Enterprise MigrationJune 10, 2026

Q-Day Is on Someone Else's Calendar. You Just Haven't Seen the Invite

Adversaries are using “harvest now, decrypt later” to collect your encrypted data today and decrypt it after Q-Day. What it means for enterprise leaders - and why the breach already happened.

Allison Seller

Chief Executive Offiver

Q-Day Is on Someone Else's Calendar. You Just Haven't Seen the Invite

There is a comfortable assumption buried in most enterprise risk plans: that a threat hasn't arrived until the tools to execute it exist. The strategy known as harvest now, decrypt later breaks that assumption completely.

Right now, somewhere, your encrypted traffic is being copied and stored. Not because anyone can read it today, but because someone is confident they will read it later. Harvest now, decrypt later means the most important date in your security calendar is one you were never shown.

"For any data that must stay secret for a decade, the breach has already happened. Quantum only decides the day it becomes readable."

The Breach That Already Happened

We tend to picture a breach as a dramatic moment: alarms, exfiltration, a headline. Harvest now, decrypt later is the opposite. It is silent and patient. Encrypted data is intercepted and warehoused, waiting for the day a quantum computer can unlock it.

From a leadership standpoint, the uncomfortable reframe is this: for any data with long-term value, the breach has effectively already occurred. What remains undecided is only when the contents become readable. That single shift (from future risk to present loss) is what makes this threat different from anything on your current risk register.

How Harvest Now, Decrypt Later Actually Works

The mechanics are simple, which is what makes them dangerous. An adversary intercepts encrypted data in transit or at rest and stores it cheaply at scale. They cannot read it yet. They don't need to. They are betting on time, specifically on the arrival of a quantum computer capable of breaking the asymmetric encryption protecting that data.

Storage is cheap and patience is free, so the economics favor the attacker. Harvest now, decrypt later turns today's ordinary encrypted traffic into a future asset for whoever collected it.

Which of Your Data Is Actually at Risk

Not everything needs to stay secret for a decade. A one-time access code does not. But patient records, financial histories, intellectual property, legal files, government contracts, and customer identities do. And those are exactly the assets adversaries prioritize collecting.

The test is simple to state and revealing to answer: which of our data would still be damaging if it were exposed ten years from now? Whatever fits that description is on the harvest list today.

Q-Day: The Date You Don't Control

"Q-Day" is shorthand for the moment a quantum computer can break current encryption at scale. No one can mark it precisely on a calendar, and that is the point. You don't get to choose when it arrives, only how prepared you are when it does.

Meanwhile, the same advances powering today's AI breakthroughs are pouring talent and capital into quantum computing. The timeline is being compressed by the very investment cycle leaders are already watching closely for other reasons. NIST finalized post-quantum standards in 2024 precisely because the gap between "not yet" and "too late" is narrowing.

Closing the Window You Can Still Control

You cannot un-harvest data already collected. What you can control is the window that remains, by moving your highest-sensitivity, longest-life data to quantum-resistant protection before Q-Day, not after. The NSA's CNSA 2.0 guidance, with milestones in 2027, gives you the timeline to plan against.

Every month of delay extends the exposure window on data being collected right now. Against a harvest now, decrypt later adversary, speed of preparation is the only lever leadership actually holds.

Why Boards Underestimate Harvest Now, Decrypt Later

The threat is easy to underrate because it violates how risk is usually scored. Most enterprise risk models weigh likelihood against impact in the present tense: what could happen this year. Harvest now, decrypt later doesn't fit that frame, because the damaging event (collection) has already happened, and the consequence simply hasn't been delivered yet.

That timing mismatch makes the threat feel theoretical right up until it isn't. By the time the consequence lands, there is nothing left to protect. The data was taken years earlier. Leaders who internalize this stop asking whether the risk is real and start asking how much of their long-life data has already been collected.

Turning the Threat Into a Prioritization Map

The practical response to harvest now, decrypt later is not panic. It's triage. Rank your data by two axes: how sensitive it is, and how long it must stay confidential. Anything high on both axes is your priority queue, because that is precisely what an adversary gains the most from storing today.

This map does something useful politically as well as technically: it turns an abstract quantum threat into a concrete, defensible list of what to protect first and why. A board can fund a prioritized list. It struggles to fund a vague warning.

From there, the work is sequencing: moving the top of that list to quantum-resistant protection on a schedule that beats Q-Day, rather than trying to boil the ocean all at once.

From Awareness to a Funded Plan

The leap most enterprises fail to make is from understanding harvest now, decrypt later to actually funding a response to it. Awareness sits in a slide. A plan sits in a budget. Bridging the two requires translating the threat into the language leadership controls (risk, liability, and timeline) rather than the language of algorithms.

That translation is straightforward once the prioritization map exists. You can point to specific categories of long-life data, state how long they must stay confidential, and show that adversaries gain the most by collecting exactly those today. Suddenly the abstract becomes a defensible line item with a clear first action.

From there the program almost writes itself: inventory, prioritize, and migrate the top of the list to quantum-resistant protection on a schedule that beats Q-Day. The hardest part was never the technology. It was deciding the threat was real enough to fund before the consequence arrived. And funding it early costs a fraction of what a forced, last-minute migration will. Either way the migration happens. The only variable is whether you run it on your own schedule or on the attacker's. The enterprises that move early convert an existential-sounding threat into an ordinary, well-managed program with a budget and a timeline, which is exactly what it should have been from the start.

Frequently asked questions

Yes. Security agencies and standards bodies treat it as a present concern. Encrypted data captured today can be stored indefinitely and decrypted once quantum hardware is capable, so long-life data is at risk now.

Q-Day is the informal term for the point at which a quantum computer can break the encryption protecting most of today’s digital systems. The exact date is unknown, which is why preparation - not prediction - is the priority.

Identify data that must remain confidential for years, then prioritize migrating it to quantum-resistant encryption ahead of Q-Day. Reducing the exposure window on long-life data is the most direct mitigation.

The CONUX Briefing

Get the next briefing in your inbox.

Monthly deep dives on quantum resilience, AI control planes, and the infrastructure protecting tomorrow's critical systems. No noise.

Unsubscribe anytime · No spam

Continue reading

All articles

Enterprise Migration

June 1, 2026

The Question Every CISO Will Be Asked in the Next 18 Months

Quantum readiness assessment isn't a technical exercise — it's a leadership one. Here's the question your board will ask, and what being ready actually looks like.

TC

Team Conux

Read