Post quantum cryptography standards are settled. The real bottleneck is knowing which devices still run quantum vulnerable ciphers on protocols like SSH (the standard remote login protocol), and the 6% figure making the rounds comes from Forescout's own internet scans, the same…
The cybersecurity industry spent the last five years arguing about which post-quantum cryptography algorithm should replace today's public-key systems like RSA and elliptic-curve encryption. That argument is over. The relevant standards are settled. The harder, less photogenic question now is operational: which devices in any given enterprise are still running quantum-vulnerable ciphers, and how does anyone actually find out?
A new product launch this week from Forescout, a network-security vendor long associated with asset visibility, is built to answer exactly that question, and it leans on a statistic that is doing a lot of work in the press coverage: only about 6% of the roughly 186 million internet-facing SSH servers that Forescout scanned currently support post-quantum key exchange. SSH, the near-universal remote-login protocol, sits at the foundation of how administrators and automation reach servers, and a server that only negotiates classical ciphers is, in Forescout's framing, an exposure waiting for a sufficiently powerful quantum computer to decrypt previously captured traffic.
The dashboards themselves, embedded inside Forescout's 4D Platform, score the cryptographic ciphers supported by every asset the platform can see across IT, operational technology (OT), Internet-of-Things (IoT), and Internet-of-Medical-Things (IoMT) environments, then surface the results as both platform visibility and executive reporting. Forescout describes the system as the first network-layer solution able to identify non-quantum-safe ciphers in real time across managed, unmanaged, and evasive devices, language that is best read as the vendor's positioning rather than a third-party benchmark.
The mechanism matters because the wider industry narrative on PQC readiness has shifted from algorithms to inventory. Independent trade publication TechTarget reported this month that about 90% of systems are unprepared for PQC, framing the gap not as a choice of cipher suite but as a "Q-Day" readiness problem, where Q-Day is shorthand for the moment a cryptographically relevant quantum computer can break today's public-key encryption.
The underlying driver is the harvest-now-decrypt-later attack model: adversaries record encrypted traffic today with the expectation of decrypting it once quantum capability arrives. Any SSH or TLS endpoint that only negotiates classical key exchange is therefore treated as a time-bomb exposure, regardless of how strong the rest of its configuration looks.
What makes Forescout's announcement analytically interesting, rather than simply a vendor announcement repackaged across the trade press, is the source of the 6% figure itself. It is not a neutral measurement. It comes from Forescout's own internet-wide scanning, and the dashboards it is being paired with are built on the same vendor's visibility platform. That is a productive tension worth naming: the gap the vendor is selling to fix is measured by the vendor's own instruments, and the headline statistic is the size of the problem only inside the slice of the internet that those instruments can reach.
The visible scope is broad: Help Net Security's write-up of the announcement runs through the IT, OT, IoT, and IoMT coverage and the executive-reporting layer, while IT Security Guru frames the 6% number as a slow-progress signal on the broader quantum-safety transition. Regional wires, including TelcoNews and SecurityBrief Australia, have picked up the same core statistic and pushed it into telecom and Asia-Pacific enterprise-security feeds.
For a security team trying to use this announcement to argue for visibility investment, the productive framing is not "Forescout says 6%" but "Forescout can see 6%, and we have no idea what it cannot see." That is the falsifier to bring to any vendor-led PQC readiness statistic, including this one. Network visibility tools have well-known blind spots: non-routable internal IPs, traffic inside encrypted tunnels the scanner cannot introspect, devices that fingerprint inconsistently, and OT and IoT endpoints that never appear in the addressable scan surface at all. A 6% figure that counts only what the scanner can reach is, if anything, an optimistic lower bound on the share of endpoints still negotiating classical ciphers. The exposure is at least as large as the headline number suggests, and possibly larger in ways the visibility tooling structurally cannot report.
The follow-on problem, which Forescout's launch only gestures at, is what happens after the inventory arrives. Even a complete, continuously updated map of every quantum-vulnerable cipher on the network does not by itself upgrade a single SSH endpoint; it produces a remediation backlog. Configuration rollouts across legacy OT gear, medical devices, and unmanaged IoT firmware do not accept the same push-button fix as a server fleet, and the second-phase question, how the inventory actually gets translated into ciphers replaced on schedule, is where the vendor's dashboard story hands off to operational reality.
What to watch next: an independent scan or academic measurement of PQC-suite support on the same internet surface would change the framing from "vendor research" to "industry baseline." Until then, the 6% number should be read as the visible floor, not the ceiling, of the PQC readiness problem, and as a useful reminder that the binding constraint on quantum-safe encryption is not which algorithm to pick but whether an organization can continuously know what is running on every device it owns.