5G, core network and edge with post-quantum handshake at massive scale

European Tier-1 operator with 78k gNBs, IPsec backhaul terminating at regional UPF. 20 years of state-adversary-harvestable traffic.

IKEv2 + ECDSA-P256 at tunnel setup. User-plane traffic (subscriber data) encrypted with AES but session key derived from classical DH.

PQSL Secure Channel as overlay above IPsec (dual-wrap) OR direct kernel-module replacement with hybrid handshake X25519 + ML-KEM-768. Crypto-Agility Hub enables per-geography rollout with instant rollback.

European CDN operator with 340 PoPs. 12M requests/second peak. Sensitive clients (banking, healthcare, gov) require PQC readiness evidence.

TLS 1.3 with X25519. Even with ECDSA cert, session key is harvestable. Chrome already supports ML-KEM-768 hybrid — browsers move faster than servers.

PQSL Enterprise at edge with X25519MLKEM768 (RFC draft) support. Per-cert migration via Crypto-Agility Hub. PQ handshake metrics exposed in Prometheus for client validation.

MNO with 8M M2M/IoT lines on LTE-M/NB-IoT. 2.3B MQTT messages/day. Clients in critical sectors (automotive OEM, city smart-meters, logistics fleets).

MQTT over TLS 1.2 with ECDHE. Messages contain IoT commands — if an adversary decrypts retroactively, they learn operational patterns + can replay future commands.

PQSL MQTT Handler on operator's Mosquitto/HiveMQ broker. Client Embedded-C SDKs compatible with NB-IoT (footprint < 100 KB). Migration Scanner validates per-client compatibility before forcing upgrade.