Woman planning schedule on desk calendar

Ninety days isn’t enough to migrate anything meaningful, and that’s not the point. It is enough to move from “we don’t know where our cryptographic exposure is” to “we have a prioritised, evidence-based plan” — which is the foundation every credible migration is actually built on.

Days 1–15: Scope and Baseline

  • Identify the top 20 business-critical services to include in the first pass
  • Confirm the discovery method — agentless, read-only, no production disruption
  • Establish a single owner and a reporting cadence for the programme

Days 16–45: Discover and Inventory

  • Run network-level TLS and certificate discovery across in-scope services
  • Extend discovery to PKI, HSMs, and source code repositories
  • Consolidate findings into a single, CycloneDX-aligned CBOM

Days 46–70: Assess and Prioritise

  • Map each cryptographic asset to the business service it protects
  • Score exposure using business context and recognised guidance (NIST, CNSA 2.0)
  • Identify two or three pilot candidates — high impact, low blast radius

Days 71–90: Plan and Report

  • Draft a phased migration roadmap for the prioritised systems
  • Identify where certificate lifecycle automation is the limiting bottleneck
  • Present findings to the board or steering group with concrete next-phase asks

What “Success” Looks Like at Day 90

Not a completed migration — a credible, evidence-based answer to five questions: where is cryptography used, which algorithms protect what, which certificates are at risk, which systems are quantum-vulnerable, and what should be prioritised first. That answer is what makes every subsequent phase a planning exercise instead of a discovery exercise.

This sequence mirrors Quantum Sentinel’s own ECEM lifecycle — Discover, Inventory, Assess, Prioritise — compressed into a realistic first-quarter timeline rather than treated as a multi-year abstraction.

Scroll to Top