Work With Us

Three engagements, one ladder, each fixed in scope and fixed in fee, each built so the output survives contact with the board, regulator, engineering team, and vendor. Most organizations start with the baseline: it answers the urgent question and tells you whether you even need the rest.

Where to start

Before committing to a full transition program, you need one thing: an accurate, defensible picture of where you actually stand. The baseline produces it in a bounded 6 to 8 weeks, by building a CycloneDX-aligned Cryptographic Bill of Materials from working sessions with your system owners and verification against sanitized logs, rather than asking and writing it down. You leave knowing your real exposure, what to address first, and whether the full blueprint is even warranted. It turns an open-ended board question into a decision.

Start with a briefing →
A

ENTRY DIAGNOSTIC

Quantum Risk and Cryptographic Exposure Baseline

What it does for you: you walk into the board meeting able to say exactly where you stand, prove it to a regulator, and decide what comes next, without betting the program on a guess. It takes an open question off your desk and replaces it with an answer that holds up under scrutiny.

An organization with board reporting obligations on quantum risk, a regulatory environment that is beginning to ask questions, or an upcoming audit that will touch cryptographic posture needs one thing first: an accurate picture of where the exposure actually is.

This engagement produces that baseline in a bounded, time-fixed scope: a configuration-layer cryptographic inventory, the HNDL and Non-HNDL risk profile, a portfolio-readiness read, and a board-ready memorandum that quantifies the exposure as a decision the board can act on. Written for the board and defensible to the regulator. This is the document that lets leadership understand the exposure and commission the transition work that follows.

STRUCTURE

Fixed scope · Fixed fee

DURATION

6–8 weeks

FEE

Scoped to organizational complexity

WHAT THIS ENGAGEMENT INCLUDES

  • Quantum risk framing calibrated to data longevity profile and operational environment
  • A CycloneDX-aligned Cryptographic Bill of Materials (CBOM): drafted from working sessions with your system owners, then confirmed against sanitized logs and configurations and graded by Evidence Confidence per record. TLS is read at the configuration layer specifically, because a scan sees what a connection negotiates, not the weak fallbacks the configuration still permits
  • HNDL and Non-HNDL risk classification for in-scope systems, with Evidence Confidence documented per finding
  • Which cryptographic surfaces sit outside your direct control, flagged from the inventory itself, so you know what you can move yourself and what is gated behind a vendor
  • A portfolio-readiness read: where a single-algorithm migration would leave you fragile, and where a hybrid strategy is warranted
  • Board-ready risk and investment memorandum, with HNDL exposure quantified as a board-actionable liability, framed in business impact language

WHO THIS IS FOR · CISOs and CTOs with board reporting obligations on quantum risk, organizations entering a regulatory environment beginning to require documented PQC readiness posture, and leadership teams that need a defensible starting point before committing to a full transition program.

Addie LaMarr leads every Baseline engagement personally.

A redacted sample Board-Ready Risk & Investment Memorandum is available to read in full.

Read the sample →
B

FLAGSHIP ENGAGEMENT

Quantum-Ready Cryptography Transition Blueprint

What it does for you: the whole transition becomes a plan your board can approve, your engineers can execute, and your procurement team can hold vendors to, including the systems that cannot be migrated.

The Blueprint takes you from no visibility to a board-approved, engineering-executable, procurement-usable transition plan. The entire QRMF runs across the engagement: a full CBOM inventory built with your system owners and verified against logs, HNDL and Non-HNDL risk registers, vendor dependency and leverage assessment, the scored risk model, action routing with ownership, and the phased roadmap. And the decision at the center, which cryptography to trust and in what mix, is solved as a portfolio equilibrium, not a single-algorithm bet.

STRUCTURE

Fixed scope · Fixed fee

DURATION

8–12 weeks

FEE

Scoped to organizational complexity

DELIVERABLES AT STAGE 10

  • Cryptographic Inventory Strategy (the CBOM)

    A complete, CycloneDX-aligned Cryptographic Bill of Materials mapping every cryptographic asset across systems, data flows, and vendor dependencies, normalized to algorithm level, with an Evidence Confidence grade on every record and every Unknown labeled.

  • Prioritized Risk Model

    HNDL and Non-HNDL risk registers in executive language, scored by business impact, data longevity, and migration complexity, with Mosca's Theorem applied to the actual environment.

  • Portfolio Equilibrium & Hybrid Strategy

    The recommended cryptographic portfolio, computed as a Stackelberg equilibrium against an adapting adversary: which algorithms, in what mix, weighted so no single break sinks the estate, with the rationale a board can approve. The decision a single-algorithm migration cannot defend.

  • Vendor Autonomy Gap Analysis

    How much of the cryptographic estate you can migrate yourself versus what is locked behind vendor roadmaps, quantified as the percentage that is ungovernable without vendor action, with the leverage points to change it.

  • Plan for What Can't Be Upgraded

    Some of the estate can't be migrated on the timeline: legacy applications, OT controllers, IoT fleets, and vendor-controlled middleware stay quantum-vulnerable while the rest moves. The roadmap covers how to protect them in place, compensating controls, isolation, and transparent-proxy architectures that run quantum-resilient key establishment on their behalf, with a documented per-segment risk bound.

  • Board-Ready Roadmap

    A phased, dependency-aware transition plan with wave sequencing, decision gates, vendor escalation requirements, the migration architecture selected per environment type, and an investment narrative.

  • Governance Operating Model

    Decision rights, escalation paths, quarterly review cadence, and vendor accountability structure for the multi-year horizon PQC migration requires.

Addie LaMarr leads the governance design, executive alignment, and board deliverable review on every Blueprint engagement.

D

ONGOING ASSURANCE

Quantum Risk Governance Retainer

What it does for you: the program stays current and defensible as NIST, your vendors, and your estate all keep moving, without you re-learning the landscape every quarter.

A roadmap is a point-in-time document, and the post-quantum landscape doesn't hold still: NIST revises standards, vendors shift roadmaps, your estate changes, and the threat model moves. The Governance Retainer keeps the whole transition governance current as it does, so the program stays defensible between engagements, not only at the moment one closes.

It sustains the Governance Operating Model built during the engagement, keeps the inventory, the vendor posture, and the portfolio current as the landscape moves, and gives you decision support when a standard, a vendor, or an audit forces a call, capped at defined hours, with defined response windows and explicit exclusions.

This is an access retainer: structured around capped hours, defined response windows, and explicit scope boundaries. Offered selectively to organizations that have completed an initial engagement and have an established transition governance structure.

STRUCTURE

Monthly retainer

TERM

6–12 month basis

FEE

Scoped to governance requirements

WHAT THIS COVERS

  • Quarterly board-memo refresh
  • Regulatory and standards monitoring: NIST, CNSA 2.0, and your sector's regulators tracked, with what each change means for your roadmap
  • Vendor posture reviews for critical dependencies, kept current
  • Portfolio re-balancing as standards and vendor roadmaps shift, so the hybrid strategy stays current
  • Inventory and risk-register updates as your estate changes, with evidence re-graded
  • Governance Operating Model upkeep: decision rights, escalation paths, and review cadence held current
  • Monthly decision support within capped hours and defined response windows
  • Direct access to Addie LaMarr. Every conversation is with the founder.

On the record

Every decision, finding, and recommendation is captured in a federal-audit-grade record: what was decided, the evidence behind it, and who owned it. When a regulator, an auditor, or the board asks how you reached an answer, you can show the trail, not just the conclusion. The work produces the proof that defends it.

That record is the Phase 1 Governance & Control Ledger, kept across the engagement and mapped to the control frameworks your auditors already use.

NIST SP 800-53ISO 27001SOC 2

WHAT LAMARR LABS DOES NOT DO

These boundaries are deliberate. With no tools to sell you and no implementation contract to win, the firm has nothing riding on what the roadmap recommends, so it can tell you which systems not to migrate, which waves to delay, and where to push a vendor harder. You get advice built around your outcome, not around the next thing being sold to you.

  • Does not design, sell, or implement cryptographic tools
  • Does not take hourly engagements or open-ended retainers outside a scoped structure
  • Does not run standing meetings, manage internal project tooling, or perform staff augmentation
  • Does not perform general cybersecurity assessments or compliance checkbox exercises

How an Engagement Begins

The briefing request initiates a 30-minute alignment conversation. We determine whether there is fit. If there is, a structured proposal follows with defined scope, fixed fee, and specific deliverables. If there isn't, we say that and recommend what the right next step is.

Request an Initial Briefing