
Microsoft Security · 48d ago

Building your cryptographic inventory: A customer strategy for cryptographic posture management

Post-quantum cryptography (PQC) is coming—and for most organizations, the hardest part won’t be choosing new algorithms. It will be finding where cryptography is used today across applications, infrastructure, devices, and services so teams can plan, prioritize, and modernize with confidence. At Microsoft, we view this as the practical foundation of quantum readiness: you can’t protect or migrate what you can’t see.

As described in our Quantum Safe Program strategy, cryptography is embedded in all modern IT environments across every industry: in applications, network protocols, cloud services, and hardware devices. It also evolves constantly to ensure the best protection from newly discovered vulnerabilities, evolving standards from bodies like NIST and IETF, and emerging regulatory requirements.

However, many organizations face a widespread challenge: without a comprehensive inventory and effective lifecycle process, they lack the visibility and agility needed to keep their infrastructure secure and up to date. As a result, when new vulnerabilities or mandates emerge, teams often struggle to quickly identify affected assets, determine ownership, and prioritize remediation efforts. This underscores the importance of establishing clear, ongoing inventory practices as a foundation for resilient management across the enterprise.

The first and most critical step toward a quantum-safe future—and sound cryptographic hygiene in general—is building a comprehensive cryptographic inventory. PQC adoption (like any cryptographic transition) is ultimately an engineering and operations exercise: you are updating cryptography across real systems with real dependencies, and you need visibility to do it safely.

In this post, we will define what a cryptographic inventory is, outline a practical customer-led operating model for managing cryptographic posture, and show how customers can start quickly using Microsoft Security capabilities and our partners.
What is a cryptographic inventory?

A cryptographic inventory is a living catalog of all the cryptographic assets and mechanisms in use across your organization. This includes the following examples:

| Category | Examples/Details |
| --- | --- |
| Certificates and keys | X.509 certificates, private/public key pairs, certificate authorities, key management systems |
| Protocols and cipher suites | TLS/SSL versions and configurations, SSH protocols, IPsec implementations |
| Cryptographic libraries | OpenSSL, LibCrypt, SymCrypt, other libraries embedded in applications |
| Algorithms in code | Cryptographic primitives referenced in source code (RSA, ECC, AES, hashing functions) |
| Encrypted session metadata | Active network sessions using encryption, protocol handshake details |
| Secrets and credentials | API keys, connection strings, service principal credentials stored in code, configuration files, or vaults |
| Hardware security modules (HSMs) | Physical and virtual HSMs, Trusted Platform Modules (TPMs) |

Why does this inventory matt


Originally published by Microsoft Security

Source: https://www.microsoft.com/en-us/security/blog/2026/04/16/building-your-cryptographic-inventory-a-customer-strategy-for-cryptographic-posture-management/
