Full-Stack Knowledge Graph and LLM Framework for Post-Quantum Cyber Readiness

TL;DR

This paper introduces a knowledge graph and LLM-based framework to assess enterprise post-quantum cryptographic readiness, enabling scalable, explainable, and quantitative risk analysis for cybersecurity in the quantum era.

Contribution

It presents a novel, integrated framework combining knowledge graphs and large language models for scalable, explainable post-quantum readiness assessment in complex enterprise environments.

Findings

Unified PQ readiness score computed from enterprise cryptographic assets.

Explicit modeling of dependency-driven risk propagation using heterogeneous graphs.

Integration of LLMs with human validation improves data quality and risk attribution.

Abstract

The emergence of large-scale quantum computing threatens widely deployed public-key cryptographic systems, creating an urgent need for enterprise-level methods to assess post-quantum (PQ) readiness. While PQ standards are under development, organizations lack scalable and quantitative frameworks for measuring cryptographic exposure and prioritizing migration across complex infrastructures. This paper presents a knowledge graph based framework that models enterprise cryptographic assets, dependencies, and vulnerabilities to compute a unified PQ readiness score. Infrastructure components, cryptographic primitives, certificates, and services are represented as a heterogeneous graph, enabling explicit modeling of dependency-driven risk propagation. PQ exposure is quantified using graph-theoretic risk functionals and attributed across cryptographic domains via Shapley value decomposition. To support scalability and data quality, the framework integrates large language models with human-in-the-loop validation for asset classification and risk attribution. The resulting approach produces explainable, normalized readiness metrics that support continuous monitoring, comparative analysis, and remediation prioritization.