Free Tool · Quantum Security
HNDL Risk Estimator
Seven questions. An instant estimate of your organisation's Harvest Now, Decrypt Later exposure. No account required. Results appear on this page. No email needed.
- Runs entirely in your browser: nothing is stored or transmitted
- Based on the Mosca inequality framework (University of Waterloo, Institute for Quantum Computing)
- Score range 20-100 across four risk tiers
Your answers are used only to calculate your score. No email address, company name, or IP address is collected as part of this assessment. Anonymised scores are pooled with other responses to produce sector-level benchmarks, for example average scores across financial services organisations. Any PDF report you download is generated in your browser and is not stored on any server. You can choose to download the PDF report after the tool is completed. If you choose to enter your email address, that information is stored separately and only used to send you the updates you asked for.
What this tool collects
This tool collects your assessment answers and calculates a score. All of this happens in your browser. Your answers are not sent to a server for processing.
Anonymised benchmarking
The anonymised score from your assessment may be used to build sector-level benchmarks. For example: organisations in the financial services sector score an average of 54. No personal information, company name, or IP address is attached to this data. You cannot be identified from it.
What is not collected
Your IP address is not collected or stored. Your company name is not collected unless you choose to enter it when downloading a PDF report. Your email address is not collected unless you choose to provide it to receive updates.
PDF reports
If you choose to download a PDF report, it is generated entirely within your browser using your answers. The report is not sent to or stored on any server. Once you download it, the data stays with you.
Email addresses
An email address is only stored if you voluntarily opt in to receive notifications or updates. Providing your email address is never required to use this tool or to view your results. Your email address is not shared with third parties or used for advertising.
Third parties
Your data is not sold to third parties. Your data is not shared with advertising networks. Your data is not used for any purpose other than those described here.
How this tool works
The HNDL Risk Estimator scores your organisation across five weighted factors that determine Harvest Now, Decrypt Later exposure. HNDL is a prospective risk: adversaries collect encrypted data today on the assumption they will be able to decrypt it once sufficiently capable quantum computers exist.
The scoring formula is based on the Mosca inequality: if the time until a cryptographically relevant quantum computer exists is less than the time needed to migrate to quantum-safe cryptography plus the required confidentiality lifetime of your data, you have a quantum security problem today.
Scoring formula: Score = (Lifetime × 0.30 + Sensitivity × 0.25 + Accessibility × 0.20 + Attractiveness × 0.15 + Adversary × 0.10) × 20, plus regulatory uplift
The tool does not audit your cryptographic infrastructure. It provides a directional estimate of HNDL exposure based on the data your organisation holds and transmits and the adversaries it faces.
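The scoring formula and the Mosca check above, as an added JavaScript example (not the tool's own source code). The 1-5 answer scale, the uplift as a caller-supplied number of points, the cap at 100 and all sample inputs are assumptions; the page gives only the weights and the 20-100 range.

```javascript
// Added example, not the tool's source. Weights are the page's, held as
// integer percentages so the arithmetic stays exact.
const WEIGHTS = { lifetime: 30, sensitivity: 25, accessibility: 20,
                  attractiveness: 15, adversary: 10 };

// Assumption: every factor is an integer answer from 1 to 5 (implied by the
// page's 20-100 range). Assumption: the uplift is a number of points supplied
// by the caller and the total is capped at 100; the page gives no magnitude.
function hndlScore(factors, regulatoryUplift = 0) {
  const contributions = {};
  let base = 0;
  for (const [name, weightPct] of Object.entries(WEIGHTS)) {
    const value = factors[name];
    if (!Number.isInteger(value) || value < 1 || value > 5) {
      throw new RangeError(`${name} must be an integer from 1 to 5`);
    }
    // value x (weightPct / 100) x 20 simplifies to value x weightPct / 5.
    contributions[name] = (value * weightPct) / 5;
    base += contributions[name];
  }
  // The factor contributing the most points to the base score.
  const dominant = Object.keys(contributions)
    .sort((a, b) => contributions[b] - contributions[a])[0];
  return { score: Math.min(100, base + regulatoryUplift), base, contributions, dominant };
}

// Mosca inequality as the page states it: exposed when the time until a
// cryptographically relevant quantum computer (CRQC) is less than
// migration time + confidentiality lifetime. A positive gap means exposed.
function moscaGapYears(confidentialityYears, migrationYears, yearsToCrqc) {
  return confidentialityYears + migrationYears - yearsToCrqc;
}

// The CRQC date is uncertain, so test several estimates and return those
// under which the organisation is already exposed.
function exposedUnder(confidentialityYears, migrationYears, crqcEstimates) {
  return crqcEstimates.filter(
    (z) => moscaGapYears(confidentialityYears, migrationYears, z) > 0);
}

// Constructed sample answers and planning figures, for illustration only.
const sample = hndlScore(
  { lifetime: 5, sensitivity: 4, accessibility: 3, attractiveness: 2, adversary: 1 });
console.log(sample.score, sample.dominant);
console.log(exposedUnder(10, 5, [8, 12, 15, 20]));
```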
What sector does your organisation operate in?
This helps contextualise your result. Different sectors face different regulatory requirements and have different norms for data retention. Select the closest match.
This answer helps tailor your results. Nothing is transmitted from your browser.
How long does your most sensitive data need to stay confidential?
Think about your most important records: contracts, personnel files, health records, financial histories, intellectual property, classified communications. If someone captured encrypted copies of this data today and could read it in 10 years, would that matter? Select the longest confidentiality requirement that applies.
How sensitive is the data your organisation handles?
HNDL risk depends not just on whether data is encrypted, but on what it would reveal if decrypted. Consider the most sensitive category your organisation holds, not just your average data. Personal health records, legal advice, classified communications, and financial intelligence all carry higher consequence if exposed.
How accessible is your organisation's data to interception?
This is not about whether your encryption is strong. Modern encryption is not practically breakable with today's computers. It is about whether an adversary has opportunities to capture your encrypted data as it moves across networks. Data that travels only within a tightly controlled private network is much harder to intercept in bulk than data crossing public internet links, cloud provider peering points, or telecommunications backbones.
How attractive is your organisation as a bulk data collection target?
Well-resourced adversaries prioritise their collection efforts. They target organisations that hold large volumes of high-value data. Even if your encryption is strong, being a high-value collection target increases the probability that your encrypted data is already being stored. Consider whether your organisation processes or holds data in a way that would make it a priority collection target for a determined state-level adversary.
How relevant is a sophisticated state-level adversary to your organisation's threat profile?
HNDL is primarily a nation-state threat. It requires the capability to intercept data at scale, store it for years, and eventually run a cryptographically relevant quantum computer. Not every organisation faces this adversary. A regional business with no government contracts, no defence connections, and no critical infrastructure role faces a much lower HNDL risk than a NATO defence supplier or a central bank.
How regulated is your organisation's data handling?
Some organisations face formal legal or regulatory requirements to protect data confidentiality. These requirements create independent obligations beyond the technical risk. Select the description that best reflects the regulatory context your organisation operates in.
Your HNDL Risk Estimate
PDF reports are generated in your browser. Nothing is uploaded or stored.