
CONCEPT Cited by 1 source

Quantum impact inventory

Definition

A quantum impact inventory is a risk-prioritized assessment of an organization's systems focused on four questions per system:

  1. Impact — what would be the consequence if this system or its data is compromised by a quantum-capable adversary?
  2. Likelihood — how exposed is this system (internet-facing vs. internal, data sensitivity, adversary motivation)?
  3. Mitigation options — what's feasible: drop-in algorithm replacement, software update, compensating control (e.g. tunneling traffic over a bulk post-quantum (PQ) connection), or network isolation?
  4. Dependency chain — what else must change for each option to work?

Contrast with CBOM

Unlike a CBOM (cryptographic bill of materials, an exhaustive enumeration of the cryptography in use), a quantum impact inventory starts from business impact and works backward to the cryptographic layer. This produces an actionable migration priority order faster than a bottom-up algorithm inventory.

We think that a quantum impact inventory is a more productive framing. [...] Identifying these informs where to take action first. You can fill in the details of a full CBOM over time. (Source: sources/2026-06-23-cloudflare-post-quantum-eo-milestone)

Operational approach

  1. Rank systems by compromise impact (national security, financial, life-safety, reputational).
  2. Classify exposure: public-internet-facing (harvest-now-decrypt-later, HNDL, risk today) vs. internal-only (lower immediate risk).
  3. For each high-impact/high-exposure system, identify the shortest path to PQ protection — often a compensating control like tunneling through PQ infrastructure while per-system upgrades are planned.
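
The three steps above as an added sketch, not code from the cited source: each record answers the four questions, and the output is a migration order with the shortest mitigation path per system. The numeric weights, the "fewest dependencies" reading of "shortest path", and the sample systems are all assumptions.

```python
from dataclasses import dataclass

# Assumed weights; the page names the categories and exposure classes but gives no numbers.
IMPACT = {"national-security": 4, "life-safety": 4, "financial": 3, "reputational": 2}
EXPOSURE = {"public": 2, "internal": 1}  # public-facing traffic can be harvested today

@dataclass
class Mitigation:
    kind: str                 # algorithm-swap, software-update, pq-tunnel, isolation
    dependencies: list[str]   # question 4: what else must change for this to work

@dataclass
class System:
    name: str
    impact: str               # question 1
    exposure: str             # question 2
    options: list[Mitigation] # question 3

    def score(self) -> int:
        return IMPACT[self.impact] * EXPOSURE[self.exposure]

    def shortest_path(self) -> str:
        # Assumption: "shortest" means the option with the fewest dependencies.
        if not self.options:
            return "none-identified"
        return min(self.options, key=lambda m: len(m.dependencies)).kind

def migration_order(systems):
    """Highest risk first; ties go to the higher-impact system, then by name."""
    ranked = sorted(systems, key=lambda s: (-s.score(), -IMPACT[s.impact], s.name))
    return [(s.name, s.score(), s.shortest_path()) for s in ranked]

# Constructed sample inventory (hypothetical systems and dependencies).
INVENTORY = [
    System("hr-wiki", "reputational", "internal", []),
    System("marketing-site", "reputational", "public",
           [Mitigation("algorithm-swap", ["CDN TLS config"])]),
    System("scada-historian", "life-safety", "internal",
           [Mitigation("algorithm-swap", ["PLC firmware", "vendor certificates"]),
            Mitigation("isolation", [])]),
    System("payments-api", "financial", "public",
           [Mitigation("software-update", ["TLS library release", "HSM firmware"]),
            Mitigation("pq-tunnel", ["edge tunnel client"])]),
]

if __name__ == "__main__":
    for name, score, path in migration_order(INVENTORY):
        print(f"{score:>2}  {name:<16} {path}")
```

A system that comes back as `none-identified` is an inventory gap to close, not a system that is safe to skip.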
