PHASE 04 — HYBRID ROLLOUT
Classical + PQC in parallel for each protocol. Measure compat, perf, and interop with partners on their schedule.
YOU CANNOT CUT OVER
Your partners aren't on your schedule. Your firmware can't be redeployed overnight. You can't trust a brand-new algorithm with no incidents and no deprecation signal. Hybrid is how you migrate without breaking — and how you keep a fallback.
PROTOCOL BY PROTOCOL
- 01
TLS
Hybrid key exchange (X25519 + ML-KEM) for external and internal endpoints. Measured against latency and error budgets.
- 02
Code signing
Dual signatures — classical for backwards compat, PQC for longevity. Verifier upgrades ahead of signers.
- 03
VPN / IPsec
Hybrid IKEv2 where supported; gradual vendor migration elsewhere.
- 04
PKI
Hybrid certificate issuance and chain validation. CAs updated first, then subscribers.
- 05
Messaging / storage
Encryption at rest and in transit upgraded protocol-by-protocol with data-class priority.
START A Q-DAY BRIEFING
A 60-minute executive briefing tailored to your sector, crypto inventory, and regulatory exposure.
Begin intake