Building a Cryptographic Inventory: Where to Start and Why It Matters
Introduction
You cannot manage what you cannot see. This principle has always been true in cybersecurity, and it applies with particular force to post-quantum cryptography readiness. Before any organisation can meaningfully plan a transition to quantum-resistant algorithms, it needs to understand where cryptography is currently used across its estate, what algorithms are in play, and which systems and data flows depend on them.
Standards bodies and national cybersecurity agencies now recommend building a cryptographic inventory — sometimes referred to as a Cryptographic Bill of Materials (CBOM) — as a foundational step in PQC readiness. This recommendation is consistent across NIST, ETSI, ENISA and the NSA’s CNSA 2.0 guidance. The message is clear: without visibility of your cryptographic landscape, any PQC planning is built on assumptions rather than evidence.
Yet for many organisations, the scale and complexity of this task is not immediately obvious. Cryptography is deeply embedded across modern IT environments, often invisibly, and the volume of cryptographic assets in use has grown far beyond what manual processes can track.
Why Cryptographic Visibility Is the Starting Point
Most organisations acknowledge that cryptography underpins their technical security controls and digital infrastructure. Encryption protects data in transit and at rest. Digital certificates authenticate users, devices and services. Signed code and firmware updates ensure the integrity of software deployments. These are not peripheral functions — they are fundamental to how the organisation operates.
Yet despite this fundamental dependency, the precise locations, functions and dependencies of cryptographic controls are often poorly documented or completely unknown. PKI environments have typically evolved organically over many years, with different teams deploying certificates for different purposes, using different certificate authorities and following different policies. The result is a fragmented cryptographic landscape with limited central oversight.
This limited visibility creates a significant problem for PQC readiness. If you do not know where cryptography is used, you cannot assess which systems are most exposed to quantum risk. If you do not know which algorithms are in use, you cannot determine where migration is needed. And if you do not understand the dependencies between cryptographic services and business processes, you cannot prioritise change without introducing unacceptable operational risk.
A cryptographic inventory addresses this gap. It provides the factual foundation on which all subsequent PQC planning, investment and execution decisions can be made.
The Scale of the Challenge
One of the reasons cryptographic inventory is often deferred is that organisations underestimate the volume of cryptographic assets in their environments. The numbers are significant.
A typical Microsoft Windows environment may contain between 80,000 and more than 500,000 certificates. These include certificates embedded within line-of-business applications, certificates shipped as part of the operating system’s trusted root store, and certificates deployed by enterprise PKI for internal authentication and encryption.
Red Hat Linux installations typically hold between 200 and 20,000 certificates, depending on the role and configuration of the system. iOS devices alone can contain between 40,000 and more than 200,000 certificates across the system trust store and any enterprise-deployed profiles.
These figures illustrate a critical point: the volume of certificates in modern environments has grown exponentially, and the traditional approach of managing them through spreadsheets, ad hoc scripts or manual tracking is no longer feasible. This is not a failure of diligence — it is a reflection of how deeply cryptography has become embedded in every layer of the technology stack.
As with activities like patching and anti-virus management, there comes a tipping point where the scale and complexity of the task simply cannot be handled manually. Cryptographic inventory management has now reached that point. Organisations that continue to rely on manual processes will find themselves unable to maintain the visibility needed to support a PQC transition.
Where to Start: A Practical Approach
While the ultimate goal is comprehensive visibility across the entire cryptographic estate, organisations do not need to attempt a full discovery exercise on day one. A phased approach is both practical and effective.
A useful starting point is to focus on externally facing systems and services. These are the systems most likely to be exposed to network-level interception and therefore most relevant to Harvest Now, Decrypt Later risk. Understanding which certificates protect your external interfaces, which algorithms they use and when they expire provides immediate, actionable insight.
An alternative — or complementary — approach is to describe a “day in the life” of key user personas within the organisation and identify where cryptography is involved. This exercise maps the cryptographic touchpoints encountered by different roles as they interact with systems, data and services throughout a typical working day. It is a surprisingly effective way to surface cryptographic dependencies that are otherwise invisible.
Both of these approaches share an important characteristic: they create a shared understanding across technical and non-technical stakeholders. This is valuable in its own right, because it builds the organisational awareness and stakeholder buy-in needed to support subsequent investment in more comprehensive discovery tooling. When the time comes to make the case for automated scanning and inventory management, the groundwork has already been laid.
The Evolving Tooling Landscape
A new generation of discovery tools is emerging to help organisations map the certificates and cryptographic assets embedded across their environments. These tools use a variety of approaches — network scanning, agent-based discovery, integration with certificate authorities and analysis of configuration data — to build a picture of the cryptographic landscape.
While these tools vary in maturity, scalability and usability, they are evolving quickly. The market is responding to the growing demand for cryptographic visibility driven by PQC readiness requirements, and it is reasonable to expect that tooling capabilities will improve substantially over the coming months and years.
However, it is important to approach tooling selection with realistic expectations. No single tool will provide complete visibility across every environment, application and device type. Most organisations will need a combination of approaches, supplemented by manual analysis in areas where automated discovery has limited reach. The goal should be a progressively more complete picture, not perfection from day one.
It is also worth noting that today, the outputs of most discovery tools remain highly technical. They are designed for PKI specialists and security engineers, not for boardroom consumption. Significant refinement is typically needed before the findings can be presented in a clear, business-friendly format that supports informed decision-making at leadership level. This translation from technical data to business-relevant insight is an area where independent guidance can add considerable value.
Protecting the Inventory Itself
For CISOs, there is an important security consideration that is sometimes overlooked in the enthusiasm for building cryptographic visibility: the inventory itself is a highly sensitive asset.
A comprehensive cryptographic inventory provides a detailed map of your cryptographic dependencies and potential weak points. It identifies which algorithms are in use, where certificates are deployed, which systems depend on which cryptographic services and where vulnerabilities or gaps exist. In the wrong hands, this information would be an invaluable resource for an attacker planning to exploit cryptographic weaknesses in your environment.
Any tooling, data repository or reporting platform used to store or present cryptographic inventory data must therefore be risk-assessed and adequately protected as a high-value asset. Access should be tightly controlled, data should be classified appropriately and the inventory should be subject to the same governance and protection standards as other sensitive security intelligence.
This is not a reason to avoid building a cryptographic inventory. It is a reason to ensure that the inventory is managed with the same level of care and rigour that you would apply to any other sensitive security capability.
From Inventory to Action
A cryptographic inventory is not an end in itself. Its value lies in what it enables. With a clear picture of your cryptographic landscape, you can make informed decisions about where PQC migration should be prioritised, which systems are most exposed to quantum risk, where algorithm upgrades are needed most urgently and how to sequence change to minimise operational disruption.
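As an added example (not code from the original post or from Unsung), the script below scores a minimal inventory of the kind produced by the externally-facing first phase described earlier, ordering assets by algorithm exposure, Harvest Now, Decrypt Later relevance for external confidentiality uses, and imminent renewals. The record format, algorithm lists and sample systems are constructed assumptions, not the CBOM schema or real estate data.

```python
from dataclasses import dataclass
from datetime import date

# Public-key families broken by Shor's algorithm (constructed list, not exhaustive).
SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "Ed25519", "X25519"}
# NIST PQC standards and 256-bit symmetric keys, treated as quantum-safe here.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES-256"}
# Uses where traffic recorded today can be decrypted later (Harvest Now, Decrypt Later).
CONFIDENTIALITY_USES = {"key-exchange", "encryption"}

@dataclass
class CryptoAsset:
    system: str
    use: str                  # key-exchange, encryption, signature or authentication
    algorithm: str
    not_after: date           # certificate or key expiry
    external: bool            # reachable from outside the organisation
    data_lifetime_years: int  # how long the protected data must stay confidential

def exposure(asset):
    # Classify exposure to a cryptographically relevant quantum computer.
    if asset.algorithm in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    if asset.algorithm in QUANTUM_SAFE:
        return "quantum-safe"
    if asset.algorithm == "AES-128":
        return "review"       # Grover halves effective strength; prefer 256-bit keys
    return "unknown"          # an inventory gap to close, not a safe asset

def priority(asset, today):
    # Migration-ordering score; higher means migrate sooner.
    score = 0
    if exposure(asset) == "quantum-vulnerable":
        score += 3
        # HNDL threatens confidentiality, not signatures: external key exchange first.
        if asset.external and asset.use in CONFIDENTIALITY_USES:
            score += 3 + (2 if asset.data_lifetime_years >= 10 else 0)
    elif exposure(asset) == "unknown":
        score += 1
    if (asset.not_after - today).days <= 90:
        score += 1            # an imminent renewal is a cheap moment to change algorithm
    return score

def triage(assets, today):
    return sorted(assets, key=lambda a: priority(a, today), reverse=True)

# Constructed sample inventory records (not real systems).
SAMPLE = [
    CryptoAsset("vpn-gateway", "key-exchange", "ECDH", date(2026, 3, 1), True, 15),
    CryptoAsset("code-signing", "signature", "RSA", date(2027, 1, 1), False, 5),
    CryptoAsset("legacy-hsm", "authentication", "vendor-proprietary", date(2026, 6, 1), False, 1),
]
```

Unknown algorithms are scored above quantum-safe ones on purpose: they are gaps the next discovery pass must close, which is how the inventory also serves as the progress baseline.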
The inventory also provides a baseline against which progress can be measured. As your organisation transitions to quantum-resistant algorithms, the inventory becomes the means by which you track coverage, identify gaps and demonstrate to senior leadership and regulators that the transition is being managed systematically.
Without this foundation, PQC planning is essentially guesswork. With it, organisations have the evidence base needed to invest confidently, prioritise effectively and execute with clarity.
How Unsung Can Help
Unsung helps organisations build practical cryptographic inventories that support PQC readiness planning. We guide clients through the process of identifying cryptographic dependencies, selecting appropriate tooling, interpreting discovery findings and translating technical data into business-relevant risk assessments.
Our approach is always proportionate and phased. We help you start where it matters most, build stakeholder engagement through early wins and develop a roadmap for progressively deepening your cryptographic visibility over time. We also advise on the security governance of the inventory itself, ensuring that this sensitive capability is properly protected from the outset.
If your organisation is beginning to consider how to build cryptographic visibility as a foundation for PQC readiness, we would welcome the opportunity to discuss how we can support your approach.
Want to explore this topic further?
This blog is part of a series drawn from our strategic whitepaper, Post-Quantum Cryptography: A Strategic Whitepaper for the C-Suite. It provides vendor-neutral, business-focused guidance on navigating the quantum era — covering the threats already in play, lessons from previous hype cycles, and practical steps your organisation can take today. Download your copy here: https://2f4v3l.share-eu1.hsforms.com/20qJjHSynQkuJKhI_xq9Msg