“I’ve been working on quantum security since 2017—almost nine years now,” says Prasanna Ravi, CEO of PQStation. It was the same year the United States announced its intention to standardize new quantum‑secure cryptographic algorithms, launching what would become a six‑year global process involving researchers, standards bodies, and governments. For Ravi, then a PhD student at Nanyang Technological University (NTU), this aligned neatly with his research trajectory.
From 2017 to 2023, quantum security lived in a transitional phase—highly active in academic circles, deeply technical, but still distant from everyday enterprise systems. Ravi and his research group at NTU were observing this process and contributing to it, studying how post‑quantum cryptographic algorithms behave when implemented on real devices, discovering vulnerabilities in how those algorithms are deployed.
“Standardization is extremely important,” Ravi explains. “Without it, technologies don’t get adopted. Everyone needs to follow the same rules.”
By the time Ravi finished his PhD in 2023, the standardization process had concluded almost simultaneously. Governments began pushing organizations to move quickly; vendors started announcing post‑quantum cryptography (PQC) support. What had once felt theoretical began converting into procurement discussions, regulatory language, and proofs of concept.
“It’s very rare for research to translate into industry so fast,” Ravi says. “And we realized we were sitting on a lot of deep knowledge and research IP around quantum security—especially secure implementations that could actually run on real devices.”
From research IP to reality
PQStation’s founding story is inseparable from NTU’s entrepreneurial ecosystem. Ravi credits his supervisor, Professor Anupam Chattopadhyay, with pushing him out of the lab and into the real world. “He always tells his PhD students—don’t just write more papers. Take this to the real world,” Ravi recalls. His other PhD supervisor Dr. Shivam Bhasin has consistently encouraged industrial collaborations, which positively fuelled ambitions towards commercialization of research IPs.
The first major validation came from NTUitive, NTU’s commercialization arm, which awarded the team a Proof of Concept grant of S$250,000 after a competitive internal pitching process. This helped assemble a solid founding team: Dr. Martianus Frederic Ezerman from NTU, who provides a technical foundation along with business experience of selling cyber-security solutions, and an execution team consisting of his CTO and COO, Aarav and Arryaan. They began building tools focused on one question most organizations had not yet learned how to ask properly: How do you actually migrate cryptography safely?
Early conversations with banks and government agencies made it clear that this was not a future problem, but an immediate one. The Cyber Security Agency of Singapore (CSA), through its Cyber Security R&D Program Office (established at NTU in 2023 with S$62 million in funding), soon became a major partner. “Their whole goal is to translate research IP into deployable products,” Ravi says. “And we aligned perfectly.”
CSA’s support came in the form of a second grant of approximately S$750,000 and access to industrial partners willing to test PQStation’s early work. Today, PQStation remains deeply embedded in Singapore’s innovation ecosystem, operating largely as a grant‑backed deep‑tech company while validating its products through pilots with enterprises and established institutions.
Becoming a CEO without leaving the science behind
PQStation today has about five team members in Singapore supported by grants, alongside engineers in India, many of whom are contributors to open‑source projects such as OpenSSL and the PQC Alliance. Sales, however, remains founder‑led.
“For the first two or three years, founders have to sell,” Ravi says plainly. “If the founders don’t know how to sell, you can’t have anyone else selling your product.”
Ravi and his co-founder Arryaan handle most customer interactions themselves, supported by technical co‑founders and advisors. NTU’s existing research MoUs have opened doors to innovation teams at large institutions, including OCBC. Additional support comes from Singapore’s National Graduate Research Innovation Programme (NGRIP), where PQStation is in its final phase, receiving founder stipends and access to fractional sales consultants.
Despite growing interest from channel partners, PQStation’s strategy remains deliberate. The market is still forming, and even sophisticated end users are unsure of concrete use cases. “Right now, we need to validate our solutions directly with end users—banks, government agencies, payment operators,” Ravi explains. “That confidence matters before scaling.”
The real problem no one sees: Cryptographic sprawl
PQStation’s product philosophy is anchored in a diagnosis that Ravi believes most organizations underestimate: cryptographic sprawl. Cryptography, he explains, is everywhere—inside browsers, mobile applications, backend servers, databases, networks. Yet it is almost never treated as a managed technology.
“Organizations don’t know what cryptography is used, where it’s used, or how deeply embedded it is,” Ravi says. “There’s very limited visibility, and almost no ownership or governance.”
This invisibility creates paralysis. You cannot change what you cannot see. When changing cryptography in one system risks breaking ten other dependencies, the safest option becomes doing nothing. That is why quantum‑safe migration feels so daunting. “There are no tools purpose‑built for quantum‑safe migration,” Ravi says. “So we started focusing on cryptographic management instead.”
PQStation’s core product is a platform designed to make cryptography visible, governable, and operationally manageable. Once organizations can see where cryptography lives, migration becomes a controlled process rather than a leap of faith. “You know the system owners. You know the escalation paths. You know how to roll back,” Ravi explains. “And that’s what security actually is—preparing for realistic scenarios.”
Why vendor claims are not enough
One of the most common misconceptions Ravi encounters comes from senior security leaders who believe vendor PQC support solves the problem. He explains that simply having vendor support is not the same as operationalizing PQC. Turning on a new cryptographic algorithm is a production decision, not a checkbox. Performance impacts must be tested and backward compatibility must be ensured. Both sides of every connection must support the algorithm. Even more critically, cryptographic algorithms are never permanently secure.
Ravi points to the recent episode involving Module-Lattice-Based Key-Encapsulation Mechanism (ML‑KEM, formerly known as CRYSTALS-Kyber, a NIST-standardized FIPS 203 post-quantum cryptographic algorithm). A paper claiming to break it sent shockwaves through the cryptographic community, only for researchers to later discover a flaw in the proof. “That was a close shave,” Ravi says. “But what if someone finds a real break next time?”
Organizations that migrate wholesale without cryptographic management may find themselves unable to roll back safely. Ravi draws parallels to high‑profile outages caused by poorly controlled technology migrations, emphasizing that cryptography deserves the same operational discipline as any core infrastructure change.
If vendors are not quantum‑safe, organizations face uncomfortable choices: switch vendors or apply interim solutions such as cryptographic proxies and gateways. Ravi is blunt about the risks of the latter. “You’re not solving the problem,” he says. “You’re increasing cryptographic debt and cryptographic depth.”
Each additional layer increases complexity without increasing understanding. Over time, organizations accumulate unsustainable cryptographic debt, making future migrations even harder. Vendor support matters, Ravi emphasizes, but it cannot replace internal cryptographic governance.
Sandboxes, testbeds, and international work
Perhaps the most telling signal of where the market is heading comes from regulators themselves. Agencies in Singapore and India are actively asking for sandbox environments where organizations can experiment with PQC before touching production systems. “They want to see it. Touch it. Feel it,” Ravi says.
In response, PQStation is developing a quantum security testbed—a sandbox environment comprising multiple cryptographic stacks, hardware security modules, key management systems, and certificate managers. It is not yet a commercial offering, but Ravi sees it as a crucial enabler. “How do you validate a vendor’s claim?” he asks. “You need somewhere safe to test it.”
PQStation’s work now spans Singapore, India, and Indonesia.
In Singapore, CSA treats quantum security as a national concern, consulting vendors like PQStation while shaping policies for critical infrastructure. PQStation co‑authored CSA’s Quantum‑Safe Handbook and supports training and workshop initiatives.
In India, PQStation works closely with the Data Security Council of India (DSCI), which helped publish India’s quantum‑safe migration roadmap under the Department of Science and Technology. Ravi and his team participate in national training programs and sector‑specific security events. A particularly significant milestone is PQStation’s Memorandum of Understanding with the Amaravati Quantum Valley initiative, where the company received a government order and grant to build a quantum‑safe testbed. This project now serves as a strategic anchor for PQStation’s Indian operations.
In Indonesia, government agencies are actively assessing their quantum readiness. Using PQStation’s cryptographic management platform, Q‑Vision, agencies are gaining visibility into their cryptographic posture across multiple environments, identifying quantum risks that were previously invisible.
Preparing for a future that is no longer abstract
As quantum computing inches closer to operational reality, PQStation positions itself not as an alarmist vendor but as an enabler of preparedness. Ravi’s message is consistent throughout his story: the hardest part of quantum‑safe migration is visibility, governance, and operational discipline.
“Security has always been about scenario preparation,” he says. “And this scenario is very realistic.”
For organizations that can learn to see their cryptography clearly, the post‑quantum future may not arrive as a crisis—but as a managed transition.
