
“Quantum-safe,” “quantum-resistant,” and “post-quantum ready” have become increasingly common phrases on security product marketing pages. Some of these claims are precise and well-supported. Some are aspirational. Very few marketing pages make it easy to tell which is which — so it’s worth knowing what to actually check.
Ask Which Specific Standard Is Implemented
A credible claim will name the actual standard — ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205) — rather than the generic phrase “post-quantum algorithms.” If a vendor can’t immediately answer “which NIST-standardised algorithm, specifically,” that’s worth treating as a signal to dig further, not a reason to walk away outright, but definitely a reason to ask a more specific question.
Ask Whether It’s Hybrid or Post-Quantum-Only
Given how new the post-quantum algorithms are in production deployment, a hybrid implementation (classical plus post-quantum together) is generally the more mature, lower-risk claim than “post-quantum-only.” A vendor confidently offering post-quantum-only with no hybrid option is worth a direct question about what happens if an unexpected weakness is later found in the post-quantum component alone.
Ask What “Quantum-Safe” Actually Covers
A product can be quantum-safe in one specific respect — say, the TLS connection to its management console — while everything else about how it handles, stores, or signs data remains entirely classical. “Quantum-safe” as a blanket claim about an entire product needs to be broken down: safe for which specific operation, exactly?
Ask for Independent Verification, Not Just the Claim
Third-party security assessments, published technical documentation, or participation in interoperability testing efforts all carry more weight than a marketing page’s own assertion. A vendor confident in their implementation should have no difficulty pointing to this kind of evidence.
Why This Matters for Your Own Inventory
Every third-party product marked “quantum-safe” without this level of verification is a potential gap in your own cryptographic inventory — a system your CBOM might record as “handled” when it’s only partially so. Vendor claims deserve the same scrutiny as internal systems, not an exemption from it.