The real question is not whether IIJ is big The useful way to look at Internet Initiative Japan is not as a subscale national carrier, and not really as a legacy ISP either. It is better understood as a company that monetizes institutional trust in the Japanese Internet stack. That trust was built first in connectivity, then extended into operations, then into cloud, then into security, then into managed mobile, and finally into a broader systems-integration model that lets the company sell “Internet competence” in increasingly expensive forms. By fiscal year ended March 31, 2026, IIJ was doing JPY345.4 billion of revenue and JPY34.8 billion of operating profit, with management explicitly describing recurring revenue accumulation, large multi-year contracts, and service integration as the engine of the next phase of margin expansion. The company’s own framing is unusually revealing: it calls out monthly recurring revenue, the fixed-cost economics of backbone operation, and the difficulty for latecomers to replicate the mix of engineers, capex, and operating history required to run a serious network business.
That framing matters because the user’s anchoring object, AS4688, is not where the obvious scale sits. Public routing evidence points to AS2497 as IIJ’s main live backbone identity, while AS4688 looks like a historical and institutional residue: still attached to Internet Initiative Japan in PeeringDB, still visible in routing registries and IX records, still labeled “HI-HO” by Cloudflare Radar and BGP tools, but showing zero originated prefixes in several public datasets and no current public peering ports listed in PeeringDB. In other words, AS4688 is economically interesting not because it is clearly carrying the center of IIJ’s traffic today, but because it exposes how IIJ’s value is layered: the company has accumulated network identities, relationships, brands, and operating surfaces over decades, and some of those surfaces continue to matter long after their original retail story has faded.
The thesis of this essay is that IIJ’s durable margin in Japan comes from being the “serious Internet layer” for enterprises and public institutions. That means four things at once. First, it runs one of Japan’s largest backbones and can credibly sell reliability, low operational drama, and network engineering depth to buyers who care more about failure costs than about the lowest monthly line price. Second, it converts that credibility into adjacent managed services—security, cloud interconnect, outsourced operations, SASE, DNS, email security, mobile gateways—where trust compounds. Third, it uses MVNO economics not merely to chase consumer SIM volume, but to create a flexible mobile infrastructure for enterprise IoT, cable-TV MVNE partners, and specialized network use cases. Fourth, it turns systems integration from a lower-multiple project business into a feeder system for recurring revenue by bundling construction, operation, connectivity, cloud, and security into long-duration contracts. That combination is why IIJ can be smaller than NTT, KDDI, or SoftBank in raw telecom heft and still earn structurally respectable margins.
The sceptical version of the same argument is also true. IIJ’s moat is real, but not mystical. It depends on its ability to preserve enterprise trust after incidents like the 2025 Secure MX breach; on its continued access to carrier inputs supplied by firms that are also owners and competitors; on its ability to pass on supplier cost shocks such as the VMware repricing management disclosed; and on the proposition that Japanese enterprises still want a neutral, high-skill operator to stitch together networks, cloud, and security at a time when hyperscalers, SASE vendors, and large carriers are all trying to sell their own integrated stacks. The serious Internet layer is valuable. It is also expensive to defend.
Who IIJ really is IIJ says, with justification, that it was Japan’s first established full-scale commercial Internet service provider, founded in December 1992. That origin story is not just branding. It explains why the company continues to think of itself less as a telecom utility than as a technical institution: a place where the backbone, the engineers, and the operating culture are the base asset, and the product portfolio is built on top of that base. In its integrated report, IIJ explicitly says its backbone is one of the largest in Japan, extends to the United States, Europe, and Asia, has been continuously expanded with traffic growth, and has supported long-term relationships mainly with large enterprises and government agencies. The same documents emphasize that around 70% of employees are engineers, and that the group’s customer base is roughly 16,000 enterprises, primarily large-scale enterprises and public bodies.
That customer mix is the first clue to margin quality. IIJ is not economically organized like a mass-market broadband provider that lives or dies by household churn and ad spend. Its own service-provider materials pitch 99.9999% availability, guaranteed connectivity, DDoS mitigation, and expert operations. Investor materials describe long-standing recurring-revenue relationships with large corporations, minimal client churn over 30 years, and a proposal-based sales force built around blue-chip enterprise IT needs. This is a very Japanese kind of defensibility: less a winner-takes-all consumer franchise than a trusted vendor status inside difficult-to-refresh institutional accounts.
The financial mix confirms the point. In FY2025, total network services revenue reached JPY178.7 billion, while systems integration added JPY163.7 billion and ATM operation remained immaterial. Within network services, enterprise Internet connectivity generated JPY53.9 billion, enterprise mobile JPY18.2 billion, MVNE platform service JPY12.0 billion, consumer Internet connectivity JPY28.7 billion, outsourcing JPY67.6 billion, and WAN services JPY28.6 billion. The word that matters there is outsourcing. The highest-value expression of IIJ’s franchise is not a plain transit line. It is a continuing operational relationship around somebody else’s infrastructure and workflows. That is where the company’s “serious Internet layer” turns into margin.
This is also why IIJ’s cloud and security businesses should be seen as close relatives of its backbone, not separate adventures. The company expanded from connectivity into security services, network operation and monitoring, cloud computing, systems construction, and managed operation because those are the natural adjacencies once a customer trusts you with core network behavior. Its business materials show an unusually coherent set of overlaps: cloud exchange for AWS, managed firewalls, DDoS protection, remote access, mobile private gateways, DNS platforms, cloud email security, SaaS web gateway security, SOC services, private backbone services, and closed-network attachments to third-party security vendors such as Prisma Access. In economic terms, IIJ keeps trying to answer the same customer question: “If my business depends on the Internet, can you make the ugly parts disappear?”
There is a second, subtler truth inside the corporate story. IIJ is not merely a service seller; it is an institutional participant in Japanese Internet plumbing. Its securities report says it connects high-capacity lines from multiple Tokyo and Osaka points to JPNAP, which is operated by INTERNET MULTIFEED, an equity-method investee, and that it has been part of the WIDE project’s dix-ie exchange since the project’s establishment. INTERNET MULTIFEED itself is described by IIJ as a joint venture with the NTT group that operates interconnection points and provides IPv6 connectivity for telecom carriers. That is not the profile of an ordinary reseller. It is the profile of a company embedded in the governance and interconnection layers of the national Internet ecosystem.
That embeddedness helps explain why IIJ still looks strategically important even when compared with much larger firms. Against the national carriers, it lacks retail reach and spectrum ownership, but it is faster-moving, more engineering-led, and more neutral in how it integrates third-party technologies. Against classic systems integrators, it has something they mostly do not: a live backbone, meaningful peering and IX presence, and operational experience with traffic, attack surfaces, and protocol behavior at carrier scale. IIJ’s own presentations make that comparison explicitly. The commercial meaning is straightforward: it occupies valuable space between the bureaucratic mass of the incumbent carriers and the application-heavy but network-light SI firms. In a mature market, that middle position can be more profitable than it looks.
What AS4688 proves and what it does not AS4688 matters because it is a reminder that IIJ’s network value is not captured by a single flagship ASN. Public data presents a layered and slightly untidy picture. PeeringDB lists a network called “Internet Initiative Japan AS4688,” tied to Internet Initiative Japan Inc., company website override set to IIJ’s English site, operational status shown as active, open peering policy, but with zero IPv4 prefixes, zero IPv6 prefixes, no public peering exchange points currently listed, and no interconnection facilities listed. Cloudflare Radar identifies AS4688 as “HI-HO,” with the AKA “Internet Initiative Japan AS4688,” in Japan, and shows it under the same organizational umbrella as AS2497, AS61215, and AS59258. BGP tools, meanwhile, show the aut-num name as “HI-HO-AS,” describe it as “hi-ho Inc.,” note that it is maintained by MAINT-AS2497, and show legacy-looking IX IPs at DIX-IE, NSPIXP3 Osaka, and NSPIXP6 Tokyo.
The first economic conclusion is negative rather than positive: public routing evidence does not prove that AS4688 is a major live production backbone in the way AS2497 clearly is. PeeringDB’s zero-prefix entry and Cloudflare’s routing page argue strongly against that reading, and AS2497 is the network that public peering data associates with very large advertised prefix counts, global scope, and the broader IIJ backbone identity. IIJ’s own as-set, AS-IIJ, includes AS4688 among many other ASNs routed by IIJ members, but that only tells us the autonomous system is institutionally part of IIJ’s routing orbit, not that it is carrying flagship flows today.
The second conclusion is more interesting: AS4688 appears to be an administrative and historical residue of IIJ’s long involvement with the hi-ho access business. The current hi-ho company history states that Panasonic’s internet service brand “Panasonic hi-ho” began in 1995; that hi-ho Inc. was established in 2007 and wholly acquired by IIJ from Panasonic Network Services in the same year; and, crucially, that IIJ sold all hi-ho shares to ISP Holdings in December 2017. Yet AS4688 still shows up in public network-resource records as organizationally linked to IIJ, and BGP registry metadata still references hi-ho, with maintenance by IIJ-related objects. That mismatch is commercially meaningful. It suggests that IIJ’s historical control over consumer and wholesale network layers has outlived the equity ownership of the original retail brand, and that some network-resource legacies were not fully “cleanly separated” in the public Internet record even after the share sale.
There are several possible interpretations, and public records do not let us choose confidently among them. AS4688 could be effectively dormant but retained for contingency, registry continuity, IX membership, historical reachability, or non-public operational uses. It could represent legacy surfaces still meaningful to old customers or partners. It could be a placeholder identity with more administrative than traffic value. The fact that PeeringDB marks “Never via route servers” and an open peering policy, while listing no present exchange ports, reinforces the view that this is a historical object with an institutional life but not an obvious current scale role. That is exactly the kind of detail investors often ignore—but it matters when a company’s commercial advantage depends on accumulated operational rights and relationships rather than on a single headline asset.
To understand why, compare AS4688 to AS2497. PeeringDB’s AS2497 record shows IIJ’s main network as a global NSP with very large public prefix counts and participation in a broader active peering footprint. Cloudflare Radar shows real traffic views for AS2497. The same organization owns both. In commercial terms, this means IIJ’s visible network estate has a core identity and a sedimentary layer. AS2497 is the core. AS4688 is sediment: evidence of prior business lines, prior interconnection surfaces, and long-term institutional presence. The economic value of sediment is not throughput; it is optionality, continuity, and proof that the company has been embedded in the country’s Internet architecture long enough to accumulate residues competitors do not have.
This also helps avoid a category mistake. The business model of “Internet Initiative Japan AS4688” is not, in 2026, separable from the broader IIJ group. The public record does not support an argument that AS4688 on its own is a standalone money machine. What it supports is a narrower point: AS4688 is a clue to how IIJ turned early consumer ISP and interconnection experience into something broader and more durable. The company did not become valuable because one old ASN was special. It became valuable because it kept building adjacent revenue streams around network competence while preserving the credibility that made those adjacencies believable. AS4688 is best read as archaeological evidence of that transition.
The hi-ho side of the story sharpens the contrast. Today’s hi-ho company presents itself as a provider of FTTH/ISP services and MVNO/mobile offerings, and in 2026 it received administrative guidance after inadequate customer notification around a VDSL-service termination left some apartment residents without working connectivity. The brand also attracts poor public complaints on Japanese comparison sites about support quality and, in some cases, service quality. Those anecdotes should not be overstated; forum and review evidence is noisy. But the business meaning is clear enough. The retail ISP layer attached to the historical AS4688 identity does not obviously carry the premium-trust economics that define IIJ proper. If anything, public signals around hi-ho reinforce the idea that IIJ’s real moat migrated away from consumer access long ago, toward enterprise-grade operation and adjacency businesses.
Where the margin actually comes from IIJ’s business becomes much easier to understand if one starts with cost structure rather than products. The company says plainly that the major costs of enterprise Internet connectivity and outsourcing are network and systems operating costs—leased circuits, equipment depreciation, data-center fees, and personnel—that are not directly linked to revenue at the unit level. That is the classic fixed-cost backbone model. Once built, staffed, and kept reliable, it becomes more profitable as more recurring revenue is loaded onto it. IIJ also says this model is hard for latecomers to imitate because it requires highly skilled engineers and capex sustained at meaningful scale. This is not just self-congratulation. It is the economic heart of the company.
That fixed-cost logic shows up in the margin line. For FY2025, IIJ reported total gross profit of JPY76.2 billion and total gross margin of 22.1%. Gross profit for network services was JPY48.4 billion at a 27.1% margin, while systems integration generated JPY26.3 billion at a 16.1% gross margin. This immediately tells you how the company thinks internally: network services are the profit driver, while systems integration is the revenue driver and the door-opener. Management’s own language mirrors this. Large service-integration deals create immediate construction revenue, but their real value lies in the monthly recurring operational and network revenues that follow. That is why IIJ keeps emphasizing MRR accumulation rather than celebrating single-quarter project wins in isolation.
The FY2025 numbers sharpen the point. Network services grew 9.9% year on year to JPY178.7 billion. Outsourcing—where many security and managed-operation services sit—grew 14.3% to JPY67.6 billion. Enterprise mobile rose 17.6% to JPY18.2 billion. Consumer connectivity grew only 6.9% to JPY28.7 billion, and the plain MVNE line grew 5.2% to JPY12.0 billion. This profile is exactly what one would expect from a company whose best economics sit in managed, enterprise-grade, more technically entangled services rather than pure consumer access. It is also what one would expect if management’s “serious Internet layer” thesis is right: the more operationally critical the service, the better the growth.
The base this all sits on is the enterprise Internet and IP-services franchise. IIJ’s enterprise connectivity business reached JPY53.9 billion in FY2025 and the total contracted bandwidth for IP services rose from 13,832.2 Gbps to 16,532.1 Gbps, according to the latest filing. That is not spectacular mass-market scale, but it is the kind of volume that matters when sold to enterprises who use the service for main or core connectivity rather than as a cheap backup. The company’s own presentations stress that its IP-service contracts are bandwidth-guaranteed, are used as core connectivity, and are typically bought by enterprises rather than households. The economic consequence is lower churn, higher technical stickiness, and better cross-sell into security, cloud, and managed operations.
Then comes outsourcing, which is where the backbone stops being just transport and becomes a platform for rent extraction. IIJ’s security business is a good example. In company presentations, IIJ says its cloud-based mail security has the number-one share in the cloud-based mail-security market, that its SaaS web-gateway security service has held share leadership for ten consecutive years, that enterprise e-mail service accounts including OEM exceeded 10 million in July 2024, and that SMX and SWG had 2.9 million and 1.2 million contracted accounts respectively as of September 2024. The slide deck also lists named customers for the web-gateway service including Sumitomo Life, Fuji TV, Mitsubishi Chemical, Meiji Gakuin University, and Morinaga. Whatever one thinks of self-reported market positioning, these are not minor footholds. They show that IIJ has converted its network position into a broad security-services installed base.
Security matters economically because it is both a premium adjacency and a trust amplifier. A network operator can sell DDoS mitigation and firewall management in a way that feels native. An operator with a long enterprise track record can also sell email security, SASE integration, and SOC services with less buyer anxiety than a purely software-native entrant might face in heavily regulated or tradition-bound Japanese accounts. IIJ’s recent launches underline the continuity: Security Doctor in 2025, Prisma Access cloud exchange in late 2025, IFMS Cloud in 2026, AI security consulting through IIJ Global in 2026, and repeated recognition from security partners such as Palo Alto, Okta, and Sophos at the subsidiary level. The through-line is not innovation theater. It is the methodical broadening of a trusted operating envelope.
Cloud is similar, but the economics are a little different. IIJ is not trying to outspend AWS, Azure, or Google Cloud as a hyperscale platform. Instead it sells secure attachment, governance, migration, and operation. Its AWS cloud-exchange service pitches secure private connectivity between customer networks and AWS. Multi-cloud support shows up repeatedly in filings as a growth driver for operation-and-maintenance revenue. A 2024 IBM Japan partnership positioned IIJ as part of a distributed-system joint platform for regional financial institutions. In that world, IIJ’s cloud business is not an alternative to hyperscalers; it is the Japanese network-and-operations layer that makes them usable inside old, regulated, or latency-sensitive institutions. That can be a better business than trying to be a subscale cloud landlord.
The owned-data-center strategy deepens this margin logic. IIJ says it operates 16 data centers in Japan, of which two are its own. Matsue Data Center Park and Shiroi Data Center Campus are not vanity real estate. They are balance-sheet tools. Matsue was opened in 2011 as Japan’s first containerized data center with outside-air cooling, while Shiroi is a large-scale data center with 50MW receiving capacity; the company says construction of the third building phase began in June 2025. In investor materials, IIJ explicitly says it expects higher efficiency by gradually migrating leased data-center space to its own facilities. That is textbook gross-margin management: replace external rent with owned infrastructure once you have enough load to justify the capex.
The mobile business is where many outside observers underestimate IIJ. Consumer SIMs matter, but mainly as one leg of a broader utilization story. IIJ’s presentations state that profitability should improve by aggregating consumer and enterprise traffic because their usage peaks differ: consumer traffic spikes during commuting and lunch hours, while enterprise traffic from dongles and IoT devices is more 24/7. This is a network-engineering insight turned into a business model. If the same mobile platform can absorb both patterns, utilization rises and unit economics improve. IIJ also points out the strategic value of having become a full MVNO in 2018: it built its own HLR/HSS and eSIM platform, launched eSIM in 2019, has pursued local-5G and multi-profile SIM offerings, and keeps linking mobile to private-network and IoT solutions. That is not bargain-SIM commoditization. It is a modular mobile platform.
The MVNE business adds another layer. IIJ says most MVNE clients are Japanese cable-TV operators with direct consumer relationships, and a late-2024 company presentation said IIJ had 192 MVNE clients as of March 2024, including 94 cable operators. That structure is economically smart. IIJ avoids the full burden of owning consumer distribution while still monetizing the mobile platform underneath. Cable operators bring local billing relationships and household bundling. IIJ brings the boring but hard part: the network, the provisioning, and the compliance-heavy operation. In cable terms, it is selling picks and shovels.
The same is true in the consumer market, where IIJ’s direct brand matters less than one might think. IIJmio is important, and it continues to grow: consumer Internet connectivity subscriptions rose to 1.72 million by March 2026, of which IIJmio Mobile Services represented 1.43 million. But the company’s own descriptions of consumer channels—direct web sales, partner retail through BIC Camera and Japan Airlines, plus MVNE supply to others—make clear that IIJ treats the consumer line as one component of a mobile platform rather than the center of the group’s valuation. Independent market studies reinforce the interpretation: MM Research Institute said IIJ held the top share in Japan’s unique-service SIM market as of March 2024, with strong enterprise IoT SIM demand helping it expand share. The fact that IoT was the growth explanation is the giveaway. Even where IIJ leads in “consumer” MVNO statistics, the higher-quality economics often come from enterprise-like lines.
This is why AS4688’s apparent dormancy is not a problem for the thesis. The serious economic machine is not a single access network identity. It is a stack: backbone credibility, enterprise resale value of reliability, adjacent managed services, owned infrastructure where useful, mobile platform leverage, and service integration that converts one-off projects into recurring operational relationships. If one insists on finding the value in a specific old ASN, one will miss the larger point. IIJ makes money by turning Internet-layer seriousness into an annuity. AS4688 is only one shard of the pottery.
Dependencies, regulation, and the state-shaped market beneath it No network business in Japan is fully autonomous, and IIJ is unusually honest about that. Its filings say a significant portion of access circuits, domestic and international backbone circuits, WAN lines, mobile interconnectivity and facilities, and even data-center facilities are procured from NTT Group and KDDI. Those same groups also compete with IIJ in Internet connectivity, mobile, WAN, outsourcing, and systems integration. In other words, two of IIJ’s most structurally important suppliers are also two of its permanent rivals. That is a vulnerable position, but also a stabilizing one: if IIJ can remain commercially relevant under those conditions, its franchise is probably real.
Ownership makes that co-opetition more explicit. As of March 31, 2025, KDDI held 11.52% of IIJ, while NTT and NTT Communications together held another 11.52%. The current ownership balance emerged after NTT’s partial disposal in 2023, when KDDI bought 18.707 million IIJ shares from NTT as part of a capital and business alliance and IIJ repurchased treasury stock in a separate off-auction transaction. IIJ says there are no special commercial arrangements tied to these holdings, but the alliance with KDDI explicitly contemplates cooperation in procurement, mobile services, mutual use and joint development of commercial products, and personnel exchange. This does not make IIJ a captive, but it does mean its independence is always strategic rather than absolute.
The state context runs deeper than shareholdings. IIJ’s current president, Yasuhiko Taniwaki, came from the Japanese communications bureaucracy: Ministry of Posts and Telecommunications, then MIC, with senior roles including Director-General of the Telecommunications Bureau and Vice-Minister for Policy Coordination, plus a cybersecurity role connected to the Cabinet Secretariat and NISC before joining IIJ as advisor in 2022 and becoming president in 2025. His background does not prove favoritism, and IIJ says it operates independently. But it does place the company in the overlap between technical infrastructure and state policy, exactly where one would expect a national Internet institution to sit.
That overlap matters particularly in mobile. Japan’s MVNO market did not just appear by accident; it was shaped by prolonged regulatory pressure around competition, interconnection charges, and fairness relative to the MNOs. Japanese public materials around mobile-market competition and interconnection-charge studies repeatedly frame MVNO predictability, transparency, and equal footing as competition-policy goals. IIJ itself has long benefited from those rules; an older IIJ presentation to an international audience explicitly credited strong protective policy, non-discriminatory access, and guideline-based wholesale tariffs as reasons Japan’s MVNO market grew. More recent regulatory change has also mattered at the technical edge: J:COM’s 2025 note on receiving mobile phone numbers credits a MIC policy decision and subsequent reform that allow MVNO-side progress toward voice/SMS interconnection. The economics are straightforward. IIJ’s mobile platform exists partly because Japanese telecom policy spent years making sure that wholesale access did not remain purely discretionary.
There is a more awkward state interaction on the security side. In 2025, IIJ disclosed that unauthorized access to its enterprise mail-security platform, IIJ Secure MX Service, had occurred on or after August 3, 2024, with up to 6,493 contracts and 4,072,650 email accounts potentially affected. A follow-up statement narrowed confirmed leakage to 586 customer contracts, including 311,288 account credentials, six contracts involving e-mail content and header data, and 488 contracts involving third-party cloud authentication information, with overlaps removed; the company attributed the breach to exploitation of a previously undiscovered vulnerability in third-party software used in the platform. In July 2025, IIJ said it received written administrative guidance from MIC over an incident involving leakage of the secrecy of communications, and stated that it had already strengthened behavior-detection functions and was layering web-application firewall defenses.
Economically, the incident cuts both ways. On one side, it damages exactly the trust layer that IIJ monetizes. A serious Internet operator that runs e-mail security for high-end customers is supposed to be where risk is reduced, not where it concentrates. On the other side, the customer list that surfaced through disclosures by affected users is a reminder of how deeply embedded IIJ is: Tokyo Metropolitan Government units, Kioxia, Hitachi Construction Machinery, Keidanren-related organizations, and others all disclosed they were customers or counterparties in the blast radius. That is bad incident optics, but it is also evidence of where IIJ sits in the institutional market. A commodity provider does not create this kind of public-sector and blue-chip notification chain.
The other regulatory lesson comes from the hi-ho side. In March 2026, hi-ho disclosed it had received MIC administrative guidance because customer notification around service suspension or termination had been inadequate; press coverage said some apartment residents using a VDSL-based service were not properly informed before service stoppage, with the interruption surfacing after the service had already ceased. From IIJ’s perspective this matters less as a direct earnings issue—hi-ho was sold in 2017—than as a reminder that legacy consumer-access businesses live in a tighter, more complaint-sensitive regulatory environment than institutional managed services do. It reinforces the idea that the economically superior part of IIJ’s historical inheritance was never “consumer ISP” in the abstract. It was the operating and interconnection competence that could be lifted out of that world and sold upward.
Why the margin is durable and how it could still be eroded The strongest argument for IIJ’s durability is that the company has already survived the commoditization of the businesses that usually kill old ISPs. Consumer Internet access became crowded. Mobile became price-competitive. Cloud infrastructure became hyperscaler territory. Enterprise networking became software-defined. Security became full of specialist vendors promising to eat the incumbent operator. Yet IIJ kept moving up the stack while continuing to use its backbone and operations competence as the reference point for trust. Its own mid-term plan puts this in very plain language: enhance the core business through large composite transactions, increase recurring enterprise revenue to realize economies of scale, and further differentiate through stable, high-quality network operation and higher-value security services. The company is not trying to win the market by being the loudest. It is trying to make itself the least embarrassing choice for important networks.
That strategy has visible customer traction. The 2025–2026 project list in investor materials includes infrastructure and operations for public institutions, regional-bank shared-platform work, megabank global networking, educational infrastructure, public-safety mobile services, and security-enhancement projects for financial institutions and manufacturers. Separately, IIJ’s business pages and releases show targeted solutions for GIGA School environments, regional financial systems, and closed-network enterprise security overlays. These are not generic SMB web-hosting deals. They are long-duration, institution-shaped contracts where failure is costly and switching is socially expensive. That is where durable margins tend to live in Japan.
The job-post evidence tells the same story from the inside. IIJ and IIJ Global recruit across network, cloud, server, security, and IoT engineering roles, with published environments that include MPLS, VPNs, OpenStack, VMware, Prisma, Zscaler, Cato, Linux, Kubernetes, and major public clouds. The HRMOS postings for IIJ Global emphasize large domestic prime projects, end-to-end network and security proposals, access to test labs, and long customer engagements. That is not the hiring pattern of a consumer ISP optimizing call-center scripts. It is the pattern of an engineering-heavy operations company trying to stay broad enough to remain relevant at the edge where networks, cloud, and security now meet.
The market chatter, such as it is, also fits. Consumer reviews of IIJmio often describe the service as inexpensive and broadly acceptable rather than exceptional on raw speed; some older user conversations focus on throttling rules or the difference between “good enough” and premium-mobile performance. That is not a problem if the group’s real money is elsewhere. In fact, it may be a feature. IIJ does not need to win a consumer-speed beauty contest if consumer volume mainly helps platform utilization, supports eSIM and full-MVNO capabilities, and feeds a broader mobile infrastructure business. Informal evidence matters mainly because it tells you what the company is not. It is not a retail glamour asset.
The risks, however, are real and not just theoretical. The first is trust erosion. The Secure MX breach is the most obvious example, precisely because it struck a premium trust product. If repeated or followed by evidence that IIJ cannot keep its own managed-security surfaces clean, the central logic of “buy IIJ because they are serious” weakens dramatically. The company’s response—strengthening monitoring, hardening WAF layers, forming a CEO-direct project—shows it understands that the risk is not just legal but commercial. “Serious” is the brand. Brand damage here is margin damage.
The second is supplier and partner dependence. IIJ discloses that it relies heavily on NTT and KDDI for circuits, mobile interconnectivity, facilities, and other services. That is manageable when industry relationships are stable. It becomes a problem if carrier incentives harden against neutral wholesalers, if mobile-feature parity for MVNOs lags MNO services for too long, or if access economics shift against independent operators. The regulatory history of Japanese MVNO competition has prevented the most obvious foreclosure, but it has not abolished structural dependence.
The third is technological enclosure by larger platforms. IIJ’s recent success in areas such as SASE integration, firewall management, and cloud attachment partly depends on acting as a neutral implementer of third-party tools. There is real value in that, and partner awards from Okta, Sophos, and Palo Alto suggest the channel remains healthy. But the same model means that vendor consolidation or stronger direct-enterprise motion by those vendors could squeeze operator margins. The VMware shock disclosed by IIJ in FY2024 is a warning from a related angle: third-party platform decisions can land directly in IIJ’s cost base, and while the company says it managed substantial pass-through, that is not pure moat. It is operational competence under pressure.
The fourth is capital intensity. IIJ’s investment in facilities is increasing. It disclosed rising capex, growing borrowings and lease obligations, and an expectation of ongoing spending on network facilities, cloud-related systems, service development, own-data-center construction, and human-resource expansion. In the FY2025 company presentation, capex reached JPY32.2 billion, with a notable increase tied to Shiroi and Matsue data-center spending. This is not alarming by itself—owned infrastructure is part of the margin story—but it means the business only stays attractive if utilization and recurring revenue keep filling the pipes and buildings. Serious infrastructure is wonderful until it is empty.
The final risk is that IIJ’s “middle position” becomes less valuable. If the big carriers become more credible and less bureaucratic in enterprise managed services, and if the big SI firms become more network-native through partnerships or acquisitions, IIJ could find itself squeezed from both sides. The company’s answer is the service-integration model: use big, multi-year, composite contracts to make replacement awkward and to move the relationship from “vendor” to “operating partner.” Recent order flow suggests that strategy is working. But one should not pretend that it is impossible to erode. What makes IIJ dangerous to compete against is also what makes it vulnerable: most of its value sits in reputation, not in a statutory monopoly.
What the public record can say with confidence and what it cannot The public record can say a great deal about IIJ’s economic shape. It can say the company is an engineering-heavy Japanese Internet institution with a large backbone, deep enterprise and public-sector penetration, growing recurring revenue, expanding outsourcing and security lines, a meaningful mobile platform, and a business model built around converting network credibility into adjacent managed services. It can say the main live network identity is AS2497, while AS4688 appears to be a historical hi-ho-linked residue still attached to IIJ’s organizational orbit. It can say that IIJ’s core margins come from network services and from the operation-and-maintenance tail attached to systems integration, not from household broadband romance. And it can say that trust is both the company’s key asset and the source of its greatest exposure, as demonstrated by the 2025 mail-security incident.
What it cannot say with confidence is equally important. It cannot prove what AS4688 is used for internally today, if anything meaningful, beyond what public routing and registry traces suggest. It cannot allocate profit cleanly among sub-lines such as enterprise IP, consumer IIJmio, MVNE, security services, cloud interconnect, and system operation. It cannot tell us how concentrated IIJ’s top customer base is, nor how much of recent MRR growth comes from a handful of very large public and financial contracts. It cannot show the precise negotiated economics of access and interconnection with NTT and KDDI, beyond IIJ’s acknowledgement of reliance and competition. And it cannot reveal whether the 2025 security incident caused any material but slow-moving damage to future bookings that had not yet shown up in the FY2025 numbers.
That uncertainty should not lead to agnosticism. It should lead to a more disciplined conclusion. The value of IIJ is not that it owns a magical backbone, or that one old autonomous system somehow hides a secret business. The value is that the Japanese market still appears willing to pay for a specialist operator that is plainly neither a full incumbent carrier nor a pure software integrator; that IIJ has built enough engineering depth and interconnection legitimacy to occupy that role; and that it has spent decades broadening its revenue streams without abandoning the network posture that made the broader sell believable. AS4688 is a fragment of that story, not the whole story. But the fragment is revealing. It shows how durable Internet businesses are often built: not by replacing the old layer, but by stacking new margins on top of it until the original layer becomes less visible than the trust it created.
Evidence ledger IIJ FY2025 financial results release — URL: https://www.iij.ad.jp/en/ir/library/financial/pdf/IIJ4Q25E.pdf — Source type: company filing / earnings release. Supports: FY2025 revenue, operating profit, recurring-revenue growth, network-services breakdown, subscription counts, and management’s current strategy language. Does not prove: exact profitability by sub-product or customer cohort. Why it matters economically: it is the best current primary source for seeing where revenue is actually accruing and how management wants investors to think about margin.
IIJ FY2025 presentation material — URL: https://www.iij.ad.jp/en/ir/library/financial/pdf/IIJ4Q25E_presentation.pdf — Source type: company investor presentation. Supports: network-services gross margin, SI gross margin, large-project pipeline examples, capex trajectory, and the service-integration model as current strategy. Does not prove: realized lifetime value of those contracts or whether management target-setting is conservative. Why it matters economically: it shows how IIJ converts projects into recurring revenue and where the company believes operating leverage emerges.
IIJ Integrated Report 2025 — URL: https://www.iij.ad.jp/en/ir/integrated-report/archives/pdf/integrated-repot2025_en.pdf — Source type: integrated report. Supports: the fixed-cost economics of the backbone, the “latecomers cannot easily imitate” claim, customer mix, employee-engineer ratio, data-center footprint, and the broad value-creation logic. Does not prove: that management’s cultural self-description is fully borne out in daily operations. Why it matters economically: it contains the clearest articulation of why IIJ thinks its network-assets-plus-engineers model is scarce.
IIJ Annual Securities Report FY2024 — URL: https://www.iij.ad.jp/en/ir/library/sec-report/pdf/FY2024_EndE.pdf — Source type: statutory securities filing. Supports: revenue and gross-profit breakdown by service line, risk factors, supplier dependence on NTT/KDDI, shareholder data, backbone interconnection with JPNAP and dix-ie, and capex/funding disclosures. Does not prove: current FY2026 conditions beyond March 2025. Why it matters economically: it is the strongest audited-like public source on structural dependence, co-opetition, and the underlying service economics.
PeeringDB entry for AS4688 — URL: https://www.peeringdb.com/net/32317 — Source type: public network-resource registry. Supports: organizational tie to IIJ, zero public prefixes listed, open peering policy, no currently listed public exchange ports or facilities, and the continued existence of the ASN as an operational object. Does not prove: whether AS4688 has non-public uses or internal traffic significance. Why it matters economically: it shows that AS4688 is real but publicly quiet, which changes how one should interpret its strategic significance.
Cloudflare Radar routing page for AS4688 — URL: https://radar.cloudflare.com/routing/as4688 — Source type: public routing-observation dataset. Supports: AS4688 naming as “HI-HO,” country/organization link to IIJ, and visibility of related organization ASNs including AS2497. Does not prove: precise traffic volume or commercial role. Why it matters economically: it is a clean external check that AS4688 persists as part of IIJ’s network estate but is not the obvious center of activity.
BGP.HE page for AS4688 — URL: https://bgp.he.net/AS4688 — Source type: public routing/IRR aggregation. Supports: HI-HO-AS naming, hi-ho description, maintenance by MAINT-AS2497, and legacy IX interface addresses at DIX-IE and NSPIXP. Does not prove: current revenue-bearing usage or whether those IX endpoints remain materially used. Why it matters economically: it is the clearest public sign that AS4688 sits in IIJ’s orbit as a historical network-resource artifact rather than as a random stale entry.
PeeringDB entry for AS2497 — URL: https://www.peeringdb.com/net/690 — Source type: public network-resource registry. Supports: that AS2497 is the main IIJ network identity with large public prefix counts and global scope. Does not prove: actual traffic profitability. Why it matters economically: it provides the essential contrast that prevents overreading AS4688 and anchors the commercial analysis in IIJ’s real core network identity.
hi-ho corporate history page — URL: https://hi-ho.co.jp/company — Source type: company history page. Supports: Panasonic origin of the hi-ho brand, IIJ’s 2007 acquisition, and IIJ’s 2017 sale of all hi-ho shares to ISP Holdings. Does not prove: how every network resource was separated after the sale. Why it matters economically: it explains why a hi-ho-linked ASN can still illuminate IIJ’s history without implying that hi-ho remains a core IIJ operating business.
hi-ho service page — URL: https://hi-ho.co.jp/service — Source type: company service page. Supports: current hi-ho positioning in FTTH/ISP and MVNO/mobile services. Does not prove: quality of service or business scale. Why it matters economically: it helps separate today’s hi-ho retail proposition from IIJ’s enterprise-led margin engine.
IIJ Secure MX breach disclosures — URLs: https://www.iij.ad.jp/en/news/pressrelease/2025/0415.html and https://www.iij.ad.jp/news/pressrelease/2025/0422-2.html — Source type: company incident disclosures. Supports: timing, potential and confirmed scope, cause via third-party software vulnerability, and nature of exposed information. Does not prove: the long-term revenue damage from the incident. Why it matters economically: it is the most direct challenge to the trust premium on which IIJ’s security and outsourcing businesses rely.
IIJ notice on MIC administrative guidance after the breach — URL: https://www.iij.ad.jp/news/pressrelease/2025/0718.html — Source type: company statement about regulator action. Supports: that MIC issued written guidance, that IIJ framed the incident as involving secrecy-of-communications leakage, and that remediation steps were underway. Does not prove: the full content of MIC’s own notice or whether the remediation is sufficient. Why it matters economically: regulator criticism raises the cost of trust repair in IIJ’s premium service lines.
Tokyo Metropolitan Government notice on the IIJ incident — URL: https://www.digitalservice.metro.tokyo.lg.jp/information/press/2025/04/20250417 — Source type: customer/public-sector notice. Supports: that Tokyo-government units were users of the affected IIJ Secure MX service. Does not prove: IIJ’s overall public-sector customer concentration. Why it matters economically: it is visible evidence that IIJ’s enterprise-security installed base reaches sensitive public institutions.
MM Research Institute report on Japan’s SIM market — URL: https://www.m2ri.jp/release/detail.html?id=630 — Source type: industry-research press release. Supports: that IIJ led the unique-service SIM market as of March 2024 and that enterprise IoT SIMs were a major growth factor. Does not prove: IIJ’s profitability per SIM or exact 2026 share. Why it matters economically: it supports the claim that IIJ’s mobile economics are materially anchored in enterprise/IoT rather than only in bargain consumer plans.
IIJ Global 2026 news page — URL: https://www.iijglobal.co.jp/en/news/ — Source type: subsidiary news page. Supports: IIJ Global’s recognition by Okta, Sophos, and Palo Alto in 2026. Does not prove: the scale of security revenue directly attributable to those partnerships. Why it matters economically: partner awards are weak evidence on their own, but in context they confirm IIJ’s serious role in the enterprise-security implementation channel.
ITmedia report on MIC guidance to hi-ho — URL: https://www.itmedia.co.jp/news/articles/2603/31/news153.html — Source type: local-language press. Supports: the business meaning of hi-ho’s 2026 notification failure and the VDSL-transition issue affecting apartment residents. Does not prove: the full scale of hi-ho’s customer losses or its financial condition. Why it matters economically: it highlights how different the retail-ISP quality signals are from IIJ’s enterprise-grade positioning, reinforcing the argument that the durable value migrated upward.
What would change the view of the serious Internet layer The commercial view would change materially if any of four facts became public.
First, if credible routing or operational evidence showed that AS4688 is in fact carrying meaningful production traffic, customer estates, or private interconnection of strategic importance, then the old-identity thesis would shift from “archaeological clue” to “live hidden asset.” Nothing in the public record proves that today.
Second, if future disclosures showed that the Secure MX incident caused a measurable deterioration in large-account renewals, public-sector wins, or security attach rates, then IIJ’s trust premium would deserve a lower multiple than this essay implies. At present the evidence proves the incident and the regulator response, but not the long-tail commercial damage.
Third, if NTT, KDDI, or major security/cloud vendors were shown to be compressing IIJ’s procurement economics or bypassing it successfully in the high-end enterprise segment, then the “serious Internet layer” would look more like a transitional role than a durable one. IIJ’s disclosures show dependence and co-opetition, but not yet structural displacement.
Fourth, if owned infrastructure at Shiroi and Matsue failed to fill with profitable recurring workloads, then IIJ’s capex story would stop looking like operating leverage and start looking like ballast. For now, the evidence still points the other way: rising MRR, expanding outsourcing revenue, and a pipeline of long-duration service-integration contracts suggest the serious Internet layer is still being bought.