H33.ai, Inc. has published H33-PQ Verified, a new standard designed to move beyond self-reported claims of security and establish independently verifiable proof of post-quantum cryptographic readiness. Finalized post-quantum cryptography standards from NIST signaled a critical shift in preparation for quantum computing threats, yet organizations struggle to demonstrate their progress beyond questionnaires and outdated screenshots. H33-PQ Verified addresses this gap by providing a way for organizations to prove their cryptographic posture and enabling clients to independently verify that protection. “H33-PQ-Verify is a live proof system that allows organizations to prove they are protecting their clients, and allows those clients to independently verify that protection,” said Eric Beans, CEO of H33.ai, Inc. The standard focuses on portable, machine-verifiable evidence to assess an organization’s overall cryptographic maturity.
H33-PQ Verified Standard Enables Post-Quantum Cryptographic Readiness
The accelerating threat posed by quantum computing has spurred a change in cryptographic preparedness, culminating in NIST’s finalized post-quantum cryptography standards. Verifying actual implementation of these standards remained a significant hurdle until the emergence of H33-PQ Verified. Published by H33.ai, Inc., this new standard moves beyond simple self-reporting by establishing a framework for independently verifiable evidence of post-quantum cryptographic readiness. Unlike typical cybersecurity badges, H33-PQ Verified functions as “a continuously updated signal” that organizations can prove and clients can independently verify, according to Eric Beans, CEO of H33.ai, Inc. The core innovation lies in its emphasis on portable, machine-verifiable evidence. H33-PQ Verified evaluates an organization’s cryptographic posture, governance maturity, privacy protections, and evidence preservation capabilities, all without relying on trust in the organization itself. This is achieved by assessing whether complex cryptographic states can be distilled into independently verifiable artifacts, usable for years to come.
The standard examines operational artifacts like TLS configurations, certificate inventories, and software bills of materials, ensuring every measurement produces evidence that can be reproduced by a third party. H33-PQ Verified evaluates organizations across five pillars: Cryptography, Evidence, Governance, Privacy, and Verification, each representing a measurable property and corresponding operational outcome. This approach addresses a critical gap in current security assessments, which often rely on questionnaires, spreadsheets, and screenshots, data that is easily outdated and difficult to validate. H33 has deliberately separated the standard from its runtime implementation, with HATS (H33 AI Trust Standard) serving as a reference implementation, but any compliant implementation can participate. The open-source “h33-verify” command-line tool allows independent replay of an attestation, confirming results without relying on H33 or the assessed organization, so that the same evidence yields the same conclusion regardless of who performs the verification.
H33.ai has applied the standard to itself, publishing downloadable evidence bundles for independent review, demonstrating a commitment to transparency and accountability.
Five Pillars Define H33-PQ Verified Organizational Evaluation
Following the finalization of NIST’s first post-quantum cryptography standards, a clear need emerged for robust methods to verify organizational preparedness beyond simple declarations of compliance. H33-PQ Verified addresses this challenge not by issuing a typical cybersecurity badge, but by establishing “a continuously updated signal” of an organization’s cryptographic posture, allowing clients to independently verify their data protection. The first pillar, Cryptography, demands demonstrable deployment of quantum-resistant cryptography across essential functions like signing, verification, and key exchange, ensuring resilience against future cryptographic transitions. Beyond simply adopting new algorithms, H33-PQ Verified scrutinizes Evidence; organizations must produce portable artifacts preserving critical decisions and outcomes in a format independently verifiable over extended periods. This moves beyond the limitations of audit records trapped within specific platforms or databases, ensuring long-term usability. Governance forms the third pillar, requiring verifiable records of authority, approvals, and accountability to maintain explainability and traceability of key decisions.
Privacy is also central, demanding organizations demonstrate the ability to protect sensitive information throughout processing, analysis, and verification, rather than solely at rest. Finally, Verification itself is assessed; organizations must enable independent validation of results by third parties, ensuring consistent conclusions regardless of the evaluator. “Organizations that invest in protecting their customers, data, and operations should be able to prove it. Organizations that do not should not be able to hide behind marketing claims,” states Eric Beans, CEO of H33.ai, Inc. H33 encourages this by offering an open-source command-line tool, h33-verify, for independent attestation replay, ensuring verification doesn’t rely on proprietary services or trust in the issuing organization.
“H33-PQ Verified is a live proof system that allows organizations to prove they are protecting their clients, and allows those clients to independently verify that protection” – Eric Beans, CEO, H33.
Benefits of H33-PQ Verified Across Stakeholder Groups
Procurement teams at financial institutions are increasingly focused on post-quantum readiness, and H33.ai is responding with a new verification standard designed to move beyond self-reported security assessments. While major technology providers like Google have publicly stated that organizations should complete migration away from vulnerable cryptographic systems by a certain date, many remain unsure of their current standing. The benefits extend across multiple stakeholder groups. For insurers, H33-PQ Verified offers a means to move beyond reliance on self-reported questionnaires. Regulators can similarly verify evidence without direct access to production systems. Customers, perhaps the most critical beneficiaries, gain the ability to “evaluate supplier cryptographic readiness,” reduce vendor lock-in risk, and bolster confidence during technology migrations. The open h33-verify command-line tool allows for independent replay of an attestation, ensuring verification remains impartial and transparent.
Operational Artifacts and Controls Under H33-PQ Verified Assessment
The emergence of post-quantum cryptography standards necessitates more than just algorithmic upgrades; it demands a robust system for verifying their practical implementation, and H33-PQ Verified addresses this need by focusing on demonstrable operational controls. Unlike traditional cybersecurity assessments reliant on self-reporting, this standard evaluates a broad set of artifacts, moving beyond assurances to verifiable evidence of cryptographic readiness. Central to H33-PQ Verified is the principle that verification should remain portable, allowing independent parties to assess cryptographic states without relying on the organization making the claim. Every measurement generates evidence, and every artifact is designed to be independently verifiable, enabling reconstruction of cryptographic posture years after initial assessment. This focus on long-term usability distinguishes it from point-in-time reporting, offering a view of an organization’s commitment to security. The evaluation isn’t limited to technical controls; governance and authority records are also scrutinized, ensuring decisions are traceable and accountable.
Privacy protections are assessed not just at rest, but during active computation and analysis, a critical consideration for modern data processing. This tiered system allows for granular tracking of progress and provides a clear signal of an organization’s commitment. The standard itself is deliberately implementation-neutral; H33’s HATS (H33 AI Trust Standard) serves as a reference implementation, but any system meeting the verification requirements can participate, preventing vendor lock-in and fostering broader adoption.
