Market Overview

Historically, investing in cybersecurity was considered a cost center to maintain infrastructure. In addition, mid-sized enterprises* and SMEs* typically assume they are too small to be targeted. This misconception led quite a few companies to allocate only a fraction of total budget to security measures.

However, the barrier to entry for cybercrime has plummeted due to democratization (the state where the accessibility to advanced tools like generative AI made cyber attacks within the reach of general public) and cheaper cost (criminals can now leverage affordable tools that do not require technical skills). Meanwhile, the shift toward cloud computing, advancements of IoT, and spread of remote work has vastly increased the digital footprints of most organizations, not only within corporate network but also outside, due to the use of mobile devices and diversified network environments. The situation has expanded attack surfaces, giving hackers more entry points to exploit.

The series of cyber attack reports identified types of attack and attack surfaces, and gave warning to companies across the board to realize the difficulty (efforts) and length of time required to recover from cyber attacks. Under the circumstances, boardrooms pivoted to treat cybersecurity and business continuity (BCP) as a strategic priority instead of viewing it as merely a technical routine by IT department. Given the situation driving cybersecurity investment, we have estimated the cybersecurity market size in FY2025 at 1.95 trillion yen (based on the sales of service providers).

*Translator’s note: In this report, "mid-sized enterprises" refer to companies with up to 2,000 employees (as defined under Japan's Industrial Competitiveness Enhancement Act), while “SMEs” refer to companies typically with up to 300 employees (as defined under Small and Medium-sized Enterprise Basic Act).

Noteworthy Topics

Cybersecurity Maturity Averaged at 3.0

Between the end of June and early September 2025, we have carried out the corporate user survey on cybersecurity implementation. The population of the survey was 495 private companies in Japan in the following sectors: process manufacturing, discrete manufacturing, service operation, distribution, or financial services.


The survey result revealed that cybersecurity maturity at most companies was between Level 2 and 4, with less than 10% assessing their levels at either 1 (Ad-Hoc / Initial) or 5 (Optimized / Adaptive). The average maturity was 3.0 (Defined / Standardized), indicating security processes are formally documented, standardized, and implemented organization-wide. Nonetheless, amid growing threats, the status seems concerning.

Future Outlook

The cybersecurity market in Japan is projected to attain 2,122 billion yen in FY2026, representing 9.0% increase from the previous fiscal year (based on the manufacturer sales).
Looking ahead, AI is expected to be a central element in cybersecurity. In the medium to long term, AI agents will be integrated into products (hardware and software), and once these agents are incorporated into operations, cybersecurity operation will be automated. 
In addition, cybersecurity marketplaces—a channel that has not seen much growth in the Japanese market—is expanding. Major foreign companies are increasingly utilizing these platforms, and this trend is likely to continue.
Moreover, by around 2030, it may be necessary to establish measures against unauthorized cryptographic decryption by quantum computers. Vendor companies should consider not only the features of their products but also their collaborative relationships with partner companies and the overall ecosystem. Meanwhile, partner companies (SI companies pertaining to system development and maintenance) need to strengthen their technical capabilities and know-how to respond to changes in user companies’ system environments, while identifying vendors capable of keeping pace with evolving security trends.

Research Outline