
Ninety days isn’t enough to migrate anything meaningful, and that’s not the point. It is enough to move from “we don’t know where our cryptographic exposure is” to “we have a prioritised, evidence-based plan” — which is the foundation every credible migration is actually built on.
Days 1–15: Scope and Baseline
- Identify the top 20 business-critical services to include in the first pass
- Confirm the discovery method — agentless, read-only, no production disruption
- Establish a single owner and a reporting cadence for the programme
Days 16–45: Discover and Inventory
- Run network-level TLS and certificate discovery across in-scope services
- Extend discovery to PKI, HSMs, and source code repositories
- Consolidate findings into a single, CycloneDX-aligned CBOM
Days 46–70: Assess and Prioritise
- Map each cryptographic asset to the business service it protects
- Score exposure using business context and recognised guidance (NIST, CNSA 2.0)
- Identify two or three pilot candidates — high impact, low blast radius
Days 71–90: Plan and Report
- Draft a phased migration roadmap for the prioritised systems
- Identify where certificate lifecycle automation is the limiting bottleneck
- Present findings to the board or steering group with concrete next-phase asks
What “Success” Looks Like at Day 90
Not a completed migration — a credible, evidence-based answer to five questions: where is cryptography used, which algorithms protect what, which certificates are at risk, which systems are quantum-vulnerable, and what should be prioritised first. That answer is what makes every subsequent phase a planning exercise instead of a discovery exercise.
This sequence mirrors Quantum Sentinel’s own ECEM lifecycle — Discover, Inventory, Assess, Prioritise — compressed into a realistic first-quarter timeline rather than treated as a multi-year abstraction.