Post-Quantum Cryptography.
A practitioner's guide for operators below hyperscaler scale.
The standards are stable. The migration is not. The discipline is what carries you across. Deretti Cyber Labs publishes /quantum/ as the educational and operator-tooling layer for post-quantum cryptography, alongside the structured research note on Post-Quantum Cryptographic Exposure. This section is for the security and operations leads who need to translate the wave that is breaking elsewhere into the shape of their own lane.
Two streams, one library.
/quantum/ is the educational hub for post-quantum cryptography. The Active Research note is the structured exposure-class analysis. The deretti.net opener is the personal editorial frame. Three cross-referenced surfaces, one body of work.
The educational layer translates the standards, the timelines, and the operator-grade procedures into material that survives a reading from a general staff member, a CIO, a network admin, a privacy officer, and a security architect: five distinct readers, one underlying analysis. The research layer freezes the structural exposure into a citable note. The deretti.net opener frames why a cryptography problem is fundamentally an inventory and discipline problem.
PQC is not a quantum problem.
For most operators below hyperscaler scale, the work is inventory, sequencing, and vendor pressure — not cryptographic implementation. The math is finished. The migration is the discipline.
The central thesis: by the time a Cryptographically Relevant Quantum Computer arrives, the engineering decisions that determine whether your organization survives that day will already have been made — quietly, over years, in procurement contracts, library updates, and the rate at which you keep a cryptographic inventory current. The right work is unromantic. The full opener is at deretti.net.
Five readers. One framework.
Most PQC content is written for one audience and read by the wrong one. The /quantum/ briefings are designed for five distinct readers — each gets the same underlying analysis translated into their vocabulary, concerns, and decision authority.
General staff get the plain-language version of the threat and the response, no standards detail required. Executives get the business-impact framing, the compliance landscape, and the strategic posture. IT technicians get inventory, vendor questioning, and hybrid deployment at operator grade. Privacy and legal professionals get the HNDL legal-time dimension, retention obligations, and breach posture. Security architects get the standards, hybrid construction, and structural pitfalls.
Sense → Decide → Act → Learn.
The Calm Loop from the IR 2.0 framework applies to cryptographic transitions on a multi-year clock. Sense your cryptographic estate. Decide what moves first. Act through hybrid before native. Learn from each migration cohort.
The PQC migration is not separate from the rest of resilient operations — it is the same operating model applied to a different time horizon. The IR 2.0 four-step loop is what carries a small team across a multi-year transition: every quarter, sense what changed in your estate or in the vendor landscape, decide which priority tier moves next, act through the standard playbook of inventory → pilot → hybrid → native, and learn from the inevitable MTU, PKI, and downgrade-attack surprises before they compound.
Active section. Version stamped.
/quantum/ is published as v0.2.0 in 2026-Q2 and is reviewed on a quarterly cadence. The Standards & Timelines page is the most volatile and is reviewed monthly. Revision triggers are listed inside each page.
The standards layer (FIPS 203/204/205) is stable — algorithm specifications will not change. The guidance layer (CNSA 2.0 deadlines, CISA procurement lists, NIST IR 8547 transition timelines) is updated periodically. The /quantum/ pages carry version stamps and a "last reviewed" date. Where ambiguity exists between a /quantum/ page and the Active Research note, the Active Research note is authoritative.
Five surfaces. One body of work.
Start Here for orientation, Briefings to find your audience, Foundation for depth, Tools for operator artifacts (Phase 2), and the Active Research note for the structured analysis.
Start Here: Five-minute orientation to PQC. What the standards are, why they matter to you in 2026, where to go next based on your role.
Briefings: Same material, five conversations. General staff, executives, IT technicians, privacy & legal, security architects.
Foundation: Whitepaper, glossary, standards reference. Reference content for readers who need depth.
Tools: Inventory worksheet, vendor RFP rubric, interactive maturity self-assessment, tabletop scenario, executive one-pager. HTML + downloadable XLSX/PDF.
Active Research note: The Living Exposure Class analysis of Harvest Now, Decrypt Later. The canonical structured reference.