists and large cybersecurity groups. The immediate commercial task is not simply replacing one algorithm, but discovering cryptographic dependencies and managing a multi-year migration.
Short answer
The post-quantum security market includes cryptographic software vendors, hardware intellectual-property providers, quantum-key-distribution suppliers, random-number specialists and large cybersecurity groups. The immediate commercial task is not simply replacing one algorithm, but discovering cryptographic dependencies and managing a multi-year migration.PQC and QKD solve different problems
Post-quantum cryptography uses classical computers and new mathematical algorithms, while quantum key distribution uses quantum states to detect interception. Organisations may use one or both, depending on risk, infrastructure and regulatory requirements.
Crypto-agility is the operating discipline
Enterprises need inventories of algorithms, certificates, protocols, libraries and embedded devices before migration can be governed. Product value therefore sits in discovery, orchestration, testing and lifecycle management as well as in the algorithms themselves.
Standards create a commercial timetable
NIST standards provide a common technical foundation, but implementation, interoperability and sector-specific migration obligations determine actual demand. QFM tracks the companies positioned along this transition.
QFM analytical framework
The migration market created by cryptographic dependency
Post-quantum cryptography is an immediate systems-management challenge, not a product that begins only when a large quantum computer exists. NIST approved FIPS 203, 204 and 205 in 2024, establishing standards for key encapsulation and digital signatures designed to resist future quantum attacks. Organisations still have to discover where vulnerable algorithms are used, select replacement profiles, test interoperability and manage migration across software, hardware, certificates, protocols and long-lived data.
This creates several commercial layers. Algorithm implementers provide validated libraries and hardware intellectual property. Discovery platforms build cryptographic inventories and dependency maps. Orchestration tools help change algorithms without replacing entire applications. Device and semiconductor vendors integrate new primitives into products with long support cycles. Consulting and managed-service providers coordinate migration across complex estates. The durable capability is crypto-agility: the ability to identify and replace cryptography as standards and threats change.
PQC should not be confused with quantum key distribution. PQC runs on conventional infrastructure and addresses broad migration needs through new mathematical schemes. QKD uses quantum states to establish or distribute keys and can be relevant to selected high-security links, but it requires specialised physical infrastructure and has a different threat model. Companies may participate in one or both markets; their products and deployment economics should be evaluated separately.
Vendor claims need implementation evidence. Conformance with an algorithm name is not enough: side-channel resistance, key management, certificate integration, performance, update mechanisms and independent validation determine real security. Migration programmes also need governance because a rushed replacement can introduce new weaknesses. QFM therefore follows standards, public-sector guidance and company execution together, with particular attention to products that convert inventories into controlled, auditable change.
The addressable market is shaped by data lifetime and replacement difficulty. Organisations that hold sensitive information for many years face the risk that encrypted data can be collected now and decrypted later. Embedded devices, industrial systems and public-key infrastructures may also take years to inventory, test and replace. This makes migration timing an asset-management question: critical cryptographic dependencies need owners, risk classifications, target profiles and funded remediation plans.
Regulation and procurement can accelerate adoption, but compliance language must be interpreted precisely. A product may support a NIST-selected algorithm without having validated implementation, secure key handling or operational integration. Buyers should request evidence about libraries, hardware paths, certificates, side-channel protections, update mechanisms and interoperability. Vendors that can produce an auditable chain from inventory to controlled migration are positioned differently from those selling an isolated cryptographic primitive.
Companies to examine
Explore the relevant company universe.
Sources and further research
