Convergence Radar Convergence Engine

← Feed

C

Crypto-BOM Scan & PQC-Readiness Attestation Reports for Small Federal Subcontractors

49/100

Automated AI-driven cryptographic inventory of a vendor's codebase plus a procurement-ready PQC-readiness report, sold per-scan to small ISVs facing post-quantum questionnaires from primes and agencies.

Interesting but not urgent. Β· created 2026-07-10 00:56 UTC

aisaasapiagentpublic recordsrevisit laterlong-term

Scorecard

newness 7/10
convergence 7/10
demand evidence 2/10
existing spend 3/10
solo feasibility 8/10
speed to mvp 8/10
speed to revenue 3/10
distribution 5/10
competitive gap 5/10
expansion 7/10
founder fit 7/10

Penalty flags
long trust cycle no urgent pain (βˆ’9 from raw 55)

Opportunity brief

What changed
FACT (Cloudflare source): a White House executive order sets a 2030 deadline for post-quantum cryptography migration across government and industry. FACT (DeepMind, OpenAI sources): agentic/frontier model costs per task dropped again, making whole-codebase automated analysis cheap. HYPOTHESIS: these compliance obligations are already propagating down federal supply chains as PQC questionnaires to small vendors β€” the input asserts this but provides no source showing a prime or agency actually sending such questionnaires today.
Why now
FACT: the EO gives PQC a hard 2030 clock, converting it into a budgeted compliance item. HYPOTHESIS: 'now' may actually be 12-24 months early for the small-vendor segment β€” flow-down of federal security requirements historically lags rule-making by years (CMMC took ~5 years from announcement to enforceable flow-down). The cost-of-scanning argument is real, but cheap supply does not prove present demand.
Converging signals
(1) Regulation: PQC EO with 2030 deadline (cloudflare.com source). (2) AI: computer-use in a cheap Flash-tier model makes agentic automation viable for solo builders (deepmind.google source). (3) AI: GPT-5.6 performance-per-dollar claim lowers per-repo scan economics (openai.com source). The convergence is coherent: regulation creates a reporting/attestation burden; cheap agents make the audit nearly free to produce.
Customer pain
HYPOTHESIS: a small ISV receives a PQC-readiness questionnaire from a prime, has never inventoried its cryptography, and faces either a five-figure consulting engagement or guessing on a form that carries contract risk. This pain is plausible but UNPROVEN β€” no signal in the input shows a single vendor complaining about a PQC questionnaire today. Contrast with the founder's ELDT win, where the mandate forced filings immediately and visibly.
Who pays
Small/mid-size ISVs, SaaS vendors, and subcontractors in federal supply chains (per the convergence description β€” hypothesis about timing). Secondary: MSPs/vCISOs who answer questionnaires for many small clients and could white-label the report; this may be the better first buyer since they feel the pain across a portfolio.
Solved today
HYPOTHESIS: today most small vendors simply don't answer, answer inaccurately, or pay consultants. Enterprises use emerging CBOM (cryptographic bill of materials) tooling β€” IBM's open-source CBOMkit, SandboxAQ AQtive Guard, Keyfactor, ISARA β€” all aimed at large organizations, not $500 SMB engagements.
Why current solutions are bad
Consulting is five figures and slow; enterprise CBOM platforms require deployment, budget, and security review a 10-person ISV won't do; open-source scanners (CBOMkit, Sonar cryptography plugin) produce raw inventories, not a procurement-ready attestation narrative a non-crypto-expert can attach to an RFP response.
Proposed product
A self-serve scan: vendor connects a repo (or uploads a tarball for the security-conscious), an agentic pipeline inventories TLS configs, JWT/signing algorithms, hashes, embedded certs, and vendored crypto libraries, classifies each as quantum-vulnerable or PQC-ready, and emits (a) a machine-readable crypto-BOM (CycloneDX CBOM format) and (b) a signed PDF 'PQC Readiness Report' with a migration-gap summary formatted to answer common questionnaire fields. Recurring re-scan subscription tracks drift.
MVP version
2-3 weeks: static-analysis pass (grep/AST + LLM classification) over one language ecosystem (start with Python or JS), CycloneDX CBOM output, templated PDF report, Stripe checkout, upload-a-tarball intake (no OAuth/app-review dependency). Deliberately NOT a live enterprise integration. The scan itself is honest static inventory β€” do not market it as a certified audit.
30-day build
Weeks 1-2: demand validation BEFORE building β€” mine GovCon/NDIA forums, r/govcon, LinkedIn, and prime-contractor supplier portals for actual PQC questionnaire language; interview 5 MSPs serving federal subs. If zero evidence of questionnaires in the wild, park the idea. Weeks 3-4: if validated, ship MVP scanner for one language, run it on 10 open-source projects, publish the results as content marketing ('we scanned 10 popular libraries for quantum-vulnerable crypto').
60-day build
Add second language ecosystem, CycloneDX CBOM export, and a questionnaire-answer generator (maps inventory to the specific questions primes ask). Land 3-5 paid scans at $299-$499 via direct outreach to vendors on SAM.gov/GSA schedules whose products are obviously software. Pursue 1-2 MSP white-label deals.
90-day revenue plan
Realistic: $1-5k total from 5-15 one-off scans plus one MSP arrangement β€” IF questionnaires are actually flowing. HYPOTHESIS: revenue at this stage depends entirely on external timing the founder does not control; the honest downside case is $0 because the pain has not yet arrived for this segment.
Distribution path
SEO/content on 'PQC readiness questionnaire' and 'crypto bill of materials' searches (low competition today), direct outreach to SAM.gov-registered small ISVs, MSP/vCISO channel, and posting scan results of public projects for credibility. No enterprise sales required for the SMB tier, which fits the founder constraint.
Pricing hypothesis
$299-$499 per scan/report; $99/mo re-scan subscription; $1-2k/yr MSP white-label per portfolio. Per-transaction pricing mirrors the founder's proven per-upload ELDT model.
Technical difficulty
Moderate. Static crypto inventory is well-trodden (existing open-source scanners prove feasibility); the differentiation is packaging, report quality, and questionnaire mapping β€” squarely in the founder's AI-workflow strength. Risk: false negatives (missed crypto in binaries/vendored code) create liability if the report is over-claimed.
Legal / regulatory risk
Moderate and manageable IF positioned as an 'automated inventory and self-assessment aid,' not a certification. Must disclaim reliance; a vendor that loses a contract after relying on a wrong report could claim damages. No license/accreditation currently required to sell this (FACT: no accreditation regime exists for PQC attestation as of the sources given; HYPOTHESIS: one could emerge and either legitimize or lock out unaccredited providers, as CMMC did with C3PAOs).
Platform dependency
Low. Depends on commodity LLM APIs (multiple substitutable providers per the two AI signals) and open standards (CycloneDX). No app-store or marketplace approval in the critical path if intake is tarball upload.
Founder fit
High but not the perfect ELDT pattern. Matches: regulation-compelled obligation, small forced-to-comply buyers, per-transaction pricing, AI-assisted fast prototyping, demonstrated ability to read a mandate and monetize the compliance layer. Mismatch: unlike ELDT there is NO government portal to submit into β€” this is a report product, not a filing product β€” and the compelled behavior (questionnaires) is hypothesized, not yet observed. Also, selling security assessments involves a trust hurdle ELDT didn't have.
Breakout potential
Good if timing proves right: crypto-BOM scanning generalizes to SBOM-adjacent compliance, EU CRA, and eventually a wedge into migration-remediation services or a continuous-monitoring SaaS. The 2030 deadline guarantees the market grows for years β€” the question is only whether SMB demand exists in 2026 or 2028.
Final recommendation
CONDITIONAL GO β€” validate before building. The convergence logic is sound and the product shape fits the founder's proven regulation-to-revenue playbook, but the load-bearing claim (small vendors receiving PQC questionnaires NOW) is a hypothesis with zero supporting evidence in the input. Spend 1-2 weeks on demand validation at near-zero cost; build only if real questionnaire language is found in the wild. If demand is 12+ months out, park it with a re-check trigger rather than kill it β€” the 2030 clock means the opportunity ripens rather than expires.
Next action
Spend 3 days mining evidence that PQC flow-down has started: search SAM.gov solicitations, GSA/prime supplier-requirement documents, NDIA/GovCon forums, and r/govcon for 'post-quantum' or 'quantum-resistant' questionnaire/attestation language; simultaneously message 5 MSPs serving federal subcontractors asking if any client has received one. Decision gate: at least 2 concrete artifacts or firsthand reports = build MVP; zero = set a 6-month revisit reminder.

Kill arguments (adversarial)

Competitors

β€’ IBM CBOMkit (link) β€” Open-source cryptographic bill-of-materials scanner; free, enterprise-oriented, raw inventory without procurement-ready reporting β€” proves feasibility and caps pricing.
β€’ SandboxAQ AQtive Guard (link) β€” Well-funded enterprise cryptography-inventory/PQC-migration platform; will likely move down-market as demand grows, but currently requires enterprise deployment and budget.
β€’ Keyfactor (link) β€” Certificate/crypto lifecycle management with PQC-readiness positioning; enterprise sales motion, not self-serve SMB scans.
β€’ ISARA (link) β€” PQC migration specialist (assessments and tooling); consulting-heavy model aimed at large organizations, leaving the sub-$1k SMB tier unserved.

Source citations (facts)

β€’ The White House's post-quantum executive order is an important milestone. It's time to get to work β€” A White House executive order sets a 2030 deadline for post-quantum cryptography migration across government and industry, creating a compliance clock.
β€’ Introducing computer use in Gemini 3.5 Flash β€” Agentic computer/browser control is now available in a cheap, fast model tier, making automation agents economically viable for solo builders.
β€’ GPT-5.6: Frontier intelligence that scales with your ambition β€” Frontier-model cost-performance improved, lowering per-task unit economics for AI-driven codebase analysis (inference from performance-per-dollar claim).

Actions