Deploy Now, Exploit Later (DNEL): The Quantum Threat Hidden Inside Today’s Devices

Over the last few years, conversations around quantum risk have been dominated by Harvest Now, Decrypt Later (HNDL) and more recently around Trust Now, Forge Later (TNFL). These scenarios have rightfully gained attention because they directly endanger the confidentiality and integrity of our digital systems. Yet a third, quieter threat needs a serious consideration — one that may ultimately prove very disruptive because it doesn’t target the data we store or the signatures we trust. Instead, it targets the very devices and infrastructure we deploy today.

This threat is called Deploy Now, Exploit Later (DNEL), and it represents a growing, long-term vulnerability created by our own technology choices.

The Silent Risk Embedded into Today’s Deployments

Every day, organizations install millions of IoT sensors, medical devices, SCADA controllers, telecom components, smart meters, and industrial machines. These systems often remain in service for a decade or more. Once deployed, many of them may never again be physically or remotely updated. They are built with limited compute power, fixed-function firmware, and cryptography, if available, that cannot be easily replaced. And most of them still rely on RSA and ECC—algorithms that will fail once quantum computers mature.

DNEL is not limited to these new deployments—it already exists across as a threat to the millions of IoT and OT devices currently operating in the field. These legacy systems were designed long before quantum risk was a design consideration, and their trust anchors, bootloaders, and authentication mechanisms are rooted in classical cryptography. Even organizations with structured update programs discover that many deployed devices cannot adopt modern cryptographic standards without significant redesign. As a result, a large portion of existing infrastructure is locked into pre-quantum security assumptions, creating inherited risk embedded in devices and systems already shaping daily operations.

While some modern devices technically support remote updates, operational constraints—downtime requirements, regulatory restrictions, safety certifications, low-bandwidth environments, and high on-site maintenance costs—often make updates impractical. This means even "update-capable" devices behave like un-patchable ones in critical environments.

Compounding this, manufacturers frequently rely on low-cost microcontrollers and minimal memory to keep device prices, power consumption, and battery requirements low—design choices that make crypto-agility difficult or impossible.

This creates a situation where the devices we deploy today may become insecure by design tomorrow. DNEL threat does not arise from attackers stealing anything today. Rather, we ourselves deploy the future vulnerability every time we ship a quantum-weak device into the field.

Why DNEL Is Fundamentally Different

What makes DNEL especially dangerous is that it accumulates quietly. While HNDL and TNFL are adversary-driven, DNEL is self-inflicted. It is the consequence of deploying long-lifecycle systems that will remain operational long after quantum cryptanalysis becomes practical. These devices may continue sending data, controlling machinery, and managing infrastructure—but the cryptography that protects them will have expired.

And unlike servers or enterprise software, many of these devices are difficult to patch or simply cannot be patched. They cannot be taken offline for upgrades, cannot accept new cryptographic libraries, and often cannot even be physically reached without significant cost. In some environments—utility grids, offshore facilities, remote pipelines, underground sensors, defense systems—replacement may be impossible. Once deployed, these devices become static and inflexible, even as the cryptographic world around them evolves.

The result is a form of future vulnerability debt that grows with every new IoT and OT deployment.

The Real-World Consequences of DNEL

The impact of DNEL is not theoretical. Once classical cryptography breaks, attackers will not need to compromise enterprise networks; they will simply impersonate devices, inject commands, manipulate sensor readings, or load unauthorized firmware. Critical infrastructure could be disrupted not because of IT failures, but because tens of thousands of devices are suddenly open to exploitation.

Imagine a scenario where a quantum-enabled adversary can:

• Impersonate field sensors and feed false values into grid controllers

• Install malicious firmware on medical monitoring devices by forging signatures

• Manipulate traffic systems by impersonating trusted roadside units

• Compromise drones or industrial robots by spoofing device authentication

These are not data breaches—they are cyber-physical risks. And unlike traditional vulnerabilities, which can be patched or mitigated, DNEL creates persistent, embedded weaknesses that cannot be easily fixed once quantum capability arrives.

Industries Facing the Highest Exposure

DNEL is especially problematic for sectors that depend heavily on long-lifecycle devices. Smart grids, manufacturing lines, industrial automation, smart cities, medical devices, automotive systems, telecom networks, and aerospace platforms all deploy equipment that remains active for 10–30 years. These environments are filled with components that were never designed with cryptographic agility in mind.

The deeper the device is embedded into physical infrastructure, the harder it is to update—and the more severe the potential consequences of compromise. As a result, DNEL can become a critical national-level concern for countries modernizing their infrastructure or rolling out next-generation devices without considering quantum-safe requirements.

The Path Forward: Designing for the Quantum Future Today

Addressing DNEL requires a shift in mindset. Organizations must recognize that post-quantum security is no longer just about protecting data in transit or ensuring trust in digital signatures. It is about building agility and resilience into the devices and systems we are deploying right now.

This means designing IoT and OT devices that are crypto-agile and capable of adopting quantum-safe algorithms when needed. It means embedding secure update mechanisms into devices instead of treating them as static appliances. It means establishing procurement policies that require vendors to demonstrate quantum-safe readiness rather than relying on outdated cryptographic assumptions.

Achieving the required agility and resilience is not an easy task. Fortunately, the transition path is becoming clearer as NIST standardizes post-quantum algorithms such as ML-KEM (for key establishment) and ML-DSA (for signatures), giving manufacturers options to build into next-generation devices.

It also means understanding that DNEL cannot be solved retroactively. The decisions made during the next few years—especially by industries rolling out millions of long-lifecycle devices—will determine the cyber-physical resilience of infrastructure in the 2030s and beyond.

The Urgency Is Real

DNEL is not a future risk—it is a deployment-time risk. Every non-agile, classical-crypto device installed today becomes a potential quantum exploitation point tomorrow. The earlier organizations begin adopting quantum-safe and agile architectures, the smaller this future vulnerability will be.

Ignoring DNEL means allowing tomorrow’s attackers to exploit the devices we deploy today. Addressing it means building a migration path long before it becomes a crisis.

Quantum-safe readiness is not just about data confidentiality or digital trust anymore. It is about ensuring that the physical systems defining our world—our grids, our factories, our vehicles, our hospitals, our cities—remain secure even as quantum computing reshapes the threat landscape.

The devices we deploy today will define the security of the coming decades. DNEL reminds us that the future exploitation window is being created right now—it is being deployed into our infrastructure today.

At AvinyaSQ, we help organizations understand, prioritize, and mitigate quantum risks across data, trust, and long-lifecycle systems, enabling a structured, risk-driven transition to quantum-safe security.