Cryptographic Visibility
Why Most Organizations Don't Know Where Cryptography Lives — And Why It Matters
Most organizations discover 3-10x more cryptographic assets than expected when they start inventorying. Learn why the visibility gap exists and how to close it before PQC migration.
Ask a CISO at a mid-market company: "Do you know where RSA is used in your infrastructure?" The honest answer is almost always no. Not because they are negligent. Because cryptography is everywhere — embedded in TLS certificates, SSH keys, VPN configurations, cloud KMS policies, database encryption settings, application code, third-party APIs, and vendor-managed services. Most of it was deployed over years by different teams with different tools, and no one has ever compiled a unified inventory.

This is the cryptographic visibility gap — and it is the single biggest blocker to PQC readiness. This article explains why the gap exists, what it costs, and how to close it.

For related context, see healthcare and financial PQC readiness programs.

Why the Visibility Gap Exists

Cryptography is invisible infrastructure. Unlike a server you can SSH into, or a firewall rule you can query, cryptographic configurations are buried in:

TLS termination points: Load balancers, CDNs, reverse proxies — configured by infrastructure teams who may not document certificate details.
Application code: crypto.createHmac('sha256', key) buried in a module maintained by a developer who left two years ago.
Cloud consoles: ACM certificates auto-renewed by AWS with default settings chosen at setup time and never reviewed.
Vendor platforms: SaaS tools that manage their own certificates. Your procurement team signed the contract. Your security team never saw the cryptographic configuration.
Legacy systems: Internal applications deployed before certificate lifecycle management tools existed, running with self-signed certificates no one has touched since 2018.

For related context, see NIST PQC standards guidance.

The gap is not a failure of any one team. It is a structural problem: cryptography crosses every domain boundary — infrastructure, application, cloud, vendor, legacy — and no single tool or team has visibility across all of them.

For related context, see healthcare PQC readiness planning.

What Organizations Discover When They Start Looking

When organizations run their first cryptographic discovery, the results are consistently surprising:

3-10x more certificates than expected. A company that thought it had 50 certificates discovers 300. A company that thought it had 500 discovers 2,000+.
Expired certificates still in use. 5-15% of discovered certificates are expired — some by years — and still actively serving traffic.
Forgotten subdomains. Test environments, staging servers, and decommissioned services still have valid TLS certificates pointing to active endpoints.
Weak algorithms in unexpected places. RSA-1024, SHA-1 signatures, TLS 1.0 — in test environments that accidentally became production dependencies.
Vendor-managed certificates with no documentation. The marketing website was moved to a new platform, and no one recorded the new TLS configuration.

The Cost of the Visibility Gap

Not knowing where cryptography lives has direct consequences:

Compliance failures: PCI DSS 4.0 requires a cryptographic inventory. HIPAA requires an encryption risk assessment. DORA requires operational resilience documentation, including cryptographic dependencies. Without an inventory, you cannot prove compliance.
Migration paralysis: When NIST or CNSA mandates algorithm migration, you cannot prioritize what you cannot see. Every migration deadline becomes a scramble to discover what needs to change.
Incid
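As an added example (not code from this article or any product it mentions), here is the per-certificate triage a discovery scanner would apply to each TLS leaf it collects, using only Go's standard library: it flags the findings listed under "What Organizations Discover" (expired, RSA-1024, SHA-1/MD5 signatures) and marks classical RSA/ECDSA keys as PQC migration candidates. selfSigned is a constructed fixture so the check runs offline; in a real scan the leaf would come from a TLS handshake.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// classify applies the article's checks to one parsed leaf certificate: expiry, RSA key length, legacy signature hashes, and classical (RSA/ECDSA) keys a PQC migration must replace.
func classify(c *x509.Certificate, now time.Time) (issues []string) {
	if now.After(c.NotAfter) {
		issues = append(issues, "expired")
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		issues = append(issues, "weak-rsa-key")
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		issues = append(issues, "legacy-signature-hash")
	}
	if c.PublicKeyAlgorithm == x509.RSA || c.PublicKeyAlgorithm == x509.ECDSA {
		issues = append(issues, "pqc-migration-candidate")
	}
	return
}

// selfSigned builds a constructed RSA certificate so the checks run offline; a real scanner would take the leaf from tls.Conn.ConnectionState().PeerCertificates instead.
func selfSigned(bits int, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	// Constructed sample: RSA-1024, expired two years ago, like the untouched 2018-era internal apps above.
	c, err := selfSigned(1024, time.Now().AddDate(-2, 0, 0))
	if err != nil {
		panic(err)
	}
	fmt.Println(classify(c, time.Now())) // [expired weak-rsa-key pqc-migration-candidate]
}
```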