Why I'm Starting a Newsletter About the Hardest Tech Program You'll Ever Run
Introducing The PQC Migration Brief - filtered, practitioner-focused analysis of what matters for your migration program
I have spent over 30 years in cybersecurity, including stints leading practices at IBM, PwC, and KPMG, running cryptography and quantum startups, and serving as CISO and CTO for Fortune Global 500 organizations. The first time I was asked to assess the threat quantum computers pose to cryptography was in 2001. Over the past several years, the quantum thread that ran through my career became the main thread: I’ve led PQC migration programs with 120,000+ tasks for telecoms and financial institutions, advised governments on the quantum threat, and built PostQuantum.com into a publication with over a million monthly readers. Earlier this year I published the Applied Quantum PQC Migration Framework, a free, open, CC BY 4.0 methodology that takes organizations from “we know quantum is a risk” to “we are actively migrating and can prove it.”
And I keep running into two problems that compound each other.
The first is that the knowledge base for running a PQC migration barely exists. There are no established methodologies beyond what I and a handful of others are building now. There are no shelves of books on the subject. Most consultants advising organizations on PQC migration have never run one. I watch programs stall because teams drew the wrong analogy — treating this like a Y2K remediation, or a standard infrastructure refresh, or a compliance checkbox exercise — and built plans that collapse when they encounter the actual complexity of cryptographic dependencies across an enterprise. PQC migration is the largest, most complex IT/OT overhaul most organizations will ever attempt, and the people responsible for executing it are largely working without a map.
That is why I published the framework. But a framework alone is not enough, because the second problem is that the ground keeps shifting. A CISO who built her roadmap around NIST’s 2035 deprecation horizon in January discovered by May that regulators are clustering their deadlines around 2028 to 2030. An architect who planned solo ML-DSA signature deployment in March now has a 59-page paper quantifying why that decision carries an order of magnitude more risk than hybrid. A PKI team that assumed post-quantum certificates would be larger versions of today’s X.509 chains just learned that the world’s largest certificate authority chose an entirely different architecture.
No established playbook, and the few reference points that exist keep moving. That is why I am launching The PQC Migration Brief.
What This Newsletter Does
Every issue applies a single editorial filter: does this development affect how organizations plan, execute, or govern their PQC migration?
If yes, I cover it. If no, I skip it, no matter how interesting the quantum computing news might be. You will not find quantum hardware milestones here unless they change CRQC timeline estimates enough to affect migration urgency. You will not find quantum sensing or quantum AI coverage. You will not find general industry funding news. For that broader coverage, PostQuantum.com and Quantum Observer are the right places.
What you will find: algorithm guidance updates that affect your selection decisions. Regulatory developments that change your timelines. Vendor readiness changes that alter your procurement assumptions. Infrastructure findings that affect your deployment planning. Lessons from real programs, including my own, about what works and what fails in practice. And, where the established knowledge simply does not exist yet, the practitioner judgment calls and methodology decisions that I am building into the framework as I go.
Every analyzed item ends with a concrete practical takeaway. Something specific enough that you could forward it to your program manager or steering committee and they would know what to do with it.
Why Now
Three things converged in 2026 that made a dedicated migration-focused channel necessary rather than optional.
First, the compliance calendar compressed. A year ago, most migration roadmaps assumed a comfortable glide path to 2035. Today, CNSA 2.0’s procurement gate hits January 2027. A draft U.S. executive order targets 2030 for agencies and contractors. The EU is writing PQC obligations into NIS2 implementing law. India finalized a 2029 deadline for critical infrastructure. Google and Cloudflare both committed to 2029 for full post-quantum migration. Organizations planning to a 2035 horizon are planning to a deadline their regulators, vendors, and counterparties have already abandoned.
Second, the implementation questions got harder, and there is almost nowhere to turn for answers. Early PQC guidance was “do an inventory, prioritize, migrate.” That advice is correct in the way that “buy low, sell high” is correct. The practitioners I work with are past that stage. They need answers to questions like: should I deploy solo ML-DSA or hybrid Ed25519+ML-DSA for signatures? How do I plan PKI modernization when the Web PKI is forking between Merkle Tree Certificates and traditional X.509? What do I do when my HSM vendor’s FIPS 140-3 validation is 18 months away and my compliance deadline is 8 months away? No textbook covers this. Most advisors have not faced it. The answers are being discovered in real programs right now, and this newsletter is where I share what I am learning.
Third, the noise level increased. Vendor marketing, Q-FUD (quantum fear, uncertainty, and doubt), and breathless media coverage make it harder to identify which developments actually matter for migration planning. A practitioner who reads every quantum news item spends hours filtering signal from noise. This newsletter does that filtering for you.
How This Connects to the Framework
The Applied Quantum PQC Migration Framework is the reference methodology: an 8-phase, end-to-end guide covering everything from executive mandate and business case through discovery, CBOM, risk scoring, roadmap, pilots, infrastructure, and vendor governance. It is free, completely open, and published under CC BY 4.0. No email gate, no signup required. Use it, adapt it, build on it.
This newsletter is the ongoing companion. The framework tells you how to migrate. The newsletter keeps you current on what changed since you last looked. When a development affects a specific framework phase, I will say so and link to it. When a development requires the framework itself to be updated, I will note that too.
I also write about quantum security more broadly on PostQuantum.com, and my book Quantum Ready covers organizational quantum readiness for practitioners who want the full argument in one place. Applied Quantum is my firm, where we help financial services, government, telecoms, and critical infrastructure organizations execute what the framework describes.
What’s Coming
The first substantive issues are already drafted. Here is what to expect over the next two weeks:
The ML-DSA hybrid debate is settled. Daniel Bernstein’s June 2026 paper provides open-source attacks that recover ML-DSA secret keys in under a second, backed by a statistical model showing solo ML-DSA deployment produces roughly ten times more breakable keys than hybrid Ed25519+ML-DSA. I will walk through what the paper says, where its estimates are strong, where they require nuance, and what it means for your Phase 5 deployment decisions.
The Web PKI is forking. Let’s Encrypt, Google, and Cloudflare have aligned on Merkle Tree Certificates as the post-quantum authentication path for browsers. Your internal PKI (microservices, VPNs, mTLS, device authentication) will take a different path. I will cover what this two-track reality means for PKI modernization planning and what you should be doing now.
Every deadline moved forward. Five countries tightened their PQC timelines between March and June. NIST advanced nine additional signature candidates to the third round. The G7 central banks published their first quantum risk report for financial services. Google’s secret ECC-breaking circuits were independently reproduced in two months. I will map the pattern and explain what it means for program timelines.
Subscribe if you want the analysis filtered, grounded, and actionable. Unsubscribe whenever it stops being useful. The framework is yours regardless.
Welcome to The PQC Migration Brief.
— Marin

