The Approach
A post-quantum migration built against a fixed list of threats breaks the moment the adversary adapts, and adapting is what adversaries do. They choose which algorithms to attack, what to harvest, and when, and they move after you've committed. The rigorous way to decide cryptography against an opponent who responds to your choices is game theory: it produces a portfolio weighted to hold up against their best response, not just against this year's threat estimate. That is what “decided like a portfolio” means, and it's why a single-algorithm migration is the most fragile move on the board.
Why Now
Harvest-Now-Decrypt-Later
Encrypted data collected today can be decrypted once quantum hardware arrives. For anything that has to stay secret for years, the relevant clock is the collection date, not the decryption date, and the collection date is now.
The Mosca’s Theorem Window
If your required confidentiality period plus your migration timeline already exceeds the quantum-window estimate, you're inside the risk window. Most organizations are. Most haven't run the number.
Trust and Integrity Exposure
A separate quantum attack breaks the digital signatures behind PKI, code signing, and certificate chains. If a certificate authority’s signature becomes forgeable, the blast radius is every system that trusts a certificate.
A cryptographic transition is won or lost in the unglamorous part: the inventory that's actually true, the sequence that survives contact with the vendor landscape, and the evidence that still holds when someone checks.
The Methodology
Cryptographic Inventory Strategy
Where cryptography exists across systems, data flows, and vendor dependencies, classified by Evidence Confidence: Verified, Documented, Inferred, Assumed, or Unknown. Every entry is traceable to the evidence that produced it.
HNDL and Non-HNDL Risk Registers
Long-term confidentiality exposure and trust and integrity exposure, separated and prioritized by business impact. Mosca’s Theorem applied to the actual data longevity profile. The underlying calculation is visible.
Board-Ready Roadmap
A phased, dependency-aware transition sequence that engineering can execute, procurement can use to pressure vendors, and the board can approve with appropriate investment framing.
Portfolio Equilibrium Strategy
How to weight a hybrid set of algorithms so no single break sinks the estate. A game-theoretic model turns the migration from a one-algorithm bet into a defensible portfolio position, scored against an adversary who also gets to move.
Who This Is For
You already know this is going to land on your desk. The work here is making sure that when it does, you have an answer you can stand behind, not a guess you have to defend. The leaders who work with LaMarr Labs choose to handle it on their watch rather than leave it to a successor.
HIGHEST TIMELINE PRESSURE
Financial Services
The BIS, G7 Cyber Expert Group, and NCSC have published explicit quantum-readiness roadmaps for this sector. The regulatory case for starting now already exists. The advisory gap is operational.
LONGEST DATA HORIZONS
Life Sciences
Genomic data, longitudinal health records, proprietary research, and clinical trial data have the longest required confidentiality horizons of any commercial sector. The data longevity math is unforgiving.
VENDOR-CONTROLLED SURFACES
Complex Enterprise
Organizations with managed PKI, cloud KMS, SaaS identity providers, CDNs, and code signing platforms face a version of this problem that internal scanning cannot solve. The real blockers are in vendor roadmaps.
SELECTIVE BY DESIGN
The work is built for a specific situation, so a few engagements are a better fit elsewhere: organizations seeking compliance checkbox documentation without underlying governance, early-stage companies whose cryptographic infrastructure will be migrated by vendors, and engagements where the primary goal is implementation rather than transition governance.
The Perspective Behind This Work
Built From Inside the Systems Being Protected
Addie LaMarr spent 8 years as a COMSEC Specialist in the United States Air Force, managing Wing-level cryptographic systems under NSA directives. After the Air Force, she advised the FBI CISO and the Office of Justice Programs CISO at the Department of Justice, and contributed directly to the NIST High Value Asset federal cybersecurity policy framework.
This work comes from eight years of direct operational exposure: managing classified cryptographic systems under NSA directives and seeing where enterprise cryptographic governance breaks down in practice.
Reverse-engineering the academic model behind the firm's portfolio tooling surfaced an error the paper's own authors confirmed in writing.
FOUR CLIENTS PER QUARTER · EVERY BRIEFING PERSONALLY CONDUCTED