Deploy Bravely — Secure your AI transformation with Prisma AIRS
Table of contents

Harvest Now, Decrypt Later (HNDL): The Quantum-Era Threat

5 min. read
Table of contents

Harvest now, decrypt later is a cybersecurity threat in which encrypted data is collected and stored today so it can be decrypted in the future when quantum computers can break current encryption.

It's a present-day risk because data protected by classical encryption can be captured now and later exposed once quantum decryption becomes feasible.

 

How does a harvest now, decrypt later attack work?

A harvest now, decrypt later (HNDL) attack happens in stages. It starts with data collection and ends years later with decryption.

The entire process is built on patience: steal what's valuable now, wait until technology can unlock it.

Note:
Quantum security terminology is still evolving, and usage varies across disciplines. Harvest now, decrypt later (HNDL) is also referred to as store now, decrypt later (SNDL) or, less commonly, a retrospective decryption attack.
Horizontal process diagram titled 'Harvest now, decrypt later (HNDL)' showing five sequential steps connected by arrows. Step 1, in a blue square, reads 'Data exfiltration' with subtext 'Steals encrypted traffic or files.' Step 2, in a lighter blue square, reads 'Cold storage' with subtext 'Keeps ciphertext for years.' Step 3, in an orange square, reads 'Advances in quantum computing' with subtext 'Waits for quantum systems.' Step 4, in a white square with a blue lock icon, reads 'Decrypt later' with subtext 'Shor's breaks RSA/ECC.' Step 5, in a purple square, reads 'Use the plaintext' with subtext 'Read, sell, or forge identities.' Small text under several steps notes 'Years can pass' to indicate elapsed time between stages.

Understanding these phases helps show why this is not a future concern but a risk already in motion.

Phase 1 — Harvest

Attackers begin by collecting encrypted information through familiar means. That includes intercepting network traffic, exploiting endpoints, or stealing data from compromised servers.

Because the information is encrypted, the operation doesn't need to break it immediately. The goal is to quietly gather as much as possible while classical encryption still protects it.

Every intercepted file or transmission becomes a potential future target once quantum computing matures.

Phase 2 — Store

Next comes long-term storage.

The harvested data is archived—sometimes for years, sometimes for decades. It may sit in government repositories, data centers, or private cloud environments, waiting for quantum decryption to become practical.

Nothing active happens here, which makes this phase nearly impossible to detect. The simplicity is what makes it dangerous: once the data is collected, time does the rest.

Phase 3 — Decrypt

Finally, when quantum computers are capable of running algorithms like Shor's, that stored data can be decrypted. Information that was once secure becomes readable.

Financial records, state communications, intellectual property, and medical data are all at risk if still protected by classical public-key encryption.

The end result isn't a sudden breach. It's the delayed payoff of data stolen long ago. This is why long-lived records encrypted by classical algorithms remain a present-day exposure.

 

Why does the threat matter today if quantum computers don't exist yet?

The previous section explained how attackers carry out harvest now, decrypt later collection. But understanding why it matters today requires looking at how long data needs to stay protected.

The risk doesn't start when quantum computers arrive. It starts the moment encrypted data is collected.

"Encrypted data remains at risk because of the 'harvest now, decrypt later' threat in which adversaries collect encrypted data now with the goal of decrypting it once quantum technology matures. Since sensitive data often retains its value for many years, starting the transition to post-quantum cryptography now is critical to preventing these future breaches. This threat model is one of the main reasons why the transition to post-quantum cryptography is urgent."
- NIST, Transition to Post-Quantum Cryptography Standards

That's because some information has to stay confidential for decades. Government records. Intellectual property. Personal identifiers. If that data is intercepted today, it can still be decrypted later once quantum computing matures.

The quantum threat is deferred. Not distant.

Organizations can't wait for quantum computers to exist before acting. For those that do, the damage will likely already be in motion. Which is why preparing early isn't optional. It's foundational to maintaining confidentiality over time.

Here's the core issue.

Encryption and secrecy don't last equally long.

Data has a required secrecy lifetime. Encryption has an effective lifetime. If the encryption expires first, the data becomes vulnerable. That mismatch is called data lifespan risk.

In other words, if you're still using classical cryptography to protect long-lived data, it's already exposed to harvest-now-decrypt-later collection.

The key takeaway: defending against this risk starts now. The focus isn't on stopping quantum computers. It's on reducing what adversaries can harvest before they arrive.

| Further reading: Quantum Computing and Cybersecurity: Breaking Down the Risks

 

What types of organizations and data are most exposed?

Some types of organizations face higher exposure than others because their data must remain confidential far longer.

And some organizations can't afford for their data to ever be public.

Sectors and data types with highest quantum exposure
Organizations Data most at risk
Financial institutions Transaction records, customer PII, long-term contracts
Government agencies Diplomatic communications, census data, classified archives
Defense contractors R&D, supply chain data, technical schematics
Healthcare providers Medical records, genetic data, research datasets
Cloud providers Encrypted traffic, client data stores, cross-border transfers

Financial institutions. Government agencies. Defense contractors. Healthcare providers.

These sectors handle information that must stay confidential for decades. And cloud providers sit at the center of it all, storing and transmitting vast volumes of encrypted data on behalf of other industries.

In other words, the exposure for these sectors lasts as long as the data itself. If the encryption protecting it expires first, that information becomes vulnerable to harvest-now-decrypt-later collection.

While awareness of this risk is growing—especially in sectors with strict data retention laws—urgency isn't consistent. Many organizations recognize the problem but delay taking action because the quantum timeline feels uncertain.

Be aware: architecture matters as much as policy.

Multi-cloud adoption and global data sharing make the attack surface larger. Encrypted traffic now travels across multiple providers, networks, and jurisdictions. So every new transfer creates another point where it can be intercepted and stored.

Put simply, the more distributed data becomes, the harder it is to ensure that none of it's being quietly collected for later decryption.

 

How are attackers exploiting the window before post-quantum cryptography?

Attackers aren't waiting for quantum computers to arrive. They're preparing now.

State actors and advanced persistent threat (APT) groups are stealthily collecting encrypted data while it's still protected by classical algorithms. Once quantum decryption becomes practical, that data could be unlocked years after it was taken.

Note:
Some intercepted data never needs to be decrypted to be useful. Even encrypted archives can reveal target relationships, communication patterns, and operational priorities through metadata analysis alone.

Why would they do that?

Because the payoff is long-term.

Intelligence services view encrypted information as a strategic asset.

Diplomatic archives. Research data. Proprietary designs. These can all hold lasting value.

Even if they can't be read today, they can reveal political intentions, defense strategies, or scientific breakthroughs later.

Note:
Some intelligence agencies already maintain long-term encrypted data archives as part of routine collection. These repositories don't depend on current decryption methods. Just the expectation that future computing advances, including quantum, will eventually make the data accessible.

The cost is low, too.

Large-scale interception of encrypted network traffic is cheap and simple with today's infrastructure.

Internet backbones, satellite links, and cloud exchanges all move massive volumes of encrypted data every second. Capturing it is easier than ever. And that means adversaries can build vast archives now and wait for the tools to catch up.

Crucially: that window is what makes harvest-now-decrypt-later attractive.

It's a low-risk, high-reward investment. Once quantum computers reach the threshold for breaking modern cryptography, everything stored during this period could suddenly become readable.

 

When will Q-Day actually happen?

Chart titled 'Quantum threat & readiness timeline'. The chart presents a two-track horizontal timeline spanning 2024 through 2035, showing parallel developments in quantum technology progress and cybersecurity readiness milestones. The top track, labeled 'Quantum technology progress', uses light blue background accents and lists milestones by year group. For 2024, it states that industry investment in quantum technology grows by nearly 50 percent to about $2 billion, with research shifting from scaling qubits to improving stability and error correction. The 2025 entry notes expert consensus that a cryptographically relevant quantum computer could emerge within a decade and mentions early hybrid quantum-classical systems demonstrating reliable logical qubits. The 2026–2028 group describes steady progress in qubit coherence and fault-tolerant design with public and private research advancing scalable prototypes. The 2029–2031 group highlights fault-tolerant systems achieving multi-day stability and global discussions on estimating Q-Day and assessing geopolitical implications. The 2032–2035 group shows large-scale quantum computers reaching commercial viability and legacy public-key encryption becoming increasingly vulnerable to quantum attack. The lower track, labeled 'Cybersecurity readiness milestones', uses orange highlights and lists corresponding security responses. For 2024, it cites NIST finalizing the first post-quantum cryptography standards FIPS 203–205 and governments beginning formal cryptographic inventories. The 2025 milestone mentions agencies publishing quantum-readiness roadmaps and hybrid cryptography pilots in cloud and network systems. The 2026–2028 span lists expanding cryptographic agility frameworks and vendor certification programs. The 2029–2031 range shows large-scale migration to quantum-safe cryptography and a growing focus on supply-chain coordination. The 2032–2035 period notes that PQC and hybrid encryption become global standards.

No one knows the exact date of Q-Day—the moment when quantum computers can break today's encryption. But experts agree it's not centuries away.

Most projections estimate a window of roughly 10 to 15 years. Some predict sooner, others later. The disagreement reflects how many variables remain unresolved.

Here's why forecasts differ.

Building a cryptographically relevant quantum computer isn't just about adding more qubits. Those qubits have to stay stable long enough to perform complex operations. And that requires breakthroughs in error correction, scalability, and hardware design.

Funding and national investment also play a role. Countries pouring billions into quantum research could shorten the timeline dramatically.

Remember: uncertainty itself is the risk.

Migration to post-quantum cryptography can't be reactive. Once a quantum computer reaches the threshold to break RSA or elliptic-curve encryption, it will already be too late to protect the data that was stolen years earlier.

To put it another way, waiting for a confirmed date for Q-Day misses the point.

The goal isn't to predict the day quantum decryption becomes possible. It's to make sure encrypted information will still be secure when that day comes.

And it is coming.

 

How to prepare for the post-quantum threat today

Process diagram titled 'How to protect against harvest-now, decrypt-later attacks'. The diagram displays six sequential steps arranged vertically inside rectangular boxes with circular icons to the left of each step number. Step 1, labeled 'Inventory cryptographic assets', includes a network icon and text that reads 'Map where encryption is used across systems, apps, and APIs. Visibility is the foundation of resilience.' Step 2, labeled 'Prioritize long-life data', has a data card icon and text that reads 'Identify information that must stay confidential for years like financial, medical, or classified data.' Step 3, labeled 'Re-encrypt with PQC or hybrid algorithms', features an encryption icon and text that reads 'Begin migration using NIST-approved post-quantum or hybrid schemes to protect critical records.' Step 4, labeled 'Adopt crypto-agility', includes a swirling arrow icon and text that reads 'Design systems that can swap algorithms and keys easily to stay ahead of evolving standards.' Step 5, labeled 'Shorten data retention', uses a file-delete icon and text that reads 'Remove unnecessary archives. Data that doesn't exist can't be decrypted later.' Step 6, labeled 'Engage vendors & regulators', has a government building icon and text that reads 'Coordinate early on migration timelines and NIST transition guidance for consistent implementation.' Each step number is highlighted in blue, and the boxes are connected by a faint vertical line indicating a continuous process.

Governments and industry groups are accelerating post-quantum migration because of harvest-now-decrypt-later exposure. But defense ultimately starts at the organizational level.

The key is to act before quantum decryption becomes possible. Again, once the data is collected, it can't be unharvested.

Here's how to start:

  1. Inventory cryptographic assets and dependencies.

    Map every place encryption is used: applications, APIs, devices, and third-party integrations. Visibility is the foundation of any quantum-resilient strategy.

  2. Prioritize long-life and sensitive data.

    Identify which records must remain confidential for years or decades, such as financial transactions, intellectual property, and classified archives. Those should migrate first.

  3. Re-encrypt or segment data using post-quantum or hybrid algorithms.

    Adopt NIST-approved PQC schemes where possible. Hybrid models let you combine classical and quantum-safe encryption during transition.

    Start with pilot environments or non-critical workloads to validate performance, compatibility, and interoperability before scaling broadly.

  4. Adopt crypto-agility.

    Design systems to change algorithms and keys easily.

    Static cryptography locks you into today's vulnerabilities. Crypto-agility should also extend to certificate management, key rotation, and lifecycle governance.

  5. Shorten data retention.

    Data that no longer exists can't be decrypted later. Review archival policies and delete what you don't need.

  6. Engage vendors and regulators.

    Align migration plans, compliance requirements, and interoperability standards early.

    Follow NIST's post-quantum cryptography transition guidance and monitor emerging timelines in your industry to stay synchronized.

These steps align with broader PQC migration and zero-trust design. Every encrypted record you protect now is one that won't become tomorrow's breach.

Get your quantum readiness assessment
The assessment includes:
  • Overview of your cryptographic landscape
  • Quantum-safe deployment recommendations
  • Guidance for securing legacy apps & infrastructure

Get my assessment

 

HNDL FAQs

Store now, decrypt later—also called harvest now, decrypt later—is a strategy where attackers collect encrypted data today and store it until quantum computers can break the encryption. Once quantum decryption becomes practical, previously secure information can be exposed, making long-lived data vulnerable now.
Q-Day refers to the future point when quantum computers become powerful enough to break widely used public-key cryptographic algorithms such as RSA and ECC. Estimates vary—typically 10–15 years—but uncertainty itself is the risk, since stolen data could be decrypted once quantum capabilities reach that threshold.
Quantum computing threatens sectors that rely on long-term data confidentiality and public-key encryption. These include finance, government, defense, healthcare, and cloud service providers. Encrypted communications, digital identities, and intellectual property are particularly exposed, since their protection depends on algorithms that quantum computers are expected to eventually defeat.
Related content
Blog: Palo Alto Networks Announces New Quantum Security Innovations
Learn about the new crypto inventory tool, quantum-optimized firewalls and PAN-OS 12.1 enabled quantum readiness.
Podcast: Threat Vector | Is the Quantum Threat Closer Than You Think?
Hear how to start your transition to quantum-resistant cryptography now.
Podcast: Packet Pushers | The Why and How of Making Your Infrastructure Quantum-Safe
Get the facts on the right framework for post-quantum cryptography.
Interactive experience: Is Your Organization Ready for a Quantum-Safe Future?
Dive into an immersive overview on quantum threats, PQC, and NIST’s new standards.

Get the latest news, invites to events, and threat alerts