Convergence Radar Convergence Engine

← Feed

C

Agent-Run CBOM (Cryptographic Bill of Materials) Audits for Mid-Market Federal Contractors

47/100

Fixed-price, AI-agent-executed cryptographic inventory scans that give federal contractors the PQC-migration evidence the 2030 executive order will eventually force them to produce.

Interesting but not urgent. Β· created 2026-07-10 01:16 UTC

aisaasapiagentlong-termrevisit later

Scorecard

newness 7/10
convergence 7/10
demand evidence 2/10
existing spend 3/10
solo feasibility 8/10
speed to mvp 8/10
speed to revenue 3/10
distribution 4/10
competitive gap 4/10
expansion 7/10
founder fit 6/10

Penalty flags
long trust cycle no urgent pain (βˆ’9 from raw 53)

Opportunity brief

What changed
FACT (per provided sources): a White House executive order set a 2030 deadline for post-quantum cryptography migration across government and industry (Cloudflare blog), and frontier models now offer better cost-performance (GPT-5.6) plus long-running autonomous task completion (ChatGPT agent announcement). Together these make whole-codebase crypto inventory cheap to produce as a deliverable.
Why now
PARTIAL FACT / MOSTLY HYPOTHESIS: the deadline is real (source), but the claim that agencies will push PQC requirements into contractor procurement language 'years earlier' is an inference β€” no cited source shows FAR/DFARS flow-down clauses existing today. Agent economics crossing the viability threshold this quarter is supported directionally by the two AI sources but not quantified. The honest version of 'why now' is: the clock has started, first-mover positioning is cheap, but the buyer's clock has NOT visibly started.
Converging signals
(1) Federal 2030 PQC deadline creating a named compliance obligation [Cloudflare source]; (2) frontier-model cost-performance improvement [GPT-5.6 source]; (3) multi-hour autonomous agents returning finished deliverables rather than chat [ChatGPT agents source]. The convergence is real: the mandated first step of PQC migration β€” inventorying crypto usage β€” is exactly the sweep-classify-report work agents now do near zero marginal cost.
Customer pain
HYPOTHESIS: mid-market federal contractors will need documented PQC migration plans and lack cryptographers. Current pain intensity is LOW-TO-LATENT β€” no cited evidence shows contractors being asked for CBOMs in 2026 procurements or failing audits today. Pain becomes acute only when a contracting officer or prime puts it in writing. Compare: OMB M-23-02 already required agencies (not contractors) to inventory crypto, and that produced agency-side demand, not mid-market contractor spend.
Who pays
HYPOTHESIS: mid-market federal contractors and their software vendors, likely triggered by prime contractors flowing requirements down to subs. Secondary: MSPs/MSSPs serving the federal supply chain who want to resell a white-labeled scan. Today, the party with budget and an actual deadline is federal agencies and primes β€” both of whom buy through channels a solo founder can't use (enterprise/GovCon sales).
Solved today
FACT (general market knowledge, not from provided sources β€” treat as unverified): incumbents exist β€” IBM Quantum Safe Explorer, SandboxAQ AQtive Guard, PQShield/ISARA tooling, Entrust PQC assessments, plus open standards (CycloneDX 1.6 added CBOM support) and free tools (IBM's open-source cbomkit, Semgrep/CodeQL crypto rules). Big-4 and boutique security consultancies sell PQC readiness assessments at $25k+.
Why current solutions are bad
Incumbent tools are priced and packaged for enterprises and agencies; consultants are slow and expensive. A $2-5k fixed-price, one-week, agent-executed scan with a clean CycloneDX-CBOM deliverable and remediation priority list genuinely does not exist at the low end. HYPOTHESIS: the low end also may not exist because low-end demand doesn't exist yet.
Proposed product
'PQC Readiness Report' β€” a productized service: customer grants repo/config/cert-store access (or ships a tarball), coding agents sweep the codebase and infrastructure configs, classify every crypto usage (algorithm, key size, library, location), flag quantum-vulnerable instances (RSA, ECC, DH, SHA-1), and emit (a) a CycloneDX CBOM file, (b) an executive-readable migration-priority memo, (c) evidence artifacts suitable for attaching to procurement responses. Fixed price per repo/size tier. Human (Charles) reviews before delivery.
MVP version
1-2 weeks: agent pipeline (Claude Code headless, which he already runs in production for this exact pattern) + crypto-detection rulepack (regex/AST heuristics seeded from Semgrep crypto rules, agent-verified to cut false positives) + CBOM JSON emitter + report template. Test on 3-5 open-source repos and publish the sample reports as marketing artifacts. Total cost β‰ˆ compute + his time.
30-day build
Build pipeline; produce 3 public sample audits of well-known open-source projects; publish 'How quantum-vulnerable is [popular project]?' writeups for SEO/HN distribution; offer 5 free-or-$500 pilot scans to small GovCon software shops via LinkedIn/GovCon forums/r/govcon to test willingness to pay.
60-day build
Convert pilots to paid ($1.5-3k tier); approach 3-5 MSPs/compliance consultancies serving federal subs to white-label the scan; add cert/TLS-endpoint scanning (external scan needs no repo access β€” lower-friction entry product).
90-day revenue plan
Realistic: $3-10k total if 2-5 paid scans close. HYPOTHESIS with low confidence β€” this depends entirely on whether any buyer feels the deadline in 2026. The external TLS/cert scan sold as a cheap ($299-499) automated report is the most plausible path to first revenue inside 90 days because it needs no trust for code access.
Distribution path
Content-led (public sample audits, 'PQC readiness score' of popular stacks), GovCon-adjacent communities, and white-label through MSPs/compliance consultants who already have contractor trust. Avoids enterprise sales only if the MSP channel works; direct-to-contractor security sales normally require trust cycles.
Pricing hypothesis
$299-499 external cert/endpoint scan (automated); $1,500-5,000 per-codebase CBOM audit by size; $500/qtr re-scan subscription for drift monitoring. Per-scan transactional pricing matches his proven ELDT per-upload model.
Technical difficulty
LOW-MODERATE for him: agent orchestration, static scanning, and report generation are squarely in his demonstrated stack (headless Claude Code pipelines in production). Hard part is false-positive control and credibly classifying crypto usage without a cryptographer β€” mitigated by shipping an 'inventory + flags' product, never a 'security assurance' product.
Legal / regulatory risk
MODERATE: must avoid representing the report as a certified security audit or legal compliance opinion (disclaimer + 'inventory tool' positioning). Handling customer source code creates liability/NDA overhead. No license/certification is legally required to sell this. Federal supply chain buyers may ask for the vendor's own security posture (ironic barrier).
Platform dependency
Moderate dependency on Claude/agent pricing and availability; mitigable since the scanning core can fall back to deterministic rules with agent verification on top. No app-store or marketplace approval risk.
Founder fit
MIXED β€” the pattern matches his proven edge (regulation forces a party to produce a compliance artifact; he builds the automation and charges per transaction) BUT two elements of the ELDT winner are missing: (1) there is NO government portal to submit CBOMs into β€” the deliverable goes to a filing cabinet, not a federal system, so the 'submission layer' moat doesn't exist; (2) ELDT buyers were forced TODAY with per-event urgency, while PQC buyers are forced in 2030 with no enforcement mechanism visible yet. Systems thinking, AI pipelines, and public-records/compliance instincts all apply. Fit is good on capability, weak on urgency-shape.
Breakout potential
If FAR/DFARS or NIST guidance later mandates CBOM submission in a specific format or portal, whoever already owns the cheap-scan niche becomes the ELDT-style per-filing gateway β€” that is the real prize and worth positioning for now at low cost. Also expandable to CMMC-adjacent evidence automation.
Final recommendation
DO NOT pursue as the primary 30-90-day cash play β€” demand is latent and trust-gated. DO spend ≀1 week building the pipeline and publishing 2-3 public sample audits as a positioning bet: near-zero cost, tests real willingness to pay via a cheap external cert-scan product, and stakes a claim on the ELDT-shaped endgame (if CBOM ever becomes a mandated filing, he is pre-positioned). Revisit immediately if procurement flow-down language or a NIST/OMB contractor-facing requirement appears.
Next action
Spend 2-3 days adapting the existing Claude Code pipeline into a crypto-inventory scanner, run it against 3 popular open-source projects, and post the sample 'PQC Readiness Reports' publicly; simultaneously search SAM.gov and recent RFPs for any solicitation already containing post-quantum/CBOM language to test the demand hypothesis with facts.

Kill arguments (adversarial)

Competitors

β€’ IBM Quantum Safe (Explorer / open-source cbomkit) (link) β€” Enterprise crypto-discovery tooling plus a free open-source CBOM scanner; targets large orgs, not $2k mid-market scans. UNVERIFIED from provided sources β€” general market knowledge.
β€’ SandboxAQ AQtive Guard (link) β€” Well-funded cryptography-inventory/management platform aimed at enterprises and government. UNVERIFIED from provided sources.
β€’ Entrust / PQShield / ISARA PQC assessments (link) β€” Consultant-led PQC readiness assessments at consulting price points ($25k+); slow, human-heavy β€” the gap the productized scan targets. UNVERIFIED from provided sources.
β€’ Semgrep/CodeQL crypto rulepacks (DIY) (link) β€” Free static-analysis rules a contractor's own dev could run; the counter-argument is they produce noise, not an auditable CBOM deliverable. UNVERIFIED from provided sources.

Source citations (facts)

β€’ The White House's post-quantum executive order is an important milestone. It's time to get to work β€” A White House executive order sets a 2030 deadline for post-quantum cryptography migration across government and industry, creating the compliance obligation this opportunity depends on.
β€’ GPT-5.6: Frontier intelligence that scales with your ambition β€” Frontier-model cost-performance improved, lowering the unit cost of running large-codebase crypto-inventory scans as an automated service.
β€’ ChatGPT is now a partner for your most ambitious work β€” Long-running agents can complete multi-hour autonomous work and return finished deliverables, making whole-codebase CBOM audits feasible without human analyst hours.

Actions