From Cryptographic Blind Spots to Post-Quantum Agility: Introducing Wiz for PQC Readiness

Eliminate cryptographic blind spots and neutralize legacy debt with an integrated cryptographic asset inventory. Identify risks across code, cloud, and runtime, using the Wiz Security Graph to prioritize migration and protect against "Harvest Now, Decrypt Later" attacks.

The Invisible Foundation: Why Cryptographic Readiness Matters Today

For nearly half a century, the mathematical foundations of digital trust, algorithms like RSA and ECC, have remained remarkably stable. Because these building blocks were so reliable for so long, the protocols built on top of them (like SSL and later TLS) became the set-it-and-forget-it bedrock of the enterprise.

But reliability often breeds complacency. The result is an environment where cryptography is everywhere yet documented nowhere: algorithms buried in third-party libraries, key exchanges negotiated by cloud-managed services, and certificates scattered across environments that no one fully maps. While these stable foundations are now the target of quantum computing, the more immediate risk is the "cryptographic debt" we’ve accumulated, leaving us with a visibility gap that can make the coming migration feel like navigating a storm without a map.

Cryptographic visibility is becoming more important. As timelines for a cryptographically relevant quantum computer (CRQC), or “Q-Day”, shorten, the risk of Harvest Now, Decrypt Later (HNDL) attacks targeting sensitive data is increasing. Simultaneously, legacy debt like SHA-1, 3DES, and TLS 1.1 leaves environments vulnerable to classical attacks today.

With recent announcements by Google and Cloudflare around accelerated quantum timelines, the recommended deadline for Post-Quantum Cryptography (PQC) readiness has shifted to as early as 2029. The good news? Building out your cryptographic visibility just got a powerful ally.

Figure 1: Wiz now has insights into cryptographic inventory and PQC readiness to help organizations manage cryptographic risk and build cryptographic agility

Introducing Wiz for PQC Readiness

Wiz for PQC Readiness moves organizations from reactive, point-in-time audits to continuous visibility and a data-driven migration strategy. Rather than treating PQC migration as a one-time project, Wiz integrates cryptographic risk into the same continuous risk management teams already rely on for their cloud and AI environments.

At the core of the solution is the PQC Readiness Framework, a structured, priority-ordered roadmap mapped to the actual stages of a cryptographic migration. It sits on top of the cryptographic assets Wiz detects, including algorithms, certificates and keys, cryptographic libraries, and web services, building a living, continuous inventory of the cryptographic primitives running across your entire estate.

To make the PQC Readiness Framework easier for organizations to act on, Wiz has added the new Cryptographic Readiness Champion Center and PQC Lens.

Figure 2: The new Wiz PQC Lens provides a focused visualization of post-quantum readiness and cryptographic risk assessment

Think of this as your PQC Mission Control, providing a high-level, visual overview of your cryptographic posture. The PQC Lens can provide a filtered, focused view to isolate cryptographic risks and help enforce guardrails directly in your CI/CD pipelines.

See everything: a living inventory

You cannot migrate what you cannot see. Wiz automatically discovers and catalogs cryptographic assets across your cloud and code. To ensure this visibility is granular, Wiz now includes PQC support fields at the technology and hosted technology levels, allowing you to track readiness across both managed services and specific software instances.

The living cryptographic inventory includes:

  • Cloud-Managed Services: configurations for AWS KMS, load balancers, and API gateways

  • Protocols in Transit: TLS and SSH protocol usage on public endpoints

  • Cryptographic Artifacts: certificates and SSH keys, including their respective algorithms and key lengths

  • Shadow Cryptography: libraries and primitives buried in third-party applications and container images that traditional scanners might miss

Figure 3: Wiz for PQC Readiness centralizes cryptographic assets visibility across your multi-cloud

Unlike a point-in-time audit, this visibility is continuous: as your environment changes, the inventory stays current, and hidden cryptographic debt stops being a blind spot. The focus remains on prioritized cryptographic risk management, but the same continuous inventory can quickly produce a cryptographic bill of materials (CBOM) when reporting or compliance requirements call for one.

Navigate with the PQC Readiness Framework

Having an inventory is only the starting point. The transition to PQC-resilient cryptography needs an actionable plan to help prioritize migration efforts. The Wiz PQC Readiness Framework categorizes your cryptographic findings into three actionable phases, helping teams move from immediate cleanup to long-term resilience:

  1. Legacy Resiliency (Urgent): Flags cryptographic configurations that classical attacks already break, such as weak RSA keys, deprecated algorithms like 3DES and RC4, and insecure TLS and SSH configurations. These findings demand attention now, independent of any quantum timeline.

  2. HNDL Risk (Immediate): Focuses on session negotiation and key exchange. Wiz validates the use of PQC-compliant Key Encapsulation Mechanisms (KEMs) like ML-KEM to neutralize Harvest Now, Decrypt Later (HNDL) risks. This is the most time-sensitive PQC priority.

  3. Identity and Signature Resiliency (Long-Term): Wiz helps inventory asymmetric artifacts, including RSA and ECC, providing foundational visibility for the long-term migration of your core PKI infrastructure, accelerating Q-Day preparedness.

The new PQC Stages Widget provides an end-to-end view of your transition, with each stage clickable so you can drill directly into the areas that need the most attention.

Figure 4: The Wiz PQC Readiness Assessment breaks down cryptographic risk into areas of Urgent (Legacy Resiliency), Immediate (HNDL), and Long-Term (Identity and Signature Resiliency) concern

Bringing Contextual Prioritization to PQC Readiness

A comprehensive cryptographic inventory will inevitably surface thousands of findings. The challenge isn't finding the risk; it's knowing which ones to fix first.

This is where the Wiz Security Graph provides clarity. Rather than handing teams a flat list of vulnerable algorithms, Wiz correlates cryptographic findings from the PQC Readiness Framework with your broader cloud context to surface "toxic combinations". This moves you past decision paralysis by answering critical questions:

  • Exposure: Are there weak TLS configurations on your public-facing endpoints?

  • Impact: Do you have legacy ciphers protecting databases with sensitive data, including long-lived PHI or PII?

  • Reachability: Does a PQC-vulnerable asset sit on a reachable attack path to a high-value asset?

By moving from a list of vulnerabilities to a graph of risks, teams can prioritize the migrations that actually move the needle on security. To accelerate this further, Wiz’s AI agents can analyze PQC findings and explain the urgency of specific exposure points in language accessible to the relevant teams across your organization.
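As an added example (not Wiz's code and not its actual classification or scoring rules), the Python script below applies the three-phase triage from the PQC Readiness Framework and the exposure, impact and reachability questions above to a small constructed inventory. The rule tables, the score weights, the asset names and the graph-context flags are all assumptions for illustration; the hybrid key-exchange identifiers are the IETF TLS draft and OpenSSH names for ML-KEM-based groups.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Illustrative rule tables: assumptions for this example, not the product's own criteria.
LEGACY_ALGORITHMS = {"3DES", "RC4", "DES", "SHA-1", "MD5"}
LEGACY_PROTOCOLS = {"SSLv3", "TLS1.0", "TLS1.1"}
# Hybrid ML-KEM key-exchange names as used by the IETF TLS draft and by OpenSSH.
PQC_KEMS = {"X25519MLKEM768", "SecP256r1MLKEM768", "mlkem768x25519-sha256"}
CLASSICAL_ASYMMETRIC = {"RSA", "ECDSA", "Ed25519"}
MIN_RSA_BITS = 2048

PHASE_LEGACY = "1. Legacy Resiliency (Urgent)"
PHASE_HNDL = "2. HNDL Risk (Immediate)"
PHASE_IDENTITY = "3. Identity and Signature Resiliency (Long-Term)"
URGENCY = {PHASE_LEGACY: 30, PHASE_HNDL: 20, PHASE_IDENTITY: 10}  # assumed weights


@dataclass
class CryptoAsset:
    name: str
    kind: str                        # "tls_endpoint", "ssh_endpoint", "certificate", "library", ...
    algorithm: str = ""              # public-key, cipher or hash algorithm in use
    key_bits: int = 0
    protocol: str = ""               # negotiated protocol version (endpoints only)
    key_exchange: str = ""           # key-agreement / KEM group (endpoints only)
    internet_exposed: bool = False   # graph context: reachable from the internet
    sensitive_data: bool = False     # graph context: protects PHI/PII or similar
    on_attack_path: bool = False     # graph context: lies on a path to a high-value asset


def classify(asset: CryptoAsset) -> List[str]:
    """Return every framework phase the asset falls into, most urgent first."""
    phases = []
    weak_rsa = asset.algorithm == "RSA" and 0 < asset.key_bits < MIN_RSA_BITS
    if asset.algorithm in LEGACY_ALGORITHMS or asset.protocol in LEGACY_PROTOCOLS or weak_rsa:
        phases.append(PHASE_LEGACY)      # broken against classical attackers today
    if asset.kind.endswith("_endpoint") and asset.key_exchange not in PQC_KEMS:
        phases.append(PHASE_HNDL)        # classical key agreement: recorded now, decrypted later
    if asset.algorithm in CLASSICAL_ASYMMETRIC:
        phases.append(PHASE_IDENTITY)    # signature / PKI artifact to migrate long-term
    return phases


def risk_score(asset: CryptoAsset) -> int:
    """Phase urgency plus the graph context that turns a finding into a toxic combination."""
    phases = classify(asset)
    if not phases:
        return 0
    context = (15 * int(asset.internet_exposed)     # exposure
               + 10 * int(asset.sensitive_data)     # impact
               + 10 * int(asset.on_attack_path))    # reachability
    return URGENCY[phases[0]] + context


def prioritize(inventory: List[CryptoAsset]) -> List[Tuple[str, int, List[str]]]:
    """Rank the inventory so the highest-scoring toxic combinations come first."""
    rows = [(a.name, risk_score(a), classify(a)) for a in inventory if classify(a)]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def phase_counts(inventory: List[CryptoAsset]) -> Dict[str, int]:
    """Per-phase totals, the kind of numbers a stages widget would display."""
    counts: Counter = Counter()
    for asset in inventory:
        counts.update(classify(asset))
    return dict(counts)


# Constructed sample inventory: hostnames, keys and context flags are made up.
SAMPLE_INVENTORY = [
    CryptoAsset("api.example.test:443", "tls_endpoint", algorithm="ECDSA", key_bits=256,
                protocol="TLS1.3", key_exchange="X25519", internet_exposed=True, on_attack_path=True),
    CryptoAsset("legacy-lb:443", "tls_endpoint", algorithm="RSA", key_bits=2048,
                protocol="TLS1.1", key_exchange="ECDHE-P256", internet_exposed=True, sensitive_data=True),
    CryptoAsset("pq-gateway:443", "tls_endpoint", algorithm="ECDSA", key_bits=256,
                protocol="TLS1.3", key_exchange="X25519MLKEM768", internet_exposed=True),
    CryptoAsset("bastion:22", "ssh_endpoint", algorithm="Ed25519", key_bits=256,
                key_exchange="curve25519-sha256"),
    CryptoAsset("backup-tool libcrypto", "library", algorithm="3DES", sensitive_data=True),
    CryptoAsset("ca-root-cert", "certificate", algorithm="RSA", key_bits=1024),
]

if __name__ == "__main__":
    for name, score, phases in prioritize(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:24s}  {phases[0]}")
    print(phase_counts(SAMPLE_INVENTORY))
```

Two details worth noting: an asset can belong to more than one phase (a TLS 1.1 listener with an RSA certificate is urgent legacy debt, an HNDL exposure and a long-term PKI artifact all at once), so `classify` returns the full list and scoring keys off the most urgent entry; and an endpoint that already negotiates a hybrid ML-KEM group drops out of the HNDL phase while its ECDSA certificate still keeps it in the long-term signature phase.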

Build cryptographic agility, not just a one-time fix

One of the most persistent challenges in cryptographic migration is architectural rigidity: algorithm choices baked so deeply into the code that changing an algorithm requires a full rebuild.

Wiz helps you build cryptographic agility by shifting visibility left. By scanning Infrastructure as Code (IaC) templates and host configurations during development, Wiz identifies hard-coded cryptographic dependencies and insecure configurations before they reach production. The goal is to move from disruptive, emergency rewrites to a controlled, repeatable process where your environment is flexible enough to adapt as new standards emerge.

Clearing a PQC compliance deadline is not the end state; the aim is an environment that can adapt as standards continue to evolve, without a full re-architecture every time a new weakness emerges. Cryptographic agility is what turns a one-time migration into a durable security posture.

A unified view from code to cloud

Most tools in this space operate on a single layer. Network scanners see TLS handshakes. Certificate management platforms track certificate lifecycles. Code scanners find algorithms in source. None of them give the full picture on their own, and stitching them together is a manual, ongoing effort.

Figure 5: Wiz helps organizations prioritize PQC risk remediation based upon exposure and likelihood

Wiz provides a single, unified view across the full lifecycle: IaC, host configurations, cloud-managed services, and live endpoints. It’s the same agentless platform approach many security teams already use for CSPM, vulnerability management, and container security.

This approach can help build cryptographic agility by shifting visibility to the very beginning of the development lifecycle:

  • Wiz IDE Extension: Catch and address PQC-vulnerable configurations while the code is being written.

  • Wiz CLI & CI/CD Guardrails: Use SAST and IaC scanning to prevent non-compliant configurations from ever reaching production.

  • Runtime Sensors: Augment agentless scans with real-time telemetry to detect PQC-vulnerable traffic as it happens.

Get started

Wiz for PQC Readiness is now generally available to all Wiz customers. The best part? It is included in Wiz Cloud, as well as within our FedRAMP High authorized environment, Wiz for Gov. Cryptographic inventory assessments are enhanced through Wiz Code, Wiz Runtime Sensor, and Wiz DSPM.

Log in to your Wiz tenant to explore the Cryptographic Readiness board today, or visit our technical documentation to learn more about the integrated PQC capabilities within Wiz.

Scan your domain using our PQC Tester to see if your server supports PQC key exchanges.

Acknowledgements

Wiz extends its gratitude to Christopher Porter (CSO, Fannie Mae). His early advocacy and deep insight into evolving PQC use cases were instrumental in defining the vision and development of the Wiz for PQC Readiness suite.
