What changed
FACT (per provided sources): a White House executive order sets a 2030 deadline for post-quantum cryptography migration across government and industry (blog.cloudflare.com/post-quantum-eo-2026). FACT: computer-use agents are now available in a cheap Flash-tier model (deepmind.google), and frontier reasoning cost-per-task keeps dropping (openai.com/gpt-5-6). HYPOTHESIS: these together make automated per-repo crypto discovery cheap enough to sell profitably at $500-$2,500 per scan instead of consultancy engagements at $25k+.
Why now
FACT: the EO creates a hard 2030 clock. HYPOTHESIS: agencies will push inventory/attestation requirements down to suppliers via procurement language over the next 12-24 months, and early movers who can hand a prime contractor a CBOM will win contract renewals. CAUTION (inference): an EO directs agencies, not small vendors directly β contractor obligations typically arrive later via FAR/DFARS rulemaking, so the 'forced buyer' at the long tail may not be legally forced yet. That timing gap is the central risk of this idea.
Converging signals
1) Federal PQC EO with 2030 deadline (regulation, cited). 2) Flash-tier computer-use agents make UI/browser automation cheap (ai, cited). 3) GPT-5.6-class cost-performance lowers per-scan reasoning cost (ai, cited). The bridge: a compliance obligation meets a collapsed cost of automated discovery, opening a price tier consultancies cannot serve.
Customer pain
HYPOTHESIS with strong prior: small federal contractors and gov-facing SaaS vendors have no cryptographer, no inventory of where RSA/ECC/SHA-1 live in their code, dependencies, certs, and TLS configs, and no way to answer a prime's or contracting officer's 'what is your PQC posture?' questionnaire. Today that question is starting to appear in security questionnaires and renewals; by the time FAR clauses land it becomes a filing obligation. No direct source in the input evidences current SMB purchasing β that must be validated in week 1.
Who pays
Small/mid federal contractors (SAM.gov registrants), SaaS vendors on or seeking FedRAMP-adjacent business, and the MSPs/MSSPs who serve them (an MSP can resell one scan across 30 clients). The MSP channel is the realistic wedge: one relationship yields many scans.
Solved today
Enterprise cryptography-discovery platforms (SandboxAQ AQtive Guard, Keyfactor/InfoSec Global) priced and sold for large enterprises; big-4 and boutique quantum-readiness consulting engagements; or β for the long tail β nothing at all, i.e., ignore it until forced. Open-source pieces exist (IBM's CBOMkit, sonar-cryptography) but require expertise to run and interpret.
Why current solutions are bad
Enterprise tools require procurement cycles, agents/appliances, and five-figure minimums a 15-person contractor will never pay. Consultants are slower and more expensive still. Open source produces raw findings, not the artifact the buyer actually needs: a signed, plain-English readiness report they can hand to a prime or contracting officer. The deliverable gap (attestation artifact, not migration) is exactly the solo-serviceable slice.
Proposed product
A productized scan: customer connects a repo (GitHub app) and lists domains; agentic pipeline runs static crypto-usage detection (leveraging existing OSS scanners), TLS endpoint probing, dependency/CBOM assembly, and an LLM-written executive readiness report mapped to the EO/NIST PQC algorithm guidance, with a prioritized remediation list. Output: CBOM (machine-readable) + branded PDF report. Charge per scan; MSP tier with white-label reports. Re-scan subscriptions for drift monitoring are the expansion revenue.
MVP version
2-3 weeks solo: GitHub-app or CLI intake β run existing open-source crypto scanners + custom regex/AST rules for the top 20 crypto misuse patterns β sslyze/zlint against public endpoints β Claude/GPT pipeline assembles CBOM JSON and writes the readiness report from a fixed template. No dashboard needed; email the PDF. Manual QA of each report initially (it doubles as trust-building).
30-day build
Week 1: before building, run the kill test β 25 outbound conversations with MSPs serving federal contractors and with small primes' subcontract managers, asking 'are you being asked about PQC yet, and what would you pay for the report?' Weeks 2-3: build the scanner pipeline against 5 open-source repos as demo reports. Week 4: publish 3 sample reports as lead magnets; offer 10 paid pilot scans at $500.
60-day build
Convert pilots to case studies; land 2-3 MSP reseller deals (white-label at $300/scan wholesale); add TLS-endpoint-only 'lite scan' at $199 for pure-SaaS vendors; automate report QA to under 1 hour of human review per scan.
90-day revenue plan
Target: $5k-$15k cumulative β e.g., 15 direct scans at $500-$1,500 plus 1-2 MSP partners doing 5-10 wholesale scans. This is deliberately modest: revenue is capped until procurement flow-down creates real forcing pressure. If week-1 discovery finds no one currently paying, park the build and set a tripwire on FAR/DFARS PQC rulemaking instead.
Distribution path
No enterprise sales: SAM.gov and FPDS data to build a target list of small contractors by NAICS (a public-records skill Charles already has); cold outreach with a free teaser scan of their public TLS endpoints ('your login page still negotiates X; here's what the 2030 EO means for you') β demonstrated value, not relationship sales; MSP/MSSP partnerships; SEO/content on 'PQC attestation for federal contractors' where competition is still thin.
Pricing hypothesis
$199 endpoint-only lite scan; $500-$1,500 full repo+infra scan and report depending on repo count; $99/mo re-scan/drift monitoring; MSP wholesale $300/scan white-labeled. Per-scan pricing mirrors his proven per-upload ELDT model.
Technical difficulty
Moderate and squarely in his lane: orchestration of existing scanners + agentic glue + report generation. The hard part is false-positive control (calling something 'quantum-vulnerable' wrongly damages credibility) β mitigated by conservative rules and human QA on early reports. No novel cryptography required; the product inventories crypto, it doesn't implement it.
Legal / regulatory risk
Low-moderate. The report must be framed as an inventory/readiness assessment, not a certification or legal attestation of compliance β clear disclaimers needed. Scanning only customer-authorized repos/domains keeps CFAA risk nil. HYPOTHESIS: if a formal federal attestation portal emerges (as with CISA's secure-software attestation), that becomes the per-filing upsell that matches his ELDT playbook exactly.
Platform dependency
Low. Core pipeline is OSS scanners + interchangeable LLM APIs; GitHub App is a convenience, not a dependency (CLI/zip intake works). No app-store or single-platform approval risk.
Founder fit
High on shape, with one honest gap. Matches his proven pattern β regulation compels a party to demonstrate something to the government; he builds the automation layer and charges per transaction β and leverages public-records skill (SAM.gov targeting), AI-workflow strength, and demonstrated-value selling. The gap versus ELDT: today there is no portal to file into and no enforcement date biting small vendors yet, so he is selling ahead of the forcing function rather than inside it.
Breakout potential
If FAR/DFARS PQC clauses land, every one of ~100k+ SAM-registered entities with software exposure needs this artifact recurringly, and the drift-monitoring subscription plus per-filing submission service becomes a durable compliance annuity. Cryptographic inventory also generalizes beyond federal (PCI, insurers) if the federal wedge works.
Final recommendation
CONDITIONAL GO β validation-first. The convergence is real and the shape fits his proven regulatory-filing playbook, but the forcing function hasn't reached the long-tail buyer yet, which threatens the 30-90-day cash requirement. Spend one week and near-zero dollars on 25 buyer conversations plus a free-teaser TLS scan campaign; build the full pipeline only if at least 3 parties agree to pay for a pilot scan. Otherwise tag 'revisit later' with a tripwire on FAR/DFARS PQC rulemaking and prime-contractor questionnaire adoption.
Next action
Pull a SAM.gov extract of small IT/software contractors (NAICS 5415xx), run a free public-TLS-endpoint teaser scan on 50 of them, and send 25 outreach emails/calls this week asking whether PQC questions have appeared in their questionnaires and what a $500 readiness report is worth to them.