Top 10 Post-Quantum Cryptography Tools and Frameworks for Enterprises in 2026

Cloudflare has achieved something remarkable: it has made post-quantum cryptography the default for the majority of its global TLS traffic, covering over six million internet-facing domains, without requiring customers to do anything. As of early 2026, more than 60 percent of TLS connections terminating at Cloudflare's global network use hybrid X25519 + ML-KEM-768 key exchange, making Cloudflare the operator of the world's largest deployed PQC-protected network by connection volume. The mechanism is straightforward. Cloudflare's edge infrastructure negotiates hybrid ML-KEM with any client that supports it — Chrome 124 and later, Firefox, and modern versions of Safari all do — while falling back gracefully to classical X25519 for older clients. This means that for any organization with their DNS and TLS termination running through Cloudflare, post-quantum protection on the client-to-edge leg of every HTTPS connection is already active. Zero configuration required. Cloudflare's Zero Trust and SASE offerings extend this protection further. Cloudflare Access, Gateway, and WARP (the enterprise VPN replacement) all support hybrid PQC tunnels, meaning enterprise employees accessing internal applications through Cloudflare's network are protected against HNDL attacks on their session traffic. Cloudflare claims to be the first vendor to deliver a complete SASE stack with end-to-end PQC support — a significant milestone for enterprises replacing legacy VPN infrastructure. For the edge-to-origin leg (Cloudflare to the customer's own servers), Cloudflare supports PQC via its Argo Smart Routing and Tunnels products when the origin server supports ML-KEM. This requires updating origin-side TLS configuration, which Cloudflare provides documentation and tooling to support. The company also publishes detailed cryptographic telemetry showing cipher suite distribution across its network, giving security researchers and enterprise customers visibility into real-world PQC adoption rates at scale.

Microsoft's post-quantum cryptography deployment is the most significant for enterprises running Microsoft-centric infrastructure, which remains the majority of Fortune 500 organizations. The cryptographic foundation is SymCrypt, Microsoft's open-source cross-platform cryptography library written in C, and the Windows Cryptography Next Generation (CNG) API layer that exposes PQC primitives to applications through a stable, documented interface. As of early 2026, SymCrypt and CNG provide generally available support for ML-KEM (all three parameter sets: 512, 768, 1024 per FIPS 203), ML-DSA (all parameter sets per FIPS 204), and SLH-DSA (selected parameter sets per FIPS 205) across Windows 11, Windows Server 2022 and later, and Azure's TLS infrastructure. This is not a preview or beta — it is production-grade, shipping in the OS. The most consequential development for enterprise PKI teams arrived in May 2026: Active Directory Certificate Services gained support for ML-DSA certificate issuance and enrollment. This means enterprise Certificate Authorities built on Windows Server can issue ML-DSA digital certificates to domain-joined devices, service accounts, and users through the existing ADCS infrastructure — without replacing the CA software or migrating away from Active Directory. For organizations that have spent years building out ADCS-based PKI, this is the migration path that requires the least architectural disruption. Microsoft 365 services, Azure Key Vault, and Azure TLS termination all negotiate hybrid PQC with compatible clients. The Azure SDK across .NET, Java, Python, JavaScript, and Go has been updated to negotiate ML-KEM hybrid TLS, meaning applications built on Azure SDKs inherit PQC protection with a dependency version bump. Microsoft has also published a detailed PQC readiness guide for hybrid Azure AD and on-premises deployments, addressing the complex certificate chain scenarios that enterprise architects typically encounter during migrations.

Google's post-quantum cryptography strategy operates across three distinct layers: the Chrome browser (the world's most-used TLS client), Google Cloud infrastructure, and the open-source Tink cryptographic library. Together, these layers give Google an outsized influence on the overall pace of PQC adoption across the internet — and give enterprises building on Google Cloud a well-documented, developer-friendly path to quantum-resistant systems. At the browser layer, Chrome 124 shipped with hybrid X25519 + ML-KEM-768 as the default key exchange mechanism for TLS 1.3 connections. This made Chrome the first major browser to ship PQC by default, and because Chrome accounts for roughly 65 percent of global browser market share, Google's decision effectively made hybrid ML-KEM the predominant key exchange for a majority of HTTPS traffic worldwide. Any server negotiating TLS with Chrome users — including every enterprise application accessed through a browser — is already running PQC on the client-to-server leg when the server supports it. At the cloud infrastructure layer, Google Cloud KMS supports PQC key types for asymmetric signing and key wrapping operations. Google's production infrastructure uses X-Wing, a formally specified hybrid KEM that combines X25519 with ML-KEM-768 under a single, auditable construction. X-Wing has an IETF draft specification (draft-connolly-cfrg-xwing-kem) and has been formally analyzed for security, which gives it stronger provable security properties than informal hybrid concatenations. For developers, Tink is Google's highest-value contribution to the PQC ecosystem. This open-source multi-language cryptographic library (Java, C++, Python, Go, JavaScript) provides high-level, hard-to-misuse PQC APIs that abstract away algorithm parameter selection and implementation complexity. Tink's design philosophy — making it harder to do cryptography wrong than right — makes it the most accessible path to PQC for application development teams who are not cryptographic experts. The library is widely used outside Google: Tink processes hundreds of billions of operations per day across Google's production systems.

IBM's Quantum Safe Suite takes a fundamentally different approach from the cloud-native PQC deployments of AWS, Cloudflare, and Microsoft. Rather than focusing primarily on algorithm deployment, IBM has built the most comprehensive enterprise migration tooling available — centered on the concept of the Cryptographic Bill of Materials (CBOM), an inventory of every cryptographic asset in an organization's software supply chain. The suite has three primary components. IBM Quantum Safe Explorer performs automated scanning of source code, binaries, and running applications to identify cryptographic dependencies — which algorithms are in use, in which library versions, in which codepaths. This is not limited to TLS; it covers key derivation functions, block cipher modes, hash functions, digital signature schemes, and certificate chains throughout the codebase. Explorer produces machine-readable CBOM output compatible with the CycloneDX standard, enabling integration with existing SBOM tooling and vulnerability management platforms. IBM Quantum Safe Advisor ingests the CBOM output and maps each cryptographic usage against the CNSA 2.0 requirements, NIST migration guidance, and the organization's own risk policies. It produces a prioritized remediation roadmap, identifying which vulnerabilities are highest risk (long-lived data, external interfaces, NSS-adjacent workloads) and sequencing the migration to minimize operational disruption. This advisory function is what distinguishes IBM's offering from purely technical libraries. IBM Quantum Safe Remediator provides guided remediation, including pre-built migration recipes for common IBM technology components (Db2, MQ, WebSphere, z/OS, OpenShift) and integration with IBM's mainframe stack. The z16 processor includes dedicated hardware acceleration for ML-KEM and ML-DSA operations — a critical capability for financial institutions and telcos running transaction processing on IBM mainframes. IBM has documented deployments with multiple Fortune 500 financial institutions, including full CBOM generation across legacy COBOL and Java codebases exceeding ten million lines of code.

The Open Quantum Safe project, maintained by the University of Waterloo's Institute for Quantum Computing and stewarded by the Linux Foundation, is the most important open-source infrastructure project in the post-quantum cryptography ecosystem. If you are running any PQC implementation that is not a direct cloud-native service, there is a significant probability it either uses liboqs directly or was validated against it. liboqs is a C library implementing more than 30 post-quantum cryptographic schemes, including all three NIST-finalized algorithms (ML-KEM in all parameter sets, ML-DSA in all parameter sets, SLH-DSA in selected parameter sets), plus NIST-standardized alternatives like HQC, and additional schemes under ongoing evaluation. The library is designed for research, prototyping, and integration — not as a standalone TLS endpoint, but as the algorithmic foundation that other software builds on top of. The oqs-provider is the integration layer that connects liboqs to OpenSSL 3.x via the OpenSSL provider API. This is the piece that enables real-world TLS testing: any OpenSSL-based application (nginx, Apache, curl, OpenVPN, and thousands of others) can be recompiled or configured to use PQC key exchange and authentication via oqs-provider, without modifying the application itself. This has made OQS the de facto standard for enterprise PQC compatibility testing — security teams use it to verify that their existing TLS infrastructure can negotiate hybrid PQC before migrating production systems. OQS also maintains forks of OpenSSH and other widely deployed protocols with PQC support, and provides language bindings for Python, Java, Go, Rust, and Node.js through liboqs-python, liboqs-java, and similar wrapper projects. The project runs an OQS demo TLS server and maintains compatibility matrices against every major TLS client, which is used extensively by enterprise architects validating migration readiness. Android and embedded platform support is documented and tested.

Hardware Security Modules represent the highest-assurance tier of cryptographic infrastructure, storing private keys in tamper-evident, tamper-resistant physical devices that resist both logical attacks and physical extraction attempts. Thales Luna HSM version 7.9, released in 2025, is the first commercially available HSM with native firmware support for ML-KEM and ML-DSA — meaning PQC key generation, key wrapping, and digital signature operations occur entirely within the secure hardware boundary, never exposing private key material to the host system. The significance for enterprise security cannot be overstated for specific use cases. Root CA private keys, long-term encryption keys for archived data, code-signing keys, and master key encryption keys (MKEKs) for key management systems represent the highest-value targets for HNDL attacks. These are exactly the keys that should be stored in HSMs — and the upgrade to Luna 7.9 firmware means organizations can migrate these critical keys to ML-KEM and ML-DSA protection without leaving the hardware security boundary. Thales Luna HSM 7.9 supports ML-KEM-768 and ML-KEM-1024 for key encapsulation, and ML-DSA-44, ML-DSA-65, and ML-DSA-87 for digital signatures, all within the hardware. The FIPS 140-3 Level 3 validation application for the PQC firmware was submitted in 2025 and was in active evaluation with NIST's CMVP program as of mid-2026. Level 3 validation requires physical tamper-evidence and identity-based authentication, making it the appropriate standard for government and financial industry applications. The Luna HSM integrates with Thales' broader CipherTrust platform for key lifecycle management, enabling enterprises to manage PQC keys alongside classical keys in a unified dashboard. This is important for the hybrid deployment period when both RSA/ECC and PQC keys coexist. Thales also provides a firmware upgrade path for existing Luna 7.x hardware in the field, allowing organizations to extend their HSM investment rather than replacing hardware.

OpenSSL is not a new entrant in this list — it is the foundational TLS and cryptographic library that underpins an estimated 70 to 80 percent of internet-facing HTTPS servers. For decades, every OpenSSL release has been a global infrastructure event. OpenSSL 3.5, released in 2025, is the most significant security release in the project's history: it ships native support for ML-KEM, ML-DSA, and SLH-DSA across all FIPS 203, FIPS 204, and FIPS 205 parameter sets, without requiring the separate oqs-provider plugin. This is a paradigm shift in the PQC deployment landscape. Previously, enabling PQC in OpenSSL required installing and configuring the oqs-provider, which was appropriate for testing and enterprise POC deployments but added operational complexity for production systems. With OpenSSL 3.5, any Linux distribution or server application that updates its OpenSSL dependency gains PQC support as a built-in capability. nginx, Apache, HAProxy, PostgreSQL, Python's ssl module, Go's crypto/tls (which links to BoringSSL but tracks OpenSSL conventions), and thousands of other server applications inherit PQC capability through a simple package update. OpenSSL 3.5 supports X25519MLKEM768 as a hybrid TLS key exchange group — the same hybrid construction used by Chrome and negotiated by Cloudflare's edge. This means an nginx server updated to link against OpenSSL 3.5 will automatically negotiate hybrid PQC with Chrome 124+ clients, with no nginx configuration changes required beyond enabling the new cipher group. The performance overhead is minimal: benchmark data published by the OpenSSL project shows hybrid ML-KEM-768 TLS handshakes adding 1.2ms at the median versus classical X25519 on modern x86-64 hardware. OpenSSL's FIPS module — the subset of the library that has undergone NIST CMVP validation — is maintained separately from the main library. The FIPS 3.5 module validation was in progress with CMVP as of mid-2026; organizations requiring a FIPS-validated implementation should track that validation status or use AWS-LC or SymCrypt in the interim.

PQShield is a specialized cryptography company spun out of Oxford University in 2018, and its UltraPQ Suite represents the most complete full-stack PQC offering from a dedicated post-quantum vendor. Unlike the hyperscaler offerings, which focus on specific services or protocols, UltraPQ covers the entire deployment spectrum: from a 5-kilobyte embedded implementation designed for 32-bit microcontrollers with as little as 64KB of RAM, through mobile SDKs for iOS and Android, to a full enterprise TLS library with hardware acceleration. The embedded tier (PQShield Embedded) is arguably the most technically impressive component: it achieves FIPS 203-compliant ML-KEM-768 in 5KB of code size with 4.8KB stack usage on ARM Cortex-M4, making it viable for IoT devices, automotive ECUs, smart cards, and secure elements that simply cannot accommodate the 50-200KB footprint of typical PQC implementations. This positions PQShield as the only credible option for enterprises with IoT fleets or embedded device supply chains that need end-to-end quantum resistance. For enterprise TLS deployments, PQShield TLS provides a complete ML-KEM and ML-DSA implementation with optional hardware acceleration support. FIPS 140-3 certification — achieved in 2025 — is a critical differentiator; PQShield is among the first dedicated PQC vendors to achieve CMVP certification for post-quantum algorithms, enabling deployment in regulated environments that require a validated module without waiting for OpenSSL's FIPS 3.5 process to complete. PQShield's hardware IP (PQSoC) is licensed to semiconductor manufacturers for integration directly into SoCs, FPGAs, and ASICs. Several ARM-based processor vendors have licensed PQShield's ML-KEM accelerator IP, meaning future enterprise server and network hardware will ship with hardware-accelerated PQC as a built-in feature. PQShield provides commercial support contracts with named cryptographers, which matters to organizations that need expert human escalation paths for cryptographic edge cases.

Keyfactor is the market leader in enterprise PKI lifecycle management, and its 2024-2025 acquisitions of InfoSec Global and CipherInsights transformed it from a certificate management platform into a comprehensive post-quantum migration platform. The combined offering addresses the most underserved part of the enterprise PQC challenge: not algorithm deployment, but certificate lifecycle management at scale across heterogeneous environments. EJBCA (Enterprise Java Beans Certificate Authority) is the world's most widely deployed open-source CA software, used by thousands of enterprises and government agencies to issue and manage digital certificates. EJBCA 8.3 and later support hybrid certificate issuance — X.509 certificates that contain both a classical signature (RSA or ECDSA) and a parallel ML-DSA signature in the same certificate, enabling relying parties that support hybrid verification to validate the PQC signature while older clients fall back to the classical one. This is the practical migration path for enterprises that cannot update all certificate consumers simultaneously. Keyfactor Command is the SaaS-based certificate lifecycle management platform that manages certificate inventory, automated renewal, and policy enforcement across multi-CA environments. The integration of CipherInsights' cryptographic discovery capabilities means Command can now scan enterprise networks to detect all certificates in use, identify their cryptographic parameters (key sizes, signature algorithms, expiration dates), and flag certificates that need quantum-safe remediation. This is the enterprise-grade version of what IBM Quantum Safe Explorer does for code — applied to the live certificate estate. The acquired InfoSec Global (now Keyfactor Agility) contributes a broader crypto-agility layer: scanning applications, protocols, and libraries for cryptographic dependencies beyond just certificates, and providing a unified risk dashboard. Keyfactor now offers an end-to-end workflow from crypto discovery → CBOM generation → hybrid certificate issuance → renewal automation, all managed through a single platform. For enterprises with complex multi-CA environments — a common scenario in financial services, healthcare, and manufacturing — this unified lifecycle management is the most operationally practical PQC migration path available.

Cloudflare has achieved something remarkable: it has made post-quantum cryptography the default for the majority of its global TLS traffic, covering over six million internet-facing domains, without requiring customers to do anything. As of early 2026, more than 60 percent of TLS connections terminating at Cloudflare's global network use hybrid X25519 + ML-KEM-768 key exchange, making Cloudflare the operator of the world's largest deployed PQC-protected network by connection volume. The mechanism is straightforward. Cloudflare's edge infrastructure negotiates hybrid ML-KEM with any client that supports it — Chrome 124 and later, Firefox, and modern versions of Safari all do — while falling back gracefully to classical X25519 for older clients. This means that for any organization with their DNS and TLS termination running through Cloudflare, post-quantum protection on the client-to-edge leg of every HTTPS connection is already active. Zero configuration required. Cloudflare's Zero Trust and SASE offerings extend this protection further. Cloudflare Access, Gateway, and WARP (the enterprise VPN replacement) all support hybrid PQC tunnels, meaning enterprise employees accessing internal applications through Cloudflare's network are protected against HNDL attacks on their session traffic. Cloudflare claims to be the first vendor to deliver a complete SASE stack with end-to-end PQC support — a significant milestone for enterprises replacing legacy VPN infrastructure. For the edge-to-origin leg (Cloudflare to the customer's own servers), Cloudflare supports PQC via its Argo Smart Routing and Tunnels products when the origin server supports ML-KEM. This requires updating origin-side TLS configuration, which Cloudflare provides documentation and tooling to support. The company also publishes detailed cryptographic telemetry showing cipher suite distribution across its network, giving security researchers and enterprise customers visibility into real-world PQC adoption rates at scale.

Microsoft's post-quantum cryptography deployment is the most significant for enterprises running Microsoft-centric infrastructure, which remains the majority of Fortune 500 organizations. The cryptographic foundation is SymCrypt, Microsoft's open-source cross-platform cryptography library written in C, and the Windows Cryptography Next Generation (CNG) API layer that exposes PQC primitives to applications through a stable, documented interface. As of early 2026, SymCrypt and CNG provide generally available support for ML-KEM (all three parameter sets: 512, 768, 1024 per FIPS 203), ML-DSA (all parameter sets per FIPS 204), and SLH-DSA (selected parameter sets per FIPS 205) across Windows 11, Windows Server 2022 and later, and Azure's TLS infrastructure. This is not a preview or beta — it is production-grade, shipping in the OS. The most consequential development for enterprise PKI teams arrived in May 2026: Active Directory Certificate Services gained support for ML-DSA certificate issuance and enrollment. This means enterprise Certificate Authorities built on Windows Server can issue ML-DSA digital certificates to domain-joined devices, service accounts, and users through the existing ADCS infrastructure — without replacing the CA software or migrating away from Active Directory. For organizations that have spent years building out ADCS-based PKI, this is the migration path that requires the least architectural disruption. Microsoft 365 services, Azure Key Vault, and Azure TLS termination all negotiate hybrid PQC with compatible clients. The Azure SDK across .NET, Java, Python, JavaScript, and Go has been updated to negotiate ML-KEM hybrid TLS, meaning applications built on Azure SDKs inherit PQC protection with a dependency version bump. Microsoft has also published a detailed PQC readiness guide for hybrid Azure AD and on-premises deployments, addressing the complex certificate chain scenarios that enterprise architects typically encounter during migrations.

Google's post-quantum cryptography strategy operates across three distinct layers: the Chrome browser (the world's most-used TLS client), Google Cloud infrastructure, and the open-source Tink cryptographic library. Together, these layers give Google an outsized influence on the overall pace of PQC adoption across the internet — and give enterprises building on Google Cloud a well-documented, developer-friendly path to quantum-resistant systems. At the browser layer, Chrome 124 shipped with hybrid X25519 + ML-KEM-768 as the default key exchange mechanism for TLS 1.3 connections. This made Chrome the first major browser to ship PQC by default, and because Chrome accounts for roughly 65 percent of global browser market share, Google's decision effectively made hybrid ML-KEM the predominant key exchange for a majority of HTTPS traffic worldwide. Any server negotiating TLS with Chrome users — including every enterprise application accessed through a browser — is already running PQC on the client-to-server leg when the server supports it. At the cloud infrastructure layer, Google Cloud KMS supports PQC key types for asymmetric signing and key wrapping operations. Google's production infrastructure uses X-Wing, a formally specified hybrid KEM that combines X25519 with ML-KEM-768 under a single, auditable construction. X-Wing has an IETF draft specification (draft-connolly-cfrg-xwing-kem) and has been formally analyzed for security, which gives it stronger provable security properties than informal hybrid concatenations. For developers, Tink is Google's highest-value contribution to the PQC ecosystem. This open-source multi-language cryptographic library (Java, C++, Python, Go, JavaScript) provides high-level, hard-to-misuse PQC APIs that abstract away algorithm parameter selection and implementation complexity. Tink's design philosophy — making it harder to do cryptography wrong than right — makes it the most accessible path to PQC for application development teams who are not cryptographic experts. The library is widely used outside Google: Tink processes hundreds of billions of operations per day across Google's production systems.

IBM's Quantum Safe Suite takes a fundamentally different approach from the cloud-native PQC deployments of AWS, Cloudflare, and Microsoft. Rather than focusing primarily on algorithm deployment, IBM has built the most comprehensive enterprise migration tooling available — centered on the concept of the Cryptographic Bill of Materials (CBOM), an inventory of every cryptographic asset in an organization's software supply chain. The suite has three primary components. IBM Quantum Safe Explorer performs automated scanning of source code, binaries, and running applications to identify cryptographic dependencies — which algorithms are in use, in which library versions, in which codepaths. This is not limited to TLS; it covers key derivation functions, block cipher modes, hash functions, digital signature schemes, and certificate chains throughout the codebase. Explorer produces machine-readable CBOM output compatible with the CycloneDX standard, enabling integration with existing SBOM tooling and vulnerability management platforms. IBM Quantum Safe Advisor ingests the CBOM output and maps each cryptographic usage against the CNSA 2.0 requirements, NIST migration guidance, and the organization's own risk policies. It produces a prioritized remediation roadmap, identifying which vulnerabilities are highest risk (long-lived data, external interfaces, NSS-adjacent workloads) and sequencing the migration to minimize operational disruption. This advisory function is what distinguishes IBM's offering from purely technical libraries. IBM Quantum Safe Remediator provides guided remediation, including pre-built migration recipes for common IBM technology components (Db2, MQ, WebSphere, z/OS, OpenShift) and integration with IBM's mainframe stack. The z16 processor includes dedicated hardware acceleration for ML-KEM and ML-DSA operations — a critical capability for financial institutions and telcos running transaction processing on IBM mainframes. IBM has documented deployments with multiple Fortune 500 financial institutions, including full CBOM generation across legacy COBOL and Java codebases exceeding ten million lines of code.

The Open Quantum Safe project, maintained by the University of Waterloo's Institute for Quantum Computing and stewarded by the Linux Foundation, is the most important open-source infrastructure project in the post-quantum cryptography ecosystem. If you are running any PQC implementation that is not a direct cloud-native service, there is a significant probability it either uses liboqs directly or was validated against it. liboqs is a C library implementing more than 30 post-quantum cryptographic schemes, including all three NIST-finalized algorithms (ML-KEM in all parameter sets, ML-DSA in all parameter sets, SLH-DSA in selected parameter sets), plus NIST-standardized alternatives like HQC, and additional schemes under ongoing evaluation. The library is designed for research, prototyping, and integration — not as a standalone TLS endpoint, but as the algorithmic foundation that other software builds on top of. The oqs-provider is the integration layer that connects liboqs to OpenSSL 3.x via the OpenSSL provider API. This is the piece that enables real-world TLS testing: any OpenSSL-based application (nginx, Apache, curl, OpenVPN, and thousands of others) can be recompiled or configured to use PQC key exchange and authentication via oqs-provider, without modifying the application itself. This has made OQS the de facto standard for enterprise PQC compatibility testing — security teams use it to verify that their existing TLS infrastructure can negotiate hybrid PQC before migrating production systems. OQS also maintains forks of OpenSSH and other widely deployed protocols with PQC support, and provides language bindings for Python, Java, Go, Rust, and Node.js through liboqs-python, liboqs-java, and similar wrapper projects. The project runs an OQS demo TLS server and maintains compatibility matrices against every major TLS client, which is used extensively by enterprise architects validating migration readiness. Android and embedded platform support is documented and tested.

Hardware Security Modules represent the highest-assurance tier of cryptographic infrastructure, storing private keys in tamper-evident, tamper-resistant physical devices that resist both logical attacks and physical extraction attempts. Thales Luna HSM version 7.9, released in 2025, is the first commercially available HSM with native firmware support for ML-KEM and ML-DSA — meaning PQC key generation, key wrapping, and digital signature operations occur entirely within the secure hardware boundary, never exposing private key material to the host system. The significance for enterprise security cannot be overstated for specific use cases. Root CA private keys, long-term encryption keys for archived data, code-signing keys, and master key encryption keys (MKEKs) for key management systems represent the highest-value targets for HNDL attacks. These are exactly the keys that should be stored in HSMs — and the upgrade to Luna 7.9 firmware means organizations can migrate these critical keys to ML-KEM and ML-DSA protection without leaving the hardware security boundary. Thales Luna HSM 7.9 supports ML-KEM-768 and ML-KEM-1024 for key encapsulation, and ML-DSA-44, ML-DSA-65, and ML-DSA-87 for digital signatures, all within the hardware. The FIPS 140-3 Level 3 validation application for the PQC firmware was submitted in 2025 and was in active evaluation with NIST's CMVP program as of mid-2026. Level 3 validation requires physical tamper-evidence and identity-based authentication, making it the appropriate standard for government and financial industry applications. The Luna HSM integrates with Thales' broader CipherTrust platform for key lifecycle management, enabling enterprises to manage PQC keys alongside classical keys in a unified dashboard. This is important for the hybrid deployment period when both RSA/ECC and PQC keys coexist. Thales also provides a firmware upgrade path for existing Luna 7.x hardware in the field, allowing organizations to extend their HSM investment rather than replacing hardware.

OpenSSL is not a new entrant in this list — it is the foundational TLS and cryptographic library that underpins an estimated 70 to 80 percent of internet-facing HTTPS servers. For decades, every OpenSSL release has been a global infrastructure event. OpenSSL 3.5, released in 2025, is the most significant security release in the project's history: it ships native support for ML-KEM, ML-DSA, and SLH-DSA across all FIPS 203, FIPS 204, and FIPS 205 parameter sets, without requiring the separate oqs-provider plugin. This is a paradigm shift in the PQC deployment landscape. Previously, enabling PQC in OpenSSL required installing and configuring the oqs-provider, which was appropriate for testing and enterprise POC deployments but added operational complexity for production systems. With OpenSSL 3.5, any Linux distribution or server application that updates its OpenSSL dependency gains PQC support as a built-in capability. nginx, Apache, HAProxy, PostgreSQL, Python's ssl module, Go's crypto/tls (which links to BoringSSL but tracks OpenSSL conventions), and thousands of other server applications inherit PQC capability through a simple package update. OpenSSL 3.5 supports X25519MLKEM768 as a hybrid TLS key exchange group — the same hybrid construction used by Chrome and negotiated by Cloudflare's edge. This means an nginx server updated to link against OpenSSL 3.5 will automatically negotiate hybrid PQC with Chrome 124+ clients, with no nginx configuration changes required beyond enabling the new cipher group. The performance overhead is minimal: benchmark data published by the OpenSSL project shows hybrid ML-KEM-768 TLS handshakes adding 1.2ms at the median versus classical X25519 on modern x86-64 hardware. OpenSSL's FIPS module — the subset of the library that has undergone NIST CMVP validation — is maintained separately from the main library. The FIPS 3.5 module validation was in progress with CMVP as of mid-2026; organizations requiring a FIPS-validated implementation should track that validation status or use AWS-LC or SymCrypt in the interim.

PQShield is a specialized cryptography company spun out of Oxford University in 2018, and its UltraPQ Suite represents the most complete full-stack PQC offering from a dedicated post-quantum vendor. Unlike the hyperscaler offerings, which focus on specific services or protocols, UltraPQ covers the entire deployment spectrum: from a 5-kilobyte embedded implementation designed for 32-bit microcontrollers with as little as 64KB of RAM, through mobile SDKs for iOS and Android, to a full enterprise TLS library with hardware acceleration. The embedded tier (PQShield Embedded) is arguably the most technically impressive component: it achieves FIPS 203-compliant ML-KEM-768 in 5KB of code size with 4.8KB stack usage on ARM Cortex-M4, making it viable for IoT devices, automotive ECUs, smart cards, and secure elements that simply cannot accommodate the 50-200KB footprint of typical PQC implementations. This positions PQShield as the only credible option for enterprises with IoT fleets or embedded device supply chains that need end-to-end quantum resistance. For enterprise TLS deployments, PQShield TLS provides a complete ML-KEM and ML-DSA implementation with optional hardware acceleration support. FIPS 140-3 certification — achieved in 2025 — is a critical differentiator; PQShield is among the first dedicated PQC vendors to achieve CMVP certification for post-quantum algorithms, enabling deployment in regulated environments that require a validated module without waiting for OpenSSL's FIPS 3.5 process to complete. PQShield's hardware IP (PQSoC) is licensed to semiconductor manufacturers for integration directly into SoCs, FPGAs, and ASICs. Several ARM-based processor vendors have licensed PQShield's ML-KEM accelerator IP, meaning future enterprise server and network hardware will ship with hardware-accelerated PQC as a built-in feature. PQShield provides commercial support contracts with named cryptographers, which matters to organizations that need expert human escalation paths for cryptographic edge cases.

Keyfactor is the market leader in enterprise PKI lifecycle management, and its 2024-2025 acquisitions of InfoSec Global and CipherInsights transformed it from a certificate management platform into a comprehensive post-quantum migration platform. The combined offering addresses the most underserved part of the enterprise PQC challenge: not algorithm deployment, but certificate lifecycle management at scale across heterogeneous environments. EJBCA (Enterprise Java Beans Certificate Authority) is the world's most widely deployed open-source CA software, used by thousands of enterprises and government agencies to issue and manage digital certificates. EJBCA 8.3 and later support hybrid certificate issuance — X.509 certificates that contain both a classical signature (RSA or ECDSA) and a parallel ML-DSA signature in the same certificate, enabling relying parties that support hybrid verification to validate the PQC signature while older clients fall back to the classical one. This is the practical migration path for enterprises that cannot update all certificate consumers simultaneously. Keyfactor Command is the SaaS-based certificate lifecycle management platform that manages certificate inventory, automated renewal, and policy enforcement across multi-CA environments. The integration of CipherInsights' cryptographic discovery capabilities means Command can now scan enterprise networks to detect all certificates in use, identify their cryptographic parameters (key sizes, signature algorithms, expiration dates), and flag certificates that need quantum-safe remediation. This is the enterprise-grade version of what IBM Quantum Safe Explorer does for code — applied to the live certificate estate. The acquired InfoSec Global (now Keyfactor Agility) contributes a broader crypto-agility layer: scanning applications, protocols, and libraries for cryptographic dependencies beyond just certificates, and providing a unified risk dashboard. Keyfactor now offers an end-to-end workflow from crypto discovery → CBOM generation → hybrid certificate issuance → renewal automation, all managed through a single platform. For enterprises with complex multi-CA environments — a common scenario in financial services, healthcare, and manufacturing — this unified lifecycle management is the most operationally practical PQC migration path available.