
DEEP RESEARCH · KOREA INFOSEC INDUSTRY (2025-2027)

Korea cybersecurity — 2025-2027 deep dive on policy reset and tech paradigm winners

K-Security KRW 30T target, network separation → MLS, zero-trust mandate, punitive privacy fines — the four pillars driving a bang

Published: 2025-12-10 · InfoSec / policy-market causality view · Original Naver Blog post

You are responsible for your own investment decisions. This material is research and is not a buy or sell recommendation.

0. Bottom line first

Korea's infosec market has graduated from "compliance cost" to "investment in national security and corporate survival." Four pillars — the K-Security Strategy (KRW 30T by 2027), the Multi-Level Security (MLS) shift, zero-trust mandate, and punitive privacy fines (up to 3–10% of revenue) — simultaneously expand the TAM. Listed Top Picks combining policy tailwind and tech moat: Genians (Zero Trust), AhnLab (integrated / OT), Softcamp (CDR / MLS), Igloo Corp (AI SOC), MonitorApp (CSAP SaaS), Sands Lab (CTI data). Unlisted key players: SK Shieldus (convergence giant), S2W (dark-web AI), Theori (offensive / Web3), AI Spera (ASM), Naonworks (OT), Tilon (public DaaS).

1. Introduction — why security, why now

Korean infosec sits at an unprecedented inflection point. AI and cloud have broken perimeter-based defense; policy ("K-Security" + relaxed network separation) is expanding the addressable market.

Three triggers for market expansion

  • Regulation (physical separation → MLS): Public-sector access to SaaS and generative AI is unlocked — cloud security, CDR, browser isolation surge.
  • Coercion (punitive fines): Privacy breaches now face fines up to 3% → 10% of total revenue. Security investment moves from "optional" to "existential."
  • Convergence (convergence security): Cyber threats now reach physical space (smart factories, autonomous driving, IoT). OT and CPS become new blue oceans.

2. Policy backdrop — the mechanics of expansion

2.1 3rd InfoSec Industry Promotion Plan and "K-Security Strategy"

The Ministry of Science and ICT targets a KRW 30T infosec market by 2027 (vs ~KRW 16T in 2022, ~1.9×).

  1. KRW 130B Cybersecurity Fund: public-private blend supporting unlisted hopefuls (S2W, Theori, Sands Lab) and enabling listed M&A (AhnLab, Genians).
  2. K-Security Alliance / Cluster: joint public-private bid teams for emerging B2G markets (Middle East, SEA). Genians' Middle East wins build on this.
  3. Physical security as export industry: KRW 20T target with KRW 10T of exports by 2027 — AI CCTV and biometrics (Suprema, Union Community) benefit.

2.2 Network-separation easing and Multi-Level Security (MLS)

The 2024 "Public Sector Network Separation Improvement Roadmap" retires physical separation in favor of MLS, based on data importance.

| Grade | Data definition | Network style | Required tech / beneficiaries |
|---|---|---|---|
| C (Classified) | National security, defense, diplomatic secrets | Physical separation retained | Advanced cryptography, access control, physical security gear |
| S (Sensitive) | Personal data, non-public administrative info | Logical separation allowed | VDI/DaaS (Tilon), ZTNA (Genians), virtualization security |
| O (Open) | Pseudonymized / public info | Internet connection allowed | SaaS security (CASB), CDR (Softcamp), RBI |

Official fact: The introduction of "O" and "S" grades is the key change. Generative AI and commercial SaaS are now allowed for "O" — opening up VDI/DaaS (Tilon), CDR (Softcamp), CSAP (MonitorApp / Genians).

2.3 Mandatory zero-trust

"Never trust, always verify." MSIT and KISA's Zero-Trust Guideline 1.0 plus pilot programs are pushing real deployments. Legacy VPNs are being replaced by ZTNA — micro-segmentation at the application level. NAC leader Genians and platform vendor AhnLab lead the field.

2.4 Tougher PIPA — punitive fines

Up to 3% of total revenue, with up to 10% for willful/gross negligence under discussion. The cost of a breach now dwarfs security investment — forcing not just platforms but mid-cap and SMB to deploy encryption, access control, and DLP.

3. Sector trends and competition

3.1 Network security — NAC to ZTNA

NAC is the visibility foundation; ZTNA replaces VPNs. Genians (60%+ NAC share) is the de-facto standard; AhnLab pursues with integrated ZTNA.

3.2 Endpoint and document security — CDR / EDR rising

  • EDR: Now essential alongside AV. AhnLab, Genians, ESTsecurity compete.
  • CDR: Critical as MLS "O" expands — Softcamp, Jiransecurity lead.
  • Document DRM: Fasoo and Softcamp dominate.

3.3 Cloud security (SECaaS) and CSAP

CSAP is the entry pass into public cloud. MonitorApp's "AIonCloud" WAF and Genians' "Cloud NAC" are both certified, making them early movers in public SaaS.

3.4 OT / ICS — the shield of smart factories

OT availability is non-negotiable, so security must never disrupt operations. Nozomi Networks and Claroty are global entrants; AhnLab (Naonworks acquisition) and SK Shieldus defend with local protocol support and on-site responsiveness.

3.5 Threat intel (CTI) and AI security

Dark-web monitoring, ASM, and AI anomaly detection are central. Sands Lab (30B+ malware samples) and S2W (DarkBERT) are globally recognized.

4. Listed companies — deep dives

4.1 Genians (263860) — from NAC standard to global ZTNA

  • Moat: 60%+ NAC share domestically; proprietary DPI engine for precise endpoint identification.
  • Transition: First domestic Cloud NAC + CSAP — successful subscription pivot.
  • Policy tailwind: Public-sector ZTNA mandate. Existing NAC customers upgrade to ZTNA as the path of least resistance.
  • Global: 50+ customers in the Middle East and US as of 2024.
  • Financials: 2024E revenue ≈ KRW 49.6B, OP ≈ KRW 10.9B (OPM 20%+). Top Pick.

4.2 AhnLab (053800) — Korea's flagship, evolving into a unified platform

  • Moat: V3 + "AhnLab Plus" integrated platform; IT-OT convergence via Naonworks delivers factory-office-cloud continuity.
  • MDR: Best-in-class domestic managed detection and response.
  • Policy tailwind: Smart-factory security (AhnLab CPS Plus); AI XDR for managed-services scale.
  • Financials: 2024 revenue KRW 260.6B, OP KRW 27.7B — record.

4.3 Igloo Corp (067920) — pioneer of AI security operations

  • Moat: #1 in Korea's managed security operations. 20+ years of high-quality labeled data fuels its AI.
  • XAI: Explainable AI productized for analysts.
  • Policy tailwind: AI-driven public SOC modernization + smart-city convergence ops.
  • Financials: 2024 revenue KRW 111.2B. Heavy AI R&D weighs on near-term margin; long-term setup improving.

4.4 Softcamp (258790) — MLS key player, CDR leader

  • CDR: Original tech that strips macros / scripts from incoming files and reassembles safe text and images.
  • ShieldGate (RBI): Server-side virtual containers stream pixels to users — logical equivalent of internet separation.
  • Policy tailwind: Indispensable for the MLS "O" grade; supply-chain security (GateScanner) demand growing.

4.5 Sands Lab (411080) — at the center of data intelligence

  • malwares.com: 2M samples / day, 30B+ cumulative samples and analyses.
  • Data business: Sells curated security datasets for training security-specialized LLMs.
  • Policy tailwind: Beneficiary of the cybersecurity fund and R&D (K-Cloud etc.); MS partnership opens global access.

4.6 MonitorApp (434480) — strong in public SaaS security

  • Full-stack SECaaS: Proprietary platform "AIonCloud" combines WAF and SWG.
  • Proxy tech: Handles heavy traffic with minimal latency.
  • Policy tailwind: CSAP-certified, ready for public cloud adoption; supplier on SMB voucher programs.

5. Unlisted contenders

5.1 SK Shieldus — convergence security giant

  • SK Telecom subsidiary (majority EQT Partners). Merger of ADT Caps and SK Infosec → Korea's largest security firm.
  • 2024 revenue exceeded KRW 2T.
  • SUMA scenario: Factory fire → auto-open doors + CCTV stream + production-network shutdown/backup, all on one platform.
  • Wins large manufacturer contracts (Samsung Electronics, SK Hynix) and intelligent buildings. Targeting 2025–2026 relisting, multi-trillion-KRW market cap likely.

5.2 S2W — the AI eyes that read the dark web

  • Founded by KAIST security researchers. Dark-web, crypto, CTI specialist.
  • DarkBERT: Specialized LLM trained on dark-web slang and hacker marketplace text (recognized at ACL).
  • Interpol official partner; customers include Korean National Police, Prosecutors' Office, and financial institutions. Series B 12M+ USD raised.

5.3 Theori — "you must attack to defend"

  • Founded by Park Sejun, core of PPP (DEFCON CTF most-wins record).
  • Zero-day discovery prowess; Web3 smart-contract auditing leader (Dunamu investment).
  • DREAMHACK: Korea's largest security education platform.
  • Reached finals at DARPA AIxCC 2024 — proven AI-driven vulnerability discovery.

5.4 AI Spera — global cyber-threat search engine

  • Founded by Prof. Kim Huy Kang's lab at Korea Univ. Operates "Criminal IP".
  • ASM: Auto-detects forgotten servers, open ports, expired certificates.
  • Users in 150 countries; data integrations with Google VirusTotal, Cisco. 2024 Series B KRW 12B.

5.5 Naonworks — OT protocol "translator"

  • 50% owned by AhnLab. Specializes in OT/ICS.
  • DPI & protocol translation: Deep analysis of Modbus / BACnet / OPC UA + conversion to standards.
  • Data diode: Localized one-way transmission tech.
  • Stable growth via AhnLab CPS Plus.

5.6 Tilon — hidden champion of public DaaS

  • KONEX-listed; VDI / DaaS specialist.
  • Dominant share in large public DaaS contracts (Korea Post, MOIS).
  • Proprietary ATC protocol supports domestic OSes (Tmax-Gooroom, Gooroom OS) — cost / compatibility edge vs Citrix / VMware.
  • Biggest beneficiary of MLS "S" grade workplace rollout.

6. Conclusion — sorting the gems and strategy

6.1 Outlook — necessity, not cost

K-Security + MLS + Zero Trust + punitive fines — together they propel the market toward KRW 30T by 2027. The industry shifts from box sales to a data / SaaS / intelligence-led high-margin industry.

6.2 Sector Top Picks and watchlist

| Theme | Core tech | Top Pick (Listed) | Watchlist | Why it matters |
|---|---|---|---|---|
| Zero Trust | ZTNA, NAC | Genians | AhnLab, McLoudBridge | Public ZT mandate, global references |
| MLS easing | CDR, RBI, DaaS | Softcamp | Tilon, Jiransecurity | "O" sanitization, "S" VDI demand |
| OT / convergence | CPS, fused SOC | AhnLab | SK Shieldus, Naonworks | Smart factory rollout, infra protection |
| AI & CTI | AI SIEM, ASM | Igloo Corp | Sands Lab, S2W, AI Spera | Automated detection, high-quality data value |
| Cloud (SaaS) | WAF, CASB | MonitorApp | PIOLINK, Trinity | CSAP-driven public SaaS lock-in |
| Offensive | Pentest, bug bounty | - | Theori, Stealien | Proactive testing, Web3 security |

6.3 Implications

  • Investors: Look beyond the legacy hardware-box framing — focus on names with high subscription mix (Genians, MonitorApp) or unique data assets (Sands Lab, S2W) that should re-rate.
  • Companies: Move from single-product competition to open platform ecosystems (AhnLab) or vertical-specific moats (Naonworks, S2W).
  • Policy leverage: MLS and zero-trust are multi-year, large-budget programs. Become a Trusted Advisor from the consulting phase, not just a vendor.

Korea's security market sits at a "pre-bang" energy condensation, where political will and technological progress converge. The next three years could be a breakout for prepared technology and capital combinations.
