May 22, 2025 Key Takeaways from the 2025 RSA

by Marty Magida

“(A)I Can Do Anything Better Than You”

With a tip of the hat to Annie Oakley, if there were a theme song for this year’s RSA conference, it would be the classic number from the 1946 musical Annie Get Your Gun. The vibe at the conference was all AI, all the time. No exhibit, panel, keynote, sidebar or party passed without its mention, and it was hard to come away without feeling that we mere mortals are either doomed or vastly empowered by its capabilities.

This year’s conference had record attendance of 44,000 from more than 140 countries, not including the untold number of unregistered participants who filled lobbies, bars and hotel suites around the event. Below are a few observations we took away from the conference:

  • Need for community
    • The conference’s opening keynote stressed the need for cyber professionals to share information and collaborate with each other to combat threats and protect an exponentially expanding attack surface.  For an industry historically allergic to transparency, there is a growing recognition that coordinated disclosure and crowdsourced insights are required to attain collective resilience.  This is especially critical in light of the uncertainty around the future of CISA.

  • Agentic AI will be a major asset for security operations
    • AI agents are autonomous bots that can take action independent of humans and communicate with each other.  Many of the tasks security teams currently perform – from threat hunting to enforcing access permissions – will be handled by AI agents.  Nevertheless, a deep understanding of security operations is needed for vendors to imbue their agents with sophisticated threat analysis.
    • By automating repetitive tasks, improving signal-to-noise ratio, responding to threats, and taking preemptive action, agents are driving palpable cost savings as well as alleviating staffing pressures for security operations.
    • On the flip side, agents pose serious risks by engaging in unintended behaviors and retrieving nefarious prompts from web resources. Palo Alto’s acquisition of Protect AI, announced at the start of the conference, illustrates the appreciation that solution providers have for the risks posed by AI and could be a forerunner of additional deals this year.

  • Non-human identity (NHI)
    • If a programmer is using AI agents to call out to APIs, is the agent really doing so on behalf of the coder? As agents are autonomous, who is accountable or responsible for their behavior? How prevalent is agent-to-agent authentication?
    • Agentic AI presents an entirely new threat vector and will massively expand the TAM for identity and access management.
    • Many believe there is no IAM stack for NHI yet, but we can expect to see leaders emerge from recent significant investment into the space. Persona Identities’ announcement at the conference of a $200M raise is just such an example.

  • A new world order
    • The profound implications AI has for security are spawning a large cohort of AI-native cybersecurity startups.
    • Incumbent cyber companies not ‘born on AI’ are facing fundraising challenges and run a risk of having their solution leapfrogged by an AI-enabled alternative.
    • Even within the ‘born on AI’ universe, a debate exists between those coming at the problem from a cyber perspective and those who come out of the AI world.

  • Nation-state adversaries taking an increasingly prominent role as threat actors
    • Targets of cyber attacks are just as likely to be victims of a nation-state as of a criminal enterprise.
    • Astonishing as it sounds, there are numerous cases of North Koreans posing as employees at tech companies, with the intent to both spy and channel funds to the regime.  We heard of one instance where a single North Korean was employed by three companies simultaneously under various assumed identities.

  • Secure by design
    • While the notion of secure by design, in which secure coding practices are ingrained in the entire development life cycle, has been around for a couple of years, we noted a greater emphasis in conversations this year.
    • By employing a set of codes that limit the security choices an engineer can make while coding, secure by design safeguards against mistakes that would otherwise have to be remediated when writing code.
    • Unlike shift left, which advocates testing early and frequently during development, secure by design goes beyond mere detection and correction of vulnerabilities and seeks to prevent mistakes before they happen. This can accelerate releases by avoiding the delays caused by having to continually run security tests during development.
    • Homeland Security Secretary Kristi Noem allayed concerns that CISA, which promulgated secure by design in 2023 and has experienced upheaval of late, was backing away from the protocol. In fact, she emphasized the administration’s desire for security that is “baked into products.”

  • Predictive threat prevention
    • As organizations become more proactive in preventing threats, they are employing predictive threat intelligence to improve their security posture.
    • By gathering information from various sources and then leveraging AI to analyze the data to discern patterns and trends, predictive threat intelligence can identify attack infrastructure before exploitation.  During the conference one such company, Augur Security, which uses AI-based behavioral modeling and agentic automation to predict and block threats preemptively, announced a capital raise.

The cybersecurity sector is as vibrant as ever, enjoying increased customer budget allocations relative to other IT expenditures, substantial investment inflows and an active M&A market.

We welcome the opportunity to discuss these findings in further depth. Berkery Noyes specializes in creating options for our clients as they consider the best way to maximize value. If your capital needs currently exceed or will exceed $10 million, or you are beginning to consider strategic options, let me know if you have an interest in exploring the paths to growth that may be available to you.