CBOMs and Post Quantum: Getting Ahead in the Burgeoning Quantum Market Space

Binarly and QuSecure announced a new technological partnership, pledging to deliver a comprehensive solution that automates enterprises’ migration to quantum-secure systems, combining Binarly’s vulnerability detection and cryptographic analysis capabilities with QuSecure’s expertise in Post-Quantum Cryptography (PQC) and crypto-agility. QuSecure’s orchestration platform, QuProtect, enables centralized control and management of cryptographic assets within enterprises’ networks coupled with dynamic key rotation, algorithm switching capabilities to PQC, and continuously updated asset inventories. Meanwhile, Binarly offers premium software inspection capabilities via deep binary-level cryptographic analysis, identifying code defects beyond known vulnerabilities within software, firmware, and containers with vulnerable, compromised, or weak cryptographic assets, including cryptographic algorithms and protocols, expired x509 certificates, and compromised or leaked private keys. Combined, Binarly and QuSecure will enable enterprises to generate dynamic Cryptographic Bills of Materials (CBOMs) that are automatically updated and can be exported and downloaded for regulatory compliance and audit purposes.

The unification of Binarly and QuSecure’s offerings promises a full-stack solution for asset management and risk remediation, proffered via single pane of glass visibility. However, more specifically, by combining their expertise, Binarly and QuSecure are poised to lead the market with regard to CBOM generation tools, granting both a prominent role in the impending quantum transition. Discovery and inventory-taking have been earmarked as the first stages of preparing for the PQC migration by leading institutions, including the U.K. National Cybersecurity Centre (NCSC), helping to expedite and de-risk enterprises’ PQC migration. CBOMs are a crucial component to the PQC migration given their role in outlining potentially weak or compromised cryptographic assets and their associated dependencies, providing a structured inventory of assets and their potential security risks and, therefore, optimizing the process of vulnerability detection and remediation, which is necessary for enterprises seeking to batten down the hatches ahead of the prospect of Cryptographically Relevant Quantum Computers (CRQCs).

The rise of discovery-orientated offerings, including CBOM generation tools, is projected to continue both as part of the “shift left” in digital trust, making the burgeoning CBOM subsegment a hotspot for strong and sustained growth over the next 5 to 10 years. In particular, the December 2027 deadline for providing a Software Bill of Materials (SBOM) with all digital products sold in Europe, mandated by the Cyber Resilience Act (CRA), is expected to act as a catalyst; accelerating demand for tools for generating SBOMs. As an extension to SBOMs, CBOMs offer more granular insight into the specific cryptographic context of a given environment and its dependencies, particularly regarding cryptographic encryption, algorithm parameters (e.g., modes of operation, key sizes and lengths), and communications protocols, thus rendering CBOM generation tools as—if not more—significant as SBOMs within the PQC transition. Given that some regulatory schemes, including the CRA have already begun to standardize the format and elements of an SBOM, it will not be long before CBOMs are mandated to follow a set formula, opening a new market for smaller and newer vendors with unique cryptographic capabilities and niche expertise as it pertains to CBOMs.

As early movers, Binarly and QuSecure are well-primed to succeed within this new CBOM market subsegment. However, beyond their role as pioneers in a fairly nascent subsegment, Binarly and QuSecure’s partnership is indicative of the approach needed to succeed in what is expected to become an increasingly competitive and crowded market space, as well as a key battleground for digital trust vendors. Vendors seeking to expand their offerings into this space should:

• Prioritize Ease of Integration: Migration to PQC is already complex for enterprises; thus, simplifying the integration of CBOM tools and other solutions is crucial to amplifying these tools’ impact. For example, QuProtect is available for purchase via direct outreach to QuSecure and through third-party partners including Accenture, Dell, Cisco, and Carahsoft. Further, following an announcement in June 2025, QuProtect is also available via federal acquisition channels provided by Carahsoft, including AWS Marketplace, SEWP V, ITES-SW2, and OMNIA Partners. Other vendors like IBM have presented CBOM tools to the Post-Quantum Cryptography Alliance (PQCA) under the Linux Foundation.
• Focus on Cultivating Brand Reputation: The CBOM market is immature, with the adoption cycle in the early phases. Finding a space in this growing subsegment relies heavily on having a trusted and reputable brand, particularly given the cryptographic depth at which CBOM vendors are operating. Engagement in strategic government and national partnerships is vital here, as is engagement with pertinent regulatory bodies per CBOM and SBOM standardization efforts.
• Look Beyond Static and Internal Assets: QuSecure’s discovery capabilities enable it to look beyond static assets to determine what is being used for encryption within the communications channel; a critical functionality for enterprises looking to secure their assets against CRQCs. At the same time, Binarly’s cryptographic analysis delves deep into third-party components, beyond internal assets. This unique combination places Binarly and QuSecure’s solution out ahead of its competition, making it hard to rival and priming the two for continued success in the CBOM market.
• Cater to the Full Cryptographic Lifecycle Through Partnerships and Collaboration: Resource pressures and a lack of quantum expertise mean that enterprises require end-to-end solutions that assist their migration to quantum-secure systems from start to finish. Binarly and QuSecure’s partnership enables them to provide a comprehensive platform that includes not only the identification and discovery of assets, but also extends to remediation, offering a fully assisted transition to a quantum-safe system. Providing a CBOM is the first step, but if vendors want to expand their customer base, offering remediation based on the CBOM follows naturally. Acquiring additional capabilities via partnerships, acquisitions, and collaborations will help plug existing functionality gaps, enabling vendors to keep pace with the platformization trend across digital trust and drive their competitive positioning across the quantum tooling markets.
• Incorporate Business Context into Remediation Processes: QuSecure’s encryption hot-swapping functionality is a crucial remediation tool. Yet, to bolster the competitiveness of remediation capabilities further, vendors should focus on integrating the specific business context of a given enterprise into this process. The sensitivity of data protected, the use case for a given cryptographic asset, and the existence of potential in-line software mitigations or compensating controls are key context for a CBOM on the security side. However, the business impact of a potential breach or compromise of a cryptographic asset must be also communicated to decision makers. Providing a contextualized CBOM with remediation actions that consider the specific operational and financial consequences of potential cryptographic updates or changes will provide vendors with a strong competitive edge, boosting prospects for revenue generation in the CBOM space.