THE COI Cybersecurity Industry Observation Framework
Z-ONE TEAM
Feb 9
Updated: Mar 27

01 Framework Rationale
Cybersecurity is not a singular technical domain, but a complex ecosystem jointly shaped by resources, technologies, institutions, demand, and governance. As cybersecurity capabilities continue to be produced, traded, deployed, and governed on a global scale, the field has increasingly evolved into an industry characterized by differentiated roles, functional specialization, and cross-domain interaction.
THE COI develops this Cybersecurity Industry Observation Framework not to impose a normative definition or value judgment on the industry, but to offer a structured approach to observation and analysis—one that enables a clearer understanding of how different roles emerge, operate, and relate to one another within the cybersecurity ecosystem. We hold that meaningful understanding of complex systems requires explicit role differentiation; such differentiation is not intended to freeze reality, but to make relationships visible, differences comparable, and evolution intelligible.
Within this framework, THE COI abstracts the cybersecurity industry into a set of core categories, which serve as foundational reference points for observing how the ecosystem functions. These categories are not meant to represent the singular or essential identity of real-world organizations. Rather, they describe the functional roles that entities assume in specific contexts. A single actor may span multiple categories across different phases or situations, and its actions may therefore carry layered meanings.
At the same time, THE COI recognizes that relationships within the cybersecurity industry are inherently multidimensional. Technical, commercial, institutional, cultural, and political dynamics are often interwoven, and their expressions vary across time, geography, and analytical perspective. This framework does not seek to reduce such complexity, but instead aims to provide a basis upon which complexity can be examined, compared, and discussed.
Based on this rationale, THE COI proposes a cybersecurity industry observation framework composed of five core categories. The following sections define each category, clarify their analytical boundaries, and outline the perspectives through which they are examined.

02 Definition of the Research Object
Category 1: Zero-Day (Primary Sector)
Following the economic system analogy, the primary category corresponds to the raw resources of the natural world, such as coal or oil in the physical economy. In the cybersecurity industry, “Category 1: Zero-Day,” as defined in this report, refers to vulnerabilities that remain in their primordial state: not yet instrumentalized and outside institutionalized management.

Any further evolution or intervention applied to these raw resources—whether through validation, trading, tooling, defensive deployment, or regulatory, governance, and other forms of institutional counteraction—marks their transition from a primordial state into other dimensions of the industrial ecosystem, gradually becoming operable, institutionally manageable, and governable resource elements.
Category 2: Technology Production and Value Delivery (Secondary Sector)
In the cybersecurity industry, the secondary category refers to the industrial system that transforms technological capabilities into products, tools, services, or financial instruments, and delivers them commercially to end users. The ecosystem includes not only technology developers and manufacturers, but also all derivative actors who convey value to clients—such as sales, integration and system assembly, delivery and implementation, and all supporting structures that facilitate value realization.

Technology itself is morally neutral, yet it empowers its users. The ultimate purpose of the secondary sector is to enable end users to realize the full value of technological capabilities. However, as user needs and objectives vary, the selection and application of specific technologies likewise differ—whether commercial or political, whether just or malicious, the realization of value ultimately depends on the intent of the user.
Category 3: Third-Party Institutions (Tertiary Sector)
In the global cybersecurity market, there is no singular ultimate arbiter. Countless third-party institutions continuously emit judgment signals through their own symbolic systems. These signals are repeatedly referenced and cross-validated within the market, gradually coalescing into a distributed expert trust system, which ultimately converges into actual commercial choices and decisions.

“Third-party institutions,” as defined in this report, are independent organizations or systems that do not directly provide products or services, but through institutionalized mechanisms actively articulate knowledge, judgments, and opinions, producing outputs that are recognized, referenced, and materially influence vendor assessment, trust formation, and business decisions.
Category 4: Demand & Adoption
Within the cybersecurity ecosystem, the fourth category refers to technology demanders and end users, understood as a macro-level user collective, with a highly diverse global distribution. Users can be categorized by country or region, or by industry characteristics; they may also be classified as critical infrastructure based on their socio-economic impact. Moreover, depending on their political or commercial objectives, as well as lawful or illicit intentions, demanders exhibit diverse characteristics.

Not all technological demands are met. The choices of demanders drive technological iteration and industrial development, while their usage simultaneously validates the advancement, maturity, and practical value of technologies, serving as an indispensable feedback and value assessment mechanism within the technological ecosystem, and representing the value pathway through which cybersecurity technologies reintegrate into the mainstream social system.
Category 5: Regulatory Authorities
Within the cybersecurity ecosystem, the fifth category refers to regulatory institutions with clearly defined jurisdictional authority and enforcement capability across national, regional, or industry dimensions. Globally, these institutions coordinate through mechanisms of collaboration and interaction to continuously monitor development trends and challenges across the industry, implementing governance and regulatory measures to maintain ecosystem order and systemic stability.

Regulatory institutions not only establish rules but also, through supervision, coordination, and guidance, influence technological application, industrial behavior, and societal value realization, serving as an indispensable institutional pillar within the cybersecurity ecosystem, while also driving the development and evolution of both industry and ecosystem.
03 Notes
1. Role Multiplicity and Analytical Perspective
It should be noted that certain institutions exhibit role multiplicity within the cybersecurity ecosystem, with their functions and behaviors often spanning multiple categories. For example, regulatory authorities classified under Category 5 frequently also act as government demand-side entities under Category 4. Similarly, telecommunications operators may function both as direct users of cybersecurity technologies and as Category 2 actors involved in system integration and solution delivery.
Within this framework, classification is not intended to define an institution’s singular or essential identity, but to distinguish the functional roles it assumes in specific contexts. Accordingly, analysis assigns institutions to different categories based on their situational roles, rather than imposing a static or exclusive classification.
2. The Non-Attribution of Individuals
This framework does not assign categorical attribution to individuals themselves. The underlying rationale is that individuals constitute highly fluid variables rather than stable industrial roles. A person’s skills, identities, and behaviors may fall into different categories depending on time, context, and mode of engagement.
For instance, a highly skilled security researcher may, during working hours, operate as part of an enterprise or government demand-side organization under Category 4, or as an employee of a technology vendor under Category 2, conducting compliant research and development. Outside formal work contexts, the same individual’s technical activities may fall within Category 1, involving the discovery and analysis of Zero-Day vulnerabilities and, in some cases, their circulation.
04 About THE COI
THE COI (Cybersecurity Observatory Institute) is an independent, non-profit research institute dedicated to the sustained observation and systematic epistemic study of the global cybersecurity ecosystem as a structured, multi-layered industry.
Established for academic and public-interest purposes, THE COI does not engage in vulnerability trading, technology production, commercial services, or compliance enforcement. Instead, it operates as a neutral observatory—examining how cybersecurity capabilities are generated, commercialized, institutionalized, and governed across different sectors and jurisdictions.
By systematically mapping actors, roles, and interactions across the sectors of cybersecurity, THE COI develops analytical frameworks, ecosystem models, and research outputs intended to support informed decision-making by users, institutions, and policymakers.
THE COI is independent by structure.
Its role is not to participate, but to observe, study, and clarify the complexities of an evolving global cybersecurity landscape.
Contact THE COI
info@the-coi.org