Post-quantum cryptography (PQC) is often discussed as a future problem, but organizations are already exposed today due to long-lived cryptographic assets and the risk of “harvest now, decrypt later.” While many systems claim PQC readiness, few teams can answer a basic question: where is cryptography actually used, and which systems are still vulnerable?
This talk introduces a practical, discovery-first approach to PQC using Asset and Cryptographic Discovery and Inventory (ACDI). We demonstrate an open-source scanner that identifies cryptography across common services such as TLS and SSH, analyzes certificates and key algorithms, and highlights post-quantum-relevant weaknesses caused by legacy protocols or long-lived trust assets. We then show how these findings map to NIST’s PQC standards and enable teams to prioritize migration, adopt hybrid cryptography, and reduce risk incrementally. The session avoids heavy mathematics and focuses on actionable visibility and migration strategies.