Harvest now, decrypt later (HNDL) is a cyberattack strategy in which adversaries collect encrypted data today and store it until future quantum computers can decrypt it. Also known as store now, decrypt later, it creates immediate risk for sensitive data that must remain confidential for years or decades.
The threat matters now because the data being stolen today may still be valuable when quantum decryption becomes practical. Organizations cannot wait for Q-Day to begin preparing. They need cryptographic visibility, data prioritization, crypto-agility, and post-quantum migration planning before quantum-capable attacks become operationally viable.
Key Points
Harvest now, decrypt later is a present-day risk: Attackers can collect encrypted data now and wait for future quantum computers to decrypt it.
Long-lived sensitive data is most exposed: Government records, financial data, healthcare information, intellectual property, and defense data may remain valuable for decades.
Public-key cryptography creates the biggest concern: RSA and elliptic-curve cryptography are expected to be vulnerable to sufficiently powerful quantum computers.
Q-Day does not need to arrive for the risk to begin: The risk starts when encrypted data is intercepted, copied, or stolen.
Post-quantum migration should begin now: Organizations need cryptographic inventories, crypto-agility, vendor readiness, and migration roadmaps to reduce future exposure.
How Does a Harvest Now, Decrypt Later Attack Work?
A harvest now, decrypt later attack happens in three stages:
Phase 1: Data collection
Phase 2: Long-term storage
Phase 3: Future decryption
The attack does not require adversaries to break encryption immediately. Instead, they steal or intercept encrypted data, preserve it, and wait until quantum computing can make decryption feasible.
This delayed attack model is what makes HNDL difficult to detect and hard to reverse. Once encrypted data has been collected, organizations cannot “unharvest” it.
Phase 1: Harvest
Attackers collect encrypted information through methods that already exist today. This may include intercepting network traffic, compromising endpoints, exploiting servers, accessing cloud storage, or collecting data from exposed systems.
The data may still be unreadable at the time of theft. That does not make it safe. For an attacker, encrypted data can become a future asset if it has long-term value.
Phase 2: Store
After collection, attackers archive the encrypted data for future use.
This phase may last years or decades. The data may sit in private repositories, criminal infrastructure, state-backed archives, or long-term intelligence stores until quantum decryption becomes possible.
This is why HNDL is so dangerous: the storage phase is passive. There may be no ongoing activity for defenders to detect.
Phase 3: Decrypt
When cryptographically relevant quantum computers become capable of breaking vulnerable public-key algorithms, adversaries may be able to decrypt stored data.
A sufficiently powerful quantum computer could use algorithms such as Shor’s algorithm to threaten RSA and elliptic-curve cryptography. At that point, data that was previously protected by classical public-key encryption could become readable.
The result is not a new breach. It is the delayed impact of data stolen earlier.
Unit 42 Perspective: Data Theft Is Already Moving Faster
Unit 42 insight: Attackers do not need quantum computers to create quantum-era risk. They only need access to encrypted data that will still be valuable when quantum decryption becomes practical.
Unit 42 research shows why harvest-now, decrypt-later risk cannot be treated as a future-only problem. In the 2026 Unit 42 Global Incident Response Report, the fastest quartile of intrusions reached data exfiltration in 72 minutes in 2025, compared with 285 minutes in 2024. The share of incidents reaching exfiltration in under one hour also increased from 19% in 2024 to 22% in 2025.
This acceleration matters for quantum security because HNDL begins at the moment encrypted data is collected, not when quantum computers become capable of decrypting it. Once sensitive encrypted data is stolen, organizations may not be able to reduce its future exposure retroactively.
Unit 42 has also observed attackers exfiltrating data earlier in the attack process and rapidly collecting large volumes of information before sorting through it later. That behavior aligns with the HNDL risk model: collect now, preserve value, and exploit later.
Why HNDL Matters Before Quantum Computers Exist
"Encrypted data remains at risk because of the 'harvest now, decrypt later' threat in which adversaries collect encrypted data now with the goal of decrypting it once quantum technology matures. Since sensitive data often retains its value for many years, starting the transition to post-quantum cryptography now is critical to preventing these future breaches. This threat model is one of the main reasons why the transition to post-quantum cryptography is urgent."
The HNDL threat matters because data and encryption have different lifespans.
Sensitive data may need to remain confidential for 10, 20, or 30 years. But the cryptography protecting that data may not remain strong for the same length of time. If encrypted data is collected today and the algorithm protecting it becomes breakable later, the data becomes exposed.
That mismatch is the core of HNDL risk.
Examples of long-lived data include:
Government and diplomatic records
Defense and intelligence information
Financial records
Medical records and genetic data
Legal documents
Intellectual property
Product designs
Research data
Long-term identity records
Organizations should not measure risk only by whether quantum computers can break encryption today. They should measure risk by how long the data must remain protected.
If the data’s confidentiality lifespan extends beyond the expected strength of the cryptography protecting it, the organization has quantum-era exposure.
Long-term strategic value makes stored data attractive to nation-state actors.
Financial services: Transaction records, customer PII, contracts, payment data. Financial data can support fraud, intelligence gathering, and regulatory exposure.
Healthcare and life sciences: Medical records, genetic data, clinical research. Health data has a long confidentiality lifespan and high personal impact.
Cloud and service providers: Customer data stores, encrypted traffic, cross-border transfers. Providers often process or store sensitive data across many sectors.
Critical infrastructure: Operational data, system designs, vendor dependencies. Exposure could affect national resilience and future operational security.
The risk increases in distributed environments. Multi-cloud architecture, global data sharing, remote access, SaaS adoption, and third-party integrations create more places where encrypted traffic or stored data can be intercepted, copied, or retained.
How Attackers Exploit the Window Before PQC
Attackers do not need to wait for quantum computers to act. They can collect encrypted data now while organizations are still using classical cryptography.
State-backed groups, advanced persistent threat actors, and well-resourced criminal groups may view encrypted data as a long-term investment. Even if the data cannot be read today, it may become valuable later.
Some encrypted data may also be useful before decryption. Metadata can reveal relationships, communication patterns, business priorities, infrastructure dependencies, and operational behavior.
This makes HNDL a low-risk, high-reward strategy for adversaries. They can collect now, store quietly, and wait for technology to catch up.
How HNDL Connects to Q-Day
Q-Day is the point when quantum computers become powerful enough to break widely used public-key cryptography, such as RSA and elliptic-curve cryptography.
No one knows the exact date Q-Day will occur. Most expert projections place cryptographically relevant quantum computers in the 2030s or later, but timelines vary because quantum hardware, error correction, scalability, and algorithmic progress remain uncertain.
For HNDL, the exact date matters less than the preparation window.
If attackers collect encrypted data today, organizations cannot protect that stolen data retroactively once Q-Day arrives. That means preparation must begin before quantum decryption becomes practical.
The goal is not to predict Q-Day perfectly. The goal is to reduce what adversaries can harvest before Q-Day happens.
How to Prepare for Harvest-Now, Decrypt-Later Attacks
Defending against HNDL requires a practical post-quantum readiness strategy. Organizations should focus first on visibility, prioritization, and cryptographic agility.
1. Inventory Cryptographic Assets
Identify where encryption, keys, certificates, cryptographic libraries, algorithms, and protocols are used across the environment.
A cryptographic inventory should cover:
Applications
APIs
Databases
Certificates
PKI systems
Cloud services
Network devices
IoT and OT systems
Third-party platforms
Vendor-managed services
This inventory gives teams the baseline needed to assess exposure and prioritize migration.
2. Prioritize Long-Lived Sensitive Data
Not all data carries the same HNDL risk.
Focus first on data that must remain confidential for years or decades. This includes regulated records, intellectual property, government information, classified data, healthcare data, and long-term identity information.
If the data will still matter when quantum decryption becomes feasible, it should be treated as high priority.
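Steps 1 and 2 can be combined into a simple scoring pass over the inventory. The sketch below is an added example, not code from the page or from Unit 42: the Asset record, its field names, the sample inventory, and the planning year of 2035 for quantum decryption are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Classification follows the page: RSA and elliptic-curve key establishment
# are quantum-vulnerable; ML-KEM (FIPS 203) is post-quantum.
VULNERABLE = {"RSA", "DH", "ECDH", "ECDHE"}
POST_QUANTUM = {"ML-KEM"}


@dataclass
class Asset:                      # one row of a cryptographic inventory
    name: str
    key_establishment: str        # "+" joins hybrid components
    confidentiality_years: int    # how long the data must stay secret


def classify(scheme: str) -> str:
    parts = {p.strip().upper() for p in scheme.split("+")}
    if parts & POST_QUANTUM:
        return "post-quantum"     # pure PQ, or hybrid with a PQ component
    if parts & VULNERABLE:
        return "vulnerable"
    return "unknown"              # not recognised: needs manual review


def exposure_years(asset, current_year, assumed_crqc_year):
    """Years the data must stay secret beyond the assumed Q-Day (0 = none)."""
    if classify(asset.key_establishment) == "post-quantum":
        return 0
    secret_until = current_year + asset.confidentiality_years
    return max(0, secret_until - assumed_crqc_year)


def prioritize(inventory, current_year, assumed_crqc_year):
    """Exposed assets, longest post-Q-Day exposure first."""
    scored = [(a.name, exposure_years(a, current_year, assumed_crqc_year),
               classify(a.key_establishment)) for a in inventory]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


# Constructed sample inventory; names and lifespans are illustrative.
INVENTORY = [
    Asset("hr-records-archive", "RSA", 30),
    Asset("vpn-gateway", "ECDHE", 2),
    Asset("partner-api", "ECDHE+ML-KEM", 25),
    Asset("research-share", "ECDHE", 15),
    Asset("legacy-mq", "vendor-proprietary", 12),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY, current_year=2026, assumed_crqc_year=2035):
        print(row)
```

Unrecognised schemes are kept in the ranking rather than dropped, so they surface for manual review instead of silently counting as safe.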
3. Adopt Post-Quantum or Hybrid Cryptography
Begin testing post-quantum cryptography and hybrid models where appropriate.
NIST finalized its first post-quantum cryptography standards in 2024, including FIPS 203 for ML-KEM, FIPS 204 for ML-DSA, and FIPS 205 for SLH-DSA. These standards provide a foundation for quantum-resistant key encapsulation and digital signatures.
Hybrid cryptography can help organizations combine classical and post-quantum approaches during transition periods. This can reduce migration risk while standards, products, and interoperability mature.
4. Build Crypto-Agility
Crypto-agility is the ability to replace cryptographic algorithms, keys, certificates, and protocols without redesigning entire systems.
For HNDL defense, crypto-agility helps organizations respond as standards evolve, vulnerabilities are discovered, or migration requirements change.
Crypto-agility should apply to:
Algorithm replacement
Key rotation
Certificate lifecycle management
Protocol updates
Vendor integrations
Application development practices
5. Reduce Data Retention
Data that no longer exists cannot be decrypted later.
Organizations should review retention policies and delete data that is no longer needed for business, legal, or compliance purposes. Reducing unnecessary archives lowers the volume of sensitive data that attackers can harvest.
This is especially important for old backups, unmanaged data stores, legacy archives, and duplicated records.
6. Engage Vendors and Partners
Many cryptographic dependencies sit outside internal systems.
Organizations should ask vendors whether their products support post-quantum cryptography, crypto-agility, certificate updates, key rotation, and NIST-aligned migration roadmaps.
Vendor readiness should become part of procurement, renewal, and security review processes.
7. Create a Quantum Readiness Roadmap
A quantum readiness roadmap should define ownership, milestones, dependencies, high-risk systems, vendor requirements, and migration timelines.
The roadmap should answer:
Which data is most exposed to HNDL?
Where is quantum-vulnerable cryptography used?
Which systems should migrate first?
Which vendors are dependencies?
What must be tested before deployment?
How will progress be measured?
The objective is to make post-quantum migration planned, governed, and measurable.
How HNDL Fits Into a Broader Quantum Security Strategy
Harvest-now, decrypt-later is one part of the broader quantum security challenge.
HNDL should be treated as the urgency driver. It explains why quantum readiness matters before quantum computers are fully mature.
Organizations that begin preparing now can reduce the amount of valuable data exposed to future decryption. Organizations that wait may discover that the most sensitive data was already collected years earlier.
Harvest now, decrypt later is a cyberattack strategy in which adversaries steal or intercept encrypted data today and store it until future quantum computers can decrypt it. It creates immediate risk for data that must remain confidential for years or decades.
Yes. Harvest now, decrypt later and store now, decrypt later describe the same basic threat model. Both refer to collecting encrypted data now and decrypting it later when quantum computing capabilities mature.
HNDL is a threat because the data can be stolen now even if it cannot be decrypted yet. If that data remains valuable in the future, quantum decryption could expose information years after the original theft.
Data with a long confidentiality lifespan is most at risk. This includes government records, financial information, healthcare data, genetic data, defense research, intellectual property, legal records, and long-term identity data.
Q-Day is the point when quantum computers become powerful enough to break widely used public-key cryptography. HNDL is the threat that attackers can collect encrypted data before Q-Day and decrypt it after Q-Day.
Organizations can defend against HNDL by inventorying cryptographic assets, prioritizing long-lived sensitive data, reducing unnecessary retention, testing post-quantum cryptography, adopting crypto-agility, and engaging vendors on PQC migration plans.
Post-quantum cryptography helps reduce future HNDL risk by replacing quantum-vulnerable algorithms with quantum-resistant ones. However, it cannot protect data that has already been stolen unless that data was protected with quantum-resistant or sufficiently resilient methods before collection.
The first step is cryptographic discovery. Organizations need to identify where encryption is used, which algorithms protect sensitive data, and which systems contain long-lived information that should be prioritized for migration.