Western governments are grappling with how private-sector offensive cyber capabilities should fit into state operations. This raises a number of practical questions: If a state tasked a company with carrying out cyber operations against an adversary, who inside those organizations would actually carry out offensive work?1 How would these units be structured for government tasks? And how would offensive activity coexist with a company’s day-to-day R&D and commercial operations?

In China, these questions are far less abstract. Private companies have been core contributors to national cyber capability building for years, supported by both policy and institutional design. They develop many of the tools, techniques, and forms of expertise that underpin defensive security products and can also be leveraged for state-sponsored cyber operations. The clearest organizational expression of this approach is companies’ widespread use of attack-defense labs (攻防实验室), internal units that merge defensiv…