PQC-migration beneficiaries — ranking the named vendors by share of obligated post-quantum spend (2026-2027)
The question
Which PQC-migration beneficiary names (CrowdStrike CRWD, Cloudflare NET, Palo Alto Networks PANW, Thales) capture the largest share of obligated (mandate-driven, hard-dated) post-quantum cryptography enterprise spend through 2026-2027? This operationalizes the quantum-layer-v1 thesis recommendation — anchor on PQC migration adopters (lower variance, obligated dollars) rather than quantum-hardware pure-plays (high variance, roadmap-execution risk).
What we already know (from the vault)
- [[2026-05-24-quantum-computing-2026-milestone-thresholds]] — the parent brief. Its load-bearing finding: the four quantum pure-plays (IonQ, QBTS, RGTI, Quantinuum-via-Honeywell) are still in trust-the-roadmap territory; the investable instrumentation bifurcates into (a) pure-play roadmap bets (high variance) and (b) PQC-migration adopters (lower variance). RDCO's semiconductor-sales-anchor pattern transfers cleanest to (b). The brief explicitly named milestone 4 — "NIST PQC migration hitting cloud-provider GA defaults" — as the obligated-dollars anchor analog, and flagged this exact beneficiary question as an open follow-up. This brief closes it.
- [[2026-03-11-ark-invest-quantum-computing-bitcoin]] and [[2026-04-20-3blue1brown-grovers-algorithm-clarification]] — directionally confirm 2026 quantum is NOT at cryptographically-relevant scale (CRQC). The thesis must NOT rest on "quantum breaks crypto soon"; it rests on the mandate calendar being real regardless of when CRQC arrives ("harvest-now-decrypt-later" + hard federal deadlines).
- The vault has no investing-build-thesis output for quantum yet — this brief is direct input to the next [[investing-build-thesis]] dispatch. Sizing convention there is R-unit; weights below are expressed as thesis-tilt (overweight / core / satellite / watch), not R-units, since position sizing is the build-thesis step's job.
What the web says
- The obligated-dollars anchor is real and quantified. US government-wide PQC migration cost is estimated at $7.1B in 2024 dollars, 2025-2035 (OMB, per the US PQC regulatory framework). This is the closest analog to "obligated semiconductor sales" — a hard appropriated/mandated number, not a TAM guess.
- Hard deadlines through 2027 (the binding triggers):
- CNSA 2.0 — Jan 1, 2027: all new National Security System acquisitions must be CNSA 2.0 (PQC) compliant. This is the most immediate hard procurement gate. (Phase-out 2030-2031, full NSS mandate 2031.)
- FIPS 140-2 sunset — Sep 21, 2026: FIPS 140-2 certificates move to Historical; only FIPS 140-3-validated modules accepted for new federal procurement. This is a direct HSM/key-management catalyst (Thales territory).
- OMB M-23-02 / NSM-10: annual cryptographic-inventory submissions through 2035 for civilian agencies; designation of migration leads + funding assessments. Continuous obligation, 2035 target.
- EO 14306 — Jan 2, 2030: all federal systems must support TLS 1.3 or successor (TLS/edge territory).
- CISA product categories (Jan 23, 2026) name categories, not vendors: cloud services, web browsers/servers, endpoint security, networking hardware/software, IAM, containers. The mandate spreads obligated dollars across exactly the layers the four named vendors occupy.
- Cloudflare (NET) is the furthest-shipped. Hybrid PQC key exchange went default-on for all sites on its network in early 2025; >50% of human web traffic through Cloudflare was PQC-protected by Oct 2025, and >two-thirds as of April 2026. This is the single cleanest "real money / shipped at scale" signal among the four — though it is largely bundled into existing CDN/edge revenue, not a separately-priced PQC line.
- Palo Alto Networks (PANW) has integrated PQC into its platforms; NGS ARR ~$6.3B (+33% YoY); platformization extended via CyberArk + Chronosphere deals. Falcon-style policy-enforcement framing.
- CrowdStrike (CRWD) positions Falcon as the endpoint layer for crypto-agility / PQC policy enforcement; ~$5.25B ending ARR, record $1.01B net-new ARR FY26. PQC is a future attach narrative, not yet a discrete revenue driver.
- Thales (EPA: HO, not US-listed) — Luna T-Series HSM 7.15.0 ships fully standardized PQC algorithms in core firmware; Thales+Quantinuum PQC starter kit. HSMs are the highest-leverage layer for the FIPS 140-3 / CNSA 2.0 procurement gates (key generation, storage, signing).
- Market sizing (speculative, for contrast): PQC pure-market estimates cluster at $0.42B (2025) → $2.84B (2030), ~46% CAGR (MarketsAndMarkets). Note this is the narrow PQC-product market — an order of magnitude smaller than the $7.1B federal-migration obligation, because most spend flows through bundled platform/edge/HSM revenue, not standalone "PQC products."
Convergences and contradictions
- Convergence: vault predicted NIST PQC migration would be the cleaner obligated-dollars anchor than quantum-advantage benchmarks. Web fully confirms — $7.1B federal obligation + four hard dates 2026-2031 are appropriated/mandated, not roadmap promises.
- Convergence: vault's milestone-4 "default-on TLS = real money" test is met by Cloudflare (default-on since early 2025, two-thirds of traffic by Apr 2026). The signal the brief said to watch for has already fired for NET.
- Contradiction / caution: the narrow PQC-product market ($2.84B by 2030) is far smaller than the federal obligation ($7.1B) — because "obligated PQC spend" is overwhelmingly embedded in platform/edge/HSM revenue lines that vendors do NOT break out. This is the core measurement problem: none of the four discloses a PQC revenue line-item. "Share of obligated PQC spend" is therefore an inferred exposure, not a reported number. Treat the ranking as a qualitative exposure-mechanism ordering, not a quantified revenue split.
- Contradiction: "every CISO is now a buyer" PR framing (post-Google-accelerated-timeline) vs. the parent brief's AES-128-is-safe finding — the urgency is procurement-mandate-driven (harvest-now-decrypt-later + federal dates), NOT CRQC-is-imminent. Discount any beneficiary pitch that leans on "quantum breaks crypto in 2027."
Synthesis for RDCO
The honest finding is that "largest share of obligated PQC spend" cannot be answered as a clean revenue split — no named vendor reports a PQC line-item, and the $7.1B federal obligation flows through bundled platform/edge/HSM revenue. So the ranking below orders by exposure mechanism quality: how directly a vendor's revenue sits in the path of a hard-dated mandate, and how far it has already shipped (shipped > announced > attach-narrative). Ranked by share of obligated (not speculative) PQC spend, the order is Thales > Cloudflare ≈ Palo Alto Networks > CrowdStrike.
Thales ranks first on obligated-dollar directness because HSMs and key-management sit on the two hardest near-term procurement gates — FIPS 140-2 sunset (Sep 2026) and CNSA 2.0 new-acquisition (Jan 2027) — where a non-compliant module is simply disqualified from federal purchase. That is the most mandate-coupled, least-discretionary spend in the stack. The catch: Thales is Euronext Paris (HO.PA), defense-conglomerate-diluted (PQC is a sliver of a ~€20B revenue base), so the exposure is high-purity but the float is low-concentration. Cloudflare ranks first on shipped-at-scale evidence — default-on PQC TLS since early 2025, two-thirds of human traffic by Apr 2026 — but that revenue is bundled into the CDN/edge line and is largely not the federally-obligated dollar (Cloudflare's PQC is consumer/commercial-internet, not NSS procurement). PANW and CRWD are platform-attach plays: real, growing, but PQC is a future cross-sell narrative riding on ARR growth that exists for reasons mostly unrelated to the mandate calendar.
For the quantum-layer-v1 build-thesis, the cleanest instrumentable anchor remains Cloudflare's public PQC-traffic percentage (a live, published, default-on adoption dashboard — milestone 4 fired) paired with the CNSA 2.0 / FIPS 140-3 procurement calendar as the obligated-dollar backbone (Thales-adjacent). The variance ordering inverts the share ordering: CRWD/PANW are lower-idiosyncratic-variance (diversified security platforms, PQC is upside-optionality not thesis-load-bearing) while a pure Thales-style HSM bet is higher-concentration on the procurement gate. This argues for a core (NET) + satellite (PANW/CRWD) + watch (Thales, for the FIPS-140-3/CNSA-2.0 catalyst dates) structure rather than a single name.
This is investing-thesis input, not a recommendation to trade. Any real-money deploy requires explicit founder authorization per the paper-trade authorization gate (canonical APPROVE or explicit "deploy" verb); structural agreement is not sufficient.
Beneficiary table
| Ticker | PQC exposure mechanism | Obligated-dollar share signal | Variance / risk | Thesis weight |
|---|---|---|---|---|
| Thales (HO.PA) | HSMs + key management + PKI; Luna T-Series ships NIST PQC (ML-KEM/ML-DSA/SLH-DSA) in core firmware; Thales+Quantinuum PQC kit | Highest directness. Sits on the two hardest gates: FIPS 140-2 sunset (Sep 2026) + CNSA 2.0 new-acquisition (Jan 2027). Non-compliant HSM = disqualified from federal procurement. | High-purity exposure but low concentration: PQC is a sliver of a ~€20B defense-conglomerate; Euronext Paris (FX + ADR-access friction); spend not broken out | Watch — buy the catalyst (FIPS 140-3 / CNSA 2.0 procurement-date confirmations), not the headline |
| Cloudflare (NET) | Default-on hybrid PQC TLS 1.3 across entire edge since early 2025; PQC IPsec + WARP client; the de-facto internet PQC on-ramp | Most shipped-at-scale. >2/3 of human TLS traffic PQC-protected (Apr 2026); milestone-4 "default-on = real money" test already fired. But revenue is bundled in CDN/edge, mostly NOT the NSS-obligated dollar | Moderate. PQC is bundled upside, not a priced line; rich valuation; commercial-internet exposure, not federal-procurement | Core — the cleanest live instrumentable adoption dashboard for the thesis |
| Palo Alto Networks (PANW) | PQC integrated into platform (network/firewall); platformization (CyberArk + Chronosphere); NGS ARR ~$6.3B (+33% YoY) | Moderate. Network-layer PQC sits in a CISA-named category; mandate is tailwind, but PQC is cross-sell attach, not a discrete obligated line | Lower idiosyncratic variance (diversified platform); PQC is optionality, not thesis-load-bearing | Satellite |
| CrowdStrike (CRWD) | Falcon positioned as endpoint layer for crypto-agility + PQC policy enforcement; ~$5.25B ARR, $1.01B net-new FY26 | Lowest directness of the four. Endpoint crypto-agility is a future attach narrative; no current PQC-specific obligated dollar | Lowest PQC-specific exposure; ARR growth driven by reasons largely unrelated to the mandate calendar | Satellite (watch for attach proof) |
Ranking rationale: ordered by directness of coupling to a hard-dated mandate, not by absolute revenue. Thales has the highest obligated-dollar purity (procurement-gate-or-disqualified); Cloudflare has the most shipped evidence but on bundled, mostly-commercial dollars; PANW/CRWD are platform-attach optionality.
Open follow-ups
- Does any of the four disclose a PQC-attributable revenue or ARR line in a 2026 10-Q / 10-K? (Currently none do — if one starts, that vendor becomes the instrumentable leader and the ranking should re-rank to it.)
- What is the US-listed proxy for Thales HSM exposure? (HO.PA ADR liquidity; or is Entrust / a US-listed HSM peer a cleaner vehicle for the FIPS-140-3/CNSA-2.0 catalyst?)
- CNSA 2.0 Jan-1-2027 new-acquisition deadline: are there public DoD/agency PQC procurement awards or RFPs in 2026 that name vendors and dollar amounts (USASpending.gov / SAM.gov) — the literal obligated-dollar trail?
- Does Cloudflare's published PQC-traffic percentage have an API/scrapeable endpoint to wire as a live thesis-instrument (analogous to the hyperscaler-capex anchor)?
- How much of the $7.1B federal obligation is appropriated vs. estimated-future? (Appropriated portion is the truly-obligated dollar; the rest is a planning figure.)
Sources
Vault:
- [[2026-05-24-quantum-computing-2026-milestone-thresholds]] (parent brief; this closes its open follow-up)
- [[2026-03-11-ark-invest-quantum-computing-bitcoin]]
- [[2026-04-20-3blue1brown-grovers-algorithm-clarification]]
- [[investing-build-thesis]] (skill, for the next dispatch)
Web:
- US PQC regulatory framework 2026 (deadlines, $7.1B federal cost, CNSA 2.0 / OMB M-23-02 / FIPS 140-2 sunset / EO 14306)
- CNSA 2.0 & NIST PQC deadlines 2026-2035 (AxelSpire)
- Cloudflare secures majority of internet traffic with PQC (default-on since early 2025; >50% Oct 2025)
- State of the post-quantum Internet 2025 (Cloudflare blog)
- Thales Post-Quantum Crypto Agility / Luna HSM
- Post-quantum cryptography market 2025-2030 ($0.42B → $2.84B, ~46% CAGR; MarketsAndMarkets)
- Google accelerated the PQC timeline — every CISO is now a buyer (PRNewswire, framing flag)