What changed
FACT (Cloudflare blog): a White House executive order set a 2030 deadline for post-quantum cryptography migration, converting PQC from research topic into a budgeted compliance obligation. FACT (Cointelegraph): researchers warn AI is shortening the shelf life of point-in-time crypto security audits, pushing the market toward continuous re-auditing. INFERENCE: the same audit-decay logic applies to PQC inventories β a 2027 inventory is stale by 2028 as code and vendors drift.
Why now
FACT: the EO deadline exists now and consultancies are selling one-off PQC assessments. HYPOTHESIS: the continuous-audit framing has not yet saturated the PQC market, leaving a positioning gap. Counterpoint (kill-side): 2030 is four years away β for most buyers this is next-fiscal-year planning, not a 30-90-day urgent purchase.
Converging signals
(1) Federal 2030 PQC deadline (regulation, Cloudflare source); (2) AI-driven decay of point-in-time audits creating demand for continuous monitoring (complaint, Cointelegraph source); (3) long-running AI agents making continuous automated re-scanning cheap to operate solo (ai, OpenAI source). The causal chain is coherent: recurring obligation + audit decay => monitoring subscription, not one-off assessment.
Customer pain
HYPOTHESIS: CISOs and compliance officers at federal agencies and contractors must show ongoing migration progress, and a stale one-off inventory won't satisfy auditors. FACT-ADJACENT but not in provided sources: no provided source shows a buyer complaining about stale PQC inventories today β the pain is projected, not observed. That is a serious demand-evidence gap.
Who pays
CISOs / compliance officers at federal contractors and regulated enterprises. KILL-SIDE REALITY: this is an enterprise security buyer with vendor-risk review, procurement cycles, and a strong bias against giving repo/network access to an unknown solo vendor β directly against the founder's no-enterprise-sales constraint.
Solved today
One-off PQC readiness assessments from consultancies (per convergence description); free TLS scanners (e.g., Qualys SSL Labs) for the endpoint slice; open-source CBOM tooling (IBM cbomkit, CycloneDX CBOM standard); funded vendors (SandboxAQ AQtive Guard, Keyfactor, InfoSec Global) already selling continuous cryptographic inventory to exactly this buyer.
Why current solutions are bad
One-off assessments go stale (supported by the Cointelegraph audit-decay signal by analogy β INFERENCE, not a PQC-specific finding). But the 'bad' is being fixed by well-funded incumbents whose whole pitch is continuous cryptographic-agility monitoring, so the gap is thinner than it looks.
Proposed product
A 'CBOM monitor': scheduled scans of public TLS endpoints for quantum-vulnerable ciphers/certs, repo scans for crypto library usage, plus a vendor-attestation tracker; each scan emits a dated, diff-able compliance evidence report. Priced as a subscription per domain/repo.
MVP version
External-only wedge (no repo access needed): scan a company's public TLS endpoints and certificates, classify quantum-vulnerable algorithms, produce a dated PQC-exposure report with a re-scan diff every month. Buildable solo in 2-4 weeks with existing tooling (zgrab2/sslyze + report generation via headless Claude).
30-day build
Ship the external TLS PQC-exposure scanner; scan 50 federal-contractor domains; send unsolicited exposure reports as the demo-value hook (matches founder's demonstrated-value sales style).
60-day build
Convert report recipients to a $99-299/mo monitored-domain subscription; add certificate-expiry/algorithm-drift diffs as the recurring-evidence artifact.
90-day revenue plan
HYPOTHESIS with low confidence: 5-10 subscriptions ($500-3,000 MRR) if the cold-report hook lands. Kill-side: security teams routinely ignore unsolicited scan reports, and buyers big enough to care route the purchase through procurement β realistic 90-day revenue is plausibly $0.
Distribution path
Cold outbound of demonstrated-value scan reports to compliance officers at federal contractors; content SEO on 'PQC inventory / EO 2030 compliance'. No marketplace, no self-serve buyer pool identified β this is the plan's weakest link.
Pricing hypothesis
$99-299/mo per monitored domain (external wedge); $1k+/mo for repo-level CBOM (requires trust the founder doesn't have with this buyer class).
Technical difficulty
External TLS wedge: low-moderate, solo-feasible. Full product (repo scanning, vendor attestations, evidence chain auditors accept): high β that is a funded-team product.
Legal / regulatory risk
Moderate: unsolicited scanning of third-party infrastructure is legally gray in aggressive forms (stick to standard TLS handshakes); selling 'compliance evidence' invites liability if an auditor rejects it. Not heavily regulated per se, but reputational stakes for buyers are high.
Platform dependency
Low. No app store or platform gatekeeper; standard protocols.
Founder fit
LOW-MODERATE despite the compliance flavor. Critical distinction from the proven FMCSA ELDT edge: the EO compels *migration*, but (in the provided sources) it does NOT compel a specific party to *file into a government portal* that a tool can submit to per-transaction. No portal, no per-filing wedge β this is instead an enterprise security-monitoring sale to CISOs, which the founder explicitly avoids. HYPOTHESIS worth tracking: if OMB/CISA inventory-submission requirements flow down to contractors as a concrete filing obligation, this converts into exactly his shape β that is the trigger to revisit.
Breakout potential
High for someone: cryptographic inventory becomes a permanent compliance category through 2035. But the breakout accrues to funded vendors with SOC2, sales teams, and auditor relationships.
Final recommendation
KILL for now as a 30-90-day cash play: wrong buyer (enterprise CISO), wrong urgency (2030), and incumbents already selling the continuous-inventory story. Convert to a watchlist item with a concrete revisit trigger: the moment a PQC rule creates a mandatory *filing/registration* obligation for a definable class of contractors (flow-down inventory submissions, attestation portals), rebuild this as a per-filing submission tool β that is the founder's proven FMCSA-shaped edge. Do not build the monitoring SaaS on spec.
Next action
Spend <2 hours, not 2 weeks: set a monitoring rule (RSS/alerts) on OMB, CISA, and FAR council PQC guidance for any contractor-facing inventory-submission or attestation requirement; log this convergence as 'revisit on filing-mandate trigger' and move on to faster-revenue candidates.