Understanding Market Transitions and Quantum Technologies
The Sequoia Arc Product-Market Fit (PMF) framework categorises the relationship between products and markets into three archetypes. I use it a lot. It never falters, even after so many years. It’s still my go-to model for PMF when working with clients. It is easy for them to understand where their product “fits” in the market.
- Hair on Fire: A product meets an urgent, high-demand problem, requiring immediate differentiation in a competitive landscape.
- Hard Fact: The product solves a deeply ingrained market problem, becoming the standard. Innovation here requires challenging the status quo.
- Future Vision: A visionary product redefines the market, initially appearing futuristic but with the potential for a significant impact.
Although my favourite PMF stalwart, it doesn’t really lift the lid on category creation, which is where the smart money plays, nor does it shed light on the ideal timing of a market entry.
Let’s cue market transitions.
The Importance of Market Transitions
While the Arc framework is insightful, it underemphasises the importance of recognising market transitions from one state to another.
The times when products and their categories change state (the shifts between “Hair on Fire,” “Hard Fact,” and “Future Vision”) often present the greatest opportunities for innovation and growth, as well as the most danger for fat and happy incumbents.
But what about new opportunities, like Quantum Technologies—still a distant pipe dream in the perception of many, but in reality, just on the cusp of actualisation?
The most exciting for the PMF nerd in me right now is PQC, or Post-Quantum Cryptography, but also the impact it will have on CyberSecurity in general.
Why?
Because it is about to go through a change so ravenous in its nature that its big incumbents will become bit players, and new PQC players with real solutions will be spewed into greatness and market prominence like a volcano’s pyroclastic flow covering the dead companies that failed to change and adapt fast enough.
PQC - Today It Is a Hard Fact Market
Quantum security solutions, like quantum cryptography, can redefine industries by replacing outdated methods and strengthening the way that existing cybersecurity is done.
Yet, many cyber experts are still blissfully unaware of the quantum threat that PQC addresses—some still don’t know what PQC is. Generally, it’s positioned as a far-off future problem.
The hard fact is that what we have now works, no need to panic.
And here comes the change.
The Conundrum
The industry generally accepts that somewhere between 10,000 and 15,000 qubits of quantum processing power will smash through encryption like a knife through butter.
When these quantum computers hit this threshold, the electronic keys that keep your bank account and data communication safe will be cooked.
A quantum computer will be able to break the encryption with existing quantum algorithms, allowing the cybersecurity baddies to hack in, crack the encryption, and harvest the data.
Quantum computers are not a replacement for your PC; you can think of them as a separate processing unit or chip that is incredibly good at certain types of very hard number-crunching applications (a dramatic simplification).
Except right now, quantum computing is not a chip, at least not yet.
Many quantum computers are like golden, upside-down, two-tonne wedding cakes that require a complex ecosystem of cooling, error correction, storage, and intense fiddling with to get anywhere near accurate results.
But that is changing, and it’s changing faster than expected.
Cracking Existing Encryption
It is likely that at some point in the future, they will be able to crack your standard encryption, the data locks and keys people use in their networks, IT infrastructure, and personal data, all quickly unpicked with a 10K stable qubit quantum computer.
Now, this is unlikely to be a spotty kid in his bedroom hacking your network with a quantum computer—not beyond the realms of reality, but unlikely.
It will be malicious “state actors” (the countries full of James Bond-like baddies) that will use quantum computers to crack all of the cryptography; the financial system, government, pharmaceutical, communications and defence organisations will be top targets.
Why?
Bad actors don’t want your data to understand your cheese preferences.
They want to seed it on the dark web, in the hope of destabilising the trust in financial systems and governments, causing chaos in the target country.
Why else?
To steal the IP and give it to their own companies and allies.
So What Do You Need to Do?
Teams like our own at Quantum Security Defence, which provide a forum for knowledge exchange between quantum and cybersecurity professionals, are growing fast as cybersecurity pros scramble to understand the full impact of PQC and try to work out when the promised “QDAY” (the day when a nation-state can crack your encryption) will darken our door (if it’s not actually here already).
So right now, we are at Hard Fact: existing cryptography works, and the risk is in the future.
Except for one thing. It’s not.
When you have all of the resources at your fingertips to conduct nation-state cyber-attacks, you can just steal the data now and decrypt it later.
Steal the data, open it later when you can crack the key.
This type of attack is called Harvest Now Decrypt Later.
Well, without delving into the world of the paranoid android, I can confidently tell you without breaking any trust that HNDL (Harvest Now Decrypt Later) attacks are happening right now.
Of course, you don’t need either quantum or HNDL attacks to steal and disrupt—any decent CISO will confirm that it’s a veritable sh*t show when it comes to data security as it is.
But as a CISO, Q-Day may just be the day to choose another profession.
Open Kimono
Because when the encryption is worthless, it’s going to be “Open Kimono”—a field day for criminals who will be given a “bounty of plenty” posted on the dark web by the state baddies intent on destabilising your country.
With NIST releasing the PQC Algorithm standards and with GCHQ stating that it’s probably prudent to start planning your upgrade, it is time to sit up and listen.
So What Does This Mean in Terms of Product-Market Fit and Transition?
Transition to “Future Vision” - From 2025 to 2026
Quantum cybersecurity training is already booming, but with just a few qualified players, options are limited.
Bringing in specialist consultancies like Cystel or Qubo to train your people, brief your executives, and start pulling together a plan of action now is also a good idea.
Full disclaimer, I am a director of QSECDEF, but I also have incredibly high regard for Cystel and Qubo and wouldn’t hesitate to recommend them for in-person training.
Either way, you need specialists that really understand both Quantum and CyberSecurity to guide you.
The Importance of a Cryptographic Audit
You can’t manage what you can’t measure.
I would say 95% of companies do not have a clue what the state of their cryptographic assets is right now or where they are.
Perhaps they have a spreadsheet or two kicking around, but most will be blissfully unaware that something connected to a legacy core banking app uses RSA encryption, and if you think all biometric encryption is symmetrically encrypted with the latest and greatest, sorry, but that’s just not accurate.
So the MO for Your Baddies?
Simply harvest the data, get your friendly nation-state to break it with the quantum computer they don’t have yet, “honest”.
Power up your deep fake engine, and as a cyber-criminal, you are off to the races.
The Rush to the Future Vision
2025 will be an extreme rush for banks, telecoms companies, and government departments to conduct a full cryptographic audit.
The problem is that when it comes to the practicality of an operational environment, there are few PQC audit solutions.
The ones that do exist are incredibly expensive, highly complicated, and often don’t work.
I approach this from an operational environment, and like most operational teams, the thought of external consultants being on-site for years raises alarm bells when it comes to solution validity.
Time and Efficiency Are the Average CISO’s Hot Buttons
As a CISO or an IT Network or Ops director, you really want two things from a platform:
A) Integrate with your existing infrastructure without $10M of budget blown.
B) Provide the ability to deliver a quick, pragmatic, and scored scan of your quantum cryptographic threat so you have a starting point for a fix.
Time and efficiency are critical for a CISO; they have a knack for slicing through BS.
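To make the idea of a scored scan concrete, here is an added example (not from any vendor or product named in this article) that ranks a cryptographic inventory by quantum exposure and emits JSON for existing ops tooling. The asset names, the 0-100 weights and the five-year Q-Day horizon are all assumptions made for illustration.

```python
import json

# Public-key algorithms that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# NIST-standardised post-quantum algorithms (FIPS 203, 204 and 205).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Constructed sample inventory: asset names and data lifetimes are hypothetical.
INVENTORY = [
    {"asset": "core-banking-gw", "use": "key_exchange", "alg": "RSA", "size": 2048, "data_life_years": 15},
    {"asset": "web-frontend", "use": "key_exchange", "alg": "ECDH", "size": 256, "data_life_years": 1},
    {"asset": "code-signing", "use": "signature", "alg": "ECDSA", "size": 256, "data_life_years": 0},
    {"asset": "backup-vault", "use": "bulk_encryption", "alg": "AES", "size": 128, "data_life_years": 10},
    {"asset": "vpn-pilot", "use": "key_exchange", "alg": "ML-KEM", "size": 768, "data_life_years": 10},
]

def score(entry, years_to_qday=5):
    """Return (score, reason); the 0-100 weights are illustrative assumptions."""
    alg = entry["alg"].upper()
    if alg in PQC:
        return 0, "post-quantum algorithm"
    if alg in SHOR_BROKEN:
        if entry["use"] == "signature":
            # Harvested ciphertext is the HNDL target; signatures are only
            # at risk once a capable quantum computer actually exists.
            return 40, "forgeable after Q-Day; migrate before then"
        if entry["data_life_years"] >= years_to_qday:
            return 100, "HNDL: traffic recorded today is still sensitive at Q-Day"
        return 70, "quantum-breakable key exchange; data is short-lived"
    if alg == "AES":
        # Grover's algorithm roughly halves the effective key length.
        if entry["size"] < 256:
            return 20, "symmetric key below 256 bits"
        return 0, "AES-256 keeps an adequate margin"
    return 50, "unclassified algorithm; review manually"

def audit(inventory, years_to_qday=5):
    """Score every entry and return rows sorted worst-first for export."""
    rows = []
    for entry in inventory:
        points, reason = score(entry, years_to_qday)
        rows.append({"asset": entry["asset"], "alg": entry["alg"],
                     "score": points, "reason": reason})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

if __name__ == "__main__":
    # JSON output can be piped into whatever ops tooling already exists.
    print(json.dumps(audit(INVENTORY), indent=2))
```

The ranking separates key exchange protecting long-lived data, which is exposed to Harvest Now Decrypt Later today, from signatures, which only need replacing before a capable machine exists.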
The tools I have seen are incredibly complicated.
I don’t want to use the term “over-engineered,” but some certainly are over-engineered.
Few “quantum engineers” have the first clue about how a CISO or IT operations team go about their daily job.
A threat engine on an LQM / LLM is sexy, but operations teams need to be able to pull a cryptographic topology quickly and get it quickly and firmly integrated into their existing operations environments.
An operations director or CISO wants to consolidate screens, not deploy more.
They want to pipe topology data into the existing RCA or causal analysis tools they are using now; they don’t have six months for a lab test.
They don’t want a two-year, 100-consultant engagement.
With this in mind, I have only seen two solutions that I can see provide a pragmatic solution.
My favourite is undeniably QryptoCyber. It works, and it is quick to deploy, snaps into your existing ops environment, and does the job today. It also has exportability of the topology into existing operational systems.
QuSecure, possibly a little less operationally friendly, also provides a strong, pragmatic solution.
Pragmatically, words like SDK, ToolKit, Lab Mode, LQM engine, and LLM analysis give me the shivers. They correlate with words like “long, complicated, expensive, convoluted, complex” in the minds of operational budget holders.
The priority for companies in 2025 will absolutely be to get a full, rapid, and working solution in place for continuous cryptographic audit.
Hair On Fire - 2026 Onwards
By 2026, the rush to conduct a very urgent cryptography audit will be almost unbearable. Stragglers to the party will be paying top dollar to get it done.
Further innovations and inventions in Quantum Computing, like Quantum Dots from Diraq and many others, will have further improved the quantum computing capability.
Innovations in hybrid quantum and HPC environments, and virtualisation, will have moved forward.
Perhaps we will be at 5,000 stable qubits—it is not outside the realms of reality. 10,000? Pushing it, but still just possible with exceptional innovation.
Those that had the foresight to deploy their cryptographic audit tool in 2025 will now be busy shoring up their existing cryptography; those that didn’t will be in a mad panic to do so.
From 2026, there will be an incredible technology spend in upgrading, changing, deploying, and chasing vendors for updates and improvements to fix existing cryptography that falls outside of the NIST PQC standards.
This is when the large majority of the market activity will happen. Upgrades, cryptographic wrappers, technologies, general deployment of QRNG, and software for pretty much everything that sits outside of the standards will all need upgrading, change management, fixing, and patching up. The Hair on Fire transition will hit in 2026.
In Summary
My timelines are dependent on the development of qubit processing capability, which may be 5 years, it may be 10—it’s subjective, and opinions differ.
- 2024: Companies need training and education in PQC now. QSECDEF/Cystel provide consulting and training. HNDL attacks are happening now.
- 2025: Companies need to have a quick, easy, and deployable solution for cryptographic audit in days, not years, so they can start planning the upgrade now. QryptoCyber, QuSecure, Qsysteme may be the early go-to products. HNDL attacks increase.
- 2026: Companies that have complicated, over-engineered solutions for cryptographic audit and analysis, reporting, and AI will benefit in the Hair on Fire stage when there will be more customers than vendors and services capable of delivering solutions.
- 2027: CyberSecurity companies that haven’t got a strong crypto agility position will start to be replaced by those that do, going the way of Blockbuster that didn’t see Netflix coming.
- 2028: Crypto agility will be firmly embedded into your office buzzword bingo.
- 2030: Probably 10,000 stable qubits, your existing RSA encryption is cooked. Companies that failed may fail.
Who Am I
My name is Steve. I run WizzWang, a management consultancy that helps investors in AI, Advanced CyberSecurity, and Quantum companies understand their product-market fit, plan effective G-T-M, and optimise their revenue yields.
You can find me buried under 4000 AGI pitch decks that will change the world because they have massive SOMs automating tasks that should never be automated, reading about Quantum.