Defend Post-Quantum Cryptography's “Harvest Now, Decrypt Later” with WAAP

Quantum computing may feel like tomorrow’s problem, but its shadow is already falling across today’s security decisions. A fully capable cryptographically relevant quantum computer could break the asymmetric cryptography that underpins the web. 

Governments and regulators are moving quickly, urging organizations to adopt post-quantum cryptography (PQC) roadmaps. 

Although PQC adoption may take years, one quantum-related risk is already active — and it’s not theoretical.

Security professionals' top concern today regarding PQC is the threat of “harvest now, decrypt later” (HNDL). This strategy is simple but dangerous: Attackers steal and store encrypted data today, betting that they’ll be able to decrypt it once quantum computing matures. The data they exfiltrate now — including sensitive intellectual property, credentials, or personal information — could become readable and exploitable later.

This is not science fiction. Adversaries are already stockpiling encrypted datasets obtained through application and API breaches, bot-driven credential abuse, and data exfiltration campaigns. They don’t need quantum computers today. They just need your data before PQC protections are in place.

So, while most of the conversation about PQC centers on TLS handshakes, hybrid key exchanges, and digital certificates, the story doesn’t end there for anyone running applications and APIs. 

Today’s concern over HNDL makes PQC an application security issue — and it’s one that organizations need to verify they are prepared for now.

Ask any business today where their pain points are, and the answer probably won’t be “post-quantum cryptography.” It will likely be bots that are draining revenue through credential stuffing, API abuse that is leaking sensitive data, or distributed denial-of-service (DDoS) campaigns that are disrupting services.

These types of attacks are keeping teams awake at night, and they have an immediate impact on customer trust and business outcomes.

Think about a healthcare provider facing constant probing of patient-facing APIs. Or a retailer dealing with automated scalper bots that ruin the customer experience. These are real-life scenarios in which the right web application and API protection (WAAP) solution makes the difference between resilience and disruption.

Every exposed API and every successful injection or credential replay attack increases the risk to the business.

PQC standards have been adopted within the last year, and today a significant portion of TLS traffic relies on hybrid key exchanges, which blend classical algorithms like X25519 with quantum-safe ones such as ML-KEM 768. This shift protects against the HNDL threat — with Akamai already rolling out PQC support at scale.

But as encryption grows stronger, attackers keep innovating. And the performance overhead of PQC — larger keys, bigger messages, more compute cycles — will raise the stakes for application efficiency (as we discussed in our TLS implementation blog post).

The result? Even as TLS evolves, applications and APIs remain the most targeted attack surface. That makes application protection more critical than ever — not just to stop the attacks of today, but to carry resilience into the post-quantum future.

Akamai App & API Protector provides a layered, adaptive defense designed to complement PQC protections to defend your data against the HNDL threat. Built on Akamai Adaptive Security Engine, App & API Protector continuously applies machine learning, global threat intelligence, and automation to protect against:

• Application vulnerabilities – Web application firewall (WAF) protections tuned against the latest Open Worldwide Application Security Project (OWASP) Top 10 threats
• DDoS and volumetric attacks – Rate controls and mitigation at the edge to preserve availability
• Bot-driven abuse – Detection and management of credential stuffing, scraping, and scalping
• API abuse and discovery risks – Identification of exposed endpoints, schema validation, and personally identifiable information monitoring

By defending applications and APIs against active exploitation, App & API Protector helps organizations reduce the likelihood of data exposure today, minimizing the material that could be harvested for future quantum-powered decryption.

The reality for most organizations is that they have to manage two security timelines at once.

Defend against the active threats that are hammering apps and APIs every day, including DDoS attacks, bots, SQL injections, data leakage. This provides protection from currently known and expanding exploits.

Prepare for PQC adoption — in TLS, identity frameworks, and across their cryptographic inventory — with an eye on future operational, performance, and interoperability hurdles to protect against the HNDL threat.

App & API Protector secures organizations against today’s most pressing threats, from zero-day exploits to bot abuse and API attacks, with its Adaptive Security Engine delivering continuous, automated updates. 

This always-on protection gives security teams the confidence to focus on preparing for the next track of quantum-safe adoption, knowing their applications and APIs are resilient against both today’s and tomorrow’s attacks.

Akamai customers don’t have to choose between these timelines. Customers with App & API Protector safeguarding the application layer and PQC securing the transport layer are equipped to face both the threats of today and the challenges of tomorrow.

Quantum computing will reshape cryptography. But it won’t change this fact: Applications and APIs are where attackers strike first and most often. 

The organizations best prepared for the future are the ones securing both ends of the journey by adopting PQC at the cryptographic core while reinforcing their application defenses with WAAP at the edge.

That’s what it means to future-proof application security. And that’s why Akamai App & API Protector is such an important part of the roadmap to a quantum-safe internet.

For future readiness, take a deeper look at how Akamai is approaching PQC by reading Taking Steps to Prepare for Quantum Advantage and Building a Quantum-Safe Internet: The IETF's Plan for TLS.

Explore how Akamai App & API Protector helps you protect your web applications and APIs today while building resilience for what’s next. Learn more or start a free trial.