Macro Notes

The Quantum Threat

Paul
Jan 20, 2026

Three years ago, I had coffee with an old college friend who works at a quantum computing startup.

He was excited. Really excited.

Started explaining how their company was making breakthroughs in error correction, how they were getting closer to “cryptographically relevant” quantum computers, how everything was about to change.

I’ll be completely honest: I had no idea what he was talking about.

Qubits. Superposition. Shor’s algorithm. It all went over my head. I smiled, nodded, asked polite questions. But internally? I was lost.

Then he said something that I wrote off as nerdy paranoia at the time:

“The scary part isn’t when we finally build a powerful enough quantum computer. The scary part is that right now—today—people are harvesting encrypted data and just... storing it. They’re betting that in 5, 10, 15 years, we’ll have quantum computers powerful enough to decrypt it all. And they’re probably right.”

I remember thinking: Okay, calm down. That sounds like a Black Mirror episode, not a real threat.

Fast forward to last month.

I’m researching cybersecurity stocks—totally unrelated to quantum anything—and I come across this stat:

The global cybersecurity market hit $212 billion in annual revenue in 2025. Of that, $65-70 billion is tied directly to encryption products and services.

Then I see another number: a U.S. federal government mandate to replace all quantum-vulnerable encryption by 2035.

And it hits me.

That $65-70 billion? That’s not a “growing market.” That’s infrastructure that’s about to become completely obsolete. Every VPN. Every TLS certificate. Every encrypted database. Every digital signature system. Every secure communication platform.

All of it. Replaced. In less than 10 years.

And suddenly, what my friend told me three years ago doesn’t sound paranoid anymore. It sounds obvious.

The Threat That’s Already Happening (While Everyone Looks the Other Way)

I called him back immediately.

“I told you this in 2022,” he laughed. “You just weren’t ready to pay attention.”

He was right. Back then, it sounded theoretical. Science fiction. Quantum computers were still lab experiments running toy problems.

But here’s what I missed—and what most investors are still missing:

You don’t need a working quantum computer for the threat to be real.

Right now, as you read this, sophisticated actors—nation-states, intelligence agencies, organized crime syndicates—are doing something deceptively simple:

They’re copying encrypted data. Massive amounts of it.

Your company’s emails from 2024. Banking transactions. Medical records. Trade secrets. Intellectual property. Government communications. Cryptocurrency wallets.

They can’t decrypt any of it today. The math is still too hard for classical computers.

But they don’t need to decrypt it today.

They’re just... storing it. Waiting.

This strategy has a name in cybersecurity circles: “Harvest Now, Decrypt Later” (HNDL).

Here’s how it works: steal encrypted data today—it’s everywhere on the internet and easy to grab. Store it, because storage is cheap and getting cheaper. Then wait 5, 10, 15 years for quantum computers to mature. When that day comes, decrypt everything retroactively. Profit.

A September 2025 research paper from the Federal Reserve laid it out explicitly: even if a system migrates to post-quantum cryptography in 2027, and quantum computers arrive in 2030, any data harvested today with a 10-year shelf life is still vulnerable.

Think about what data in your life—or your company’s operations—has value that extends 10+ years. Patents and R&D have 15-20 year value. Medical records last a lifetime. State secrets remain sensitive for decades. Financial transactions can be investigated 10+ years later. Personal communications are permanent.

It’s all being harvested. Right now.

And when quantum computers arrive—whether that’s 2030 or 2035 or 2040—it all becomes readable.


Why This Time Actually IS Different

I know, I know. “This time is different” is the most expensive phrase in investing.

But hear me out.

This isn’t hype. This isn’t speculative. This isn’t “maybe consumers will adopt this new thing.”

This is a mandated, regulated, time-sensitive infrastructure replacement affecting every encrypted system on Earth.

And the timing is perfect right now. Here’s why:

Back in 2020-2023, it was too early. No standards existed. NIST was still evaluating dozens of post-quantum algorithms. Companies couldn’t commit billions to migration when they didn’t know which algorithms would be standardized. You couldn’t even start planning.

By 2028-2030, it’ll be too late. Everyone will have already migrated. Every cybersecurity vendor will offer PQC as standard. Prices will be commoditized. The asymmetric returns will be gone. You’ll be buying Cisco at 15x earnings.

But right now, in 2024-2026, we’re in the sweet spot. NIST finalized standards in August 2024 with FIPS 203, 204, and 205. They selected a fifth algorithm in March 2025 as backup. Early production deployments are proving the tech works at scale. Regulatory deadlines are set for 2030-2035, creating real urgency. But mass enterprise migration hasn’t started yet. And the market hasn’t priced in which companies will dominate.

This is the 18-24 month window where early movers make asymmetric returns. After the infrastructure is proven. Before it’s priced in.


The Market Size That Should Excite Every Investor

Let me make the numbers concrete.

As of 2025, the global cybersecurity market generates $212 billion annually. Of that, $65-70 billion comes from encryption-related products and services.

By 2035, 100% of that $65-70 billion in encryption infrastructure needs replacement. Not an upgrade. Complete replacement.

The U.S. federal government alone is estimated to spend $7-12 billion on this migration. Global financial services will spend another $15-20 billion. Healthcare adds $8-10 billion. Enterprise and corporate sectors represent $25-30 billion. Critical infrastructure another $5-8 billion.

We’re looking at a $50-100 billion total addressable market over the next 9 years.

But here’s the kicker: unlike a new product category where you have to convince customers they need it, this migration is legally mandated.

The NSA started preferring PQC-ready vendors in 2025—that’s now. The U.S. government has mandated full migration by 2035. The NSA’s CNSA 2.0 guidelines require completion by 2033. The European Union set 2030-2035 deadlines depending on sector. Australia has an aggressive 2030 target.

Companies don’t get to say “we’ll wait and see.” They don’t have a choice.

The only question is: who gets paid to solve the problem?


What My Friend Actually Does (And Why He Saw This Coming)

When I called him back, I asked: “Why didn’t you convince me three years ago that this was urgent?”

He laughed. “Dude, I tried. You weren’t listening. But also, back in 2022, we honestly didn’t know if we’d get there. Quantum computers are hard. Really hard. Every time we made progress on one problem, three new problems appeared.”

“So what changed?”

“Two things. First, we’re closer than most people think. Not 20 years away. More like 8-12 years to cryptographically relevant quantum computers. Second—and this is what investors should care about—it doesn’t matter if we’re 5 years away or 15 years away. The HNDL threat is already active. The moment everyone figured that out, the migration became inevitable.”

He paused.

“The smart money isn’t betting on when quantum computers arrive. The smart money is betting on who builds the infrastructure to replace $70 billion worth of obsolete encryption.”

That’s when it clicked for me.

This isn’t a speculative quantum computing play. This is a mandated infrastructure replacement cycle.

And there are only a handful of companies that can execute it at scale.


In the premium section, I reveal:

The three companies that control over 80% of the PQC deployment market, and why one is absurdly undervalued relative to its position. I’ll show you Cloudflare’s hidden moat that has nothing to do with technology—and why Wall Street analysts are completely missing it. There’s a 2027 compliance catalyst coming that will force every Fortune 500 company to disclose their PQC readiness, and it’s going to trigger panic buying. I’ll walk you through exactly how to position your portfolio for the 2030-2033 rush when enterprises realize they’re out of time.

I’ve also identified a federal contractor play—a $2.8 billion market cap company that holds 60% of government PQC contracts but trades like a forgotten defense stock. And I’ll give you a complete valuation framework showing exactly when to buy, when to trim, and when to go all-in on each name.

This is the closest thing to a guaranteed infrastructure spending cycle I’ve seen in tech investing.

Not if. Who.

This report is based on 50+ hours of research, conversations with quantum computing engineers, NIST documentation, regulatory filings, and deployment timeline analysis. I believe post-quantum cryptography is the most under-appreciated, highest-conviction infrastructure play in cybersecurity—and we’re in the perfect entry window.

Macro Notes identifies the biggest market opportunities by providing analyses I conduct myself with the help of my team and several AI-powered financial research tools, plus countless hours of reading. Subscribe to never miss an opportunity and unlock all our content.
