Insights: Quantum-Safe Security

Quantum-Safe Security eases the PQC transition through a live cryptographic inventory, continuous risk assessment, and risk remediation guidance.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
The Quantum-Safe Security app (Insights > Quantum-Safe Security) helps you plan, prepare for, and manage the post-quantum cryptography (PQC) migration. The app provides comprehensive visibility into your cryptographic posture, so you know where and how cryptography is used across the enterprise, which assets are vulnerable, and how quantum ready they are. In addition to actionable insights, the app provides remediation guidance. It builds a real-time inventory of your application, user device, infrastructure, and IoT device assets and their cryptographic materials (including protocols, keys, algorithms, and certificates). The main view of the app is a dashboard that shows a prioritized view of current risk and where remediation matters most, so that you can analyze trends and monitor quantum readiness and resilience at a glance.
The application discovers assets and the cryptography in use, contextualizes the data, and evaluates risk exposure and quantum readiness by analyzing decrypted and undecrypted SSL/TLS sessions, VPN tunnels, SSH sessions, and device telemetry observed by Next-Generation Firewalls (NGFW), Prisma Access, and other telemetry sources.
To get started, review the app prerequisites and follow the steps in Enable Comprehensive Cryptographic Visibility.
To launch the application, select Insights > Quantum-Safe Security or use the Strata Visions switcher (select Quantum Resilience).

How It Works

The Quantum-Safe Security app processes telemetry from Next-Generation Firewalls (NGFWs), Prisma Access, and other supported sources through the Strata Logging Service, the centralized cloud-based repository for storing all the metadata collected by your sensors. Primary sources of this data are SSL/TLS and SSH decryption logs, Traffic logs, and Tunnel Inspection logs, which provide rich cryptographic metadata from decrypted and undecrypted SSL/TLS sessions, SSH sessions, and VPN tunnels.
Your NGFWs and Prisma Access tenants act as distributed, agentless sensors across your networks, inspecting traffic and extracting relevant cryptographic attributes and context. Using the ingested data, the app discovers assets, identifies cryptographic dependencies, and assesses quantum readiness and risk. This data enables it to build a live cryptographic bill of materials (CBOM) with rich context and provide actionable insights and specific recommendations.

Key Concepts

Cryptographic Risk
Quantum-Safe Security performs a risk assessment for each asset it discovers. By analyzing cryptography usage from session, certificate, and tunnel telemetry in aggregate, it categorizes each asset into one of three Cryptography Risk categories:
  • Data Exposure Risk—Identifies assets using legacy or deprecated algorithms that violate NIST and other compliance standards
  • Harvest Now, Decrypt Later (HNDL) Risk—Identifies assets using classical algorithms that are vulnerable to future quantum computers, which may allow adversaries to harvest encrypted data today to decrypt later
  • Quantum-Secure—Identifies assets already using NIST-approved PQC-compliant algorithms
This classification provides actionable intelligence to manage cryptographic risks proactively and ensure business continuity. The Quantum-Safe Security app continuously monitors cryptographic usage across the enterprise to keep each asset's risk category accurate and to help you track the effectiveness of mitigation actions.
The following table shows the fields that are checked to determine the cryptography risk:
Risk Classification Field Mapping
Data Fields / Fields Checked
Sessions
  • Protocol
  • Elliptical Curve
  • Key Exchange Algorithm
  • Encryption Algorithm
  • Authentication Algorithm
Certificates
  • Certificate Key Algorithm
  • Key Size
  • Certificate Signing Algorithm
Tunnels
  • IKE Protocol
  • Elliptical Curve
  • Key Exchange Algorithm
  • Encryption Algorithm
  • Authentication Algorithm
Quantum Readiness
Quantum Readiness reflects the capability of an asset to support PQC, which depends on its specific hardware and software attributes. An asset is Quantum Ready when its underlying hardware or software supports quantum-resistant algorithms, even if they are not in use. An asset is Quantum Safe if its hardware or software actively uses PQC or hybrid PQC that complies with NIST or other PQC standards.
While Quantum Readiness is a fixed attribute—an asset either has PQC capability or not—your configuration plays a role in what state the asset is in. For example, enabling PQC for SSL/TLS sessions ensures that quantum-ready assets use quantum-safe sessions.
When asset context is lacking, it is not possible to give a definite indication of Quantum Readiness. In that case, if a single PQC key exchange is observed for that asset over the selected time period, it is inferred to be Quantum Ready.
The following table shows which attributes Quantum-Safe Security checks to determine Quantum Readiness for each asset class:
PQC Readiness Attributes by Asset Class
Asset Class / Attributes Looked At
Application
  • Hardware—Server hosting the app is certified by the vendor to be PQC-capable
  • Software—Cryptographic library (for example, OpenSSL 3.5+ and Java Crypto API) supports PQC key exchange algorithms
User
  • Hardware—User device hardware model is PQC-capable
  • Software—Operating system supports PQC; browser is PQC capable (for example, Prisma Browser 131+); VPN client is PQC-enabled
Infrastructure
  • Hardware—NGFW is PQC-capable (for example, fourth and fifth generation NGFW)
  • Software—NGFW or other appliances run PAN-OS 12.1+
IoT Device
  • Hardware—Device hardware model is PQC-capable
  • Software—Operating system and cryptographic library support PQC
If the hardware is not PQC-capable, the asset cannot be quantum ready; the way to make it quantum ready is to replace the hardware.
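The two tables above list which session, certificate, and tunnel fields feed the risk category, and the readiness section states the inference rule for assets without hardware/software context. The following is an added illustration of how such a classifier can be assembled from those fields; it is not the Quantum-Safe Security app's own logic, and the algorithm lists (which protocols, key exchanges, ciphers, and signature algorithms count as deprecated, classical, or PQC), the dataclass field names, and the sample telemetry are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Union

# Risk categories named in the text, ordered by severity for worst-of aggregation.
DATA_EXPOSURE = "Data Exposure Risk"
HNDL = "Harvest Now, Decrypt Later (HNDL) Risk"
QUANTUM_SECURE = "Quantum-Secure"
SEVERITY = {QUANTUM_SECURE: 0, HNDL: 1, DATA_EXPOSURE: 2}

# Assumed policy for this example (not the app's own lists).
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1", "IKEv1"}
DEPRECATED_KEX = {"RSA"}                   # RSA key transport: no forward secrecy, removed in TLS 1.3
DEPRECATED_ENC = {"NULL", "RC4", "DES", "3DES"}
DEPRECATED_SIG = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
PQC_KEX = {"ML-KEM-768", "ML-KEM-1024", "X25519MLKEM768", "SecP256r1MLKEM768"}
PQC_SIG = {"ML-DSA-65", "ML-DSA-87"}


@dataclass
class Session:            # one SSL/TLS, SSH, or IKE/IPsec tunnel observation for an asset
    asset: str
    protocol: str
    key_exchange: str
    encryption: str
    authentication: str
    curve: str = ""


@dataclass
class Certificate:        # one certificate presented by an asset
    asset: str
    key_algorithm: str
    key_bits: int
    signing_algorithm: str


Observation = Union[Session, Certificate]


def classify_session(s: Session) -> str:
    """Session/tunnel fields: protocol, curve, key exchange, encryption, authentication."""
    if (s.protocol in DEPRECATED_PROTOCOLS or s.key_exchange in DEPRECATED_KEX
            or s.encryption in DEPRECATED_ENC):
        return DATA_EXPOSURE
    if s.key_exchange in PQC_KEX:
        return QUANTUM_SECURE
    return HNDL   # ECDHE/DHE: fine against classical attackers, recordable for later quantum decryption


def classify_certificate(c: Certificate) -> str:
    """Certificate fields: key algorithm, key size, signing algorithm."""
    if c.signing_algorithm in DEPRECATED_SIG or c.key_bits < MIN_KEY_BITS.get(c.key_algorithm, 0):
        return DATA_EXPOSURE
    if c.signing_algorithm in PQC_SIG:
        return QUANTUM_SECURE
    return HNDL   # classical signature: this example's simplification, the text has no separate bucket


def classify(o: Observation) -> str:
    return classify_session(o) if isinstance(o, Session) else classify_certificate(o)


def assess_asset(observations: list) -> dict:
    """Aggregate every observation of one asset: the worst risk wins, and readiness is
    inferred from any observed PQC key exchange (the inference rule described above)."""
    risks = [classify(o) for o in observations]
    worst = max(risks, key=SEVERITY.__getitem__)
    ready = any(isinstance(o, Session) and o.key_exchange in PQC_KEX for o in observations)
    return {"risk": worst, "quantum_ready": ready, "quantum_safe": worst == QUANTUM_SECURE}


def build_inventory(observations: list) -> dict:
    """Group observations by asset name and assess each asset."""
    by_asset: dict = {}
    for o in observations:
        by_asset.setdefault(o.asset, []).append(o)
    return {name: assess_asset(obs) for name, obs in by_asset.items()}


# Constructed sample telemetry for the example (not real data).
SAMPLE = [
    Session("legacy-printer", "TLSv1.0", "RSA", "AES128-CBC", "SHA1"),
    Session("web-app-1", "TLSv1.3", "X25519MLKEM768", "AES-256-GCM", "SHA384"),
    Session("web-app-1", "TLSv1.2", "ECDHE", "AES-128-GCM", "SHA256", curve="P-256"),
    Certificate("web-app-1", "RSA", 2048, "sha256WithRSAEncryption"),
    Session("web-app-2", "TLSv1.3", "X25519MLKEM768", "AES-256-GCM", "SHA384"),
    Session("web-app-2", "TLSv1.3", "X25519MLKEM768", "CHACHA20-POLY1305", "SHA256"),
]

if __name__ == "__main__":
    for name, result in build_inventory(SAMPLE).items():
        print(f"{name:15} {result}")
```

In the sample, web-app-1 is inferred Quantum Ready because one hybrid ML-KEM session was seen, but it is not Quantum Safe, since it still serves classical ECDHE sessions that carry HNDL risk; that split is exactly the ready-versus-safe distinction the text draws.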
Cipher Translation Proxy
To secure legacy systems or IoT devices that cannot be upgraded, the app recommends that you enable cipher translation. Cipher translation intercepts network traffic secured with a classical key exchange (such as RSA or ECDHE) and re-encrypts it in real time using quantum-safe algorithms (such as ML-KEM) at the network edge.
NGFWs running PAN-OS 12.1 or later act as the inline proxy that upgrades the security of sessions. Communication between the parties remains secure as long as at least one of the two mechanisms—classical or PQC—is uncompromised. Cipher translation protects against the Harvest Now, Decrypt Later threat, requires no upgrades or other changes to the endpoints, and enables a gradual transition to PQC without disrupting business operations.
Hybrid post-quantum (PQ) key exchange is what makes cipher translation possible. During a hybrid PQC key exchange, the parties (for example, a browser and an application) simultaneously execute a classical key exchange and a PQ key encapsulation mechanism (KEM). The shared secrets resulting from the two exchanges are combined to create the final session key.
General Cipher Translation Workflow
The cipher translation process is as follows:
  1. Classical Negotiation—The client and server negotiate a standard classical TLS cipher suite.
  2. PAN-OS Intervention—An NGFW running PAN-OS 12.1 or later intercepts the communication through SSL Forward Proxy or SSL Inbound Inspection. Based on the settings in the decryption profiles and decryption policy rules, the NGFW injects PQC-based key material into the TLS handshake on the client-side session, the server-side session, or both.
  3. Key Establishment—The final session key is derived from a combination of the classical key exchange and the quantum-safe key exchange.
  4. Secure Communication—The resulting TLS session is secured by a hybrid key that defends against both classical and quantum attacks.
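Step 3, the key-establishment step, is where the "secure as long as one mechanism holds" property comes from. The following is an added illustration of that combination step and is not PAN-OS or Quantum-Safe Security code. It assumes the two shared secrets have already been agreed (random values stand in for the output of an X25519 agreement and an ML-KEM decapsulation), that the peers concatenate them in the fixed order classical || pq, and that a single HKDF step produces the session key; a real TLS 1.3 stack feeds the concatenated secret into its full key schedule instead.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Combine the classical and PQ shared secrets into one session key.

    The order classical || pq is an assumption of this example; any fixed order
    works as long as both peers use the same one. Mixing the handshake
    transcript into `info` binds the key to the parameters that were negotiated."""
    ikm = classical_ss + pq_ss
    prk = hkdf_extract(bytes(HASH_LEN), ikm)   # zero-filled salt, RFC 5869's default
    return hkdf_expand(prk, b"hybrid-session-key" + transcript, HASH_LEN)


def simulate_key_establishment(transcript: bytes) -> dict:
    """Model the key-establishment step from both ends of the session.

    The secrets are constructed at random here; in a real handshake the
    classical value comes from the (EC)DH agreement and the PQ value from the
    KEM encapsulation/decapsulation, and both peers end up holding both."""
    classical_ss = secrets.token_bytes(32)
    pq_ss = secrets.token_bytes(32)
    client_key = hybrid_session_key(classical_ss, pq_ss, transcript)
    server_key = hybrid_session_key(classical_ss, pq_ss, transcript)

    # Harvest-now-decrypt-later: an adversary who later breaks the classical
    # exchange recovers classical_ss but still lacks pq_ss, so the best it can
    # do is guess. The comparison below shows that a wrong half changes the key;
    # with 256-bit secrets the guess itself is infeasible.
    classical_only = hybrid_session_key(classical_ss, secrets.token_bytes(32), transcript)
    # Conversely, a flaw in the PQ algorithm alone still leaves classical_ss unknown.
    pq_only = hybrid_session_key(secrets.token_bytes(32), pq_ss, transcript)

    return {
        "peers_agree": hmac.compare_digest(client_key, server_key),
        "classical_break_suffices": hmac.compare_digest(client_key, classical_only),
        "pq_break_suffices": hmac.compare_digest(client_key, pq_only),
    }


if __name__ == "__main__":
    print(simulate_key_establishment(b"ClientHello|ServerHello"))
```

The point of the demonstration is the two `*_break_suffices` flags: neither half of the hybrid secret is enough on its own, which is what lets a proxy that adds a PQ KEM to an otherwise classical session defend the recorded traffic against a future quantum attacker.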

Components

Overview
A dashboard summarizing the cryptographic health of your network for the selected time duration. It provides a consolidated view of discovered assets and the volume of data in transit, segmented by cryptographic risk and quantum readiness status. You can also view the number of available recommendations for the quantum-readiness status.
Dashboard Components
  • Central Pie Chart—Shows the distribution of total volume of data in motion across each cryptographic risk.
  • Left Arc—Shows the total number of assets detected in the time duration and the distribution across each type of asset.
  • Right Arc—Shows the number of quantum-ready and quantum-safe assets and the number of recommendations available to move an asset to quantum safe or quantum ready. The right arc provides a shortcut to the specific recommendations in the inventory's recommendation panel.
  • Weekly Impact Summary—Shows trends in the number of quantum-ready browsers, sessions with deprecated algorithms, cipher translation usage, and more.
Inventory
The inventory is your dynamic cryptographic bill of materials (CBOM). It provides a complete view of your organization's cryptographic posture and compliance even as your environment evolves. It catalogs applications, user devices, infrastructure, and IoT devices across your organization along with their cryptographic dependencies (such as keys, certificates, libraries, cipher suites, protocols) and enriches assets with context such as hardware models, operating system, cryptographic library versions, and browser versions, and telemetry, such as device owner. It also shows cryptographic risk, quantum readiness, whether cipher translation is in use, and other identifying details.
The Show Recommendations panel provides targeted recommendations (for example, upgrade pathways) for specific asset types, risks, and readiness levels. It also reports the number of impacted assets.
The following sections outline how to customize your dashboard and inventory views.

How To Use the Dashboard

Set the Time Range
Adjust the time range to identify newly discovered assets or to analyze trends and your cryptographic posture over different durations. Available options are Past 24 Hours, Past 7 Days, and Past 30 Days.
Filter by Asset Class
In the left arc, select All Assets, Applications, User Devices, Infrastructure, or IoT Devices. The dashboard then shows data, insights, and recommendations specific to that asset class.
Investigate Cryptographic Risk
When viewing All Assets, click View Details on a specific risk category. The pie chart becomes a container with deeper insights such as the top contributors to that risk.
If you select a different asset class, the dashboard changes to show data, insights, and recommendations specific to that asset class.
If you select a specific asset class (for example, IoT Devices) and there is only one risk category represented, the dashboard shows details such as number of tunnels detected.
Access Recommendations
In the right arc, under the Quantum Ready or Quantum Safe headers, select a recommendation category (for example, Hardware Recommendations). This directs you to the specific recommendations in the recommendations panel in the inventory.

How To Use the Inventory

Set the Time Range
Adjust the time range to identify newly discovered assets or to analyze trends and your cryptographic posture over different durations. Available options are Past 24 Hours, Past 7 Days, and Past 30 Days.
Filter Assets
Filter the inventory by Type (for example, type of application), Quantum Readiness, Cryptography Risk, Cipher Translation, or a combination of filters. Available filters differ between asset types. For example, to prioritize assets for PQC migration, filter by quantum readiness and cryptographic risk; to identify web applications that are ready for migration, apply both the Type (select Internet) and Quantum Readiness (select Ready) filters.
  • To apply filters:
    1. Click Add Filter.
    2. Select a filter, such as Quantum Readiness.
    3. Select filter values, such as Ready or Not Ready.
    4. (Optional) Add more filters.
  • To clear filters, click Reset Filters.
  • To find assets more readily, use Search.
Manage the Inventory Look
Customize your view and navigate between pages of the inventory using the pagination and navigation settings below.
  • Assets per Page: To adjust the number of assets displayed on a single page, select a Page Size. Available options are 10, 20, 50, and 100.
  • Navigation: Jump to a specific page by entering a Page number in the range or by using the directional arrows.
Drill-down into Individual Assets
To open a detailed view of a specific asset, click the Asset Name.
Explore Recommendations
  • To view recommendations, click Show Recommendations, and then click Quantum Ready or Quantum Safe. Recommendations targeted at the goal of quantum readiness or quantum safety are displayed.
  • To hide recommendations, click Hide Recommendations.
  • Search within recommendations using terms like "hardware" or "software".

What does the app show you?

In general, the Overview and Inventory show you where cryptography is in use across your enterprise, where vulnerabilities exist, and what actions to take. The app displays the following information at both the individual asset and aggregate levels.
  • The cryptographic risk of assets
  • Volume of data in transit that is vulnerable to data exposure and Harvest Now, Decrypt Later attacks
  • Volume of quantum-secure data, protected against current and quantum threats
  • Number of discovered applications, user devices, infrastructure, IoT devices
  • Number of quantum-ready or quantum-safe assets
  • Asset context and cryptographic dependencies, including operating system, detailed device attributes such as specific hardware models, cryptographic libraries in use (for example, deprecated OpenSSL versions), and browser versions
  • Top risk contributors (for example, use of a specific TLS version)
  • Weekly impact summary showing trends in the number of:
    • Quantum-ready browsers
    • Sessions with deprecated algorithms
    • Cipher translation usage
  • Remediation recommendations for upgrading or migrating assets in the following categories:
    • Hardware
    • Software
    • Certificate compliance
    • Data configuration
    • Cipher translation
  • Certificate validity

How can you use the data in the app?

Use the data from the Quantum-Safe Security app to strategically plan and execute the transition to PQC. Here is a non-exhaustive list of ways to use app data:
  • Assess your cryptographic posture
    • Quickly identify and quantify the vulnerability of your architecture
    • Identify assets and cryptography vulnerable to data exposure and Harvest Now, Decrypt Later (HNDL) risks
    • Identify quantum-ready and quantum-safe assets
    • Quantify assets that need remediation
    • Identify weaknesses such as the use of outdated cipher suites or
    • Identify top risk contributors, such as deprecated cryptography, and the number of impacted assets
    • Gauge how quantum ready your cryptographic landscape is
  • Prioritize and remediate
    • Identify how, if necessary, assets and cryptography can be updated or replaced
    • Mitigate the risk of future data exposure
    • Prioritize mitigation based on the risk assessment (for example, assets with long-lived, sensitive data have the HNDL risk classification and can be moved to the top of the migration queue)
    • Develop a comprehensive remediation roadmap
    • Identify specific policy rules or profiles that make sessions vulnerable
    • Identify infrastructure, applications, and other assets that can be upgraded to be crypto-agile, support PQC, and so on
    • Identify invalid certificates
    • Make an action plan based on recommendations
    • Set migration priorities based on the risk assessment, criticality of the asset, and other criteria
    • (Coming soon) Automated cipher translation proxy and other remediation workflows
  • Track compliance and progress
    The inventory serves as the authoritative source for cryptographic governance, enabling continuous crypto-hygiene monitoring and compliance tracking as your environment evolves.
    • Monitor quantum-ready and quantum-safe assets and risks
    • Validate and track quantum-safe assets
    • Demonstrate measurable progress toward Security Requirements for Cryptographic Modules (FIPS 140-3), the Digital Operational Resilience Act (DORA), and other regulations and standards
    • Build reports for stakeholders
    • Establish and enforce quantum governance (for example, policies)
    • Dedicate resources and set action plans for different teams
    • Track the effectiveness of mitigation actions