SQOUT: A Risk-Based Threat Analysis Framework for Quantum Communication Systems

Abstract

Quantum communication systems, despite their theoretical security guarantees, face practical vulnerabilities across physical infrastructure, protocols, and classical subsystems that existing cybersecurity frameworks do not cover. We propose a kill-chain-based threat model that organises quantum and classical Tactics, Techniques, and Procedures (TTPs) into end-to-end attack sequences, combined with an ISO/IEC 27005-compatible risk scoring methodology. SQOUT, a threat-intelligence platform for quantum technologies, implements this approach and is used to analyse two concrete attack scenarios: Photon-Number Splitting (PNS) and detector-blinding attacks as case studies. The risk assessment uses technique-level likelihood scoring with attack-tree product aggregation across kill-chain steps, producing governance-ready risk ratings for quantum-specific threat scenarios.