Data center server racks

Ask a security team to produce a list of every cryptographic algorithm, certificate and key in their environment, and the honest answer in most organisations is: they can’t, not completely. Cryptographic decisions accumulate silently over years, made by different teams, in different systems, long before anyone was thinking about quantum risk. A Cryptography Bill of Materials (CBOM) is how that gap gets closed.

The Definition, Precisely

A CBOM is a structured, machine-readable inventory of every cryptographic asset in use across a system or organisation. It extends the same logic a Software Bill of Materials (SBOM) applies to software dependencies, but focused specifically on cryptography — algorithms, key lengths, certificates, libraries, and the protocols that use them.

What Actually Belongs in One

A CBOM that’s useful for migration planning, not just compliance box-ticking, needs to capture:

  • Algorithms and key lengths — e.g. RSA-2048, ECC P-384, ML-KEM-768
  • Libraries and their versions — OpenSSL, BoringSSL, a language’s built-in crypto library
  • Certificate details and where key material is stored — HSM, software keystore, cloud KMS
  • Protocols and configurations in use — TLS versions, cipher suites, signing workflows

The industry is converging on OWASP CycloneDX as the standard machine-readable format for expressing this, which matters in practice: a CBOM built to that standard is portable across tooling and auditors, rather than locked into one vendor’s proprietary export format.

Why “We’ll Discover It During Migration” Fails

It’s tempting to treat discovery as something that happens organically once a migration project starts. In practice, this produces a predictable outcome: new cryptographic assets keep surfacing throughout the project, timelines slip, and the organisation never reaches a point where it can say with confidence “we’ve found everything that matters.” A CBOM built ahead of migration — and kept continuously current — turns that open-ended uncertainty into a known, bounded scope.

From List to Leverage

A CBOM by itself is just an inventory. Its real value comes from mapping each asset to the business service it actually protects, so exposure can be assessed in terms that matter to the business — not “we have 4,000 certificates using RSA-2048” but “our payment gateway depends on twelve of those certificates, and three expire this quarter.” That mapping is what turns a compliance artefact into an operational one.

Quantum Sentinel builds and maintains this automatically through Enterprise PQC Discovery, presenting it as a living Enterprise CBOM rather than a static report that goes stale the day it’s generated. Read the full CBOM whitepaper for a deeper look.

Scroll to Top