No matter your industry, it’s time to prepare for the quantum computing threat. Think of all the encrypted systems in use today: banking apps, healthcare records, government communications. Every one of them is potentially breakable by quantum computers—and the risk isn’t as far off as it seems.
The real danger isn’t a future hack. It’s the “harvest now, decrypt later” strategy already in play. Malicious actors can capture encrypted data today and hold onto it, waiting until quantum capabilities mature enough to crack it.
That’s why post-quantum cryptography (PQC) is no longer theoretical. Designed to withstand both classical and quantum attacks, PQC is the path forward. But getting there requires a massive first step: finding quantum-vulnerable code across sprawling, interconnected systems.
What’s your level of readiness for quantum-era threats?
Moderne co-founder and OpenRewrite creator Jonathan Schneider recently partnered with a global banking leader actively working to address this very question. The organization had identified a set of cryptographic anti-patterns they knew were risky—but had no clear path to find them across billions of lines of code. What followed was a breakthrough in both speed and scale of crypto detection—setting the foundation for PQC readiness at enterprise scale.
The first step in PQC: Know where you’re exposed
Many large organizations—especially in finance and government—have already launched post-quantum initiatives. They have research teams mapping the threat landscape, staying close to the National Institute of Standards and Technology (NIST) algorithm standardization process, and contributing to working groups like Evolution @ Scale from FINOS alongside their peers.
The main challenges of implementing post-quantum cryptography often lie in deeply embedded, legacy code structures and defaults. Vulnerable patterns are buried in shared libraries, infrastructure configs, and cross-repo code—and often obscured by abstraction layers.
Even if you have identified the problematic patterns, how do you find them throughout your large and complex codebases?
That was exactly the challenge the global bank brought to Moderne. Even with a well-researched list of cryptographic anti-patterns in hand, finding those patterns across their codebase had proven difficult—if not elusive. Two previous attempts working with other partners had failed. What they needed was a way to turn their PQC readiness strategy into an executable, repeatable engineering process.
“Right now, organizations are trying to figure out what PQC readiness really means for their systems. Moderne is built to collaborate in exactly this moment. We’re helping teams accurately identify where they’re exposed, and working with them to define scalable ways to move forward to secure their codebases.”
—Jonathan Schneider, CEO of Moderne
From zero to insight in under 12 hours
Jonathan and the Moderne team responded with urgency. Within 12 hours of receiving the bank’s requirements, Moderne had:
- Built a suite of OpenRewrite recipes tailored to the bank’s anti-patterns
- Validated the recipes by running them across tens of millions of lines of open source code
- Delivered recipes to run across the bank’s code to highlight exactly where vulnerable cryptographic logic was located
These weren’t simple regex scans. Moderne used Lossless Semantic Trees (LSTs)—a structural, semantic representation of code that captures full syntactic fidelity and deep contextual understanding (like symbol resolution, type info, and config propagation). LSTs enable:
- Accurate detection across massive codebases
- Cross-repo visibility—even into shared libraries
- Version-aware scanning that accounts for library or JDK behavior
- Semantic accuracy that minimizes false positives
The result? The bank was able to see their exposure clearly across a set of repositories. They now have tools in place to plan their next steps.
While today’s work often focuses on detecting the use of classical encryption algorithms (e.g., RSA or ECC usage), the future will evolve to support remediation with specific PQC algorithms—like code-based post-quantum cryptography and lattice-based implementations. These transformations must reflect not only NIST selections but practical migration paths for enterprise systems.
10 vulnerable encryption algorithms open to quantum attack
Moderne’s recipes now support detection of more than 10 cryptographic anti-patterns that can create enterprise risk from quantum computing. These anti-patterns reveal vulnerable encryption algorithms that are no longer considered safe in the post-quantum era. Identifying them is the first step toward scalable mitigation:
Why PQC remediation demands semantic depth, not surface scans
Most legacy code analysis tools simply weren’t built for the scale and complexity of post-quantum cryptography readiness. For example, regex-based scanning lacks the context to distinguish between meaningful patterns and harmless strings, and local development with wide context windows fails to scale effectively.
The Abstract Syntax Tree (AST) code representation is called abstract for a reason. It does not represent every detail appearing in the actual code syntax. For example, ASTs don’t preserve formatting and do not have type awareness. This lack of detail and context in these abstract models delivers a lossy code representation for search purposes, creating false positives and over reporting.
These tools also miss transitive relationships—tracing symbolic or semantic flow across boundaries. This means they can’t see how a vulnerability in a shared library might ripple across dozens of services.
That’s why modern remediation efforts, such as solving for PQC issues, demand a more intelligent, semantically aware layer of analysis, one that can reveal how insecure logic flows through your systems.
Moderne’s serialized LSTs provide the depth and scale needed to analyze entire codebases with speed and precision. By applying advanced static analysis techniques—such as control flow and data flow analysis—Moderne can trace how values like hardcoded keys, insecure defaults, or outdated algorithm selections move through function calls, class hierarchies, and even across repository boundaries. This is critical for tracking taint and context propagation, especially when vulnerabilities span multiple layers of the application stack.
This enables organizations not just to locate vulnerabilities, but to understand their impact—what calls them, what they influence, and how they can be remediated safely, without introducing regressions.
Is your code ready for the quantum era?
Organizations don’t have the luxury of waiting for quantum machines to arrive. Several forces are driving the urgency:
- Data with a long shelf life is already vulnerable. Medical records, legal contracts, government communications—data stolen today may be decrypted years from now.
- Regulatory momentum is building. Government agencies are beginning to issue PQC readiness mandates for critical infrastructure, defense contractors, and financial institutions.
- PQC is rapidly maturing. NIST is finalizing standards, with algorithms selected and implementation recommendations available.
Preparing critical systems for the quantum era is more than new algorithms. It requires a coordinated, code-level migration strategy. Now is the time to research, collaborate, and plan. The sooner you assess and reduce your quantum exposure, the more futureproof your systems become.
Contact Moderne to learn how we can help you prepare your codebase for the quantum era—even if it’s still 10+ years away.
