Introduction#
On December 29, 2025, the Internet Society of China (中国互联网协会, ISC — an industry association affiliated with MIIT) published the China Internet Enterprise Comprehensive Strength Index (2025). Buried in Appendix 3 of the 39-page report is the 2025 Top 20 Chinese Cybersecurity Enterprises (2025年中国网络安全前二十家企业) — the officially sanctioned, publicly celebrated face of Chinese cybersec.
Cross-referenced against contractor leaks, US sanctions, and published APT attributions, the list is more revealing than the ISC likely intended.
The Top 20 (full ranked list)#
Translated from Appendix 3 of the ISC PDF (my translation of company names). Brand names are from the report; English names follow each firm’s own usage where it exists.
| # | Chinese name | Common English name | HQ |
|---|---|---|---|
| 1 | 三六零安全科技 | Qihoo 360 (360 Security Technology) | Tianjin |
| 2 | 天融信科技集团 | Topsec | Guangdong |
| 3 | 深信服科技 | Sangfor Technologies | Guangdong |
| 4 | 奇安信科技集团 | QiAnXin (QAX) | Beijing |
| 5 | 绿盟科技集团 | NSFOCUS | Beijing |
| 6 | 启明星辰信息技术 | Venustech | Beijing |
| 7 | 杭州安恒信息 | DBAPPSecurity (DAS-Security) | Zhejiang |
| 8 | 山石网科通信 | Hillstone Networks | Jiangsu |
| 9 | 新华三技术 | H3C (New H3C) | Zhejiang |
| 10 | 中孚信息 | Zhongfu Information | Shandong |
| 11 | 亚信安全科技 | AsiaInfo Security (TrustOne) | Jiangsu |
| 12 | 天翼安全科技 | Tianyi Security (China Telecom subsidiary) | Jiangsu |
| 13 | 杭州迪普科技 | DPtech | Zhejiang |
| 14 | 国投智能(厦门) | SDIC Intelligence (formerly Meiya Pico) | Fujian |
| 15 | 上海观安信息 | GuanAn Information | Shanghai |
| 16 | 北京数字认证 | BJCA (Beijing Certificate Authority) | Beijing |
| 17 | 杭州美创科技 | Hangzhou Meichuang (Mechuang) | Zhejiang |
| 18 | 北京安博通科技 | Anbotong (ABT Networks) | Beijing |
| 19 | 北京神州泰岳软件 | Ultrapower Software (Beijing Shenzhou Taiyue) | Beijing |
| 20 | 福建中信网安 | Fujian Zhongxin Wang’an (Hua’an Star) | Fujian |
Firms with off-record / contractor footprint#
These are the firms where public reporting links them — at varying distances — to offensive operations, contractor work, or state-aligned intelligence collection.
- #1 Qihoo 360 — On the US Commerce Entity List since May 2020 for “supporting procurement of items for military end-use in China,” and on the DoD’s Chinese-military-tied list since 2022. 360 publishes attribution work against Western APTs and was the commercial parent of the Pangu team prior to its 2021 merger into QiAnXin — including the Bvp47 disclosure pinning a Linux backdoor on the NSA Equation Group.
- #2 Topsec (天融信) — In ThreatConnect’s 2015 Anthem-hack attribution work1, C2 infrastructure for the Anthem breach (Deep Panda / APT19) resolved to a
topsec2014.comdomain registered fromTopSec_2014@163.com. Topsec is described as a PLA vendor with military clearance. - #4 QiAnXin (奇安信) — Spun out of 360 in 2016. Per The Wire China’s i-Soon investigation2, a wholly-owned QiAnXin subsidiary invested in i-Soon in 2018 and remained the second-largest investor at ~13%; leaked documents show i-Soon occasionally subcontracting on QiAnXin government contracts. QiAnXin also owns the Pangu Lab (iOS-jailbreak / Bvp47) following a 2021 merger, and Natto Thoughts traces Pangu’s head TB as QiAnXin’s “key point of contact” with i-SOON’s CEO.
- #6 Venustech (启明星辰) — In late May 2025, two datasets surfaced on DarkForums: the VenusTech Data Leak and the Salt Typhoon Data Leak. Per SpyCloud3, the samples appear to document offensive hacking services for Chinese state customers — including a contract to deliver four monthly updates of stolen email data from the Korean National Assembly server at
65,000 yuan ($9,000) per cycle, plus targets in Hong Kong, India, Taiwan, South Korea, Croatia, and Thailand. BankInfoSecurity4 covered the broader Salt Typhoon contractor angle. The dataset’s full provenance has not been independently verified outside the original brokers. - #9 H3C (新华三) — Wholly owned by Tsinghua Unigroup since HPE’s 2024 exit. Its semiconductor subsidiary, New H3C Semiconductor Technologies, was added to the BIS Entity List in November 2021 as a supplier supporting “the military modernization of the People’s Liberation Army.”
- #14 SDIC Intelligence / Meiya Pico (国投智能 / 美亚柏科) — On the US BIS Entity List since October 2019 for Xinjiang surveillance, and on OFAC’s Non-SDN Chinese Military-Industrial Complex Companies List since 2021. Developer of the Massistant mobile-forensic extraction tool used by Chinese police to siphon SMS, GPS, photos, contacts, and encrypted-app data from seized phones. Per Recorded Future5, also trains Tibetan police on hacking techniques.
The remaining 14 firms in the Top 20 sell into government, defense, and SOE markets, but I could not find public English-language reporting attributing them as contractors to MSS, MPS, or PLA hacking operations. Selling into the classified market is not the same as running offensive operations from those positions.
Notable absences#
Who isn’t on the podium is the more interesting question.
- KnownSec (知道创宇) — The November 2025 leak exposed a turnkey offensive toolchain, a global key-target library, and quantified exfiltration (95GB of Indian immigration data, 3TB of LG U+ call records, 459GB of Taiwan road-planning data). Absent from the top 20. The CICCI is a comprehensive strength index weighted on revenue, R&D, IP, and headcount — not on tradecraft.
- i-Soon / Anxun (安洵信息) — The Chengdu firm at the center of the February 2024 GitHub leak and the March 2025 US DOJ indictment of eight i-Soon employees plus two MPS officers. Not on the list — but its second-largest investor, QiAnXin, is at #4.
- Wuhan Xiaoruizhi (武汉晓睿智) — DOJ-named MSS front in the March 2024 APT31 indictment of seven Chinese nationals, described as having been “established by the Hubei State Security Department in 2010 specifically to carry out cyber operations.” Not on the list.
- Sichuan Silence (四川无声) — OFAC-sanctioned December 2024. Integrity Tech / 永信至诚 — sanctioned January 3, 2025 as a Flax Typhoon contractor. Sichuan Juxinhe (四川聚信和) — sanctioned January 17, 2025 as a Salt Typhoon contractor. None on the list.
The pattern: firms that get burned in Western indictments and sanctions don’t appear on the ISC’s celebration list. The CICCI filters for scale and respectability. Burned contractors don’t make the cut — but their investors (QiAnXin) and commercial parent figures in the same ecosystem (360, Topsec) do.
US sanctions overlay#
Of the official top 20: #1 Qihoo 360 is on the BIS Entity List (2020) and the DoD Chinese-military-tied list (2022); #9 H3C has its semiconductor subsidiary New H3C Semiconductor on the BIS Entity List (November 2021); #14 SDIC Intelligence (Meiya Pico) is on both the BIS Entity List (2019) and OFAC’s NS-CMIC list (2021). That is three of the top twenty with current US export-control or sanctions designations (H3C via subsidiary). The other seventeen are not formally sanctioned — though Topsec (#2), QiAnXin (#4), and Venustech (#6) have been named in public reporting as state-aligned hacking contributors.
Of the top twenty firms that China’s officially-affiliated industry body crowned in December 2025, six can be tied to public offensive-cyber reporting: 360 (Entity List + Pangu/Bvp47), Topsec (Anthem-hack infrastructure), QiAnXin (i-Soon’s second-largest investor and Pangu’s parent), Venustech (named in the 2025 Salt Typhoon / VenusTech dark-web dump), H3C (semiconductor subsidiary on the Entity List), and SDIC Intelligence/Meiya Pico (Entity List + OFAC NS-CMIC). The CICCI is not a tradecraft index — it weights revenue, R&D, headcount, IP. And yet a third of the podium has a documented offensive shadow. The list isn’t trying to be a contractor catalogue; it just happens to read like one if you cross-reference it.
ThreatConnect, “The Anthem Hack: All Roads Lead to China,” 2015. https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/ ↩︎
The Wire China, “Hacking the Hackers: i-Soon, Chengdu 404, and the Cyber-Industrial Complex,” March 3, 2024. https://www.thewirechina.com/2024/03/03/hacking-the-hackers-i-soon-chengdu-404-data-leak/ ↩︎
SpyCloud, “State Secrets for Sale: Inside the Chinese Hacking Ecosystem.” https://spycloud.com/blog/state-secrets-for-sale-chinese-hacking/ ↩︎
BankInfoSecurity, “Chinese Data Leak Reveals Salt Typhoon Contractors.” https://www.bankinfosecurity.com/chinese-data-leak-reveals-salt-typhoon-contractors-a-28919 ↩︎
Recorded Future, “Chinese firm tied to Uyghur abuses now training police on hacking in Tibet.” https://therecord.media/chinese-firm-tied-to-uyghur-abuses-training-police-hacking-tibet ↩︎