TAC Security is sitting on a regulatory windfall that nobody’s talking about. While every analyst obsesses over their AppSec business (ESOF), there’s a “dark horse” division — ioXt certification for IoT devices — that could become their largest revenue driver in future.
- Only 8 authorized labs globally to issue ioXt certifications
- TAC is one of them (authorized December 2024)
- US Government Cyber Trust Mark goes mandatory January 4, 2027
- Thousands of Chinese/Indian IoT manufacturers need certification
- TAC can charge 5–10x less than Western labs and still make 75%+ margins
ioXt is the “Cybersecurity Rating” for Physical Devices
Think of it like this:
Traditional Products:
- Cars have crash test ratings (NHTSA)
- Appliances have energy ratings (Energy Star)
- Food has nutrition labels (FDA)
IoT Devices (pre-2024):
- Smart TVs: No security rating
- Routers: No security rating
- Smart locks: No security rating
- Thermostats: No security rating
→ Manufacturers could ship insecure devices with ZERO consequences
Then came ioXt. It’s a global standard that says: “If you want to claim your device is secure, you need an independent lab to certify it.”
On January 4, 2027, all vendors supplying consumer IoT products to the US government will be required to carry the US Cyber Trust Mark — a mandatory labeling requirement backed by the FCC and White House.
1. TAC is One of Only 8 Labs Globally
Let me repeat this because it’s important: Only 8 authorized labs exist on Earth right now.
The authorized labs are:
-
UL (US) — Enterprise, expensive, slow
-
TÜV SÜD (Germany) — Enterprise, expensive, slow
-
SGS (Switzerland) — Enterprise, expensive, slow
-
Bureau Veritas (France) — Enterprise, expensive, slow
-
Intertek (UK) — Enterprise, expensive, slow
-
Dekra (Germany) — Enterprise, expensive, slow
-
TAC Security (India) ← This one
-
One other lab (forgot which)
If you’re a Chinese IoT manufacturer wanting to sell to the US government, you have 8 choices. Most are in Europe/US, charging $20K–$50K per device certification, with 6–12 month timelines. TAC can do it for $3K–$8K in 4–6 weeks. That’s the arbitrage.
2024: ~$500M
2025: ~$700M (mandates driving adoption)
2026: ~$1.0B
2027: ~$1.5B (US Cyber Trust Mark goes mandatory)
2028: ~$2.2B (global adoption accelerates)
2029: ~$3.0B+
Now here’s the key question: What’s TAC’s realistic market share?
If TAC captures just 3–5% of the $3B market by 2029:
$3B × 5% = $150M potential ARR ???
There are many frameworks. ETSI EN 303 645 is probably the most influential technical baseline today. Many other programs reference or build on it.
Is ioXt the biggest?
Not necessarily
But - By certification ecosystem
ioXt is very strong.
In April 2026, the FCC selected ioXt as the Lead Administrator for the U.S. Cyber Trust Mark program.
That means if U.S. manufacturers want Cyber Trust Mark compliance, ioXt sits very close to the center of the ecosystem.
This is much stronger than just being "one of many frameworks.
I’m genuinely curious about:
-
What did I miss?
-
Are there other Indian investors who follow TAC? What’s your take on ioXt’s importance?
-
If you work in IoT or crypto space, have you heard of ioXt certifications? Are manufacturers actually asking for them?
-
For TAC investors: Is this on your radar, or is this the first time you’re learning about it?
If you think I’m completely wrong about ioXt being a hidden gem, please tell me:
-
What am I missing?
-
Why isn’t this priced in already?
-
What’s the bear case I haven’t considered?
I don’t have reliable sources for some of the pricing and market-size estimates I mentioned, which is why I used “???” after several of the numbers. Those figures were only rough estimates and should not be treated as facts.
I’m still learning about the ioXt opportunity myself, which is why I posted this discussion in the first place. I was hoping others with more industry knowledge could help validate or challenge the assumptions. I’ve also reached out to the company seeking more information, but I haven’t received a response yet.
One of my assumptions is that authorized labs do not simply issue certificates. An ioXt lab assessment appears to involve structured security testing and validation of connected devices and applications before certification can be granted. Based on industry norms, this can resemble a lightweight firmware or product penetration test, often including vulnerability assessment, security verification, and review of relevant device, app, or backend security controls. Depending on the device and certification requirements, this may include areas where companies such as TAC already have expertise through vulnerability assessments, penetration testing, and security validation services.
My estimate that TAC could potentially offer more competitive pricing is partly based on its existing strategy in AppSec and compliance services, where management has often emphasized lower-cost offerings compared with larger competitors. Also, from what I have seen, security assessments such as vulnerability scanning and penetration testing can often cost several thousand dollars or more with many providers. Since ioXt certification involves security testing and validation activities in addition to the certification process itself, I assumed that TAC may be able to leverage its existing security assessment capabilities and potentially offer competitive pricing. However, I do not currently have verified pricing data for ioXt certification services, competitor pricing, or TAC’s actual pricing strategy in this area, so this remains an assumption rather than a confirmed fact.