Kill-chain on quantum hardware: Four stages of a single attack
A research team led by Cedric Brügmann did what no one had done before — they combined four separate attack techniques into one uninterrupted chain and ran it on a quantum computer with trapped-ion technology. The result is the first end-to-end demonstration of a so-called "kill-chain" against a quantum neural network (QNN).
The term kill-chain comes from classical cybersecurity and refers to a sequence of steps an attacker follows — from reconnaissance through infiltration to the actual attack. The researchers transferred this methodology to the quantum world and aligned it with the MITRE ATLAS framework, which is the counterpart of the more familiar MITRE ATT&CK but focused specifically on threats against artificial intelligence systems.
Their attack took place in four phases:
- Side-channel reconnaissance — the attacker analyzes, for instance, power consumption or timing of operations on the quantum chip. From this "eavesdropping," they can retroactively reconstruct what quantum circuit is running on the device.
- Crosstalk characterization — based on information from the first phase, the attacker maps how operations on one qubit unintentionally affect neighboring qubits. This phenomenon, known as crosstalk, is common in today's quantum processors.
- Adversarial example generation — using knowledge of the circuit architecture and crosstalk maps, the attacker creates a specially crafted input that tricks the neural network.
- Physical attack via crosstalk — the final phase, where the adversarial perturbation is actually carried out on the quantum hardware through targeted noise injection using crosstalk channels.
The key point is that each phase is not isolated — the information obtained in the first phase directly makes subsequent phases more effective. This is a fundamental difference from earlier studies that examined individual vulnerabilities separately.
Why it matters: Quantum clouds and shared hardware
Most of today's quantum computers operate in a quantum cloud (Quantum-as-a-Service, QaaS) model. Companies like IBM, IonQ, and Quantinuum offer access to their quantum processors over the internet, similar to how AWS rents out classical servers. Computations from different customers alternate on a single physical chip.
It is precisely in this multi-tenant environment that the scenario described by Brügmann's team is exceptionally dangerous. An attacker who legally purchases access to the same quantum processor as the victim can, during their "legitimate" task, collect data from side channels and subsequently exploit crosstalk to influence other computations.
"This work shows that the security of quantum neural networks cannot be addressed one-dimensionally. It is an interconnected ecosystem where a weakness in hardware opens the door to manipulation of algorithms," the authors state in the study.
NISQ era: Attacks that work today
Particularly concerning is that the demonstrated attack vectors work on current NISQ devices (Noisy Intermediate-Scale Quantum). They do not require the existence of error-free, fully error-corrected quantum computers, which are still music of the distant future. In other words — the threat is current, not hypothetical.
The NISQ era refers to the period we are currently in: quantum processors have tens to hundreds of qubits but suffer from high error rates. It is precisely this "imperfection" that attackers exploit — crosstalk and noise are not obstacles to them, but weapons.
The study also reports, in its appendix, experiments on superconducting quantum chips, confirming that the described techniques are not limited to just one type of hardware. The vulnerability is broader than it might seem.
What this means for Czechia and Europe
The Czech Republic is not an outsider in quantum research. In June 2026, the Czech AI Factory launched in Ostrava, which includes quantum hardware. The European Union is massively investing in quantum technologies through the Quantum Flagship program and is building 35 new AI supercomputers across the continent.
With the growing deployment of quantum clouds and multi-tenant environments in Europe, the relevance of security research like that demonstrated by Brügmann's team will also grow. For European QaaS providers, this means that they must build protection against side channels and crosstalk attacks from the outset — waiting for the first incident would be a mistake.
The EU AI Act does not yet directly address quantum neural networks, but as quantum machine learning approaches practical deployment, regulation can be expected to cover this area sooner or later.
Defense strategies: Defence-in-depth for the quantum age
The study's authors emphasize that their work is not meant to be merely a catalog of threats. The main goal is to enable the design of proactive, layered defense (defence-in-depth) for quantum systems. If security experts understand how individual attack vectors relate to each other, they can build defenses that address not just isolated vulnerabilities but entire chains.
Recommended directions include:
- Hardware crosstalk mitigation — physical separation of sensitive qubits or active compensation of crosstalk
- Side-channel monitoring — detection of anomalies in power consumption and timing that could signal the reconnaissance phase of an attack
- Tenant isolation in QaaS environments — stricter separation of computations from different customers at both hardware and software levels
- Adversarial training of QNNs — strengthening the resilience of quantum neural networks against manipulated inputs
The study, with 19 pages and 33 figures, is freely available on arXiv:2607.03337 and represents, according to experts, a significant milestone in understanding the security risks of quantum machine learning.
What is a quantum neural network (QNN)?
A quantum neural network is a variant of a classical neural network that uses principles of quantum mechanics for computation — superposition and entanglement of qubits. Theoretically, it can solve certain problems more efficiently than classical neural networks, especially in areas such as molecular simulation, optimization, or classification of quantum data. In practice, however, it currently runs on imperfect NISQ devices with high error rates.
Are today's quantum computers really at risk, or is this an academic exercise?
The study demonstrates a real, practically feasible threat — the attack was carried out on actual quantum hardware, not just in simulation. The researchers prove that current quantum processors are vulnerable to side channels and crosstalk. For quantum clouds, where multiple customers share a single chip, the risk is particularly high. This is therefore not a purely academic exercise.
How does MITRE ATLAS relate to quantum neural networks?
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a security framework that maps known threats and attack techniques against artificial intelligence systems — similar to how MITRE ATT&CK works for classical cybersecurity. The study's authors aligned their attack vectors with this framework to show that quantum neural networks share many vulnerabilities with classical AI systems, but also add hardware-specific threats unique to quantum computing.