Free Tool · Quantum Security
PQC Decision Tree
Six questions. An instant assessment of which post-quantum cryptography concern is most relevant to your organisation. No account required. Results appear on this page.
- Runs entirely in your browser: nothing is stored or transmitted
- Branching questions: only the questions relevant to your situation are shown
- Routes to one of six outcome categories with a specific recommended next step
Your answers are used only to determine your outcome. No email address, company name, or IP address is collected as part of this assessment. Any PDF report you download is generated in your browser and is not stored on any server. If you choose to enter your email address in the newsletter form, that information is stored separately and only used to send you the updates you asked for.
What this tool collects
This tool collects your assessment answers and evaluates them against the outcome rules. All of this happens in your browser. Your answers are not sent to a server for processing.
What is not collected
Your IP address is not collected or stored. Your company name is not collected unless you choose to enter it when downloading a PDF report. Your email address is not collected unless you choose to provide it to receive updates.
PDF reports
If you choose to download a PDF report, it is generated entirely within your browser using your answers. The report is not sent to or stored on any server. Once you download it, the data stays with you.
Third parties
Your data is not sold to third parties. Your data is not shared with advertising networks. Your data is not used for any purpose other than those described here.
How this tool works
The PQC Decision Tree routes your organisation to the post-quantum cryptography concern most relevant to your situation. It is not a risk score. There is no numerical output. The design is intentional: many organisations at the awareness stage need a clear statement of which problem is theirs, not a weighted aggregate they cannot yet interpret.
Questions branch based on your answers. If you indicate no long-lived sensitive data, you will not see the follow-up questions about certificates and devices. The shortest path is three questions; the longest is eight. Most paths complete in under two minutes.
Six outcomes cover the primary PQC concern categories: low immediate relevance, long-lived data exposure, trust infrastructure, regulatory obligation, migration complexity, and broad readiness required. Each outcome maps to the most appropriate next step.
Does your organisation hold or transmit sensitive data that needs to remain confidential for a significant period of time?
Think about your most important records: contracts, personnel files, health records, financial transaction histories, intellectual property, legal documents, classified information. The key question is: if someone captured encrypted copies of this data today and could read it in 10 years, would that cause material harm?
Nothing is transmitted from your browser.
Does your organisation issue, manage, or depend on digital certificates, code signing, firmware signing, or device identities in significant ways?
This covers TLS certificates for websites and APIs, code signing certificates for software releases, firmware signing for devices, certificate authorities (CAs) you operate or rely on, and identity certificates in access management systems. The question is about how central these are to your operations, not just whether they exist.
Does your organisation build, operate, or maintain devices, firmware, embedded systems, or industrial control systems?
This includes IoT devices, medical devices, industrial control systems, operational technology (OT), network equipment, and any hardware that uses certificates or cryptographic keys baked in at manufacture and is difficult to update remotely. The concern is about the cryptographic lifetime of the device: a device in service for 10 years will outlast the safety window for current asymmetric algorithms.
Does your organisation operate in a regulated industry or under contracts that include cybersecurity or cryptography requirements?
This covers financial services regulation (PCI DSS, DORA), healthcare regulation (HIPAA, NHS Digital standards), government and defence standards (NCSC Cyber Essentials Plus, ISO 27001 in regulated contexts, government procurement frameworks), critical infrastructure requirements, and any contracts with quantum-readiness or cryptographic standard clauses. If your organisation is subject to external audit of your cryptographic practices, answer Yes.
How dependent is your organisation on external vendors for the cryptographic services that protect your most sensitive systems?
This means cloud key management services (AWS KMS, Azure Key Vault, Google Cloud KMS), hardware security modules (HSMs) provided or managed by third parties, SaaS platforms whose encryption capabilities you cannot directly configure, or telecommunications providers whose network encryption you rely on. If your organisation's ability to migrate cryptography depends on decisions made by your vendors, that dependency is relevant here.
Does your organisation operate legacy systems or systems that are difficult to update?
This means systems that run outdated operating systems or software, embedded systems with fixed cryptographic libraries, industrial control systems with long refresh cycles, or any critical infrastructure that cannot be updated without significant downtime or capital expenditure. If your organisation is running systems that were deployed 10 or more years ago and are still in production, consider them legacy for this purpose.
Need a structured PQC assessment?
The Decision Tree identifies your primary concern. The PQC Risk Assessment scores your organisation across all risk domains and produces an evidence base for executive decision-making.