Q-Day Is Coming. Is Your Portfolio Ready?
Memo on why the quantum timeline moved up and what it means for the trade
In December 2024, Google unveiled a quantum chip that did in five minutes what would take the world’s fastest supercomputer 10 septillion years. The key argument against quantum advancement had been that scale added more noise than compute capability, but Google’s Willow chip proved that quantum error correction can scale. Ten months later, its Quantum Echoes algorithm achieved a 13,000x speedup over classical supercomputers, and Jensen Huang pivoted from calling functional quantum systems “decades away” to declaring an “inflection point.” The quantum timeline moved up fast.
But how has the market priced this in? The Defiance Quantum ETF (QTUM) returned 124% over three years, with pure-play names like Rigetti and D-Wave posting trailing twelve-month gains exceeding 1,900%. Morgan Stanley flagged forward sales multiples exceeding 400x, dwarfing even the dot-com peak of 31–51x.
The problem is that quantum computing hardware companies are burning cash with no clear path to profitability, the architecture question is unresolved, and the real buyer base could end up being only a handful of hyperscalers who will eventually bundle the compute layer into their own cloud platforms.
The investable thesis is the second-order effect: the forced migration to replace RSA encryption before quantum computers can break it. RSA protects every bank transfer, every government secret, every medical record. That is what PQC means: Post-Quantum Cryptography, the replacement encryption standards designed to survive the quantum era.
NIST finalized post-quantum cryptographic standards in August 2024, and the NSA’s CNSA 2.0 mandate has hard compliance deadlines starting January 2027. Google moved its own PQC migration deadline to 2029. This is the Y2K trade of the 2020s, and the spending wave is just beginning. The federal spend floor alone is $7.1 billion by 2035, and commercial migration historically runs 3-4x larger. The trade spans both the security platforms that can swap encryption without disrupting the business underneath, and the chips and hardware that will need physical replacement because they can’t handle the heavier math.
In this article:
1. Why the quantum timeline moved up and what it means for the trade
2. Why the quantum supply chain is a valuation trap
3. The real thesis: RSA is already obsolete and the replacement cycle has hard deadlines
4. The Y2K parallel: why this becomes a panic spend
5. PQC software, platforms, and network security: who captures the migration value
6. PQC hardware and infrastructure: the forced upgrade cycle
7. QKD and the quantum internet: what comes after PQC
8. Portfolio positioning: how to structure the trade
The Quantum J-Curve
Why did the quantum timeline move up, and what does it mean for markets?
For decades, the case against quantum computing was simple: it couldn't scale. While classical computers store information as bits, each one a 0 or a 1, quantum computers use qubits, which can represent 0, 1, or both simultaneously. This allows them to explore many solutions at once rather than one at a time. The problem was reliability. Every qubit you added introduced more errors, and past a certain point the machine was just generating noise. Build it bigger, and it just breaks faster.
Google's Willow chip dismantled that assumption. Published in Nature in December 2024, the 105-qubit processor was the first to demonstrate that error rates actually decrease as you add more qubits, not increase. The benchmark result was dramatic (a computation that would take a classical supercomputer 10 septillion years, completed in under five minutes), but the error correction breakthrough was the real story. It meant quantum computing could scale.
The second catalyst came in October 2025. Google’s Quantum Echoes algorithm, running on the same Willow hardware, achieved a 13,000x speedup over classical supercomputers on structural learning computations. This moved the narrative from “can quantum computers work?” to “how fast are they getting useful?”
NVIDIA’s Jensen Huang, who had publicly dismissed functional quantum systems as 15–20 years out, reversed course and called it an “inflection point.” NVIDIA began integrating its CUDA-Q platform with quantum processors, signaling that the GPU ecosystem sees quantum as complementary rather than competitive.
Capital markets responded with a frenzy. The Defiance Quantum ETF (QTUM) returned 124% over three years and 39.9% trailing twelve months. Rigetti and D-Wave both posted trailing twelve-month gains exceeding 1,900%, vastly outperforming even established AI infrastructure names like Palantir at the height of the “AI Bubble.” IonQ, the sector's commercial leader, traded at a 138x price-to-sales multiple on $130 million in revenue. Morgan Stanley flagged that sector valuation multiples had reached 400x projected forward sales, well beyond the dot-com peak range of 31–51x.
But the market is making assumptions based on excitement and FOMO that simply don’t hold water. The immediate investment consequence isn’t in the uncertain quantum pure-play, but rather in what quantum computing threatens to break: the encryption that protects virtually every digital transaction on earth.
Post-Quantum Cryptography, or PQC, is the set of replacement encryption standards designed to survive a world where quantum computers can crack current methods. Google moved its own PQC migration deadline to 2029, ahead of the NSA’s 2031 target and the federal government’s 2035 mandate. That decision reflects an internal assessment: Google believes a cryptographically relevant quantum computer is close enough to warrant replacing its encryption stack within three years. The market is pricing quantum computing as a speculative technology play, but the signal from the companies building the hardware is that the threat is near-term and the migration is urgent
The Quantum Supply Chain Trap
Why is the quantum computing supply chain uninvestable?
The quantum supply chain looks like the obvious trade, and that is exactly the problem. There are four competing quantum architectures (superconducting, trapped-ion, photonic, and neutral atom) with fundamental differences in how they operate, how cold they need to be, and how well they perform at scale. Nobody can claim to know which one will win. Investing in quantum hardware today is like picking a smartphone manufacturer in 2004. Nokia sure looked like a great bet at that point, but early leads in one context don’t always translate when technologies shift.
The valuation picture makes the risk-reward situation worse. IonQ is the sector’s commercial leader with $130 million in FY2025 revenue, a 202% year-over-year expansion, and a $3.34 billion cash war chest. That sounds impressive until you compare it to the $18 billion market cap, which implies a 138x price-to-sales multiple. Rigetti generated $7.1 million in revenue (declining 34% year-over-year) with a $216 million net loss. D-Wave posted $24.6 million in revenue but a $355 million net loss, and insiders sold $1.74 million in equity over the past 90 days. D-Wave trades at 147x forward sales on an estimated $44 million in FY2026 revenue. These multiples make the dot-com peak look disciplined.
The market is pricing quantum hardware companies as if they’re the next NVIDIA, suppliers to a massive distributed demand base where millions of customers drive volume through the supply chain. The problem is that quantum computers aren’t GPUs. They require purpose-built facilities and dedicated teams to run. The only access model that works is cloud-based.
Google, Amazon, Microsoft, and IBM all offer quantum computing as a service through their platforms. All demand from every bank, pharma company, and government agency that eventually needs quantum compute funnels through a handful of hyperscalers who are simultaneously building their own quantum hardware in-house. The independent hardware companies are selling to customers who are also building competing products.
Cryogenics is often cited as the infrastructure play beneath the architecture war, since every quantum approach needs extreme cooling. These sensitive systems see heat as “noise” that corrupts the results. Regardless of which technology wins, there will be some need for cooling. Even photonic systems need cryocoolers at near absolute zero for their detectors. But if the real buyer base is only a handful of hyperscalers, the installed base for cooling equipment is hundreds of units, and a shift toward photonic technology undermines even what’s left of the cryogenic demand case.
This is the pattern that repeats across every infrastructure cycle. When your biggest customers are also your competitors, margins compress and optionality disappears. Cloud computing, networking, and semiconductors all played out the same way.
The valuation gap tells the full story. Quantum compute stocks trade on price-to-sales at 138x to 5,455x because there are no earnings. PQC pure-plays trade on forward sales at 3.5–6.5x. PQC platform plays have real price-to-earnings ratios: Infineon at 16x, Fortinet at roughly 35x, Palo Alto Networks at roughly 55x, Zscaler at roughly 65x. The further you move from quantum compute toward PQC migration, the more the valuation framework looks like normal investing.
The Real Trade
Why is RSA encryption already obsolete?
Every encrypted channel on earth, from bank transfers to military communications to medical records, relies on a type of math problem that classical computers can’t solve fast enough to crack. RSA encryption, the standard since the 1970s, works because factoring enormous numbers takes a classical computer longer than the age of the universe. Think about how difficult it is to find large prime numbers, RSA works on the same type of mathematics.
But quantum computers change the equation. A method called Shor’s algorithm, run on a sufficiently powerful quantum machine, solves the same category of math problem in minutes. In 2019, researchers estimated that cracking RSA-2048 would require 20 million qubits. By June 2025, Google's own research lowered that to 1 million. In March 2026, Google moved its internal deadline for Q Day, the day a quantum computer can break today's encryption, to 2029. That caught even Microsoft's former PQC lead off guard. The timeline is compressing faster than the market has priced in.
The vulnerability isn't theoretical. A practice called Harvest Now, Decrypt Later (HNDL) is already underway. China, Russia, and North Korea are among actors known to be actively intercepting and storing encrypted data today with the expectation that quantum computers will eventually crack it. The Department of Homeland Security and the UK’s National Cyber Security Centre both operate under the assumption that current harvesting is underway. For classified government communications, diplomatic cables, long-lived financial records, and medical data, the secrecy window overlaps with the quantum threat window. The data being harvested today may become readable within the decade.
NIST, the National Institute of Standards and Technology is the federal agency that sets technology standards for the US government. They finalized the first post-quantum cryptographic standards in August 2024. The three new algorithms, CRYSTALS-Kyber (ML-KEM), CRYSTALS-Dilithium (ML-DSA), and SPHINCS+ (SLH-DSA), are built on math that quantum computers can't crack. But to run these algorithms requires an upgrade both to the software handling cybersecurity and to the hardware that currently handles cryptography.
But the NSA’s CNSA 2.0 (Commercial National Security Algorithm) mandate then set the clock: all new National Security System acquisitions must be PQC-compliant by January 2027, and software and firmware must exclusively use PQC by December 2030, while cloud and browser infrastructure must follow by December 2033. Full federal migration is targeted for 2035. The EU’s DORA and NIS2 directives add international regulatory pressure on the same timeline.
The compliance deadlines make this a procurement cycle, not a discretionary upgrade. Every government contractor, every bank that handles federal funds, and every cloud provider that serves the public sector will need to migrate. That’s before you account for the commercial shadow migration, which historically runs 3–4x larger than the government-mandated spend.
The Y2K Parallel
Why does PQC migration become a panic spend?
Y2K cost $308 billion globally to fix a two-digit date field. The scope was enormous but the fix was simple: find every instance of a two-digit year in your codebase and replace it with a four-digit year. PQC migration is structurally larger. The new encryption algorithms produce keys and signatures that are 6x to 18x bigger than what RSA uses today. That means every device that handles encryption needs more memory, more processing power, and more bandwidth to do the same job. Many devices simply cannot handle the larger payloads. Smart meters, satellites, vehicles, and IoT devices with ten-plus year lifecycles lack the memory or compute to run the new encryption math, which means firmware upgrades won’t cut it. Full hardware replacement is required for anything that can’t be upgraded.
The spending pattern follows the same S-curve as Y2K: awareness, denial, gradual acceptance, and then panic as the deadline approaches. PQC is currently in “gradual acceptance.” The first CNSA 2.0 compliance deadline arrives in January 2027, and most organizations have done little more than assess their exposure. 2026 is the first year of mandatory PQC deployment for new federal systems. The migration hasn’t started in earnest, and the clock is already ticking.
The market projections reflect the early stage. The PQC market is estimated at $420 million in 2025, growing to $2.84 billion by 2030 at a 46% CAGR. Some estimates project $30 billion by 2034. The federal spend floor alone is $7.1 billion by 2035. Commercial and enterprise migration, historically 3–4x the government-mandated spend, would push the total well beyond those numbers. For context, Y2K’s $308 billion was concentrated in a three-year window. PQC’s spend will distribute over a longer period, but the cumulative total is likely larger because it touches every encrypted connection on earth, not just date fields in legacy code.
PQC Software, Platforms, and Network Security
Which companies capture the most durable value from the PQC migration?
The most obvious way to play the migration cycle is to invest in those companies that can uplift security without having to rip out existing systems. In Y2K, it was the consulting and remediation firms that crawled through legacy codebases. In the PQC migration, the equivalent the security platforms that can swap encryption algorithms without disrupting the business logic underneath. Those security platforms that can intercept network traffic, re-encrypt it using the new algorithms, and pass it through, while the applications and devices on either side never know anything changed, that is known as “crypto-agility.” To rotate cryptographic standards centrally as they evolve, rather than upgrading every endpoint individually. NIST will keep refining these algorithms as the math matures, so the vendors that can push updates from one central control plane win over the ones that require device-by-device upgrades.
5A. Crypto-Agility Platforms
The cleanest expression of this idea might be Zscaler (ZS), which routes all of a company's internet traffic through its cloud before it reaches the destination. Every connection passes through Zscaler's security checkpoint, where it gets inspected and encrypted. More than 40 million users route through Zscaler's cloud, and revenue is growing above 20%. When NIST updates the algorithms, Zscaler updates its cloud once and every connection flowing through it is automatically using the new encryption. That's crypto-agility at scale, and it's the core reason ZS belongs in the PQC basket.
The same logic applies at the network edge. Palo Alto Networks (PANW) launched 14 quantum-safe firewall models that re-encrypt RSA-protected traffic to PQC standards in real time. This lets organizations upgrade their perimeter first without ripping out every internal system simultaneously, which is especially useful for large enterprises. PANW is one of the largest companies in the list, so it’s not as much of a pure play, but they’ve also introduced certificate management tools targeting a $1 billion ARR opportunity. Because every digital certificate that currently uses RSA will eventually need to be re-issued in a quantum-safe format, this is also crucial.
In February 2026, PANW completed its $25 billion acquisition of CyberArk, the identity security leader. Every digital certificate and machine identity that currently relies on RSA will eventually need to be re-issued in a quantum-safe format, and CyberArk gives PANW the platform to manage that migration across the enterprise.
Fortinet (FTNT) has the broadest PQC product set in the security space. Its FortiOS platform already supports quantum-safe authentication, hybrid key exchanges, and secure access at the network edge. Full-year billings hit $7.55 billion with 16% growth, and the stock trades at 24.9x EV/FCF (CY26E), cheaper than CrowdStrike at 56.2x and Zscaler at 26.6x. Fortinet is also the only vendor integrating both PQC and Quantum Key Distribution (QKD) into a single platform.
The crypto-agility theme doesn't stop at firewalls. F5 (FFIV) does something similar one layer deeper in the stack, sitting in front of enterprise applications and managing how traffic reaches them. The company has effectively transitioned from a hardware load balancer business to a software platform, with software now accounting for 53% of product revenue and subscription revenue growing 19% year over year. When encryption standards change, F5 handles the update at the application delivery layer so the applications behind it don't need to be rewritten. That's the same pattern as Zscaler and Palo Alto, just applied to the app rather than the user or the perimeter.
Check Point (CHKP) and Cloudflare (NET) round out the section, though neither is a pure PQC story. Check Point shipped post-quantum key exchange in its latest firmware, but only for VPN (Virtual Private Network) connections, while the rest of the network stack still needs upgrading. It's a narrower approach, but VPNs carry a lot of sensitive government traffic and Check Point gets credit for being early.
Cloudflare is the opposite case: the most advanced PQC deployment on earth with plans to go PQC-only by mid-2026, but they're giving it away. PQC is a feature baked into the platform, not a product line, so the direct revenue catalyst is limited even though a growing share of the internet's encrypted traffic now flows through Cloudflare's infrastructure.
5B. Constrained Devices and Alternative Approaches
The new NIST algorithms are built on lattice-based math, a category of cryptography that uses complex multidimensional grid structures instead of the prime number math behind RSA. Lattice-based algorithms are far harder for quantum computers to crack, but they also demand more processing power and memory. IoT sensors, defense hardware, and embedded controllers often lack the bandwidth or compute to run those heavier calculations.
Arqit Quantum (ARQQ) addresses that gap. For IoT sensors, satellites, and battlefield radios that run on minimal processing power, there needs to be a different approach entirely. Arqit’s software platform lets two devices generate matching encryption keys at the same time without ever transmitting the key itself. Once both sides hold the same key, they encrypt with simple symmetric cryptography, which is already quantum-safe and requires no hardware upgrades. The platform runs as a software overlay on existing infrastructure. The PQC migration is still mandated otherwise, but Arqit’s technology fills a crucial gap.
5C. Identity and Endpoint Security
The identity and endpoint layers will need to migrate alongside everything else, and the companies that run those layers will push the upgrade centrally. This upgrade includes the systems that verify who is allowed to access what.
Okta (OKTA) issues the tokens and certificates that control access across thousands of enterprise networks. Every one of those will eventually need to be quantum-safe. The core platform hasn’t shipped PQC yet, but 67% of Okta’s financial services customers are already investigating solutions, and the cloud-native architecture means the upgrade deploys centrally when it comes. And CrowdStrike (CRWD) is in a similar position on enterprise devices. Its Falcon platform protects millions of devices, the 2026 roadmap includes quantum-resistant integrations, but nothing has shipped. PQC efforts are in the works, but the stocks are also operating well in their niche as is.
5D. Testing, Compliance, and Migration Services
The migration itself creates a separate category of winner: companies that don’t do the encrypting but make the transition possible. Testing, consulting, and traffic inspection all become growth businesses once organizations move from assessing their exposure to actually deploying PQC.
Every organization deploying PQC also needs to verify it works without breaking network performance. Viavi Solutions (VIAV) built the first cloud-based testing platform that supports all of NIST's PQC algorithms, giving enterprises a way to validate their encryption upgrades across the full network stack before flipping the switch. The PQC revenue is still early, but every company that migrates will need to prove compliance, and VIAV is building the tools they will use to do it.
In the lead-up to Y2K, it was the consulting firms that captured more of the spend than the tech vendors. Accenture (ACN) is the closest equivalent in the PQC-era. Their PQC consulting practice has already run a pilot with Banco Sabadell, and they partnered with AWS on migration tooling. When the panic spend hits, the consulting firms get called first.
5E. The Japan Question
Japan’s PQC migration faces tougher hurdles even than the US. The country’s critical infrastructure, from banking to telecom to government networks, relies heavily on on-premise appliances and hybrid cloud environments that make the transition structurally harder than it is for more cloud-native environments. Trend Micro (4704.JT) is the dominant endpoint security vendor in that market, with a massive installed base across Japanese enterprise and government customers.
Trend Micro has the dominant installed base across Japanese enterprise and government, and Japan's critical infrastructure isn't going to migrate on foreign platforms. The company has passed the current federal encryption certification (which expires September 2026), and its PQC research is active. The hybrid-cloud install base makes migration harder than it would be for a cloud-native vendor, and operating margins in the high teens trail peers above 25%. This is partly because of the R&D required. But Japanese organizations move fast once aligned, and the regulatory pressure is building. The sheer size of the installed base and the near-certainty that domestic vendors will lead the migration makes Trend Micro one of the more compelling names to watch as PQC spending accelerates in Asia.
Section 6: PQC Hardware and Infrastructure
What hardware needs to be replaced, and who benefits from the forced upgrade cycle?
With more advanced encryption comes bigger data payloads that slow down firewalls and hit capacity limits as larger keys and signatures move through them. The billions of IoT devices deployed, from smart meters to satellites to vehicles, simply don’t have enough memory or processing power to run the new algorithms. You can’t fix that with a software update. This is a forced hardware replacement cycle, and it starts with the chips that sit inside those devices.
6A. Pure Semiconductor Plays
Most devices that handle sensitive data carry a Trusted Platform Module, or TPM, a small dedicated chip that verifies the device's identity and runs its encryption. Every TPM in production today runs RSA. Infineon (IFNNY) shipped the first PQC-ready TPM back in 2022, making it the earliest mover in quantum-safe device authentication. When the CNSA 2.0 deadlines force organizations to upgrade, Infineon’s massive installed base across automotive and industrial applications becomes a refresh cycle. The stock trades at just 16x CY27E P/E.
The pure-play PQC semiconductor in the basket is SEALSQ (LAES), the only public company shipping a PQC-native semiconductor. Its QS7001 chip is designed for secure elements and TPMs. Every device that currently runs RSA-based authentication will eventually need a quantum-safe replacement, and LAES has a $49.8 million pipeline of those replacements in production today. The market cap is tiny and the stock is volatile, but the product exists and it’s shipping.
6B. Semiconductor Components & Other Devices
Not every device uses a standalone security chip. In many cases, the encryption engine is built directly into the main processor that runs the device. NXP, Microchip, and STMicroelectronics all make components that add security processing power to existing chips without replacing the unit. The differences are in where they sit and how far along they are.
When a car, a payment terminal, or an industrial controller needs to upgrade from RSA to PQC, the encryption engine is already inside the silicon. NXP’s (NXPI) automotive-focused units have the same capability, and they are unique in supplying to that space. The controllers embedded in servers, laptops, and industrial equipment that manage platform security also need upgrading. Microchip Technology's (MCHP) latest controllers already meet CNSA 2.0 compliance requirements today, which puts them ahead of most of the semiconductor industry. They also have the broadest IoT footprint of the group, which means more devices in the field that will eventually need replacing.
STMicroelectronics (STM) has taken the widest approach. It released software libraries so that its existing microcontrollers can run PQC algorithms without new hardware, and its automotive chips include accelerators to handle the heavier math. ST claims to be the first semiconductor company offering quantum-resistant features across all of its product lines. The limitation is that these are software patches and accelerators layered onto existing chips, not dedicated PQC silicon. That keeps STM further back in the queue than Infineon or Microchip, which are shipping purpose-built PQC hardware today.
Lastly, although many companies are moving towards software and cloud-native solutions, many data centers still use physical appliances that decrypt traffic so security tools can scan it for threats before re-encrypting it. A10 Networks (ATEN) has been gaining on this demand. Although they haven't announced PQC-specific products yet, the larger keys and heavier math means that if existing hardware can't keep up with the load, companies either upgrade to more powerful appliances or add more of them.
6C. Accelerators and FPGA’s
Some systems already have processors that work fine but need extra horsepower to handle the heavier PQC math. There are two ways to solve that. One is a dedicated accelerator, a chip whose only job is to run encryption so the main processor doesn't have to. The other is a programmable chip that can be reprogrammed in the field to run whatever algorithm NIST standardizes next. Both approaches avoid replacing the full system.
Silicom (SILC) builds the dedicated accelerators. They have two customers with the systems deployed, and the stock is up 42% year-to-date. Management projects the PQC addressable market to exceed $3 billion by 2030. Lattice Semiconductor (LSCC) builds the programmable chips, known as FPGAs, or Field-Programmable Gate Arrays, and was the first to certify them CNSA 2.0 compliant. Revenue is estimated at $631 million for 2026 with 21% growth. The programmability is the key differentiator. NIST will keep evolving the standards, and LSCC's chips can be reconfigured to run updated algorithms without physically replacing the hardware.
6D. Defense and Enterprise Infrastructure
The defense and enterprise infrastructure layer rounds out the hardware story. These are the systems where a failure is a national security incident or a payment network going down. The hardware is purpose-built, heavily certified, and expensive to replace. That makes the upgrade cycle slower but also stickier, because these buyers don't have the option of skipping it.
Classified military communications are already moving. Viasat (VSAT) is primarily a satellite and communications company, but its defense division builds the encryption devices the U.S. government uses across satellite links, tactical radios, and ground networks, generating $332 million in defense revenue and growing 9% YoY. CEO Mark Dankberg said the company's competitive position has "probably improved a little because of the urgency of the problem, and the market size has improved a lot."
On the financial side, Thales (THLLY) makes the dedicated encryption processors that banks and payment networks use to secure transactions. Every one of those processors will eventually need to handle the larger key sizes that PQC demands, which means either firmware upgrades or full hardware replacements across the global banking infrastructure. When governments and central banks set a cutover date, these systems move.
QKD and the Quantum Internet
What comes after post-quantum cryptography?
PQC upgrades the math that protects encrypted data. Quantum Key Distribution, or QKD, goes a step further and changes the physics. QKD uses the behavior of quantum particles to distribute encryption keys so that any interception is physically detectable. If someone tries to intercept a quantum-distributed key, the act of observing the particle changes it, which alerts both parties that the key has been compromised. The protection comes from physics itself rather than from the difficulty of a math problem.
Some organizations are adopting both: PQC for general encryption and QKD for their most sensitive channels, including military communications, intelligence, and interbank settlement. The QKD market is estimated at $446 million in 2024, growing to $2.49 billion by 2030. But the geopolitical gap is already enormous. China has built a 4,600-kilometer QKD fiber backbone from Beijing to Shanghai. The United States has 8 kilometers, a pilot network run by EPB in Chattanooga, Tennessee. The EU’s EuroQCI initiative is in early stages. This gap will likely drive significant future US investment, but the timeline is years away.
Investability is the biggest problem here though. ID Quantique is Swiss and private. Toshiba’s QKD business is a rounding error within the conglomerate. QuantumCTek is listed only in China and may not be investable for a lot of US institutions. There is essentially nothing pure-play to buy in QKD today.
The exception is Fortinet, which is the only network security vendor integrating both PQC and QKD into a single platform (FortiOS). If you want QKD exposure today through a real business with real earnings, Fortinet is the way in. QKD is worth watching as the longer-term evolution of quantum-safe communications, but PQC is the trade you can make today, and Fortinet covers both.
Portfolio Positioning
How do you structure a trade around the PQC migration theme?
Not every name in the PQC basket carries the same risk. Some are small companies where PQC is the whole business. Others are large platforms where PQC is one growth driver among many. The right approach to implement trade ideas off this thesis is to structure across tiers based on conviction and risk tolerance, with the heaviest weighting toward names that have real earnings and direct exposure to the compliance-driven migration cycle.
Terminal X's deep research reports on the PQC space cover over 120 cited sources across the sector, along with primary research from NIST, NSA, and broker sources, spanning 25+ equities across the quantum and post-quantum sectors. The full research reports, including valuation models and detailed company analysis, are available upon request.
Where the Weight Should Be
Not every sub-theme in the basket is equally investable. Crypto-agility platforms deserve the largest allocation because they capture recurring revenue from the migration without requiring hardware replacement cycles to play out. ZS is the cleanest expression of the thesis, though they don’t have very much direct revenue exposure yet. But their cloud-native architecture, 40 million users, 20%+ revenue growth, and the ability to push PQC updates centrally without touching a single customer device is appealing.
Terminal X’s deep research points to PANW and FTNT to round out the group. PANW’s CyberArk acquisition gives it the certificate and machine identity management layer that every enterprise will need during the migration, and FTNT is the only vendor covering both PQC and QKD in a single platform.
FFIV deserves attention as a less obvious play: the software transition is working (53% of product revenue, subscription growing 19% YoY), and it sits in front of enterprise applications the same way ZS sits in front of users.
The semiconductor layer is the second-heaviest allocation. Terminal X’s hardware deep dive makes the case that roughly 25-30% of the active IoT install base will require physical silicon replacement rather than firmware updates, creating a mandatory refresh cycle for chipmakers. IFNNY is the anchor as the earliest mover in PQC-ready security chips, with a massive automotive and industrial installed base trading at just 16x P/E. NXPI adds automotive-specific exposure. MCHP has the broadest IoT footprint and is already CNSA 2.0 compliant. LAES is the pure-play semiconductor bet: tiny, volatile, but the only public company shipping a PQC-native chip with a $49.8 million pipeline.
Constrained devices and accelerators carry some of the highest optionality. ARQQ is the only public company solving PQC for devices too limited to run the new algorithms, and SILC and LSCC are the only way to add PQC capability to existing systems without full hardware replacement. These are sized as asymmetric bets: small downside, but if the migration accelerates on the panic timeline, they have no direct competitors.
Identity and endpoint security and testing and compliance are catalyst-dependent. OKTA and CRWD are strong businesses that will benefit from PQC when they ship it, but neither has a PQC product today. They belong in the basket at smaller weightings as optionality on the migration timeline. VIAV and ACN capture the compliance and consulting spend, which historically runs large in any forced migration cycle, but the revenue is still early and so they also represent smaller weightings.
Defense and enterprise infrastructure is the stickiest part of the cycle but the slowest to convert. VSAT and THLLY serve customers where the upgrade is mandatory and the switching costs are enormous, but the procurement timelines in defense and banking stretch longer than in commercial IT. These are best scaled into over time.
The watchlist includes names where PQC exposure is real but the investment case has structural issues. Trend Micro (4704.JT) has the installed base but faces margin compression from the R&D required to retrofit a hybrid legacy portfolio. ATEN is gaining from physical appliance demand but is structurally challenged as the market moves toward software. CHKP’s PQC implementation covers only VPNs. NET has the most advanced deployment on earth but gives it away. These are names to monitor for catalysts rather than to own at size.
In any case, this is a fast-moving sector that requires constant monitoring. The PQC migration will produce new entrants and new technologies that warrant a re-evaluation as they mature. Quantum Key Distribution is the most obvious one. The QKD market is growing but there is almost nothing investable today: ID Quantique is private, Toshiba's QKD business is a rounding error, and QuantumCTek is listed only in China. Fortinet remains the only public company integrating QKD into a shipping network security platform.
On the hardware side, Xanadu is a private Canadian company building photonic quantum processors that could eventually enable QKD infrastructure at scale, though the company's current focus is quantum computing rather than key distribution. As QKD companies go public or existing vendors build out their platforms, this section of the basket will need updating.
Catalyst Calendar
The CNSA 2.0 timeline provides a sequence of hard catalysts that will force procurement spending regardless of market conditions:
- September 2026: FIPS 140-2 sunset
- January 2027: All new NSS acquisitions must be CNSA 2.0 compliant
- 2029: Google’s self-imposed PQC migration deadline
- December 2030: Software and firmware must exclusively use PQC
- 2031: NSA full migration target
- December 2033: Cloud and browser migration deadline
- 2035: Complete federal migration
The catalyst that accelerates all of this is harder to date. It probably isn't a quantum decryption breach, because HNDL harvesting is already happening well ahead of that. More likely it's a headline cycle: Google or IBM or Microsoft announcing billions in PQC spending, executives telling Congress the threat is immediate, and every security team that's been sitting on an assessment realizing they're behind. The compliance deadlines make this trade work on their own, but that kind of headline compression turns a steady migration into a panic.
Every infrastructure migration follows the same arc: years of awareness, months of urgency, and a final scramble where the bulk of the money gets spent. Y2K cost $308 billion to fix a two-digit date field. PQC touches every encrypted connection on earth, and the compliance deadlines are already set. The companies discussed above sit at the chokepoints of that migration, whether it plays out over 10 years or compresses into 6 months. The math has already changed, and the spending hasn't caught up yet.
This article synthesizes multiple Terminal X deep research reports on the PQC space, covering over 120 cited sources across the sector, along with primary research from NIST, NSA, and broker sources including Goldman Sachs, Morgan Stanley, and Citi. The full research reports, including valuation models and detailed company analysis, are available to Terminal X subscribers. The analysis covers 25+ equities across the quantum and post-quantum sectors.
Disclosures: Positions and ratings reflect Terminal X research views. This is not investment advice. Do your own work.
Want to build your own thesis? Launch Terminal X