In an internal estimate published by China's Ministry of Industry and Information Technology in 2025, the domestic cybersecurity market surpassed RMB 120 billion for the first time in a single year. The number itself was not a surprise. What is striking is the structure behind it: growth is not driven by a single force, but by four simultaneous threads—compliance-driven upgrades to the Classified Protection framework, the Xinchuang substitution wave deepening national product replacement, AI large-model deployment creating unprecedented attack surfaces, and the comprehensive rollout of Critical Information Infrastructure (CII) protection policy.

These four threads are interwoven and mutually reinforcing. CP 2.0 (Classified Protection 2.0) requires all Tier 3-and-above information systems to complete annual assessments, directly driving the assessment, consulting, and security operations markets. Xinchuang substitution requires domestic cryptographic algorithms, domestic OS, and domestically produced security hardware to enter the spaces once occupied by Check Point, Palo Alto, and Fortinet. The rapid spread of AI large models has created attack surfaces—prompt injection, model poisoning, privacy exfiltration—that enterprise security teams had never encountered before. And since the CII Protection Regulations took effect in 2021, cybersecurity investment across the five sectors of energy, finance, telecom, government, and transportation has been elevated to a matter of political priority.

Viewed historically, China's cybersecurity industry has passed through four development phases.

Phase 1 (1994–2005): nascent stage dominated by antivirus software; the foundational legal instrument was the 1994 Computer Information System Security Protection Regulations.

Phase 2 (2006–2016): Classified Protection 1.0 drove compliance-led market growth from single-digit billions to hundreds of billions of CNY; incumbents like Venustech, TopsecSec, NSFOCUS, and TOPSEC established their market positions.

Phase 3 (2017–2022): a dense policy superposition—CP 2.0, DSL, PIPL, and CIIP Regulations—within five years; capital markets surged and new vendors (QIANXIN, Chaitin, Knownsec) rose rapidly.

Phase 4 (2023–present): valuation normalization, profitability emphasis, Xinchuang and AI security as the new growth engines; the commercial model is migrating from project-based to subscription.

Understanding these four phases is the key to understanding why the 2025–2030 window is special: it is the genuine fruition of the dense policy investment from Phase 3, combined with the historic simultaneous resonance of AI disruption and domestic substitution.

Chapter 1 Definitions, Classification, and the Full Industry Chain

Six-Layer Technical Architecture

Network-layer security covers traffic filtering, intrusion detection and prevention (IDS/IPS), DDoS mitigation, and Next-Generation Firewalls (NGFW). The firewall is the cornerstone product; in China, Huawei, Sangfor, Hillstone Networks, TopsecSec, and Alibaba Cloud offer hardware or cloud-native firewall products. The fundamental distinction of NGFW over legacy firewalls is application-layer awareness—it can identify application types within HTTP traffic, not merely ports and protocols.

Endpoint security focuses on protecting every workstation, server, and mobile device. Core products include antivirus, EDR (Endpoint Detection and Response), and XDR (Extended Detection and Response). CrowdStrike has established leadership through its cloud-native Falcon EDR platform; domestically, Rimini Street, Sangfor, and QIANXIN hold significant enterprise shares. As Windows 11 proliferates and Zero Trust architecture advances, endpoint security is converging with identity management.

Data-layer security covers database security, data masking, data classification, digital watermarking, DLP, and privacy computing. Since the Data Security Law took effect in 2021, data classification and grading have become compliance mandates, boosting market shares for specialists such as Dbappsecurity and Zhongfu Information.

Application-layer security encompasses WAF, API security, mobile security, code security, and vulnerability scanning. Chaitin's WAF product Yanchi is widely deployed among leading internet enterprises; Knownsec's cloud security platform covers government websites and mid-sized enterprises.

Identity-layer security addresses IAM, PAM, MFA, and SSO. CyberArk leads globally in PAM; domestically, QIANXIN's IAM platform and XinAn Century's PKI/national cryptography system are representative. Under Xinchuang, IAM systems must integrate with domestic directory services (replacing Active Directory) and SM-algorithm certificate authorities, accelerating domestic substitution.

Physical and industrial control security protects ICS/SCADA/OT systems, industrial internet platforms, and smart-city infrastructure. Since the CIIP Regulations took effect, OT security for power grids, water utilities, transportation, and energy has become mandatory; specialists Weinu Networks, Kuang En, and Zhongfu Tai entered rapid growth.

Three Economic Categories of Cybersecurity Products

Compliance-driven: security equipment required to pass CP assessments (firewalls, IDS, log auditing). Market scale is large and stable, but pricing pressure compresses margins toward average. Typical vendors: Venustech IDS, TopsecSec firewalls, Hillstone NGFW.

Threat-driven: products purchased because a real incident (ransomware, data breach, APT) triggered the need. Penetration is lower but unit values are higher; these products carry the industry's thickest margins. Typical vendors: QIANXIN APT defense, CrowdStrike EDR, Palo Alto Cortex.

Capability-driven: enterprises proactively building security maturity rather than chasing compliance—AI SOC, threat intelligence subscriptions, attack surface management. Penetration is lowest today but growth is fastest; this is the dominant growth space for the next five years. Typical vendors: Sangfor XDR, Dbappsecurity MSS, NSFOCUS threat intelligence.

In China, compliance-driven products account for roughly 55% of the total market, threat-driven 25%, and capability-driven 20%. Their respective CAGRs are approximately 10%, 18%, and 30%, making capability-driven the key driver of the industry's structural upgrade.

Security-as-a-Service (SECaaS): The Irreversible Trend

SECaaS transforms security functions formerly requiring hardware procurement, installation, and maintenance into cloud-delivered, on-demand subscriptions. Firewalls become FWaaS; DDoS mitigation becomes cloud scrubbing; WAF becomes cloud WAF; SIEM becomes cloud SIEM (e.g., Microsoft Sentinel, Alibaba Cloud Log Service Security Center).

SECaaS's impact on the ecosystem is profound: it lowers the security threshold for SMEs, blurs the boundary between security vendors and cloud providers, and accelerates the commercial model shift from project-based to subscription. In 2025, China's SECaaS market is roughly RMB 20 billion (approximately 15% of the total), forecast to exceed RMB 50 billion by 2028 with penetration surpassing 25%.

Zero Trust and SASE: Paradigm Shifts

Zero Trust is not a single product but a security architecture philosophy: never trust by default, continuously verify. NIST SP 800-207 defines Zero Trust Architecture as requiring all access requests—regardless of origin—to undergo identity authentication, device health assessment, and least-privilege authorization.

SASE (Secure Access Service Edge) is Zero Trust's realization in the wide-area network context, integrating SD-WAN, ZTNA, CASB, and SWG into a unified cloud-delivered security service. Zscaler (ZS) is the largest global beneficiary, with FY2025 revenue of USD 2.67 billion and ARR exceeding USD 3 billion. In China, Sangfor, QIANXIN, and China Telecom Cloud Pulse are advancing SASE; penetration only recently surpassed 5%, with explosive growth expected in 2026.

The Industry Chain: Five Layers

Upstream: security chips and core hardware—national-algorithm crypto accelerators on domestic CPUs (Loongson, Hygon, Zhaoxin), HSMs, SmartNICs, TPM security chips. Venustech subsidiary Westone (002268) focuses on domestic-algorithm hardware; XinAn Century (688201) specializes in PKI and national crypto. This is Xinchuang's critical battleground: replacing Intel/AMD means rebuilding the security-chip ecosystem.

Midstream: security products and platforms—firewall hardware, security gateways, encryption devices, security software platforms, cloud security platforms, data security management systems. Venustech, QIANXIN, 360, Sangfor, TopsecSec, NSFOCUS, and Dbappsecurity are the core midstream participants.

Midstream–downstream: security operations and services—SOC construction and management, threat intelligence subscriptions, MSS (Managed Security Services), penetration testing, red-team/blue-team exercises, incident response. As in-house security talent shortages worsen, the MSS market is growing significantly faster than the product market.

Downstream: vertical applications—finance (banking, insurance, securities), government, energy (power grids, oil and gas), telecom, transportation, healthcare, education, and the industrial internet. Finance and government together contribute roughly 45% of market share.

Supporting layer: standards, assessments, training—approximately 300 licensed CP assessment firms, cryptographic inspection and certification organizations, and the CISP professional certification system.


Chapter 2 Global Competitive Landscape and International Benchmarks

Global Market: Key FY2025 Data

The global cybersecurity market reached approximately USD 250 billion in 2025, up roughly 14% year-on-year. The United States holds approximately 40% of global share, Europe 25%, Asia-Pacific 20%. The top five vendors (Palo Alto Networks, Microsoft Security, CrowdStrike, Fortinet, Check Point) together account for approximately 35% of the market; the long tail exceeds 3,000 vendors.

Palo Alto Networks (PANW): FY2025 (ending July 2025) revenue of USD 9.2 billion, +15% YoY; the largest pure-play cybersecurity vendor globally. Its platformization strategy is restructuring the competitive rules—pivoting from "sell individual products" to "sell annual subscription platforms." Three growth engines: Cortex XSIAM (AI-driven SOC), Prisma Cloud, Prisma SASE. Its China business has been materially impacted by U.S.-China tensions; some government clients have switched to domestic alternatives.

CrowdStrike (CRWD): FY2025 (ending January 2025) revenue USD 3.95 billion, +29%; ARR USD 4.24 billion. Cloud-native EDR Falcon holds approximately 20% of the global endpoint security market. The July 2024 global outage impacted reputation, but customer retention remained above 97%, demonstrating extreme platform stickiness. Charlotte AI assistant is materially improving SOC analyst efficiency.

Fortinet (FTNT): FY2025 billings of USD 6.8 billion, +16%. Hardware-plus-software-plus-service vertical integration, with FortiGate maintaining absolute leadership in the mid-market. SASE billings grew 40% in Q4 2025.

Zscaler (ZS): FY2025 revenue USD 2.67 billion, +23%; ARR above USD 3 billion. The cloud-native Zero Trust architecture positions Zscaler as the top choice for enterprises migrating from "castle-and-moat" to Zero Trust.

Microsoft Security: FY2025 estimated revenue exceeding USD 20 billion—the world's largest single cybersecurity revenue source—though Microsoft does not disclose the security segment separately. Defender for Endpoint, Microsoft Sentinel, and Entra ID form the security triad. For enterprises already on Microsoft 365 E5, the "bundled" advantage is nearly impossible to dislodge.

Check Point (CHKP): FY2025 revenue approximately USD 2.5 billion; growth decelerated to single digits, but non-GAAP operating margin near 42% is the highest in the industry.

SentinelOne (S): FY2025 revenue approximately USD 850 million, +33%; ARR crossed the USD 1 billion milestone. The Singularity Data Lake architecture is winning traction among large enterprise clients.

Cloudflare (NET): 2025 revenue approximately USD 2.2 billion, +27%. Product portfolio spans CDN, WAF, DDoS, ZTNA, and email security, evolving toward full SASE. Enterprise Zero Trust suite grew strongly; large customers (>USD 100K annual contract) exceeded 3,500.

Three Structural Trends in the Global Market

Trend 1: Platformization. Single-point tools are being replaced by integrated platforms, driven by enterprise security operations costs that have grown out of control (headcount + tool count + integration complexity). IDC data shows the average enterprise deployed 45 security tools in 2024, yet 70% of CISOs reported that too many tools actually impaired response speed.

Trend 2: AI rewriting attack-defense logic. LLMs enable more convincing phishing emails and more automated exploit generation; AI SOC demand for automated analysis and response has surged in response. CrowdStrike Charlotte AI, Palo Alto Cortex XSIAM, and Microsoft Copilot for Security are all racing in this direction.

Trend 3: Accelerating domestic substitution in China. U.S. export controls and entity-list additions have created supply-chain risk for some critical security products; combined with CP 2.0 and Xinchuang policy, the pace of replacement of foreign security products in Chinese government and state-owned enterprises accelerated materially in 2024–2025.

Geopolitical Dimension

Cybersecurity is among the technology industries most directly affected by geopolitical competition. The Five Eyes alliance (U.S., U.K., Canada, Australia, New Zealand) has created a de facto "Western-led zone" for standards and intelligence sharing, effectively bifurcating the global market. China's response is the construction of a parallel ecosystem: an independent CP standards framework, a domestic cryptographic algorithm family (SM2/SM3/SM4), and a separate threat-intelligence-sharing mechanism under MPS.

For multinationals, this "technology bifurcation" presents a dual-compliance challenge: Chinese operations must satisfy CP 2.0 + DSL (potentially requiring domestic security products), while European operations must satisfy GDPR + NIS2—with minimal overlap between the two frameworks. This friction is creating a niche "cross-border compliance security consulting" market, where vendors such as QIANXIN and Anhua Jinhe are beginning to compete.


Chapter 3 Policy Environment: CP 2.0, Data Security Law, and CIIP Regulations

Policy Timeline: From 1994 to the Four-Law Framework

China's cybersecurity policy architecture evolved over four decades:

1994: The Computer Information System Security Protection Regulations established the foundational concept of classified protection.

2003: State Council Document 27 elevated information security to a national strategic issue and confirmed Classified Protection as the "basic system."

2007: MPS jointly issued the Classified Protection Administration Measures, requiring all information systems to register and undergo graded assessment—this became CP 1.0.

2016: The Cybersecurity Law became China's first dedicated cybersecurity statute, elevating CP, CII protection, security incident reporting, and data localization to statutory obligations.

2019–2022: CP 2.0 standards published; Data Security Law (DSL) and Personal Information Protection Law (PIPL) enacted in 2021; CIIP Regulations enacted in September 2021—forming the "four-law framework" with the Cybersecurity Law as the legal foundation.

Classified Protection 2.0 (CP 2.0): The Compliance Backbone

CP 2.0 (GB/T 22239-2019, published May 2019) differs from CP 1.0 in four critical ways: (1) the scope of protected objects expands to cover cloud computing, mobile internet, IoT, ICS, and big-data platforms; (2) new security dimensions added: "secure communications network," "secure zone boundary," "secure computing environment," "security management center"; (3) significantly elevated legal force—non-compliance may lead to remediation orders, fines, or criminal liability; (4) dynamic evaluation mechanisms introduced, requiring annual assessments supplemented by real-world exercises (National Cyber Exercise "Huwan").

By 2026, the number of Tier 3-and-above systems nationwide is projected to exceed 100,000; the annual assessment market alone is estimated at RMB 8–10 billion, with assessment, remediation, and consulting together totaling RMB 30–40 billion.

Data Security Law and PIPL: The Twin Data Governance Pillars

DSL (effective September 2021): establishes data classification and grading protection; designates "important data" and "core data" as priority protection objects; creates mandatory security obligations for data processing activities.

PIPL (effective November 2021): China's "GDPR equivalent," establishing the "minimal necessary" principle for personal data collection, cross-border transfer rules, and informed consent mechanisms.

The direct market effect: data classification and grading tools, data asset catalogs, data flow monitoring, and personal-information protection management platforms have become compliance mandates for large enterprises. Dbappsecurity holds the top market share in data security management platforms.

CIIP Regulations: Security at the Highest Priority

The Critical Information Infrastructure Security Protection Regulations (effective September 2021) designate eight sectors—telecom, energy, finance, transportation, water, healthcare, education, and technology—as critical infrastructure.

CII Operators must: establish a dedicated security management organization with a named security officer; develop security plans; conduct annual security assessments; report major security incidents within 24 hours. Article 23 explicitly requires CII operators to prefer secure and trusted products and services when procuring—the legal basis for the "Xinchuang + security" dual-compliance requirement.

Xinchuang National Substitution: The Strategic Opportunity

The Xinchuang (信创) program drives substitution of all core IT infrastructure with domestic alternatives. In cybersecurity, this means security products must run on domestic CPUs (Phytium, Kunpeng, Loongson) and domestic OS (Kylin OS, UOS)—not just carry a domestic brand.

Per policy planning, state-owned enterprises must complete Xinchuang substitution by end-2027. Approximately 30% was completed by end-2024; 2025–2026 is the acceleration phase (targeting 40–50%); 2027 is the mopping-up phase. This positions 2025–2026 as the peak release period for Xinchuang security market demand.


Chapter 4 China Market Scale: RMB 120 Billion, 15% CAGR, and Structural Divergence

Total Market Size

The China cybersecurity market in 2025 is approximately RMB 120–150 billion (different methodologies yield different figures: IDC approximately USD 18.8 billion ≈ RMB 135 billion; CAICT approximately RMB 120 billion; industry association approximately RMB 150 billion). The midpoint of approximately RMB 135 billion is a reasonable reference.

The 2020–2025 CAGR of approximately 15–18% significantly exceeds the global average of about 14%. Growth has three drivers: compliance (CP 2.0), domestic substitution (Xinchuang), and threat (rising ransomware and APT frequency).

Segment Scale and Growth

| Segment | 2025E Scale | CAGR | Key Drivers |
| --- | --- | --- | --- |
| Security hardware (firewalls/gateways/encryption) | ~RMB 30B | 10–12% | Xinchuang replacement, CP compliance |
| Security software platforms | ~RMB 35B | 15–18% | Cloud migration, AI capability upgrade |
| Cloud security services | ~RMB 20B | 25–30% | Public cloud penetration, SECaaS shift |
| Security operations/MSS | ~RMB 12B | 30–35% | Talent shortage, SOC outsourcing |
| Data security | ~RMB 15B | 25–30% | DSL/PIPL enforcement deepening |
| Industrial/OT security | ~RMB 8B | 20–25% | CIIP regulations, manufacturing digitization |

Vertical Market Structure

The cybersecurity market's vertical distribution mirrors each sector's digitization intensity and compliance pressure:

Finance: The most stringent regulatory cybersecurity environment. PBOC's Financial CP Implementation Guidelines require core systems to reach CP Level 4. Banking and securities IT security budgets are essentially uncuttable regardless of macro conditions.

Government: Compliance procurement dominates. Security projects are characterized by long cycles (6–12 months), high standardization (CP checklist-driven), extreme switching costs, and price sensitivity that is low relative to sensitivity to vendor qualification and credibility.

Energy: Power grids (State Grid, Southern Grid) and oil and gas are designated CII; OT security investment has surged following the CIIP Regulations. Specialist vendors Weinu Networks and Kuang En have been among the fastest-growing companies.

Manufacturing and industrial internet: Factory digitization is creating entirely new security surfaces; ransomware attacks on manufacturing enterprises in 2025 significantly raised OT security awareness among factory operators.


Chapter 5 Industry Chain Breakdown: Chip–Device–Software–Service–Intelligence–Operations

Upstream: Security Chips and National Cryptography Hardware

Domestic cryptographic chips are the highest-barrier segment. China's commercial cryptography standard (GM/T) specifies SM2 (asymmetric), SM3 (hash), SM4 (symmetric), and SM9 (identity-based) as mandated algorithms; security chips implementing these must obtain OSCCA certification.

Westone (002268) has obtained OSCCA certification for its cryptographic security chip series; XinAn Century (688201)'s CA servers and PKI systems lead the national PKI market, covering approximately 40% of commercial CA organizations. Huada Electronics holds large market shares in SIM cards and financial IC cards and is expanding into network security applications.

In the HSM segment, dominant international products (Thales Luna, nCipher) face domestic substitution pressure; vendors such as Westone, Three-Inno Security, and HT SafeNet are gaining share through national-algorithm support and local service capabilities.

Security Hardware: Firewalls as the Highest-Margin Product

Firewall hardware is the largest category within China's security hardware market, with a 2025 scale of approximately RMB 18 billion (+8% YoY). NGFW commands a significant average-selling-price premium over legacy stateful firewalls due to its integrated IPS, application identification, and SSL decryption functionality.

Hillstone Networks (688030) holds the top domestic NGFW market share, with self-developed ASIC chips providing clear performance advantages at high throughputs (100 Gbps+). TopsecSec (002212) firewalls maintain a stable position in the government market. Under Xinchuang, firewall replacement cycles have shortened materially—from five years to under three—as compliance mandates require domestically produced hardware.

Encryption device market scale is approximately RMB 5 billion, covering SSL/IPSec VPN gateways, secure routers, encryptors, and digital signature servers. In CII contexts, government mandates require OSCCA-certified encryption hardware, creating near-monopoly positions for Westone, XinAn Century, and Three-Inno Security.

Security Software Platforms: Dual Upgrade—Cloud and AI

Cloud-native security platforms (cloud WAF, cloud SIEM, cloud IAM) are replacing legacy on-premises appliances. The migration has been accelerated by enterprise cloud adoption, the DevSecOps movement (integrating security into development pipelines), and the rise of containerization (Docker/Kubernetes security).

AI large models are directly transforming security software: AI-driven log analysis can compress 10,000 raw security events to 20 true anomalies, radically reducing the SOC analyst workload. Sangfor's AI SOC, QIANXIN's Q-GPT security assistant, and NSFOCUS's intelligent threat analysis engine are early commercial deployments of this capability.


Chapter 6 Key Company Analysis: Domestic Leaders and Global Benchmarks

Venustech (002439)

Positioning: Integrated security platform, IDS, and situational awareness
Key figures: FY2025 revenue approximately RMB 23.38 billion; net profit approximately RMB –570 million (transitional period loss)
Strategic context: Venustech's FY2025 financial report reflects the pain of commercial model transition—from project-based to subscription. When recognized revenue declines while contract signings stabilize, the accounting discrepancy is temporary but creates shareholder anxiety. The Q4 2025 performance warrants close attention: if Q4 revenue reflects a substantial release of subscription contracts, it will signal that the transition is approaching inflection.

Venustech's core competitive moat is its leading position in the government and military-industrial security market: the first domestic IDS vendor to obtain classified government project qualifications; long-term relationships with MPS, MND, and NDRC; the situational awareness platform covering the core cybersecurity operations rooms of more than 30 provinces. These relationships are not replaceable by product capability alone, giving Venustech structural protection in the government market even as it faces competitive pressure in commercial segments.

QIANXIN (688561)

Positioning: Critical infrastructure protection, enterprise security platform
Key figures: FY2025 revenue approximately RMB 60 billion; loss-narrowing trajectory; Q3 2025 quarterly profit achieved
Strategic context: QIANXIN is China's cybersecurity firm with the widest attack-defense capability coverage. Its five major product lines—advanced threat protection, endpoint security, cloud security, data security, and security operations—form an integrated defense ecosystem. The APT defense platform (Tianyan) tracks over 60 APT organizations, with threat intelligence data exceeding 50 billion items—among the deepest in Asia-Pacific.

QIANXIN's most important 2025 development is achieving quarterly profitability while cutting R&D redundancies (approximately 20% reduction in R&D headcount, focusing on core product lines). This is "R&D efficiency improvement" rather than capability reduction—the correct path forward.

Sangfor Technologies (300454)

Positioning: Hybrid cloud security + SD-WAN, mid-market leader
Key figures: FY2025 revenue approximately RMB 62 billion; net profit approximately RMB 1.6 billion; operating cash flow RMB 1.342 billion (the healthiest cash flow among domestic listed security vendors)
Strategic context: Sangfor is the most commercially successful story among China's cybersecurity companies to date. Its channel system—3,000+ certified partners nationwide—is the deepest in the industry. Its SASE platform is one of the closest China-side approximations to Zscaler's global architecture. Most importantly, subscription revenue (hyper-converged infrastructure annual subscription, network security subscription service) contributes a stable, growing ARR base—in sharp contrast to the Q4-weighted project-based revenue recognition of competitors.

Dbappsecurity (688023)

Positioning: Data security specialist, MSS leader
Key figures: FY2025 revenue approximately RMB 21.51 billion; net profit approximately RMB –200 million
Strategic context: Dbappsecurity holds the top market share in data security management platforms, directly benefiting from DSL/PIPL enforcement. MSS service revenue grew over 35% in 2025, confirming the structural demand for security operations outsourcing.

Hillstone Networks (688030)

Positioning: NGFW specialist, self-developed ASIC chip
Key figures: FY2025 revenue approximately RMB 12 billion; net profit approximately RMB 50 million
Strategic context: Hillstone's self-developed ASIC chips for NGFW provide clear advantages in high-performance data center firewall applications where CPU-based firewalls hit throughput ceilings. AI computing infrastructure build-out in 2025 drove large-scale AI cluster network security demand, creating a new incremental market.

DKC Networks / China Electronics Corporation (002417)

Positioning: State-owned-enterprise-backed security vendor, classified government deployments
Core advantage: The state-owned enterprise background provides unmatched trust credentials in classified information systems—virtually the only acceptable vendor for government and military security. Xinchuang acceleration in government and defense is expected to drive strong growth in 2026–2028.

Westone (002268)

Positioning: Cryptographic security specialist, national-algorithm hardware
Core advantage: Dominant domestic supplier of SM2/SM3/SM4 cryptographic hardware and devices; serves power, finance, and government critical applications. As the RSA-to-SM algorithm migration accelerates and post-quantum cryptography deployment approaches, Westone is positioned as a direct beneficiary.

XinAn Century (688201)

Positioning: PKI, CA, and national cryptography
Core advantage: PKI network effects create near-zero switching cost—CA certificates once issued are embedded in downstream infrastructure. XinAn Century holds approximately 40% of the commercial CA market with a near-monopoly position in national-algorithm certificate issuance.

Chaitin Technology: Emerging WAF Leader

Chaitin's WAF product Yanchi and its cloud WAF have achieved leading deployment among China's top internet enterprises, including major e-commerce, fintech, and video platforms. Chaitin's strength lies in its deep offensive research capability—its team includes former CTF champions with real-world vulnerability discovery records—and its ability to convert that offense research directly into defensive product intelligence.


Chapter 7 Geographic Distribution: Beijing–Shanghai–Shenzhen–Silicon Valley–Israel Global Security Map

Beijing: The Absolute Hub of Chinese Cybersecurity

Beijing is China's unquestioned cybersecurity center of gravity. Venustech, QIANXIN, 360, Rimini Street, Knownsec, Topstec, and SafeDog are all headquartered in the capital; Zhongguancun Science City and Haidian Software Park are the primary clusters. CNITSEC (China National Information Technology Security Evaluation Center), MPS Third Research Institute, and OSCCA are located in Beijing, forming a product-regulation-policy triangular resonance.

From a supply-chain perspective, Beijing hosts a dense concentration of manufacturers of firewall hardware, security gateways, encryption devices, and related security hardware, supporting the upstream supply chains of leading software vendors.

天下工厂's platform data shows that in security vendors' overseas expansion to the Middle East, Southeast Asia, and South Asia, nearly 40% of core technical personnel are recruited from Beijing—underscoring the capital's position as the talent hub for China's cybersecurity internationalization.

Shanghai: International Finance Security and R&D Gateway

Shanghai is China's cybersecurity center for international finance and R&D. The concentration of financial institutions (banks, securities firms, exchanges, insurers) makes Shanghai one of the most demanding cybersecurity end-user markets in the country. Shell entities of global security vendors (Palo Alto China HQ, Check Point China, IBM Security Greater China) are based in Shanghai, providing dual-language security jobs and creating a pool of bilingual security professionals.

Data security equipment and industrial control security hardware manufacturers are present in Shanghai and surrounding cities; the broader Yangtze Delta manufacturing belt supplies security hardware components nationwide.

Shenzhen: Hardware-Native and Internationalization Gateway

Shenzhen's cybersecurity industry has a hardware DNA. Sangfor (HQ Shenzhen) and Hillstone Networks are products of Shenzhen's deep manufacturing heritage. Shenzhen's proximity to Hong Kong makes it the primary gateway for Chinese cybersecurity vendors' Southeast Asia expansion.

Industrial control security devices and data center security hardware manufacturers are densely clustered in Shenzhen, supplying the South China and national markets. Tencent Security (Shenzhen HQ) is channeling AI-driven security capabilities bidirectionally—toward internal products and external enterprise clients.

Silicon Valley: The Global Security Innovation Engine

Silicon Valley remains the global innovation engine for cybersecurity. The most aggressive product strategy innovations—Palo Alto's Platformization, CrowdStrike's single-agent-everything model, Zscaler's firewall-elimination thesis—all originated in and were refined through Silicon Valley's competitive cauldron. Silicon Valley's venture capital ecosystem provides the fuel: 2024 global cybersecurity VC activity was approximately USD 12 billion; U.S. startups received roughly 60% of that.

Israel: The Security Superpower per Capita

Israel produces more cybersecurity innovations per capita than any other country. The structural reasons are clear: mandatory military service funnels large numbers of graduates through elite signals intelligence units (8200, Talpiot, Mamram), providing world-class offensive and defensive experience that translates directly into startup formation upon service completion. Check Point (Israeli-founded), CyberArk (IAM/PAM leader), Team8 (venture studio), Cybereason, Claroty (OT security), and Armis (asset intelligence) are among the most visible Israeli contributions to global cybersecurity.


Chapter 8 Deep Dives: Xinchuang, AI Security, Data Security, ICS, Zero Trust, and MSS

Xinchuang Security: The Market Opportunity of a Forced Transition

The technical challenge is rebuilding security functions (firewall drivers, EDR agents, database encryption plugins) on domestic CPUs (Phytium, Kunpeng, Loongson) and domestic operating systems (Kylin, UOS). This is systems engineering, not simple porting. DKC Networks, Rimini Street, and TopsecSec lead in Xinchuang compatibility certifications; QIANXIN and Venustech are accelerating Xinchuang certification of their primary product lines, targeting completion in 2026.

Xinchuang security market scale: approximately RMB 27 billion in 2025, forecast to exceed RMB 50 billion by 2027, CAGR over 35%. Central and state-owned enterprises are the primary Xinchuang clients; local governments and public institutions represent the next wave.

AI Security: Attack-Defense Symmetry Upgrade

AI security covers two parallel dimensions: (1) using AI to enhance security defense (AI SOC, AI-driven threat detection, AI-powered vulnerability analysis); (2) defending against AI-enabled attacks (detecting AI-generated phishing, defending against model poisoning, securing enterprise large-model deployments).

Using AI for defense: The core capability of the AI SOC is reducing false alert noise. A traditional enterprise SIEM generates 50,000–100,000 daily alerts, of which 95%+ are false positives. When an AI SOC compresses 10,000 alerts to 20 real anomalies requiring human review, the SOC analyst's effective coverage expands by an order of magnitude. Palo Alto's Cortex XSIAM and CrowdStrike's Charlotte AI are the global commercial leaders; domestically, QIANXIN's Intelligent SOC and Sangfor's AI Security Brain are the closest approximations.

Defending AI-native applications: Large-model security encompasses prompt injection defense (filtering malicious inputs), training data poisoning detection, model output watermarking (content traceability), API security (securing LLM-calling interfaces), and privacy protection (preventing models from memorizing and leaking personal information). In China, the Generative AI Management Interim Measures (effective July 2023) require large-model providers to complete security assessments before launch. This creates a dedicated "AI security assessment" market where Venustech, QIANXIN, and NSFOCUS are competing for early-mover positions.

Data Security: Seven Technology Layers

Data security is the fastest-growing cybersecurity segment. Scale: approximately RMB 15 billion in 2025, forecast to exceed RMB 50 billion by 2030 (CAGR ~27%).

Seven technical layers: (1) Data discovery and classification—automated scanning, identification, and tagging of personal information, important data, and core data; (2) Database Activity Monitoring (DAM)—monitoring all database access operations, detecting anomalous behavior; (3) Data masking—replacing sensitive fields (names, ID numbers, phone numbers) with format-consistent synthetic data; (4) Digital Rights Management (DRM)—file-level access permissions; (5) Data Loss Prevention (DLP)—real-time monitoring of data transmission behavior; (6) Privacy computing—enabling "data usable but not visible" through federated learning, secure multi-party computation, and confidential computing; (7) Data governance—comprehensive management framework spanning policy, culture, training, and incident response.

Industrial Control Security (ICS/OT Security)

ICS security differs fundamentally from IT security. In IT, the CIA triad typically prioritizes confidentiality; in OT, availability is paramount—production lines cannot stop, and any security measure that causes business disruption will be circumvented. This priority means ICS security products must be built around "transparent monitoring, non-intrusive deployment" rather than the IT security default of "detect threat, block immediately."

Key vendors: Weinu Networks (manufacturing, energy ICS), Kuang En Networks (power, transportation), Zhongfu Tai (airport, rail OT). The ICS security market totals approximately RMB 8 billion in 2025, with CAGR approximately 20%, one of the fastest-growing sub-segments following CIIP Regulations enforcement.

Zero Trust: From Architecture to Product

Zero Trust implementation in China centers on five product categories: (1) ZTNA (Zero Trust Network Access)—secure access to enterprise applications regardless of network origin; (2) PAM (Privileged Access Management)—strict controls on administrator account usage; (3) IAM upgrades—from LDAP/AD to context-aware access control; (4) SASE (Secure Access Service Edge)—cloud-delivered integrated network security; (5) Microsegmentation—east-west traffic control within data centers.

By end-2025, China's Zero Trust market is approximately RMB 8–10 billion, with a forecast CAGR of 30%+. Adoption is led by financial institutions, followed by large internet enterprises, with gradual penetration into government and manufacturing.

MSS: Structural Growth from Talent Shortages

MSS market scale: approximately RMB 12 billion in 2025, nearly doubling from 2023; the fastest-growing segment with CAGR approximately 35%. Forecast to exceed RMB 50 billion by 2030, accounting for over 50% of security services.

The economic logic: the annual cost of a properly staffed in-house SOC (24×7 Tier 2/3 analysts) is at minimum RMB 4–8 million, whereas MSS annual fees typically range from RMB 300K to 1.5 million, offering compelling ROI for enterprises unable to staff a full security team internally.


Chapter 9 Technology Evolution: AI Defense–Zero Trust–Quantum Cryptography–Active Immunity–National Algorithms

AI-Driven Security: Four Technology Branches

AI detection: Large models (LLM fine-tuned for security) automatically process security logs, correlate alert chains, identify attack patterns, and output structured threat analysis reports—compressing analyst review time from hours to minutes for routine events.

AI-generated attack defense: Defenders must now counter AI-assisted phishing email generation (no grammar errors, contextually targeted), AI vulnerability discovery (automated fuzzing + exploit generation), and AI social engineering (mimicking personal communication styles). The "AI attack → AI defense" cat-and-mouse dynamic is reshaping the economics of offensive and defensive capabilities simultaneously.

Model security: Securing enterprise deployments of AI models, covering: prompt injection (malicious user input manipulating model behavior), training data poisoning (corrupting training data to induce model bias), model inversion (reconstructing private information from model outputs), adversarial samples (carefully crafted inputs inducing misclassification).

AI safety evaluation: The regulatory requirement for large-model providers to conduct security assessments before launch is creating a dedicated market estimated at approximately RMB 3 billion in 2025.

Post-Quantum Cryptography Migration

NIST published three post-quantum cryptography standards in August 2024 (FIPS 203/204/205, based on CRYSTALS-Kyber and CRYSTALS-Dilithium), signaling that PQC migration has entered the engineering implementation phase.

China's national cryptographic administration is promoting quantum-safe upgrades to the SM algorithm family. Migration implications: RSA→SM2 certificate replacement (1,000–5,000 certificates for a large bank, 6–12 months, estimated cost RMB 3–5 million); database encryption field replacement (SM4 for AES, months of hot migration); VPN and encrypted tunnels (SM-based IPSec/SSL VPN replacing legacy products). A large bank's full-stack migration totals an estimated RMB 30–80 million over 2–3 years. Aggregated across all commercial banks, government agencies, and central enterprises, the national migration program is expected to release hundreds of billions of CNY in market opportunity through 2030.

Trusted Computing 2.0: China's Distinctive Security Architecture

Trusted Computing 2.0 (TC 2.0) is a domestically developed security architecture proposed by Shen Changxiang (Chinese Academy of Engineering). Unlike the Western Trusted Platform Module (TPM) approach, TC 2.0 places a "trusted security module" (TSM) alongside the CPU as a "safety supervisor" that independently monitors all operations of the main CPU from outside, providing active immune protection—it is proactive monitoring, not passive scanning.

TC 2.0 has been formally mandated in China's "Party and government machine" Xinchuang systems; Lenovo's Kunlun server line and Huawei's KunPeng servers integrate TC 2.0 support in their latest generations.


Chapter 10 Risks and Challenges: Sanctions, Regulation, Concentration, and Commoditization

U.S. Sanctions: A Double-Edged Sword

Positive effect: Accelerates switching of government and SOE clients from foreign security products to domestic alternatives, generating large replacement orders for QIANXIN, Venustech, and others.

Negative effect: Vendors relying on NVIDIA GPUs for AI security R&D face compute supply uncertainty; platforms relying on commercial licenses (Elasticsearch, Splunk) face potential licensing risks; overseas expansion may be impeded by "Chinese national security tool" political labeling in Western markets.

Large-Client Concentration Risk

China's leading security vendors face excessive large-client concentration. QIANXIN's top-five client revenue share is approximately 20%; Venustech's government-segment revenue is approximately 55% of total. This creates volatility when government budgets are cut, slow and unpredictable contract cycles, and strengthened client negotiating leverage in renewal discussions.

Industry Commoditization

More than ten vendors offer near-identical firewall, WAF, and SIEM products; differentiation is primarily on price, service response time, and government relationships rather than genuine technical capability. The consequences are sustained price warfare in the low-to-mid market, a shift of competitive focus from product technology to marketing and channel, and clients who cannot distinguish genuine technical differentiation and therefore default to government certification results and brand recognition.

Paths out of commoditization: (1) establish absolute technical dominance in one sub-segment (Hillstone NGFW self-developed ASIC); (2) reduce client integration costs through platform consolidation (Sangfor SASE); (3) build genuine experience differentiation through AI capability upgrades (QIANXIN AI SOC).

Xinchuang Timeline Uncertainty

Actual Xinchuang substitution pace varies enormously across provinces, SOE groups, and agencies; some domestic alternatives lack maturity, causing project delays; ecosystem compatibility (security software on domestic OS takes extensive adaptation time) creates further friction.

Fragmented Regulatory Landscape

Multiple ministries hold overlapping cybersecurity authority: MPS (CP, CII), CAC (internet data security, AI regulation), MIIT (telecom security, industrial internet), OSCCA (commercial cryptography), SAC (national standards). The same information system may simultaneously need to satisfy CP 2.0 (MPS), DSL (CAC), and national-algorithm requirements (OSCCA)—with different inspection cycles, focal points, and even conflicting standards. Compliance costs increase; security consulting vendors (who help enterprises map multiple frameworks) gain incremental market space.


Chapter 11 2026–2030 Outlook: CAGR 15–18%, Xinchuang 50%+, and Accelerating Overseas Expansion

Market Size Forecast

Year | Market Size (RMB B) | YoY Growth | Core Driver
-----|---------------------|------------|------------
2025 | ~135 | ~15% | CP 2.0 + Xinchuang
2026 | ~155 | ~15% | Xinchuang ramp + AI security
2027 | ~180 | ~16% | Xinchuang completion + data security
2028 | ~210 | ~17% | SASE/XDR + overseas expansion
2029 | ~245 | ~17% | Quantum security migration
2030 | ~285 | ~16% | ICS security major expansion

By 2030, China's total cybersecurity market is forecast to reach approximately RMB 285 billion, approaching 15% of the global market, with a CAGR of approximately 16%.

Structural Forecast: Xinchuang Share Exceeding 50%

The Xinchuang security market is forecast to exceed RMB 50 billion by 2027 (approximately 28% of the total market); by 2030, Xinchuang-related security (products, services, national-algorithm infrastructure) is forecast to account for over 50% of the market.

AI Security: From RMB 6 Billion to RMB 30 Billion

AI security market: approximately RMB 6 billion in 2025, forecast to exceed RMB 30 billion by 2030, CAGR approximately 38%. Drivers: enterprise-wide LLM adoption (forecast 80%+ of enterprises using some form of generative AI by 2028); AI-driven attack proliferation; large-model security assessment becoming a statutory requirement.

CR10 Breaking 60%: Irreversible Concentration

CR10 is forecast to rise from approximately 45% in 2025 to approximately 60% by 2030; CR5 from 30% to approximately 42%. Mid-tier and small vendors face two paths: acquisition by a leading vendor (strategic M&A expected to cluster in 2026–2028), or specialization in high-barrier niches (ICS, quantum cryptography, AI safety assessment).

2026 Key Events: Forward Calendar

Q1 2026: FY2025 annual reports released; Q4 2025 Xinchuang security orders are the critical data point for assessing whether Xinchuang is accelerating.

H1 2026: If the Cybersecurity CP Regulations (the statutory upgrade) are enacted, assessment market rigidity and penalties will strengthen, expanding market scale.

Mid-2026: Detailed AI regulations—if large-model security assessment standards land in 2026, vendors holding assessment qualifications gain first-mover advantage.

End-2026: Mid-checkpoint of Xinchuang substitution (one year before the 2027 deadline); central enterprise groups expected to complete security asset inventory by end-2026, with concentrated procurement waves in Q3–Q4 2026.

Quantum Security Migration: 2028–2033 Next Growth Cycle

Quantum computers are expected to reach practical threshold capability in 2028–2033, at which point RSA/ECC-based public-key cryptography will face a real-world threat. Quantum-safe migration programs at financial institutions, government, and critical infrastructure operators are expected to become a new growth engine, driving a specialized market exceeding RMB 30 billion. SM-algorithm family designs have considered quantum resistance; Westone and XinAn Century are positioned as early beneficiaries.


Chapter 12 Conclusion: The Five-Year Narrative of the Domestic-Substitution Leap

China's cybersecurity market is experiencing a structural opportunity that may reshape the competitive landscape for a decade. The compliance rigidity of CP 2.0, the policy certainty of Xinchuang substitution, the symmetric AI-driven upgrade of attack and defense, and the national will behind critical infrastructure protection—four threads simultaneously reaching peak force in 2025–2027—constitute the densest growth impulse the industry has seen.

From a base of approximately RMB 135 billion in 2025 to a potential RMB 285 billion by 2030, a five-fold increase in fifteen years is extraordinarily rare among China's industrial software sectors. What drives this is not purely autonomous market demand, but the superposition of national will (Xinchuang + CII protection) and commercial necessity (AI threat defense + data compliance)—historically the most favorable configuration for China's industrial policy to generate large markets.

Three coordinates for tracking this industry's trajectory:

Coordinate 1: Xinchuang pace and policy implementation quality. End-2027 is the hard policy deadline; actual progress faces constraints from technical maturity, ecosystem compatibility, and procurement budgets. Tracking Kylin OS and UOS commercial deployment is the best leading indicator for Xinchuang security market timing: by end-2025, combined installations exceeded 8 million units across central and state-owned enterprises; new deployments in 2026 are expected to exceed 5 million, laying the foundation for parallel security product deployment.

Coordinate 2: AI security from RMB 6 billion to the tens-of-billions scale. This segment is at the "large-vendor positioning, standards formation" early stage. The 2026–2028 window is the critical transition from "first movers" to "standards dominators." Vendors who secure leadership in AI security assessment standards, AI SOC scale deployment, and large-model security guardrail commercialization will enjoy brand premium after 2028.

Coordinate 3: Systematic investment in overseas capability building. China's security vendors' window in Southeast Asia and the Middle East overlaps with current digital infrastructure build-out cycles, but local capability building requires at least three years. Vendors establishing branch offices, partner networks, and local compliance certifications now will be positioned to compete for the hundred-billion-scale opportunity by 2028–2030.

The 天下工厂 platform maintains a supply-chain database of 4.8 million verified active factories. It continuously tracks the production capacity, geographic distribution, and order flows of upstream cybersecurity hardware (firewall devices, security gateways, encryption devices, industrial control security equipment, security hardware), providing the manufacturing-lens data support uniquely suited to this industry's supply chain analysis.

Three Key Insights from the Institute

Insight 1: The "internalization of negative externalities" of security is irreversible. Enterprises have long externalized the costs of security incidents (social impact of data breaches, supply-chain contagion). As DSL enforcement raises penalties (single data-breach fines up to 5% of revenue), cyber insurance spreads, and shareholder accountability cases emerge, the model of externalizing security costs is ending. When enterprises truly bear the full cost of security negligence, the investment decision logic changes fundamentally—from "spend the minimum to satisfy compliance floors" to "invest rationally to build genuinely effective defense."

Insight 2: Technology-generation transitions create larger incremental opportunities than installed-base replacement. Xinchuang substitution (installed-base domestication) is important, but the largest opportunities lie in incremental demand from technology-generation transitions: cloud-native architecture proliferation, enterprise LLM deployment, factory digitization, smart-city construction—all representing entirely new security requirements not covered by existing security architectures. Even if Xinchuang pace is slower than expected, the cybersecurity industry has continuous incremental opportunities from new technology scenarios. This dual-engine structure of "new-scenario increment + installed-base domestication" gives China's cybersecurity market growth visibility far superior to cyclical industries through 2026–2030.

Insight 3: Ecosystem integration capability determines the competitive landscape of the next decade. Cybersecurity is not competition among individual products but competition among ecosystems. Vendors that can integrate firewall, EDR, SIEM, threat intelligence, and SOC into a coherent security operations platform—with a unified data model, unified policy management, unified alert interface, and open APIs—will build irreversible ecosystem advantages over the next decade. The global successes of Palo Alto's Cortex and CrowdStrike's Falcon are both ecosystem integration victories. Domestically, Sangfor's Security Cloud Map and QIANXIN's security platform are the closest attempts, but ecosystem completeness and third-party integration depth remain gaps. Vendors that achieve an ecosystem integration inflection point in 2026–2028 will enjoy market positions in 2030 analogous to Palo Alto's today.

Supplementary Topic: Financing, Talent, and Ecosystem

Financing: From Capital Feast to Rational Return

After the 2021–2022 peak (VC investments approximately RMB 200 billion), the primary market has cooled substantially. Post-2023, the investment community has pivoted from "narrative companies" to businesses with genuine revenue, clear profitability paths, and strong regulatory-demand drivers. Sectors most favored: data security infrastructure, commercial cryptography migration services, AI security detection tools, and External Attack Surface Management (EASM) platforms. Strategic M&A is expected to intensify in 2026–2028, with QIANXIN, Sangfor, and Venustech as the most probable acquirers.

Talent: 1.5 Million Gap and Structural Mismatch

China's cybersecurity talent gap exceeds 1.5 million, representing the industry's most significant long-term constraint. The gap is structural: world-class APT analysts and exploit developers are globally scarce; university graduates have theoretical backgrounds but weak engineering proficiency; China's CISO supply is severely insufficient (most SMEs have no dedicated CISO). These structural deficits are the fundamental demand driver for MSS—clients prefer to pay for services rather than bear the cost of recruiting and retaining elite security teams.

The AI path to talent leverage: when AI SOC matures enough to compress 80% of routine alerts automatically, a 3-analyst SOC can achieve the coverage of a traditional 20-analyst team. This is the strategic value of AI SOC beyond pure technology—it is a response to an intractable supply constraint.

Key Security Industry Milestones (2024–2025)

The July 2024 CrowdStrike global outage (850 million Windows devices blue-screened worldwide, USD 10+ billion in direct losses) accelerated Chinese SOE re-evaluation of deep-kernel foreign security tools, benefiting domestic Xinchuang substitution.

A major domestic internet platform data breach in 2025 (hundreds of millions of personal records affected) triggered CAC targeted enforcement; data security management platform inquiries surged 50% in the three months after the event.

APT attacks targeting Chinese energy and telecom infrastructure rose approximately 35% in 2024–2025 (Venustech and QIANXIN annual threat reports), driving SOC capacity investment and APT defense specialized procurement.

Industrial Security Meets the Manufacturing Supply Chain

Industrial internet security is one of the fastest-growing segments, with a 2025 market of approximately RMB 8 billion (CAGR ~25%), forecast to exceed RMB 25 billion by 2030. Three forces are reinforcing one another: IIoT platform scale deployments are expanding the OT attack surface; MIIT's industrial internet security standards are creating compliance mandates; and ransomware attacks on manufacturing enterprises are raising OT security awareness.

Industrial control security equipment supply chain: industrial-version firewall devices, OT security sensors, and industrial Ethernet switches are primarily manufactured domestically by hardware producers in Shenzhen, Ningbo, and Suzhou. Understanding these hardware supply chains' capacity and lead times is an important early signal for forecasting OT security market supply constraints.

Data Sources

Sources and references for this report:

  • TXG Industrial Research Institute (https://www.faxiangongchang.com) proprietary database and field research
  • Venustech (002439) FY2025 Annual Report (published April 2026)
  • QIANXIN (688561) FY2025 H1 and Q3 Reports (August–October 2025)
  • Sangfor (300454) FY2025 Annual Report (March 2026)
  • Dbappsecurity (688023) FY2025 Annual Report (March 2026)
  • TopsecSec (002212), NSFOCUS (300369), Rimini Street (300352) historical filings
  • Palo Alto Networks FY2025 Annual Report (July 2025)
  • CrowdStrike FY2025 Annual Report (March 2025, ending January 2025)
  • Fortinet FY2025 Annual Report (FY2025 billings USD 6.8 billion)
  • Zscaler FY2025 Annual Report (revenue USD 2.67 billion)
  • IDC China Cybersecurity Total Market Forecast 2025
  • CAICT Cybersecurity Industry White Paper (2025 Edition)
  • NIST Post-Quantum Cryptography Standards (FIPS 203/204/205, August 2024)
  • GB/T 22239-2019 Cybersecurity Classified Protection Basic Requirements
  • Data Security Law of the People's Republic of China (effective September 2021)
  • Personal Information Protection Law (effective November 2021)
  • Critical Information Infrastructure Security Protection Regulations (effective September 2021)
  • Interim Measures for the Management of Generative AI Services (effective August 2023)
  • NIST SP 800-207 Zero Trust Architecture
  • Gartner Top Cybersecurity Trends 2025 (published 2025)