DEEP RESEARCH · SANDS LAB/AI SECURITY

Sands Lab: The Data Refinery of AI Security and the J-Curve Inflection

A review of 30B threat data points, SANDY, the CTX platform, customer concentration, and DCF valuation.

Published: 2025-12-10 · TMT/cybersecurity/AI software analysis · Naver Blog

Investment decisions are your responsibility. This material is research, not a recommendation to buy or sell.

0. Bottom line first

I view Sands Lab less as a security SI vendor and more as a data-asset company that can refine Asian threat data into AI security models and CTI subscriptions. The source presents BUY, a KRW 12,000 target price, a KRW 7,800 current price example, and +53.8% upside, but the key issue is whether the platform transition can support the assumed 2027 turnaround.

DATA MOAT

30B+ threat data points

Malware and threat-intelligence data are the training and subscription base for SANDY and CTX.

J-CURVE

From SI to platform

The decline in low-margin, one-off SI revenue is interpreted as the early cost of moving toward recurring data subscriptions.

VALUATION

KRW 183.0B equity value

The DCF assumes a KRW 12,000 fair value, about KRW 43.0B of net cash, and 15,267,638 shares outstanding.

1. Investment thesis and security trends

Official fact: The source says the cybersecurity paradigm is shifting from protection to intelligence and prediction, and defines Sands Lab’s core asset as more than 30 billion malware and threat-intelligence data points.

Interpretation: The current operating loss and SI revenue decline look less like business deterioration and more like a change in revenue quality. Still, if platform revenue converts slowly, the J-Curve becomes longer and valuation support weakens.

Figure: Sands Lab AI security architecture. Turning data assets into products and subscription revenue.

  • Threat data: 30B+ malware records
  • SANDY: Security sLLM/RAG
  • CTX: CTI platform/API
  • MDX/MNX/MAX: Document, network, endpoint sensors

The goal is not merely selling defense appliances, but embedding threat-judgment data into customer security workflows.

In AI security, attackers can use generative AI to automate polymorphic malware and sophisticated phishing scenarios. Signature-based detection and simple heuristics struggle to explain intent, attribution, and response scenarios. The source therefore sees the market moving from simple malicious/benign classification toward security reasoning.

Sands Lab’s answer is SANDY, its security-specialized sLLM. It starts from the observation that general-purpose LLMs can hallucinate in binary-code analysis, then trains on Sands Lab’s own threat data and fine-tunes the model to understand reverse-engineered assembly code and file metadata. RAG lets it reference current threat intelligence when generating analysis reports.

AI

From detection to reasoning

SANDY is positioned as a model specialized in Korean/Asian threat data and malware analysis.

PLATFORM

Intelligence integration

CTX integrates MNX, MAX, and MDX sensor data and injects it through APIs into firewalls, SIEM, and SOAR systems.

ZERO TRUST

Decision evidence

Sands Lab can provide risk-scoring data to the policy decision point in zero-trust architecture.

CLOUD

Docker-based MDX

MDX is designed for cloud, closed-network, and Kubernetes deployments, with autoscaling support.

2. Competition and economic moat

Sands Lab focuses on the CTI niche, but the competitive field is serious. Domestic references include S2W and Genians; global references include Google/VirusTotal and Recorded Future.

| Category | Sands Lab | S2W | Implication |
|---|---|---|---|
| Core data | Binary/file-centered, 30B+ | Dark-web/text-centered | Sands Lab is stronger in malware analysis; S2W is stronger in human threat intelligence and financial tracing. |
| AI model | SANDY, security sLLM | DarkBERT, dark-web LLM | SANDY focuses on reverse engineering and report generation. |
| Business model | Data subscriptions and deployment-style solutions | SaaS, consulting, investigation support | Sands Lab is closer to supplying data to KISA, defense agencies, and security vendors. |
| Main customers | Security vendors, public sector, enterprise | Law enforcement, Interpol, exchanges | Sands Lab is closer to technical defense; S2W is closer to investigative intelligence. |

Interpretation: If Genians guards the gate with NAC, Sands Lab supplies the guard with the risk list. VirusTotal is the global standard, but uploading sensitive files creates data-leakage concerns; Sands Lab’s private-cloud option can be attractive to public-sector and financial customers that care about data sovereignty.

Official fact: The source says Sands Lab collects an average of 2 million new malware samples per day, and that it would take a new entrant more than 20 years to replicate the 30B dataset. It also cites two NET certifications, including binary reverse-engineering-based attacker profiling, with the validity period extended by three years.

3. Market size and growth

| Market | Source figure | Meaning |
|---|---|---|
| Global CTI | USD 11.5B in 2021 → USD 15.8B in 2026, 6.5% CAGR | The baseline market grows steadily but not explosively. |
| Aggressive global estimate | About USD 20.2B by 2027, 19% CAGR | Growth assumptions differ meaningfully by source. |
| Korean CTI | USD 340M in 2021 → USD 460M in 2026, 6.2% CAGR | Compliance tightening leaves room for growth. |
| AI training data | Expected 20~30%+ annual growth | Security-model training data is the hidden TAM. |

Interpretation: Conventional CTI forecasts do not fully capture the generative-AI boom. If Microsoft, Google, and AWS need legally clean, accurately labeled malware datasets for security LLMs, Sands Lab can become a data vendor rather than only a security solution company.

The source forecasts Sands Lab revenue to grow at an 18.5% CAGR from 2025E to 2030E. For 2025~2026, the drivers are government-led security R&D, KISA datasets, deepfake detection, and CTX paid-subscription conversion. For 2027~2030, the upside comes from big-tech data licensing, Southeast Asia/Japan expansion, and potential monetization of Microsoft partnership discussions.

4. Financials and DCF valuation

Official fact: Cumulative Q3 2025 revenue was KRW 5.22B and operating profit was -KRW 4.3B. The revenue decline is explained as the process of reducing low-margin SI and increasing product revenue. The source mentions SI revenue share moving from 80.7% toward a 30%-range target.

Official fact: Current assets were KRW 35.1B, and cash-like assets including financial assets were about KRW 43.0B. The source describes leverage as extremely low, with net debt negative, and says the current burn can be sustained for more than three to four years.

| Variable | Assumption | Basis |
|---|---|---|
| Risk-Free Rate | 3.5% | Korea 10-year government bond yield |
| Beta | 1.35 | KOSDAQ small-cap technology and security-sector average |
| Equity Risk Premium | 6.0% | Korean equity risk premium |
| Cost of Equity | 11.6% | CAPM, 3.5% + 1.35 × 6.0% |
| Cost of Debt | 5.0% | Reflects strong balance sheet |
| WACC | 11.5% | Effectively debt-light capital structure |
| Terminal Growth | 3.0% | Long-term inflation and security-industry growth |

| Year | Revenue | Operating profit | Key assumption |
|---|---|---|---|
| 2025E | KRW 7.5B | -KRW 5.5B | Restructuring and investment phase |
| 2026E | KRW 9.8B, +30% YoY | -KRW 2.0B | CTX subscriptions begin scaling |
| 2027E | KRW 13.7B, +40% YoY | KRW 1.5B | Breakeven and global data revenue recognition |
| 2028E | KRW 18.5B | KRW 5.5B, 30% OPM | Platform leverage expands |
| 2029E | KRW 24.0B | KRW 8.4B, 35% OPM | Maturity phase |

The DCF output is straightforward: about KRW 15.0B for the PV of the explicit period, about KRW 220.0B of terminal value, about KRW 125.0B of PV of terminal value, and KRW 140.0B of enterprise value. Adding KRW 43.0B of net cash gives KRW 183.0B of equity value, which over 15,267,638 shares outstanding yields a KRW 12,000 fair value.

5. Customers and risks

| Customer group | Share | Source interpretation |
|---|---|---|
| Customer A | 45.65% | Identified as KISA and related government institutions, with cited contracts such as a KRW 2.05B cyber-security AI dataset update and KRW 510M generative-AI incident response. |
| Customer B | 20.25% | Estimated to be a large Korean MSSP or partner comparable to SK Shieldus/AhnLab. |
| Others | 34.10% | Small and mid-sized security vendors and enterprise customers. |

Interpretation: A 66% top-two customer share is a real risk. Government budget cuts or vendor replacement could pressure half the revenue base. Conversely, if Microsoft-related Asian threat-data supply discussions turn into revenue, the portfolio could shift from domestic public-sector concentration to global private-sector demand.

Key risks

  • Customer concentration: the top two customers account for 66% of revenue.
  • Technology commoditization: if big-tech security LLMs become strong at malware analysis, SANDY’s utility could decline.
  • Delayed profitability: AI talent competition and GPU cloud costs could delay the expected 2027 breakeven.