Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry
The belief that offense enables defense in cyberspace, first rooted in China’s 1990s hacker culture, has since permeated the country’s cyber ecosystem
Across the globe, a core tenet is gradually gaining traction in the cyber domain: passive defense alone is not enough. A limited but growing number of states have embraced some form of active defense—the idea that effective cybersecurity requires not just detection and response, but also preemptive action to disrupt adversaries.[1]
In the United States, this principle is formally codified in the 2018 Department of Defense Cyber Strategy under the doctrine of “Defend Forward,” authorizing U.S. Cyber Command and the NSA to proactively disrupt threats within adversaries’ own networks. Variations of this approach have since been adopted by other governments. In China, the concept of active defense is grounded in longstanding military strategy. Although this principle extends to cyberspace, as outlined in China’s 2015 military strategy, China has not yet articulated a dedicated active cyber defense doctrine comparable to that of the United States.
Yet in practice, China’s cyber ecosystem reflects a deeply embedded mindset: “To defend, one must first know how to attack” (未知攻,焉知防). Popularized within grassroots hacker communities in the 1990s, this defense-through-offense philosophy has since extended throughout China’s cyber landscape. Today, it underpins a tightly integrated ecosystem of state-aligned private companies, in which offensive cyber capabilities are a major engine of cybersecurity innovation.[2] These capabilities likely serve as key enablers of the country’s advanced persistent threat (APT) groups, given China’s extensive reliance on private-sector proxies for cyber operations.
Coolfire and the Origins of China’s Defense-Through-Offense Mindset
In the mid-1990s, during the early years of China’s internet, hacking was less a profession than a form of exploration. With few formal institutions to train aspiring security experts, the country’s first generation of hackers turned instead to underground forums, online hacking manuals, and peer-led learning networks.
Within this first generation of hackers, the defense-through-offense philosophy was popularized by influential Taiwanese hacker Lin Zhenglong (林正龙), known as “Coolfire.” In “A Top-Secret Analysis of China’s Hacker X-Files,” posted on the website of the Changzhou Computer Information Network Security Association (常州市计算机信息网络安全协会) in 2009, he was described as “the number one hacker in China.” His “Hacker Entry-Level Tutorial Series” (黑客入门教程系列), a collection of eight articles, became the first structured hacker training material available to Chinese speakers. Many early hackers, including Xfocus member Wang Yingjian (王英键, casper) and Green Army founder Gong Wei (龚蔚, goodwell), credited his work as foundational to their entry into hacking.
Coolfire framed offensive skills as essential for defensive awareness. In the introduction to his manual, he wrote:
“This is not an instructional document, but rather a guide to show you how to crack a system so that you can better protect your own system. If you read through this entire document, you will understand how hackers infiltrate your computer. I am Coolfire, and the purpose of writing this article is to raise awareness about the importance of computer security, not to teach people how to crack passwords. If anyone uses this document to maliciously hack into others’ computers or networks, I bear no responsibility!!”
China’s Early Cyber Defenders Embraced the Defense-Through-Offense Mindset
By the early 2000s, the defense-through-offense mindset had been adopted by Chinese hacktivist groups targeting perceived threats from the United States, Taiwan, and Japan. These groups, such as the China Eagle Union, the Green Army, and the Honker Union of China, combined this approach with nationalist ideology, framing offensive cyber operations as legitimate acts of patriotic defense.[3]
China Eagle Union leader Wan Tao (万涛, Eagle) stated in 2013 that in the early 2000s “We thought it was our responsibility to defend China,” while the group’s website declared: “Without real offensive practice, how can we prove our shield is truly strong?” Similarly, Honker Union founder Lin Yong (林勇) claimed in 2010 that their goal was strictly defensive: “The Honker Union… has no interest in getting involved in politics. We work only for the security of Chinese websites.” In a 2008 interview, Green Army veteran Zhou Shuai (周帅, coldface)—who had participated in patriotic hacking campaigns in the late 1990s and was later indicted by the U.S. in March 2025 for state-sponsored cyber operations—summed up the ethos succinctly: “Only when you know how to attack can you know how to defend.”
For these groups, offensive operations were not only a form of patriotic defense but also the most effective method of gaining real-world hacking skills.
Learning by Breaking
In the early 2000s, China had few formal pathways for hands-on practical skills. Dedicated university cybersecurity programs were limited, and widely accessible training platforms such as Capture the Flag (CTF) competitions,[4] bug bounty programs,[5] and cyber ranges[6] were still years away. In this vacuum, hacker groups emerged as de facto training academies. Groups such as China Eagle Union, 0x557, and Xfocus organized around collaboration, mentorship, and skill-sharing, grounded in the belief that mastering offensive techniques was essential for effective defense.
In practice, this often meant targeting real-world systems. In a 2009 article, Wan Tao (万涛, eagle), founder of the China Eagle Union, noted: “When you don’t have certain resources, you can only look for [attack targets] on the Internet.” Reflecting on the past at the INSEC WORLD 2020 conference in Chengdu, Wang Junqing (王俊卿, la0wang), founder of 0x557, said: “The environment in the late 1990s and early 2000s gave us a lot of space — we had the opportunity to hone our network attack skills [on real world targets]. Nowadays, although the environment has changed, we can still study it from another angle: CTFs, vulnerability testing, and other security competitions.”

By the late 2000s, many self-taught hackers began to professionalize. Notable companies founded by members of early hacker groups included Knownsec (2007), DBAPP Security (2007), and Pangu Lab (2014), all of which embedded the “to defend, one must first know how to attack” principle into their business models.
However, into the early 2010s the broader industry largely focused on antivirus software and basic enterprise protection. It wasn’t until demand for more advanced capabilities grew that offensive knowledge became a strategic asset.
Institutionalizing the Attack-Defense Mindset
The formalization of the defense-through-offense model accelerated in the early 2010s, spurred by international success, economic opportunity, and policy shifts. The 2013 revelations by former US NSA employee Edward Snowden were a key inflection point. They exposed the scale of U.S. surveillance and revealed China’s own cyber vulnerabilities, catalyzing a national reassessment of cybersecurity priorities.
“The Snowden files were a really big deal for us,” said retired PLA colonel Lyu Jinghua. Xfocus members and Knownsec founders Zhao Wei (赵伟, icbm) and Yang Jilong (杨冀龙, watercloud) echoed that view. According to Zhao, the Snowden revelations confirmed China’s worst fears: US intelligence operated in "God Mode," with near-limitless access to private communications. “We have Snowden to thank,” Yang noted in 2016. “His revelations made China increasingly aware of its gap with the rest of the world.”
In 2014, President Xi Jinping elevated cybersecurity to a national strategic priority, calling for China to become a “cyber powerhouse.” The private sector quickly aligned. As a 2022 article by 36Kr—China’s equivalent of TechCrunch and a publicly listed media company focused on technology and finance—titled “The Invisible Smoke: Thirty Years of Ups and Downs in China's Cybersecurity” (看不见的硝烟:中国网络安全三十年沉浮史) observed: “In 2014–2015, the cybersecurity component was the hottest sector in the A-share market. As long as the main business of a listed company included cybersecurity, it would be sought after by investors.” The industry has since grown steadily, averaging an annual growth rate of 12.4%, according to data from the Chinese Ministry of Industry and Information Technology (MIIT).
At the same time, Chinese university CTF teams—particularly from Tsinghua, Zhejiang, and Shanghai Jiao Tong—began to shine in international attack-defense live-fire competitions (实战化演练) such as the prestigious DEFCON CTF held annually in Las Vegas. These competitions embody the “defense through offense” principle. In these events, teams must defend their systems while simultaneously launching attacks on others. The Chinese CTF teams’ success brought global recognition and national prestige, reinforcing the value of offensive training as a legitimate path for cyber talent development.
This dual momentum—top-down state prioritization of cybersecurity as a national security imperative and bottom-up recognition of Chinese hacking talent on the global stage—catalyzed the growth of China’s domestic hacking competition ecosystem. Between 2004 and 2013, only a few such events were held each year. That changed in 2014 with the launch of BCTF, China’s first attack-defense CTF explicitly modelled on DEFCON CTF. From 2017 to 2023, China hosted between 37 and 56 hacking competitions annually, many centered on real-time attack-defense formats.

A New Generation of Entrepreneurs Focused on Attack-Defense Live-Fire Capabilities
While attack-defense was already a central focus for companies founded by elite hackers active in forums during the 1990s and 2000s, it has since become its own industry segment—now driven by a new generation of hackers trained within a far more structured and state-aligned system. Unlike their predecessors, who came of age reading hacker magazines and teaching themselves online, these post-90s entrepreneurs emerged from formal cybersecurity education, CTF training circuits, and research labs.
According to a December 2023 analysis by Anquan 419, a media company focusing on China’s cybersecurity industry development, the cybersecurity market is shifting from a compliance-dominated model to one increasingly focused on attack-defense, driven by national policy support, growing market demand, and rapid technological innovation. A January 2025 report published by Hufu Think Tank (虎符智库), which was founded by China’s top cybersecurity company Qi An Xin, further supports this trend, noting that attack-defense live-fire capability is increasingly regarded as the primary engine of innovation in the sector. Many of today’s most prominent cyber firms were founded by former CTF champions, whose experience in attack-defense contests laid the foundation for commercial tools and services such as red teaming, penetration testing, breach simulation platforms, cyber ranges and threat intelligence.
Founders like Chen Peiwen (陈佩文), who leads Boundary Unlimited (边界无限), Kevin Shen (沈凯文) of Yunqi Wuyin (云起无垠), and Shu Junliang (束骏亮) of Feiyu Security (蜚语安全) all led top university CTF teams before launching startups grounded in offensive capabilities. Their companies now specialize in fuzzing, application security, and secure software development—sectors where offensive skills are a strategic advantage. According to Chen Peiwen, enterprise and government clients increasingly demand measurable results, prioritizing active threat simulation and mitigation over policy compliance.
Other founders, such as Zhang Ruidong (张瑞冬), who heads NoSugar Information Technology (无糖信息) and Yang Changcheng (杨常城), founder of Zhongan Netstar (中安网星), have applied offensive techniques to fraud detection, identity threat defense, and support for law enforcement. Collectively, they represent a generational shift in China’s cybersecurity industry—one where defense-through-offense is no longer just a guiding principle, but a commercial strategy.
Conclusion: From Underground Ethos to Strategic Asset
This evolution reflects a broader institutionalization of the defense-through-offense mindset that still echoes Coolfire’s original lesson: you cannot truly secure a system without first understanding how to break it. Once the hallmark of underground hacker culture, it is now embedded in China’s cybersecurity architecture—from universities and CTF teams to companies that formalize and commercialize offensive expertise as a driving force of cybersecurity innovation. As this ecosystem grows, it is likely playing a central role in enabling China’s APT activity, given the state’s growing reliance on private-sector actors to conduct cyber operations.
[1] Even as active cyber defense gains ground, public discourse around appropriate policy frameworks and operational norms continues to lag behind.
[2] While the defense-through-offense mindset exists in Western technical circles, it operates within a system primarily driven by defensive priorities, where ties to government are often commercially motivated and relatively fragmented.
[3] The word “honker” comes from “hong-ke,” a transliteration of the Chinese word 红客, which means “red hackers.” (For more on this early generation of patriotic hackers, see the chapter “Becoming a Cyber Superpower: China Builds Offensive Capability with Military, Government and Private Sector Forces” in the book “The Emergence of China’s Smart State.”) See also https://nattothoughts.substack.com/p/zhou-shuai-a-hackers-road-to-apt27.
[4] Capture the Flag (CTF) competitions are simulated cybersecurity challenges where participants apply offensive and defensive skills—such as exploiting vulnerabilities, reverse engineering, or cryptography—to solve problems and retrieve hidden “flags” for points.
[5] Bug bounty programs are structured initiatives where organizations invite security researchers to identify and responsibly disclose vulnerabilities in their systems, offering financial rewards for valid findings.
[6] Cyber ranges are simulated environments designed to replicate real-world networks, systems, and threats, enabling individuals or teams to practice cybersecurity operations—such as attack detection, incident response, and red teaming—in a controlled and legal environment.
I would translate it as “not knowing how to attack, how do you know how to defend?”
This is more cautious and closer to Sun Tzu than your translation, which (as so often is the case) interposes Western war ways onto China. Sun Tzu teaches that we cannot secure victory, but we can always avoid defeat. That is, the defeat of the enemy arises from our enemy’s error, not our own excellence. Our own excellence only preserves our continued capacity to fight. Thus, this aphorism, “if you don’t yet know how to attack, how do you know how to defend?”, means: you must know how you attack in order to correctly defend. How you attack is through dissimulation and awaiting the enemy’s error. To defend, then, you must avoid error. That is, you must study your own position carefully to see it as your enemy would, so that you may strengthen your defense accordingly.
This, the usual Western misapprehension of Sun Tzu, explains once again the Western defeat by Sun Tzu’s thinking. The author of the piece I am now criticizing is essentially, probably unknowingly, replicating the Japanese banzai-style bushido mentality and Clausewitz. If Clausewitz were right, Germany would have won either or even both world wars. Germany lost both. If bushido were right, Japan would have won the Second World War. It did not.
We must see Sun Tzu as he really is, not as he is interpolated by Westerners such as Giles, who at every turn impose Western military thought onto Sun Tzu’s masterpiece.