Why We’re Launching Certes v7: Closing the Most Dangerous Gap in Cybersecurity

By Paul German, CEO, Certes

Having spent alot of time speaking with CEOs, not just CISOs, and over the past year one question has started to dominate every conversation:

“If we are breached tomorrow, what happens to our business?”

That change reflects experience. Leaders have seen the consequences play out in real terms – operational disruption, regulatory scrutiny, loss of revenue, and, in some cases, accountability that extends well beyond the IT function.

Quantum Risk Has Moved Up to the Board

At the same time, quantum risk has moved out of the realm of future concern and into present exposure. Across conversations with CISOs in financial services and large enterprises, there is a consistent theme: while awareness is high, there is still no reliable, sovereign, quantum-safe way to protect critical data as it moves between systems, across clouds, into AI environments and out to the edge.

For CISOs, the challenge is how to apply that level of protection across complex infrastructure and legacy applications without adding further complexity. For CEOs, the issue is broader. This is no longer a technical risk discussion, it is an enterprise risk discussion, shaped by increasing regulatory pressure, more informed boards and consequences that are measurable in financial terms. Fines under GDPR and DORA can reach up to four percent of global revenue, market value can fall sharply after a breach and trust rarely returns to its previous level.

The Quantum Threat Timeline Won’t Wait

Compounding this is that the threat timeline is not waiting. Many strategies still assume there is time to plan and transition (which in itself raises a bigger question on transition versus transformation), but that assumption no longer holds. Harvest Now, Decrypt Later attacks are already in play, with sensitive data being captured today for future decryption. At the same time, attackers are increasingly logging in with valid credentials and moving through environments that were assumed to be secure. A breach is no longer a contained event – it can persist and resurface years later with greater impact.

Despite heavy investment in identity, perimeter and infrastructure security, the industry still has a fundamental gap. Most architectures assume infrastructure can be trusted if configured correctly, but in practice no organisation can guarantee that across every cloud, partner and integration point. Data does not stay within those boundaries. It moves, often through the most complex and least controlled parts of the estate, and it is within those flows that the majority of risk sits.

This is where breaches stop being technical incidents and become business events, with financial, legal, operational, and possible personal consequences that escalate quickly.

The industry’s response has largely been to focus on infrastructure – upgrading networks, replacing (transitioning) algorithms, or planning large-scale migration programmes. While necessary, this is not sufficient, because it does not address the core issue: once data moves beyond infrastructure boundaries, those controls lose their effectiveness. The only effective approach here is to choose transformation over transition.

This is Why We Built Certes v7

Certes v7 was built to address that gap, but in a way that reflects reality. Most organisations cannot undertake multi-year transition programmes that delay the protection of their most critical data while risk continues to grow, nor can they disrupt operations or replace legacy systems to achieve a new model. What is required instead is the ability to apply protection quickly and consistently, without adding operational burden.

v7 can be deployed across existing environments in months rather than years, without infrastructure change or application refactoring, and applies protection directly to the data flows that matter most. This allows organisations to move immediately, rather than waiting for ideal conditions.

Fundamentally, this represents a shift away from trusting infrastructure to protecting data itself. Certes v7 enforces quantum-safe protection at the level of the data flow, with policy governing each flow and cryptographic keys remaining under the customer’s control at all times. Protection persists wherever the data travels, without reliance on vendor-managed keys or assumptions about the underlying environment.

The practical implication is simple: even if an attacker gains access, the data they obtain has no usable value, now or in the future. That changes the outcome of a breach from something that can escalate into a major business event into something that can be contained.

Is Your Most Valuable Asset Truly Protected? 

From a business perspective, this is not just a security improvement, it’s a transformation. A control that reduces the likelihood of financial impact, simplifying how protection of data is applied across complex estates, and strengthens an organisation’s position with regulators, auditors and boards.

It also provides a clear answer to a critical question: “Are we genuinely protecting our most valuable asset?”

The industry will continue to focus on infrastructure-led approaches, with new standards, new algorithms, and long transition timelines. Those will play a role, but they do not solve the underlying problem that data moves beyond the environments those controls were designed for.

The organisations that succeed in the post-quantum era will not be the ones that transition, upgrading infrastructure first. They will be the ones that transform. Recognising where their true risk sits, protecting their most critical data flows, retaining control of their cryptography in a Crypto-agile fashion allowing adaptations as standards evolve without starting again.

That is not a future migration strategy. It is a foundation that needs to be in place now.

That is what Certes v7 enables.

PQC for any app, any infrastructure, anywhere.