Immediate Post-Quantum Protection with Network-Layer Encryption


The Quantum Timeline Is No Longer Distant

Fault-tolerant quantum computers capable of breaking RSA and ECC encryption are on track to arrive between 2028 and 2030, according to published roadmaps from IonQ, Google, and IBM.  When that capability matures, every encrypted connection in production today becomes retroactively vulnerable through a technique known as Harvest Now, Decrypt Later (HNDL) — adversaries capture encrypted traffic today, store it, and decrypt it once quantum hardware arrives.  This is not a theoretical risk;  intelligence agencies and state-sponsored actors are actively harvesting encrypted traffic today.

NIST finalized the first three post-quantum cryptography (PQC) standards in August 2024:  ML-KEM (FIPS 203, formerly Kyber) for key encapsulation, ML-DSA (FIPS 204, formerly Dilithium) for digital signatures, and SLH-DSA (FIPS 205) for stateless hash-based signatures.  A fifth algorithm, HQC, was selected in March 2025.  RSA and ECC will be deprecated by 2030 and disallowed by 2035 under the NIST timeline.

The regulatory picture reinforces the urgency:  the US Government has earmarked $7.1 billion for federal PQC migrations, CNSA 2.0 mandates quantum-safe cryptography for national security systems by 2030, and the EU’s eIDAS 2.0 and NIS2 directives are driving compliance across regulated European sectors.

Timeline Reduction: The Window Is Closing Faster

With recent developments — especially driven by AI and advances in quantum error correction — the timeline is accelerating.  The number of qubits required to break modern encryption has dropped dramatically, and what was once thought to require millions of qubits may now be achievable with between just tens of thousands to a few hundred thousand.

As a result, many industry leaders are now projecting that the timeline could move up to as early as late 2028 to 2029, making the urgency of upgrading to post-quantum security critically important for the business.

  • Qubits reduced significantly:  millions → tens of thousands or hundreds of thousands

  • Timeline accelerating:  shift from 2030+ to ~2029

The practical consequence is that the window for planning, procuring, and deploying a post-quantum strategy is now measured in months, not years.  A migration approach that depends on reconfiguring thousands of applications cannot finish in that window.

A network-layer approach can.


Why Per-Application Migration Cannot Meet the Deadline

The standard remediation path of upgrading TLS application by application faces structural obstacles that make it effectively impossible within the threat window.

The Scale of the Problem

As of December 2025, it is estimated that large enterprises with more than 2,000 applications require 12 to 15 years to complete a per-application PQC TLS migration. Mainframe-heavy institutions in banking and healthcare face timelines of 15 to 20 years.

The gap between the FTQC threat window (2028–2030) and migration completion (2040+) represents years of unprotected exposure.

The Mainframe and COBOL Reality

Across banking, healthcare, insurance, retail, and government, critical workloads still run on COBOL-based systems that predate TLS entirely.

  • Ninety-two of the top 100 banks run IBM mainframes.

  • Ninety-five percent of ATM transactions are processed by COBOL.

  • Medicare claims processing was originally written in the 1970s.

Because these applications contain no native cryptographic code, IBM’s AT-TLS proxy applies encryption transparently at the operating system layer.

However, this model introduces significant barriers to post-quantum migration:

  • IBM has not yet shipped a PQC-capable AT-TLS Policy Agent.

  • Even when available, large banks must reconfigure 5,000 to 15,000 individual AT-TLS policy rules, each requiring a new PQC certificate and cipher suite.

  • The CEX7S crypto card lacks ML-KEM and ML-DSA hardware support, forcing PQC operations into software.

  • Software-based PQC implementations can increase computational cost by 10× to 50×, running on general CPU resources.

  • The resulting MIPS consumption alone could cost large institutions millions of dollars per month.

Cost of the Per-Application Path

The global cost of per-application PQC TLS migration is estimated at $300 billion to $1 trillion over 15 years across the Forbes Global 2000.

A single Tier 1 bank faces $400 million to $10 billion in total migration cost.

Government agencies face similar exposure:  the US Federal $7.1 billion budget covers priority systems only.

Graphiant’s Approach:  PQC at the Network Layer

Graphiant delivers post-quantum encryption as a network service, applied at Layer 3 of the network, below every application.

A standard x86 server in the data center and a commodity edge device at each branch run Graphiant software.  All traffic — COBOL core banking, ATM networks, SWIFT connections, cloud workloads, SaaS applications, AI and neo-cloud providers, B2B partner connections — is encrypted with ML-KEM-1024 post-quantum IPsec before it leaves the network.

The COBOL applications see a standard TCP connection.  Nothing changes on z/OS.  No AT-TLS reconfiguration.  No MIPS cost.  No IBM dependency.  No flag day.

This works today. Deployment is measured in hours, not months. Application teams can then migrate each system to native PQC TLS on their own schedule, risk-ranked and vendor-paced, over the next decade — with the network already quantum-safe from day one.

Key Architectural Differentiators

  • Controller-driven IKE, not pairwise:  

    • Each Edge authenticates once with the Graphiant controller using PQC.

    • BGP distributes key material to authorized peers.

    • Traditional IKE requires N-squared pairwise handshakes;  Graphiant requires N.

  • Stateless MPLS core:  

    • The private backbone holds no session state, no flow cache, and no customer keys.

    • A compromised core router sees only label-switched traffic;  it cannot read, replay, or redirect.

  • Zero application changes:

    • PQC encryption is applied at the network layer.

    • Legacy applications, mainframe workloads, IoT devices, and SaaS connections are all protected transparently.

  • Runs alongside existing infrastructure:

    • Graphiant operates over commodity broadband, 5G, or MPLS underlays, and runs alongside existing SD-WAN, SASE, or multi-cloud architectures.

    • No rip-and-replace required.

  • Data assurance:

    • End-to-end flow-level observability with automated detection of breaches, unwanted relay, and SLA violations across every hop in the fabric.
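The replay claim above rests on standard IPsec behaviour. The following Python is an added example, not Graphiant's code (the page does not describe its implementation): it is an RFC 4303 style ESP anti-replay sliding window, the mechanism by which a receiver rejects a packet that a transit node recorded and re-injected, whether or not that node can read it. The window size, the packet trace and the name `process` are assumptions made for the example.

```python
"""ESP anti-replay sliding window (added example, RFC 4303 style).

Not Graphiant's code. Shows the standard IPsec receiver-side mechanism that
makes a recorded ESP packet useless when re-injected: the receiver tracks
which sequence numbers it has already accepted and drops duplicates and
packets that have fallen behind the window. Sequence numbers are plain
integers here; the 64-packet window and the sample trace are assumptions.
"""
from typing import Iterable, List, Tuple


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) was accepted

    def check(self, seq: int) -> bool:
        """Would this sequence number be accepted? Read-only, so it can run
        before the (comparatively expensive) integrity check."""
        if seq == 0:                     # ESP never sends sequence number 0
            return False
        if seq > self.top:               # ahead of the window: new
            return True
        diff = self.top - seq
        if diff >= self.size:            # fell off the left edge: stale
            return False
        return not ((self.bitmap >> diff) & 1)   # inside window: new unless seen

    def update(self, seq: int) -> None:
        """Mark seq as accepted. Call only after the ICV verified, so a forged
        packet cannot advance the window and shut out legitimate traffic."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1          # whole window slid past; only seq is marked
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process(window: AntiReplayWindow, packets: Iterable[Tuple[int, bool]]) -> List[int]:
    """Run (sequence number, icv_ok) packets through the receiver's replay
    check; returns the sequence numbers that were accepted, in arrival order."""
    accepted = []
    for seq, icv_ok in packets:
        if not window.check(seq):   # replay or stale: drop before any crypto
            continue
        if not icv_ok:              # integrity failure: drop, window untouched
            continue
        window.update(seq)
        accepted.append(seq)
    return accepted


# Constructed trace: packets arrive out of order, a transit node replays 3 and
# 5, a forged packet 4 fails its ICV, and after a jump to 100 the stale
# packet 36 is outside the 64-entry window while 37 is still inside it.
SAMPLE_TRACE = [(1, True), (5, True), (3, True), (3, True), (5, True),
                (4, False), (4, True), (100, True), (36, True), (37, True)]

if __name__ == "__main__":
    print(process(AntiReplayWindow(64), SAMPLE_TRACE))   # [1, 5, 3, 4, 100, 37]
```

The order of operations is the point worth keeping: the window is consulted before the integrity check so that replayed packets cost no cryptography, but it is advanced only after the check passes, so an attacker cannot move the window with forged sequence numbers.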

Economic Comparison

The cost difference between per-application migration and network-layer PQC is measured in orders of magnitude.

  Industry             | Per-App Migration | Graphiant / yr | Migration Timeline | Savings
  Banking (Tier 1)     | $400M–$10B        | $3–$10M/yr     | 12–15 years        | $400M+ saved
  Healthcare           | $50M–$2B          | $1.5–$5M/yr    | 12–15 years        | $50M+ saved
  Insurance (Top 10)   | $150M–$4.5B       | $2–$5M/yr      | 12–15 years        | $150M+ saved
  Retail (Top 25)      | $25M–$1B          | $2–$5M/yr      | 8–12 years         | $25M+ saved
  US Federal Agency    | $500M+            | $4–$15M/yr     | Unknown            | $500M+ saved

Deployment Model

Graphiant’s deployment follows a three-phase model that delivers immediate protection and positions the enterprise for long-term application-level migration.

  • Phase 1 — Protect Now (Day 1–90):

    • Deploy Graphiant software at two data center sites for data replication.

      • Step 1:  Test all aspects of the solution, including throughput up to 100G.

      • Step 2:  Bring up a few branches and test site-to-data-center PQC.

      • Step 3:  Test scalability.

    • All traffic is PQC-protected at the network layer.

    • No application changes required.

    • B2B partner connections secured.

    • Full OpenTelemetry observability from day one.

  • Phase 2 — Assess and Plan (Month 3–12):

    • Conduct a cryptographic endpoint inventory.

    • Risk-rank applications by data sensitivity and regulatory deadline.

    • Deliver a 3–5 year application migration roadmap.

  • Phase 3 — Migrate and Verify (Year 1–15):

    • Per-application native PQC TLS migration, managed and risk-ranked.

    • Certificate lifecycle management with dual-stack PKI.

    • Vendor coordination across SAP, Oracle, IBM, and ISV ecosystem.

    • The network remains quantum-safe throughout.
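The Phase 2 inventory and risk-ranking step, as an added Python example that is not Graphiant's tooling: it parses a constructed endpoint inventory, flags endpoints whose classical-only key exchange leaves captured traffic decryptable within the threat window the page cites (2028) using the shelf-life-plus-migration-time comparison known as Mosca's inequality, and ranks them by data sensitivity and regulatory deadline. The current-year value, the hybrid group names, the scoring weights, the record format and the sample hosts are all assumptions.

```python
"""Cryptographic endpoint inventory and HNDL risk ranking (added example).

Not Graphiant's tooling. Models the Phase 2 step: parse an endpoint
inventory, decide which endpoints are exposed to Harvest Now, Decrypt Later,
and rank them by data sensitivity and regulatory deadline. THREAT_YEAR is the
earliest FTQC arrival the page cites; NOW_YEAR, the group names, the scoring
weights and the sample records are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List

THREAT_YEAR = 2028   # earliest fault-tolerant quantum computer, per the page
NOW_YEAR = 2025      # assumed current year for the sample

# TLS key-exchange groups with an ML-KEM component. Names follow the IANA
# TLS Supported Groups registry; treat the set as an assumption and extend it
# to match what your scanner actually reports.
PQ_SAFE_GROUPS = {
    "X25519MLKEM768",
    "SecP256r1MLKEM768",
    "SecP384r1MLKEM1024",
}


@dataclass
class Endpoint:
    name: str               # constructed label, not a real host
    kex_group: str          # TLS key-exchange group the endpoint negotiates
    sensitivity: int        # 1 (public) .. 5 (regulated financial / health data)
    shelf_life_years: int   # years the data must stay confidential after capture
    migration_years: int    # estimated time to move this app to native PQC TLS
    reg_deadline: int       # year a regulator requires PQC for this data


def hndl_exposed(ep: Endpoint) -> bool:
    """True if traffic captured today could be decrypted while it still matters.

    Mosca's inequality: migration time plus required secrecy lifetime, counted
    from now, must not reach past the threat year. Endpoints already on a
    hybrid ML-KEM group are not exposed to HNDL.
    """
    if ep.kex_group in PQ_SAFE_GROUPS:
        return False
    return NOW_YEAR + ep.migration_years + ep.shelf_life_years > THREAT_YEAR


def risk_score(ep: Endpoint) -> int:
    """Urgency score (assumed weights): sensitivity dominates, a regulatory
    deadline within six years adds up to 6 points, non-exposed endpoints score 0."""
    if not hndl_exposed(ep):
        return 0
    years_to_deadline = max(ep.reg_deadline - NOW_YEAR, 0)
    deadline_weight = max(6 - years_to_deadline, 0)
    return ep.sensitivity * 10 + deadline_weight


def rank(inventory: List[Endpoint]) -> List[Endpoint]:
    """Exposed endpoints, most urgent first; longer shelf life breaks ties."""
    exposed = [ep for ep in inventory if hndl_exposed(ep)]
    return sorted(exposed, key=lambda e: (-risk_score(e), -e.shelf_life_years, e.name))


def parse_inventory(text: str) -> List[Endpoint]:
    """Parse 'name, group, sensitivity, shelf_life, migration_years, deadline'
    records (assumed format); blank lines and '#' comments are skipped."""
    endpoints = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, group, sens, shelf, mig, deadline = (f.strip() for f in line.split(","))
        endpoints.append(Endpoint(name, group, int(sens), int(shelf), int(mig), int(deadline)))
    return endpoints


# Constructed sample inventory (not real hosts or measurements).
SAMPLE_INVENTORY = """
# name,               group,             sens, shelf, migrate, deadline
core-banking-cobol,   secp256r1,         5,    10,    8,       2030
atm-switch,           x25519,            5,    7,     6,       2030
public-website,       X25519MLKEM768,    1,    0,     0,       2035
hr-portal,            x25519,            3,    2,     1,       2035
marketing-cdn,        secp256r1,         1,    1,     1,       2035
"""

if __name__ == "__main__":
    for ep in rank(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{risk_score(ep):3d}  {ep.name:<20} {ep.kex_group}")
```

On the sample, the two mainframe-fronted endpoints are the only ones flagged: their data outlives the threat year by a decade even after an eight-year migration, which is exactly the gap a network-layer control has to cover in the meantime. The short-lived HR and marketing traffic drops out because it expires before 2028, and the website is already on a hybrid group.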

Industries Covered

Graphiant’s network-layer PQC addresses the quantum threat across every industry that depends on mainframe, legacy, or IoT infrastructure:

  • Banking and payments:

    • COBOL core banking, ATM networks, SWIFT/ACH, credit card processing

    • $15 trillion or more in annual payment value at risk

  • Healthcare:

    • Medicare/Medicaid claims, HL7/FHIR APIs, clinical systems

    • $8 to $10 trillion in annual healthcare transactions

  • Insurance:

    • Policy administration, claims processing, reinsurance settlement chains

    • $7 to $9 trillion in annual insurance flows

  • Retail and supply chain:

    • POS systems, inventory management, EDI supply chain

    • $6 to $8 trillion in annual retail transactions on mainframe

  • Government:

    • Social Security ($1.4 trillion in benefits), IRS ($4.7 trillion in tax collections), DoD logistics

    • $10 to $15 trillion in annual government transactions

  • IoT:

    • Medical devices, SCADA/OT, sensors running constrained MCUs with no native PQC capability

    • Network-layer encryption is the only viable path.

Conclusion

The quantum threat to enterprise encryption is a 2–4 year problem — and recent progress on qubit efficiency is compressing that window closer to 2–3 years.  The standard per-application migration takes 12 to 15 years.  The gap cannot be closed from the application layer.

Graphiant closes that gap from the network.  A commodity server and a small edge device encrypt all traffic with post-quantum IPsec from day one.  No application changes.  No mainframe dependency.  No flag day.  Applications migrate to native PQC TLS on their own schedule, while the network is already quantum-safe.