Quantum Core Institute · Publisher of QCI-QS1
Quantum risk is three exposures, not one.
Data gets read. Identities get forged. Payments lose proof of who sent what. We measure all three against a free, published standard, score the result 0 to 100, and tell you which exposure can wait. Knowing when not to spend is still part of the service.
Identity risk
Signatures get forged.
The asymmetric cryptography quantum computing breaks is the layer that proves who did what: certificate chains, signing keys, customer authentication, and the machine and AI-agent credentials nobody has counted. Longest replacement lead times, thinnest inventories, and the exposure most institutions discover last.
Governed by QRAF Domain D6, Clause 4.5, and the machine identity inventory in QCI-QS1 v2.3.
Payment risk
Transactions lose proof.
A disclosed message has a price tag. A forged signature inside a payment or settlement system does not, because it breaks the thing audits, counterparties, and courts rely on. If your institution signs, settles, or moves money, this is your unbounded scenario.
Governed by the transaction-integrity vendor scope in Clause 7 and the Q-Risk comparability controls.
Data risk
Archives get read.
Harvest now, decrypt later is already running against anything that must stay confidential longer than your migration will take. It gets the headlines because it is happening today. It is also the bounded one.
Governed by data-longevity classification and the QASI risk flags.
Three surfaces, one budget. Data risk is often where waiting is defensible. Identity is where waiting is already late, because certificate authorities and credential re-issuance do not move on your schedule. Telling you which is which is the job.
Most vendors sell urgency. We publish the standard.
Quantum vendors want to sell you solutions you do not need yet. We measure where you actually stand, tell you when to act, and tell you when to wait. Knowing when not to spend is part of the service. Separate real exposure from vendor-driven urgency. Every call is recorded as evidence you can defend later. And because the three surfaces move on different clocks, "wait" on one is fully compatible with "you are late" on another.
A standard regulators and auditors can cite.
QCI-QS1 is the free, citeable standard for quantum risk governance. Published in full. Download it, cite it, adopt it. No form wall and no license fee. Mapped to DORA, NIS2, NCUA, HIPAA, and FFIEC.
Version 2.3, effective June 2026, adds the identity workstream: coordination requirements for concurrent identity programs, a machine identity inventory, and explicit identity weighting in the Q-Risk Score.
Download QCI-QS1 v2.3What a posture review looks like.
Adopt the standard.
Download QCI-QS1 and use it as your governance baseline. It is free, citeable, and built for boards and auditors.
We map your cryptographic footprint.
We review your cryptography inventory against the QASI framework, including the certificate estates and machine credentials most inventories miss. You get a clear list of what is protected and what is exposed.
We score your posture and explain the number.
Your Q-Risk Score is calculated with hard ceiling rules at 60, 65, 70, and 80. You know exactly why the score is what it is and what would move it. The 65 ceiling is new in v2.3: nobody scores past it without a complete identity and trust-chain inventory. Scores live on the QCI Quantum Risk Dashboard at risk.quantumcoreinstitute.com, where your board can see the number, the band, and the movement without asking anyone to export a slide.
You leave with evidence.
You receive a board-ready insert, a prioritized roadmap, and the evidence trail behind every recommendation. Nothing stays in the room.
Harvest now, decrypt later is already happening.
Adversaries collect encrypted data today to decrypt it once quantum capability arrives. Any data that must stay confidential for ten years or more is already exposed. When your board asks, the question is not whether you saw it coming. It is whether you measured it.
Measure your posture.
Get a scored Q-Risk posture and a board-ready report mapped to your regulators.
Book a posture reviewQ-Risk intelligence, no hype.
Governance-grade updates on PQC compliance, vendor readiness, and regulatory movement. The credit union and community bank PQC briefing leads, twice a week.
Stay Updated
Get the latest insights on quantum computing delivered to your inbox