Methodology · Timeline projection
Today, 2030, post-PQC. The exposure curve, with sources.
The Timeline visualizer on every report shows three exposure bars: today's measured score, the 2030-2032 window, and the post-PQC-migration steady state. This page documents the multipliers used, the projection sources, and the limits we acknowledge.
What the timeline shows
Three horizontal bars per report:
- Today — current measured DBR score with current key-reuse multiplier (1.0× baseline).
- 2030-2032 — projected score applying a key-reuse multiplier based on accumulated harvested traffic by that window.
- Post-PQC migration — steady-state once PQC handshake adoption is broad (currently projected mid-to-late 2030s for general-purpose deployment per NIST roadmap).
The multipliers
| Snapshot | Multiplier | Rationale |
|---|---|---|
| Today (2026) | 1.0× | Current measured exposure. |
| 2030-2032 | 1.18× (low) / 1.35× (mid) / 1.55× (high) | Reflects 4-6 additional years of harvested traffic against the same long-lived keys. |
| Post-PQC | varies — depends on retrospective key compromise and migration completeness | The pre-migration tail does not vanish; harvested traffic from before the cutover remains decryptable if the underlying key was used through both eras. |
The mid (1.35×) is the default visualized; the low/high band is shown as range whiskers. The multiplier scales the keyPersistence + certLifetime contribution, not the keyExchange or subdomainScale components.
Source assumptions
- NIST IR 8547 — Transition to Post-Quantum Cryptography Standards. Used for general-purpose adoption-window estimation.
- NSA CNSA 2.0 — Commercial National Security Algorithm Suite 2.0; the U.S. national-security PQC requirement timeline (CNSA 2.0 algorithms required by 2033).
- Mosca's theorem framing — combine secrecy-lifetime + migration time + CRQC arrival probability to estimate harvest exposure.
- Public CRQC arrival projections — academic + industry roundup; we use a wide 2030-2040 band rather than a point estimate, with no implied probability mass on any specific year.
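The Mosca framing and the unweighted 2030-2040 band from the list above, worked through as an added Python example (not the scanner's own code, and not a DBR score calculation). The Deployment fields, the interval model and the sample years are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# The page's CRQC arrival band: every year is a scenario, none is weighted.
CRQC_BAND = range(2030, 2041)

@dataclass(frozen=True)
class Deployment:
    capture_start: int    # assumed: first year traffic could have been recorded
    migration_done: int   # assumed: year PQC handshakes fully replace classical ones
    secrecy_years: int    # how long captured data must remain confidential

def mosca_margin(d: Deployment, crqc_year: int) -> int:
    """Years by which secrecy lifetime + migration time overshoots CRQC arrival.
    Positive means some harvested traffic is still sensitive when it becomes readable."""
    return d.migration_done + d.secrecy_years - crqc_year

def exposed_years(d: Deployment, crqc_year: int) -> int:
    """Length of the capture window whose traffic is still sensitive at crqc_year."""
    # Traffic recorded in year t matters until t + secrecy_years, so only
    # captures made after (crqc_year - secrecy_years) are still sensitive.
    oldest_sensitive = max(d.capture_start, crqc_year - d.secrecy_years)
    # Harvestable traffic stops being produced once migration completes.
    return max(0, d.migration_done - oldest_sensitive)

def sweep(d: Deployment) -> dict[int, int]:
    """Exposure for each arrival scenario in the band, with no probability attached."""
    return {year: exposed_years(d, year) for year in CRQC_BAND}

def first_safe_year(d: Deployment) -> int | None:
    """Earliest arrival year in the band that leaves nothing exposed, if any."""
    return next((y for y, n in sweep(d).items() if n == 0), None)

if __name__ == "__main__":
    # Constructed sample: recording possible since 2022, migration ends 2031,
    # captured data must stay confidential for 7 years.
    sample = Deployment(capture_start=2022, migration_done=2031, secrecy_years=7)
    for year, years in sweep(sample).items():
        print(f"CRQC in {year}: {years} capture-years still sensitive "
              f"(margin {mosca_margin(sample, year):+d})")
    print("first arrival year with no exposure:", first_safe_year(sample))
```

Shortening secrecy_years or pulling migration_done earlier moves the first zero-exposure year toward the start of the band, which is the planning lever the framing points at.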
What this projection does NOT claim
- It does not predict CRQC arrival. The bars are not "by 2030 you will be decryptable"; they are "if a CRQC arrives in the indicated window, here is what your accumulated exposure looks like."
- It does not assume malicious harvesting at any specific organization. Multipliers describe cumulative-exposure-if-harvested. Whether your traffic is actually being harvested is not measurable from outside.
- It does not assume PQC is universal post-migration. "Post-PQC" reflects the steady state once mainstream deployments adopt PQC; a residual long tail is expected.
- It does not advise specific calendar dates for migration. "Begin migration now" is the consensus posture across NIST/NSA/ENISA; specific deadlines depend on data sensitivity lifetime.
- It does not factor regulatory acceleration. If new mandates compress migration timelines, post-PQC steady state arrives sooner. We track public guidance; we do not predict regulatory action.
Limitations + edge cases
- The multipliers assume continued use of the currently-observed key. If a domain rotates to a fresh key, the post-rotation baseline resets — but pre-rotation harvested traffic is not made safe.
- Domains with very short cert lifetimes and frequent key rotation already minimize the pre-2030 multiplier; their bars should appear nearly flat, which is the intended visual signal of good posture.
- The projection is per-domain and does not aggregate across an organization's full cert estate. A vendor-portfolio view (paid feature) sums the projection across monitored domains.
Try it
- Web: every report includes the timeline.
- API: /api/scan?domain=... returns a timeline object with the three values + multiplier band.