PQRi Methodology

AI + PQC Risk Index: Composite Executive KPI

Version 1.0 | Last Updated: October 2025 | Framework Aligned: NIST CSF 2.0, CNSA 2.0

What is PQRi?

PQRi (AI + PQC Risk Index) is a weighted composite risk metric that synthesizes four critical security dimensions into a single executive-grade KPI. It provides CISOs and security leaders with an at-a-glance view of organizational AI and post-quantum cryptography exposure.

Unlike traditional risk scores that focus on a single domain, PQRi integrates:

  • KEV Exposure — Unpatched known exploited vulnerabilities weighted by EPSS and in-the-wild activity
  • PQC Surface — Quantum-susceptible cryptography footprint (RSA-2048, ECC-256, legacy certs)
  • AI Threat — LLM abuse vectors, data exfiltration, prompt injection exposure
  • Config/Shadow IT — Misconfigurations and unapproved cloud resources

Calculation Formula

PQRi = (0.35 × KEV_exposure) + (0.30 × PQC_surface) + (0.25 × AI_threat) + (0.10 × Config_shadow)

Each component is normalized to a 0.0–1.0 scale, where 0.0 = minimal risk and 1.0 = critical exposure. Because the four weights sum to 1.0, the composite PQRi also lies on the same 0.0–1.0 scale.

Module Weights & Rationale

KEV Exposure (35%)

Highest weight, reflecting immediate exploitability. Based on the CISA KEV catalog, with EPSS ≥0.5 taken to indicate active exploitation.

PQC Surface (30%)

Quantum-susceptible algorithms (RSA-2048, ECC-256) pose strategic risk as quantum computing advances. NSA CNSA 2.0 mandates migration.

AI Threat (25%)

LLM-based phishing, data exfiltration, and prompt injection attacks are rising. Tracks daily AI abuse incidents and adversarial techniques.

Config/Shadow IT (10%)

Misconfigurations and unauthorized cloud resources create lateral movement opportunities. Lowest weight, but high remediation priority.

Component Methodology

1. KEV Exposure (35%)

Data Sources:

  • CISA Known Exploited Vulnerabilities (KEV) catalog
  • FIRST EPSS (Exploit Prediction Scoring System) scores
  • In-the-wild exploitation telemetry

Scoring Logic:

high_risk_kev_count = COUNT(KEV entries WHERE epss_score ≥ 0.5)
kev_exposure_score = MIN(high_risk_kev_count / 100, 1.0)

Baseline: 100 high-risk KEVs = 1.0 score (critical exposure). Lower counts scale proportionally.


2. PQC Surface (30%)

Data Sources:

  • Certificate inventory (TLS/SSL scans)
  • Cryptographic library usage (OpenSSL, BouncyCastle, etc.)
  • Key exchange algorithm enumeration

Scoring Logic:

quantum_susceptible_algos = COUNT(RSA-2048, RSA-3072, ECC-256, etc.)
total_crypto_footprint = COUNT(all cryptographic assets)
pqc_surface_score = quantum_susceptible_algos / total_crypto_footprint

Assets using NIST FIPS 203/204/205 algorithms (ML-KEM, ML-DSA, SLH-DSA) count as PQ-ready: they remain in the total footprint but not in the quantum-susceptible count, so migrating to them lowers the score.


3. AI Threat (25%)

Data Sources:

  • Daily AI Status tracking (RSS/Atom feeds, GDELT)
  • LLM abuse incident reports (prompt injection, jailbreaks)
  • Data exfiltration and model theft vectors

Scoring Logic:

ai_incidents_today = COUNT(AI Status incidents for current day)
ai_threat_score = MIN(ai_incidents_today / 10, 1.0)

Baseline: 10+ incidents/day = 1.0 score (high exposure). Tracks prompt injection, adversarial attacks, and supply chain exploits.


4. Config/Shadow IT (10%)

Data Sources:

  • Cloud security posture management (CSPM) findings
  • Shadow IT discovery (unapproved SaaS, unauthorized cloud resources)
  • Policy violation tracking

Scoring Logic:

critical_misconfig_count = COUNT(S3 public buckets, open security groups, etc.)
config_shadow_score = MIN(critical_misconfig_count / 50, 1.0)

Baseline: 50 critical misconfigurations = 1.0 score. Includes open S3 buckets, overly permissive IAM policies, and unauthorized cloud resources.
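Putting the composite formula and the four scoring rules together, as an added example that is not the PQRi platform's own code: the weights, thresholds and baselines are the page's; the sample KEV entries, crypto inventory and counts are constructed; and scoring an empty crypto inventory as 0.0 is an assumption the page does not state.

```python
# Added example, not the PQRi platform's own code: the four component scores
# and the weighted composite as the methodology states them. All inputs are
# constructed sample data; the placeholder CVE ids are not real identifiers.
WEIGHTS = {"kev": 0.35, "pqc": 0.30, "ai": 0.25, "config": 0.10}  # sum to 1.0

# Count at which each count-based module saturates at 1.0
KEV_BASELINE = 100     # high-risk KEVs (EPSS >= 0.5)
AI_BASELINE = 10       # AI abuse incidents per day
CONFIG_BASELINE = 50   # critical misconfigurations

# Quantum-susceptible algorithms; PQ-ready ones (ML-KEM, ML-DSA, SLH-DSA)
# stay in the footprint denominator only, so migrating to them lowers the ratio
QUANTUM_SUSCEPTIBLE = {"RSA-2048", "RSA-3072", "ECC-256"}

def kev_exposure(kev_entries):
    """kev_entries: iterable of (cve_id, epss_score); counts EPSS >= 0.5."""
    high_risk = sum(1 for _, epss in kev_entries if epss >= 0.5)
    return min(high_risk / KEV_BASELINE, 1.0)

def pqc_surface(crypto_assets):
    """crypto_assets: algorithm names from the cert/library inventory. An empty
    inventory scores 0.0 rather than dividing by zero (our assumption)."""
    if not crypto_assets:
        return 0.0
    susceptible = sum(1 for algo in crypto_assets if algo in QUANTUM_SUSCEPTIBLE)
    return susceptible / len(crypto_assets)

def ai_threat(incidents_today):
    return min(incidents_today / AI_BASELINE, 1.0)

def config_shadow(critical_misconfigs):
    return min(critical_misconfigs / CONFIG_BASELINE, 1.0)

def pqri(scores):
    """scores: the four normalized module scores -> composite PQRi in [0, 1]."""
    return round(sum(WEIGHTS[m] * scores[m] for m in WEIGHTS), 4)

# Constructed sample inputs
SAMPLE_KEVS = [("CVE-PLACEHOLDER-1", 0.92), ("CVE-PLACEHOLDER-2", 0.61),
               ("CVE-PLACEHOLDER-3", 0.08)]
SAMPLE_CRYPTO = ["RSA-2048", "RSA-2048", "ECC-256", "ML-KEM", "ML-DSA"]

def sample_scores():
    return {
        "kev": kev_exposure(SAMPLE_KEVS),   # 2 of 3 at EPSS >= 0.5 -> 0.02
        "pqc": pqc_surface(SAMPLE_CRYPTO),  # 3 of 5 susceptible -> 0.6
        "ai": ai_threat(4),                 # 4 / 10 -> 0.4
        "config": config_shadow(7),         # 7 / 50 -> 0.14
    }
```

With these inputs the composite is 0.35×0.02 + 0.30×0.6 + 0.25×0.4 + 0.10×0.14 = 0.301, and the PQC module alone accounts for 0.18 of it.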

Framework Alignment

NIST Cybersecurity Framework (CSF) 2.0
PQRi Module      | CSF 2.0 Function  | CSF 2.0 Category
KEV Exposure     | IDENTIFY, PROTECT | ID.RA (Risk Assessment), PR.IP (Information Protection)
PQC Surface      | PROTECT, RESPOND  | PR.DS (Data Security), RS.MI (Mitigation)
AI Threat        | DETECT, RESPOND   | DE.CM (Continuous Monitoring), RS.AN (Analysis)
Config/Shadow IT | IDENTIFY, GOVERN  | GV.RM (Risk Management), ID.AM (Asset Management)

NSA Commercial National Security Algorithm Suite (CNSA) 2.0

CNSA 2.0 Mandate: All NSS (National Security Systems) must transition to quantum-resistant algorithms by 2030.

PQRi's PQC Surface module directly tracks organizational readiness for this mandate by measuring quantum-susceptible algorithm usage and migration progress.

Week-over-Week (WoW) Tracking

PQRi includes a WoW delta to track risk velocity and identify emerging trends:

WoW = (PQRi_current - PQRi_previous) / PQRi_previous × 100

Driver Contribution Analysis shows which module(s) caused the largest WoW change, enabling prioritized remediation:

Example Driver Analysis:
1. KEV Exposure: +4.2% contribution (12 new KEVs with EPSS ≥0.7)
2. AI Threat: +1.8% contribution (spike in prompt injection incidents)
3. PQC Surface: -0.5% contribution (5 legacy certs replaced with PQ-ready algorithms)
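The WoW delta and a driver breakdown in the style of the analysis above, as an added example that is not the platform's own code. The page does not define how a module's contribution is computed; the example assumes each module contributes its weighted score change as a share of last week's PQRi, so the four contributions sum to the WoW figure, and the module scores are constructed.

```python
# Added example, not the PQRi platform's own code. The page does not define
# how a module's contribution is computed; the assumption here is
#   contribution_m = weight_m * (score_m_current - score_m_previous) / PQRi_previous * 100
# so the four contributions add up to the WoW percentage. Scores are constructed.

WEIGHTS = {"kev": 0.35, "pqc": 0.30, "ai": 0.25, "config": 0.10}

def composite(scores):
    """Weighted PQRi from the four normalized module scores."""
    return sum(WEIGHTS[m] * scores[m] for m in WEIGHTS)

def wow_delta(current, previous):
    """WoW = (PQRi_current - PQRi_previous) / PQRi_previous * 100, in percent.
    Returns None when last week's index is 0.0, where the ratio is undefined."""
    prev = composite(previous)
    if prev == 0.0:
        return None
    return round((composite(current) - prev) / prev * 100, 2)

def driver_contributions(current, previous):
    """Per-module share of the WoW change, largest absolute contribution first."""
    prev = composite(previous)
    if prev == 0.0:
        return []
    contribs = {m: round(WEIGHTS[m] * (current[m] - previous[m]) / prev * 100, 2)
                for m in WEIGHTS}
    return sorted(contribs.items(), key=lambda kv: abs(kv[1]), reverse=True)

# Constructed sample: last week's and this week's normalized module scores
PREVIOUS = {"kev": 0.20, "pqc": 0.60, "ai": 0.30, "config": 0.10}
CURRENT = {"kev": 0.32, "pqc": 0.55, "ai": 0.50, "config": 0.10}

def report(current=CURRENT, previous=PREVIOUS):
    """Executive summary lines in the page's driver-analysis style."""
    wow = wow_delta(current, previous)
    if wow is None:
        return ["WoW: undefined (previous PQRi was 0.0)"]
    lines = [f"WoW: {wow:+.2f}%"]
    for rank, (module, pct) in enumerate(driver_contributions(current, previous), 1):
        lines.append(f"{rank}. {module}: {pct:+.2f}% contribution")
    return lines
```

For the constructed scores the index rises from 0.335 to 0.412 (+22.99% WoW), with AI Threat (+14.93) and KEV Exposure (+12.54) driving the increase while PQC Surface (-4.48) partly offsets it.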

Ownership & Remediation

Each PQRi module maps to specific organizational owners for accountability:

KEV Exposure
  Owner: AppSec / Vulnerability Management
  Action: Patch prioritization based on EPSS + KEV status

PQC Surface
  Owner: PKI / Cryptography Team
  Action: Cert replacement, crypto library upgrades

AI Threat
  Owner: Threat Intelligence / SOC
  Action: LLM guardrails, prompt injection defenses

Config/Shadow IT
  Owner: Cloud Security / IAM
  Action: CSPM remediation, shadow IT discovery

API Access

PQRi data is available via JSON API for integration with SIEM, SOAR, and BI tools:

Endpoint          | Description                     | Response
/api/pqri/latest  | Latest PQRi value, WoW, drivers | JSON object with module scores & metadata
/api/pqri/history | 12-week historical series       | JSON array of weekly PQRi values

Note: API responses include a methodology URL for transparency and auditability.

© 2025 AI PQC Audit. Advanced multi-AI powered post-quantum cryptography security platform.