Federal procurement teams are starting to ask a question that most security organizations cannot answer: where is every RSA and ECC key, certificate, and cryptographic dependency in their environment, and which of them will break under post-quantum cryptography mandates? The National Security Agency's CNSA 2.0 suite pushes agencies and their vendors toward quantum-safe algorithms on a defined calendar (QuSecure, PostQuantum.com). The quantum hardware that the rules nominally guard against remains a forecast. The deadline is real.
RSA and ECC are the asymmetric algorithms that protect most internet traffic, bank transfers, code signing, and software updates. In a typical enterprise, the keys and certificates are scattered across cloud accounts, on-prem servers, container images, vendor SDKs, machine identities in CI/CD pipelines, and embedded firmware. The Q-Day framing suggests the work happens when a quantum computer arrives. The compliance framing says it has to happen now, because the federal procurement calendar will not wait.
That is the gap QIZ Security is positioning against. The company describes its platform as an API-based, agentless discovery layer that maps cryptographic assets across on-prem, cloud, and hybrid infrastructure (QIZ Security). In plain terms, it scans the environment for every RSA certificate, ECC key, TLS endpoint, and signed library, ranks them by business impact, and pushes the inventory into compliance workflows. The pitch is an inventory tool for a compliance deadline. The quantum computer is the backdrop.
QIZ announced a $17 million seed round to build that out, co-led by Bessemer Venture Partners and Merlin Ventures, with Evolution Equity Partners, Qbeat Ventures, Singtel Innov8, and Qino Cyber Capital participating (PR Newswire, Quantum Computing Report). The roster carries weight. Bessemer is a long-running enterprise infrastructure investor. Merlin focuses on defense and intelligence. Singtel Innov8 points at Asia-Pacific carrier distribution. A round this size establishes cryptographic posture management as a venture-backable category, but it does not establish a leader. QIZ has named Google Cloud, AWS, IBM, Cisco, and Deloitte as ecosystem partners (PR Newswire). The press release does not distinguish between marketplace listings, technical integrations, reference architectures, and reseller agreements, and the distinction matters for how durable the channel is. Treat the names as signal, not as a confirmed integration roster.
Q-Day, the moment a fault-tolerant quantum computer breaks today's public-key cryptography, does real work as a sales frame. The risk is genuine: a "harvest now, decrypt later" adversary can stockpile RSA-encrypted traffic today and read it once the hardware exists. Q-Day timing is a forecast rather than a date, and estimates from academic and government groups span more than a decade. Most enterprises will hit CNSA 2.0 procurement windows years before any quantum machine cracks a meaningful key, which means the deadline is doing the actual work while the threat model provides political cover. Conflating the two lets security spending hide behind a future catastrophe.
A $17 million seed is early evidence in a small but growing field. Cryptographic posture management and post-quantum migration services have been bundled into broader machine-identity and key-management platforms for years. The round confirms that venture capital will fund a specialist in this slot. The platform that wins will keep up with shadow IT, signed firmware, and machine identities in pipelines, and QIZ's pitch needs to land on inventory quality rather than Q-Day slides.
The next thing to watch is whether the federal calendar actually pulls inventory work into active procurement. The first CNSA 2.0 software-signing milestones are the test. If agencies start requiring cryptographic bills of materials in contract language, the inventory problem becomes a sales problem and the market QIZ is betting on materializes.