When the Heat Map Comes Back Red

I broke last week from the regular cadence to provide a little context around Quantum Guy and the mission. Picking the conversation back up, we talked about running a cryptographic discovery.

I told you to run the 90-minute cryptographic discovery and deliver the one-pager on Friday. If you did it, you already know the answer to the client’s next question before they ask it.

The heat map came back red. It always does. That is not a bad outcome. That is the beginning of a billable relationship.

What Red Actually Means

Red does not mean broken. It means exposed. There is a difference, and you need to explain it clearly before the client’s anxiety turns into paralysis or a call to a competitor.

Red on Layer 1 means adversaries can see the shape of traffic today. They may already be logging it.

Red on Layer 3 is the one that keeps me up at night. Encrypted backups under RSA-2048 look secure today. They are not. Someone is collecting that ciphertext right now with the intention of decrypting it when Q-Day arrives. If those backups contain five years of patient records or M&A files, the exposure is not theoretical.

Red on Layers 2 and 4 means work to scope. Identity- and application-layer cryptography require vendor coordination and change-management cycles that take time. Start those conversations now.

The Monday Call

Call the client. Do not email. Here is the structure.

Open with one sentence: “We found exposures in three of the four layers. Two are low-complexity fixes. One requires a longer conversation.”

That sentence tells them you found something real, that it is not all catastrophic, and that you have a path forward.

Walk the one-pager layer by layer. Spend the most time on Layer 3. Ask one question about their backup retention policy. Whatever they answer, the follow-up is the same: “That data needs a migration plan.”

What You Scope Next

The 90-minute inventory was triage. What they need now is a migration roadmap: prioritized by risk, scoped by complexity, and budgeted by phase.

Phase one: Remediate Layer 1 within 90 days. TLS, VPN ciphers, exposed endpoints.

Phase two: Protect long-retention data. Identify the backup sets that live beyond the threat window and begin re-encryption under a quantum-resistant scheme. NIST finalized ML-KEM and ML-DSA last year. Both are production-ready.

Phase three: Application and API layer, scoped by vendor roadmap. This is the long tail. Set a 24-month horizon and treat it as recurring work.

What You Bill for the Roadmap

A three-phase roadmap for a 50-seat client runs 12 to 18 hours. Charge $4,500–$7,500. Deliver it as a working document they can take to the board or their cyber insurer.

Monday Morning Move

  1. Call the client you ran the inventory for last week.
  2. Walk them through the one-pager in fifteen minutes.
  3. Leave the call with a verbal yes on the roadmap engagement.

You do not need a proposal yet. You need a yes. The proposal comes Tuesday.

Stay sharp.

The Quantum Guy

The information in this post is provided for general informational purposes only and does not constitute professional, legal, technical, or security advice. Readers act on this content at their own discretion and risk; IoTSSA assumes no liability for any loss or damage arising from its use.