TL;DR
SCANOSS spent three days at Infosecurity Europe 2026 talking about cryptography. Most of the floor wasn’t. The range of awareness we encountered — from organisations mid-way through PQC planning to security teams who had never heard of a CBOM — tells you more about where the industry actually is than any keynote did.
The exhibition floor at Infosecurity Europe does not lie. Whatever the keynote stages say the industry is focused on, the booths tell you what organisations are actually buying, demoing, and asking questions about. This year, those two things pointed in different directions.
What were people actually talking about on the floor?
AI dominated. That was not a surprise. From the moment ExCeL opened on 2 June, the majority of booth conversations, vendor positioning, and delegate questions circled back to the same set of concerns: agentic AI, automation at scale, and what the accelerating capability of adversaries means for security teams that are already stretched.
Post-quantum cryptography received significant keynote attention. It did not receive the same attention on the exhibition floor. Walking the Discovery Zone over three days, SCANOSS was among a small number of exhibitors actually having the cryptography conversation — and the range of what we encountered when we did was striking.
Some visitors were already mid-planning. They had begun scoping a PQC migration, understood the harvest-now-decrypt-later risk, and were looking for practical answers to a specific question: where does cryptography actually live in their codebase. Others were earlier in the process — aware that post-quantum was coming, uncertain where to begin, and unfamiliar with what a structured cryptographic inventory would involve. And some had never encountered the term CBOM at all.
That spread is not a criticism of the people we spoke with. It is an accurate picture of where the industry is in mid-2026: a small leading edge actively preparing, a large middle aware but not yet moving, and a meaningful portion still operating without a clear view of what the transition will require of them.
Why does the inventory question come before everything else?
The conversations at the stand kept returning to the same underlying problem regardless of where a visitor was in their planning. Before any decision about algorithms, timelines, or migration tooling, an organisation needs to know what cryptography it is running and where. That sounds like a straightforward data-gathering step. In practice, for most codebases of any scale, it is not.
Manifest-level tooling tells you what packages a project declares. It does not tell you which cryptographic algorithms are implemented directly in source files, which libraries carry deprecated key exchange protocols, or where cryptographic keys are embedded in code that has not been touched in years. That information only exists at the source level — and most organisations do not have a systematic way to surface it.
This is what Crypto Finder was built to address. It scans source code directly in Java, Python, Go, and C, detecting cryptographic algorithms, protocols, and keys in the files themselves rather than in declared dependencies. The output is a Cryptography Bill of Materials in CycloneDX format — a structured, auditable inventory of what is actually present, not what a manifest says should be there. It runs entirely offline, which matters for teams that cannot route production code through an external service.
The organisations we spoke with who were furthest along in their planning were the ones who were looking to answer the inventory question.
What does the spread of awareness tell us?
Three days of booth conversations at one event are not a definitive dataset. But the range we encountered — from active PQC planners to teams encountering the concept of a cryptographic bill of materials for the first time — reflects something consistent with what we hear across customer conversations throughout the year.
Regulatory deadlines under the Cyber Resilience Act, NIS2, and DORA are not waiting for the industry to reach a uniform level of readiness. The organisations that will be in the strongest position when those obligations sharpen are the ones that have already answered the foundational question: what is in the code, and where.
If that question is still open for your organisation, contact the SCANOSS team to discuss what a source-level cryptographic inventory looks like in practice.
