Developers know they need to migrate to post-quantum cryptography but have no visibility into where vulnerable crypto (RSA, DH, ECC) lives across their codebase, dependencies, and infrastructure.
A CLI/CI tool that scans source code, configs, TLS endpoints, certificates, and dependency trees to inventory all cryptographic usage, flags quantum-vulnerable primitives, and generates a prioritized migration plan with PQC replacements.
Freemium - free open-source scanner for single repos, paid tiers for org-wide scanning, CI integration, compliance reporting, and remediation tracking
The pain is REAL but not yet ACUTE for most teams. Security leaders know PQC migration is coming, but there's no burning deadline for most industries yet. The pain signals you found ('still sleeping on it', 'gonna be scrambling') confirm awareness without urgency. Government/defense and financial services feel it most — everyone else is still in 'we should probably look into this' mode. Score will rise to 8-9 within 2-3 years as deadlines harden.
Every organization using cryptography (i.e., everyone) will eventually need this. TAM for crypto inventory/migration tooling is estimated at $2B+ by 2030. The immediate serviceable market is security teams at mid-to-large companies (50K+ potential orgs globally). Even the SMB tail is large. This is a 'picks and shovels during a gold rush' play — selling tools during a mandatory industry-wide migration.
Tricky. Enterprise security teams WILL pay ($50-200K/year) but have long procurement cycles. The developer/DevSecOps persona you're targeting is harder — they're used to free OSS tools and may not have budget authority. The freemium model helps, but converting free CLI users to paid org-wide licenses requires a strong enterprise sales motion. Compliance mandates will be the forcing function for budget, but those aren't fully in place yet for most sectors.
A solo dev can build a credible MVP CLI scanner in 4-8 weeks that greps codebases for crypto API calls (OpenSSL, BouncyCastle, Go crypto, Python cryptography lib), parses certificate chains, and checks the key exchange and certificate key types that TLS endpoints negotiate. That gets you 60% of the value. Even the grep layer needs two things to avoid being noise: it must separate the primitives Shor actually breaks (RSA, finite-field DH, ECDH/ECDSA) from symmetric ciphers and hashes, which only need larger parameters against Grover and should not be reported as "vulnerable"; and it must ignore comments, string literals and test fixtures that merely mention an algorithm name. The HARD parts that take it from toy to real: dependency tree deep scanning, binary analysis, accurate false-positive filtering, and generating genuinely useful migration plans (not just a list of findings). Network/infra scanning adds significant complexity. Start narrow.
This is the strongest signal. The market is bifurcated: expensive enterprise suites (IBM, SandboxAQ) that cost $100K+ and require sales calls, versus toy open-source regex scripts. There is NO middle-market, developer-first, CLI/CI-native PQC scanner with a self-serve freemium model. This is exactly the gap Snyk exploited in vulnerability scanning, and Trivy exploited in container scanning. The playbook is proven — just apply it to PQC.
Strong recurring dynamics: codebases change constantly (new dependencies, new crypto usage), PQC standards are still evolving (new algorithms, deprecation schedules), compliance requirements will tighten over time, and migration is a multi-year process needing continuous monitoring. CI/CD integration creates natural stickiness — once it's in the pipeline, it stays. Migration progress tracking is inherently longitudinal.
- +Massive clear gap between enterprise-only tools ($100K+) and useless OSS scripts — the 'Snyk for PQC' positioning is wide open
- +Regulatory tailwinds are guaranteed: NIST finalized FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA) in August 2024, government mandates are hardening, and compliance frameworks are updating. This market WILL grow
- +Developer-first CLI/CI approach matches how modern security tooling wins (Snyk, Trivy, Semgrep playbook)
- +Open-source-led growth can build community and credibility before needing enterprise sales
- +Once embedded in CI pipelines, extremely sticky with natural expansion from single repo to org-wide
- !TIMING RISK: The market may be 12-24 months early. Most orgs aren't actively migrating yet — you'll be selling preparedness to people who aren't scared enough. Could mean slow initial traction and long runway needed
- !IBM, SandboxAQ, or a well-funded startup could ship a developer-friendly tier and close the gap from above. SandboxAQ in particular has the resources and talent to go downmarket
- !Snyk, Semgrep, or an existing SAST/SCA vendor could add PQC scanning as a feature, instantly reaching millions of existing users — commoditizing your core value prop overnight
- !Accuracy is critical in security tooling — false positives erode trust fast. Building a scanner that's genuinely useful (not just noisy) requires deep crypto expertise
- !Enterprise sales cycle for security tooling is brutal — even with product-led growth, converting to paid org-wide licenses takes dedicated sales effort and time
Enterprise suite that scans Java/Python codebases, certificates, and network traffic for quantum-vulnerable cryptography. Part of IBM's broader Quantum Safe portfolio, integrated with z/OS and Cloud Pak. Generates a CBOM (cryptographic bill of materials).
AI-driven cryptographic management platform that discovers, inventories, and manages cryptographic assets across enterprise infrastructure. Scans code, network traffic, certificates, and cloud configs. Spun out of Alphabet in 2022.
Certificate lifecycle management platform expanding into PQC readiness. Focuses on PKI infrastructure, certificate inventory, and crypto agility for TLS/certificate migration. Strong in certificate and key management.
Was a standalone crypto analysis tool that could scan Java applications and network traffic for cryptographic usage. Created CBOM inventories and flagged weak or non-compliant crypto. Acquired by SandboxAQ in September 2022.
Scattered open-source tools and scripts that grep for crypto function calls
CLI tool (Rust or Go for speed and single-binary distribution) that: (1) scans a git repo for crypto API usage across the top 5 languages (Python, JS/TS, Java, Go, C/C++), (2) checks the TLS certificates and negotiated key exchange of configured endpoints, (3) outputs a CBOM-lite JSON report with quantum-risk ratings (vulnerable / needs-review / safe / unknown, where symmetric primitives get "needs-review" rather than "vulnerable" because they need larger keys, not replacement), ideally in the CycloneDX 1.6 format, which already defines a cryptographic-asset (CBOM) schema, so downstream tooling can consume it, (4) generates a markdown migration roadmap with specific PQC replacement recommendations per finding (ML-KEM for key establishment, ML-DSA or SLH-DSA for signatures). Ship as a single binary, publish to Homebrew/apt, add a GitHub Action. That's your MVP: 6 weeks, one dev.
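As an added illustration of the scanning, rating and roadmap steps above (example code written for this page, not code from the idea's MVP or from any of the vendors listed): a minimal Go scanner that runs a rule table over constructed source snippets in Go, Python and Java, skips comment lines, rates each hit as Shor-broken (vulnerable), Grover-affected (symmetric-review) or safe, emits an ad-hoc CBOM-lite JSON report and renders a prioritized markdown roadmap. The rule table, the rating vocabulary, the `cbom-lite/0.1` schema label and the three sample files are all assumptions made for the example; a real tool would carry a far larger pattern set and should emit CycloneDX 1.6 CBOM rather than this ad-hoc JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one CBOM-lite entry: where a primitive was seen, how it is
// rated, and what to migrate to. The rating vocabulary is an assumption.
type Finding struct {
	File        string `json:"file"`
	Line        int    `json:"line"`
	Primitive   string `json:"primitive"`
	Risk        string `json:"risk"`        // vulnerable | symmetric-review | safe
	Replacement string `json:"replacement"` // empty when nothing needs to change
	Evidence    string `json:"evidence"`
}

type rule struct {
	primitive, risk, replacement string
	re                           *regexp.Regexp
}

// Deliberately small rule table covering Go crypto, Python `cryptography`,
// OpenSSL and JCA spellings. Shor's algorithm breaks RSA/DH/EC outright;
// symmetric ciphers and hashes only lose margin to Grover, so they are rated
// separately instead of being lumped in as "vulnerable".
var rules = []rule{
	{"RSA", "vulnerable", "ML-KEM (FIPS 203) for key transport, ML-DSA (FIPS 204) for signatures",
		regexp.MustCompile(`(?i)\b(rsa\.GenerateKey|RSA_generate_key|RSA_new|rsa\.generate_private_key|RSAPublicKey|PKCS1_OAEP|RSA/ECB)`)},
	{"EC (ECDSA/ECDH)", "vulnerable", "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205) for signatures, ML-KEM (FIPS 203) for key agreement",
		regexp.MustCompile(`(?i)\b(ecdsa\.GenerateKey|ecdh\.(P256|P384|P521|X25519)|ec\.generate_private_key|EC_KEY_new|ECDSA_sign|SECP256R1|secp256k1|getInstance\("EC")`)},
	{"DH", "vulnerable", "ML-KEM (FIPS 203)",
		regexp.MustCompile(`(?i)\b(DH_new|DH_generate_key|dh\.generate_parameters|DHParameterSpec|getInstance\("DH")`)},
	{"AES", "symmetric-review", "keep AES but use 256-bit keys; Grover halves effective key strength",
		regexp.MustCompile(`(?i)\b(aes\.NewCipher|AES_set_encrypt_key|algorithms\.AES|AES/GCM|AES/CBC)`)},
	{"SHA-2", "safe", "", regexp.MustCompile(`(?i)\b(sha256|sha384|sha512)`)},
}

// scanSource applies every rule to every non-comment line of one file.
// Comment lines are skipped because "TODO: drop RSA" is the most common
// false positive a grep-based scanner produces.
func scanSource(file, src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "//") || strings.HasPrefix(t, "#") || strings.HasPrefix(t, "*") {
			continue
		}
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{File: file, Line: i + 1, Primitive: r.primitive,
					Risk: r.risk, Replacement: r.replacement, Evidence: t})
			}
		}
	}
	return out
}

var priority = map[string]int{"vulnerable": 0, "symmetric-review": 1, "safe": 2}

// prioritize orders findings so the roadmap lists Shor-broken primitives first.
func prioritize(fs []Finding) []Finding {
	out := append([]Finding(nil), fs...)
	sort.SliceStable(out, func(a, b int) bool { return priority[out[a].Risk] < priority[out[b].Risk] })
	return out
}

// Report is the CBOM-lite JSON document; the schema name is an assumption.
type Report struct {
	Schema   string         `json:"schema"`
	Summary  map[string]int `json:"summary"`
	Findings []Finding      `json:"findings"`
}

func buildReport(fs []Finding) Report {
	s := map[string]int{}
	for _, f := range fs {
		s[f.Risk]++
	}
	return Report{Schema: "cbom-lite/0.1", Summary: s, Findings: prioritize(fs)}
}

// migrationPlan renders the prioritized findings as a markdown roadmap.
func migrationPlan(fs []Finding) string {
	var b strings.Builder
	b.WriteString("# PQC migration roadmap\n\n")
	for i, f := range prioritize(fs) {
		fmt.Fprintf(&b, "%d. [%s] %s at %s:%d", i+1, f.Risk, f.Primitive, f.File, f.Line)
		if f.Replacement != "" {
			fmt.Fprintf(&b, " -> %s", f.Replacement)
		}
		b.WriteString("\n")
	}
	return b.String()
}

// Constructed sample inputs for the example; not a real repository.
var samples = []struct{ name, src string }{
	{"keys.go", "package main\n// RSA keys are rotated yearly; see rsa.GenerateKey docs\nimport \"crypto/rsa\"\nkey, _ := rsa.GenerateKey(rand.Reader, 2048)\nblock, _ := aes.NewCipher(k)\nsum := sha256.Sum256(data)\n"},
	{"keys.py", "from cryptography.hazmat.primitives.asymmetric import rsa, ec\n# legacy path, still reachable:\npriv = rsa.generate_private_key(public_exponent=65537, key_size=2048)\nec_key = ec.generate_private_key(ec.SECP256R1())\n"},
	{"Crypto.java", "Cipher c = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-256AndMGF1Padding\");\nKeyAgreement ka = KeyAgreement.getInstance(\"DH\");\n"},
}

func scanAll() []Finding {
	var all []Finding
	for _, s := range samples {
		all = append(all, scanSource(s.name, s.src)...)
	}
	return all
}

func main() {
	all := scanAll()
	js, _ := json.MarshalIndent(buildReport(all), "", "  ")
	fmt.Println(string(js))
	fmt.Print(migrationPlan(all))
}
```

Two design points carry over to the real thing: the rule table maps a hit to a concrete replacement, not just a severity, so the roadmap is actionable per finding rather than a list of line numbers; and the comment filter is the cheapest possible stand-in for the false-positive work the page calls hard, which in practice means parsing with a real language grammar instead of regexes.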
Free open-source CLI (single repo scanning, local reports) → Free tier on cloud dashboard (3 repos, basic history) → Team plan $49/repo/month (CI integration, org-wide dashboard, trend tracking) → Enterprise $500+/month flat (unlimited repos, compliance reports, SSO, remediation tracking, SBOM/CBOM export). Long-term: consulting/professional services for migration execution, not just scanning.
8-12 weeks to MVP and open-source launch. 3-6 months to meaningful GitHub stars and early adopter feedback. 6-12 months to first paying customer (likely a forward-thinking fintech or government contractor). 12-18 months to repeatable revenue if compliance mandates accelerate. This is a long-game bet — plan for 12-18 months of runway before meaningful revenue unless you land a design partner early.
- “most devs are still sleeping on it”
- “we need to start thinking about migration paths now”
- “gonna be scrambling to patch everything at once”
- “better to start experimenting with pq algorithms in non-critical systems now”
- “how can you prove your company fully rolled out post-quantum-resistant-encryption”