Inside the book

20 chapters organized around action, inventory, and migration timing

Each chapter stands on its own. The book is designed for two reading paths: one for boards and investors, one for CISOs and architects.

The Quantum Almanac 2026-2027 contains 20 chapters organized into five sections: The Threat Model (chapters 1-5), Composite Scenarios, Operational Chapters (chapters 6-13), Sector Playbooks for finance, healthcare, industrial, and government (chapters 14-17), and Governance and Action (chapters 18-20). The book covers harvest now, decrypt later; what breaks first; timing uncertainty; PKI and machine trust; data at rest; third-party risk; zero trust during transition; and a 12-month action plan. Two reading paths are provided: one for boards and investors, one for CISOs and architects.

Chapter summaries

What each chapter covers and why it matters.

Ch 1. Why This Is a Security Book, Not a Quantum Book

Reframes quantum risk as a trust, identity, and migration problem rather than a physics prediction contest. Establishes the evidence hierarchy used throughout the book.

Ch 2. Quantum Computing for Security Leaders

Explains quantum computing concepts at the level security leaders need: what qubits, gates, and error correction mean for the threat timeline, without requiring a physics background.

Ch 3. The Threat Model That Matters: Harvest Now, Decrypt Later

Builds the harvest now, decrypt later (HNDL) threat model from first principles. Shows why data with long confidentiality requirements is already at risk, regardless of when a cryptographically relevant quantum computer (CRQC) arrives.

Ch 4. What Breaks, What Does Not, and What Changes First

Maps which cryptographic primitives are vulnerable (RSA, ECC, DH) versus resistant (AES, SHA-3). Identifies the systems that break first: PKI, code signing, and key exchange.

Ch 5. Timing Uncertainty Is Not a Strategy

Argues that timeline uncertainty about Q-Day is not a reason to delay. The migration timeline, not the threat timeline, is the binding constraint for most organizations.

What Happens When You Are Late: Three Composite Scenarios

Three realistic composite scenarios showing what happens to a financial services firm, a healthcare system, and a critical infrastructure operator that start migration too late.

Ch 6. 2025 Through February 2026: The Year the Topic Became Operational

Chronicles the inflection points that moved quantum risk from theoretical discussion to operational planning: NIST standards, G7 guidance, platform defaults, and procurement language.

Ch 7. The Default Stack Is Moving Under Your Feet

Tracks how Apple, Google, Microsoft, and Cloudflare are already deploying post-quantum cryptography in production. Shows that the transition is not waiting for enterprise readiness.

Ch 8. Digital Assets, Disclosure, and Capital Markets Governance

Covers quantum risk implications for digital assets, securities disclosure obligations, and capital markets governance. Addresses regulatory expectations and fiduciary duties.

Ch 9. Discovery: You Cannot Migrate What You Cannot See

The operational chapter on cryptographic inventory. Covers discovery tools, scanning approaches, and how to map the cryptographic surface area across an enterprise.

Ch 10. PKI, Identity, and Machine Trust

Addresses the largest migration surface: machine identities, certificates, and PKI infrastructure. Covers certificate lifecycle, key management, and trust chain migration.

Ch 11. Data at Rest, Archives, Backups, and Keys

Focuses on long-lived data protection: archives, backups, key escrow, and data-at-rest encryption. These systems have the longest exposure window to HNDL attacks.

Ch 12. Third-Party Risk, Procurement, and Contracts

Practical guidance on managing quantum risk through the supply chain. Includes vendor questionnaires, contract language, and procurement evaluation criteria.

Ch 13. Zero Trust, Incident Response, and Resilience During Transition

Addresses security operations during the migration period. Covers how zero trust architectures interact with cryptographic transitions and incident response implications.

Ch 14. Finance and Market Infrastructure

Sector-specific playbook for financial services. Covers SWIFT, payment networks, trading infrastructure, regulatory expectations, and the G7 Cyber Expert Group roadmap.

Ch 15. Healthcare, Life Sciences, and Regulated Privacy

Sector playbook for healthcare and life sciences. Addresses HIPAA implications, clinical trial data, medical device security, and long-lived patient data protection.

Ch 16. Industrial, Cloud, and Critical Infrastructure

Covers operational technology, cloud infrastructure, and critical systems. Addresses the unique challenges of migrating embedded systems and long-lifecycle industrial controls.

Ch 17. Government and National Security Posture

Covers federal mandates (CNSA 2.0, OMB M-23-02), defense requirements, and national security implications. Maps the government migration timeline and procurement requirements.

Ch 18. Governance, Capital Allocation, and Board Communication

Translates quantum risk into board-level language. Covers capital allocation frameworks, governance structures, and how to communicate migration progress to leadership.

Ch 19. The Devil’s Advocate

Steelmans the strongest arguments against urgency: timeline uncertainty, cost, competing priorities, and immature standards. Then systematically addresses each objection with evidence.

Ch 20. The 12-Month Action Plan

A concrete, month-by-month action plan for starting post-quantum migration. Covers quick wins, governance setup, vendor engagement, inventory, and pilot deployments.

Sections

How chapters are organized.

The Threat Model

  • Ch 1. Why This Is a Security Book, Not a Quantum Book
  • Ch 2. Quantum Computing for Security Leaders
  • Ch 3. The Threat Model That Matters: Harvest Now, Decrypt Later
  • Ch 4. What Breaks, What Does Not, and What Changes First
  • Ch 5. Timing Uncertainty Is Not a Strategy

Composite Scenarios

  • What Happens When You Are Late: Three Composite Scenarios

Operational Chapters

  • Ch 6. 2025 Through February 2026: The Year the Topic Became Operational
  • Ch 7. The Default Stack Is Moving Under Your Feet
  • Ch 8. Digital Assets, Disclosure, and Capital Markets Governance
  • Ch 9. Discovery: You Cannot Migrate What You Cannot See
  • Ch 10. PKI, Identity, and Machine Trust
  • Ch 11. Data at Rest, Archives, Backups, and Keys
  • Ch 12. Third-Party Risk, Procurement, and Contracts
  • Ch 13. Zero Trust, Incident Response, and Resilience During Transition

Sector Playbooks

  • Ch 14. Finance and Market Infrastructure
  • Ch 15. Healthcare, Life Sciences, and Regulated Privacy
  • Ch 16. Industrial, Cloud, and Critical Infrastructure
  • Ch 17. Government and National Security Posture

Governance and Action

  • Ch 18. Governance, Capital Allocation, and Board Communication
  • Ch 19. The Devil’s Advocate
  • Ch 20. The 12-Month Action Plan

Reading paths

Choose the path that matches your role.

Board and investor track

Preface, Executive Summary, Changes from 2025-2026 Edition, Chapters 1, 6, 8, 18, 19, and 20, then Appendix B.

A compact path for governance, disclosure, capital allocation, and oversight.

CISO and architect track

Executive Summary, Changes from 2025-2026 Edition, Chapters 2, 4, 7, 9 through 13, 15 through 17, Appendix C, and Appendix J.

Designed to move quickly from threat model to inventory, trust, supplier pressure, and implementation.

Get the full book

Full chapter content available in the hardcover and Kindle editions.