August 22, 2025
Key Takeaways from the 2025 Black Hat Conference by Marty Magida
Earlier this month we trekked to Las Vegas once again for the annual Black Hat conference. With RSA having taken place just 3 months prior, there was no particularly revelatory news to report, although the hype foisted upon attendees by exhibitors was as elevated as we’ve experienced in our decades-long journey attending technology conferences. It felt like half of the vendors on the floor purported to be able to handle all of your security needs.
Our takeaways from the conference:
- A New Tool to Sprawl
  - The incipient green shoots of non-human identity (NHI) companies that we saw at RSA have grown into full bloom. It was claimed that the ratio of non-human actors to actual persons is greater than 100:1, given the proliferation of bots, AI agents and APIs. This has led to the emergence of dozens of NHI vendors vying to become the Okta of NHI.
  - Which raises the question: is there a need for a dedicated NHI solution? As one investor told us, one would surmise that the incumbent IAM platforms “should” be able to address this new dimension of identity. Look for companies like Okta or Ping to go fishing in this pond.
- Need for Community (Redux)
  - Continuing the theme from RSA, there is a healthy willingness to collaborate among security professionals that extends beyond alerting others to new threats and now includes sharing vulnerabilities and remediation techniques.
  - Misery loves company. As cybersecurity budgets escalate, industry participants are called on to justify their spend and are held increasingly accountable for securing their organizations. This across-the-board scrutiny fosters empathy towards fellow practitioners.
- Asleep in the Watchtower
  - Community is especially important in light of recent significant downsizing at CISA. We heard concern around the loss of coordination between government agencies as well as between the public and private sectors. This is alarming considering that state-supported cyberthreats continue to increase, driven by trade frictions, dueling regulatory regimes and geopolitical conflict.
  - One government security vendor we spoke with is an unexpected beneficiary of DOGE’s cost-cutting and CISA’s travails, picking up talent they hadn’t had access to before. Every opening they post results in dozens of ‘fantastic’ resumes.
- AI Security Skepticism and Confusion Abound
  - Some AI advocates claim that not only will SOC analysts become redundant, but AI agents will replace the need for SOCs altogether. Others don’t subscribe to that notion and believe that humans are required for tasks beyond routine investigations and automated repetitive tasks.
  - Customers don’t know what to believe. Virtually every vendor has rebranded as an AI company, and customers are deploying AI because they believe they need to or be [pick one] exposed/left behind/ridiculed/fired.
  - A common concern centered on what seems to be a cavalier attitude on the part of the leading AI companies as it relates to security. One speaker at the conference stated that LLMs are “insanely insecure” because they are essentially mimics and don’t actually understand what it means to write secure code.
- Compliance Lag
  - AI adoption is getting ahead of controls. Agent-to-agent interaction represents an infinite expansion of the attack surface, yet many organizations have not implemented adequate security or governance frameworks.
  - Waiting for regulations to be fully in place is not sufficient given government’s tendency to lag behind technological realities.
  - Frameworks like the NIST AI Risk Management Framework (AI-RMF), OWASP Top 10 for LLMs and GenAI, and MITRE ATLAS provide guidance, but adherence can be challenging given the constantly changing nature of AI systems.
- Buy > Build
  - Traditional security tools are not suited to handle autonomous AI systems that make decisions and communicate independently – witness SentinelOne’s $250M acquisition of Prompt Security to give it better visibility and control over AI use.
  - For large cybersecurity companies as well as companies in other technology sectors, buy will outweigh build as a growth strategy. Their size often acts as an obstacle to developing innovative products quickly, so, as big pharma does with biotech, they effectively outsource their R&D by acquiring it. We’ve seen 129 acquisitions of cybersecurity companies through this July as compared to 83 during the first 7 months of 2024. Notable recent acquisitions include Commvault’s acquisition of Satori, Palo Alto’s purchase of CyberArk, Rubrik’s acquisition of Predibase, and Snyk’s of Invariant Labs.
Cybersecurity has evolved from a standalone feature in the tech stack to being ‘baked in’ to all elements of an IT system, from app development to networking to data repositories and so on. Look for robust consolidation within the cybersecurity sector as well as acquisition overtures from the broad technology platforms.
We welcome the opportunity to discuss these findings in further depth. Berkery Noyes specializes in creating options for our clients as they consider the best way to maximize value. If your capital needs currently or will exceed $10 million, or you are beginning to consider strategic options, let me know if you have an interest in exploring the paths to growth that may be available to you.