April 14, 2026 Key Takeaways from the 2026 RSA Conference

by Marty Magida

If last year’s RSAC sounded the warning that AI was a train coming and coming fast, this year’s conference was a realization that it has arrived, if not already left the station. There was a palpable sense that the bad guys are way ahead. The time to compromise has shrunk immensely, and the 44,000 attendees were there figuring out how to catch up.

Nevertheless, RSAC wouldn’t be a respectable tech conference if it didn’t have the requisite optimism and fanciful hype that is characteristic of these events. Every company flaunted its AI bona fides, for fear of being cast aside as irrelevant.

A few impressions from the conference:

  • It’s crowded in here
    • There was a stupendous amount of duplication among agentic AI tools. Clear messaging on how one’s offering is differentiated from the competition was in short supply. One thing not in short supply was agentic SOC platforms purporting to solve alert fatigue and false positives. The value of handling high-volume repetitive tasks, freeing up analysts to focus on orchestrating and intervening only on priority events, is obvious enough. But it is exceedingly difficult to distinguish one vendor from another.

  • Software supply chain security
    • SBOMs need to be extended to AI and LLMs, in essence becoming Machine Learning BOMs. Practitioners must understand what the model architecture is and what the models are trained on (public domain or proprietary data, human input).
    • We heard wildly divergent opinions regarding SAST. One camp believes AI will improve SAST by training on flawed code and cleaning it up by reviewing and fixing at scale, with coders effectively becoming editors. An opposing viewpoint centered on LLMs running on endpoints and performing vulnerability analysis, rendering SAST obsolete. Such diametrically opposed positions signify that the issue won’t be resolved any time soon.

  • Window dressing
    • Cybersecurity today is at an inflection point at which AI-native vendors are threatening legacy providers. Hence the impetus among incumbents to dress in AI clothing. While AI will improve many applications, there are some who believe that just baking it into legacy cyber apps won’t necessarily improve them and that not every app needs to be enhanced by AI.

  • A coming out party for AI red teaming
    • AI red teaming was a major theme at the conference, with product launches from such non-obvious vendors as Cisco, SentinelOne, and Netskope.  Automated, continuous red teaming of AI agents at machine speed seems to be table stakes, supplanting traditional periodic, manual and slow pentesting of networks and software.  AI red teaming focuses on identifying vulnerabilities that lead to model theft, prompt injection and data poisoning. The implication for ethical hackers is ominous.

  • Social(ly) engineering
    • AI-powered phishing is getting more sophisticated and realistic.  AI agents are maintaining continuous personalized conversations to gather credentials. By scraping public data and creating targeted content, often employing voice and video deepfakes, AI-powered phishing exploits the weakest link in the chain – humans.  Email security, browser protections and threat intelligence are critical but insufficient to combat the threat. Training employees to be better able to detect scams is imperative and will require entirely new approaches.

  • PQC – has its time come?
    • Debate around the arrival date of post-quantum cryptography rivals that of the second coming, but most agree that there is much work to be done to encrypt data for a PQC world that is looming ever closer. Our unscientific observation was a heightened sensitivity to the prospect of quantum as a threat, which we will be hearing more of in the near future.
    • Quantum readiness is this era’s version of Y2K but with less clarity.  Both the date and the algorithm used are far from certain. Nevertheless, expect to see organizations accelerate their upgrade cycles.

  • Do you know where/who your agents are?
    • As companies grapple with keeping track of AI tools in their organizations, companies that were formerly focused on areas such as API security or vulnerability management are pivoting to shadow AI.  At one session a claim was made that over 60% of enterprises have semi-autonomous agents running with excessive permissions.
    • As we touched on last year, IAM, which in years past was considered a mature category, is back in the limelight to contend with non-human identities (NHI), permissions and insider risk, and does not appear to be at risk of losing its share of a non-growing cybersecurity budget pie.

Unfortunately, RSAC occurred just before Anthropic announced Claude Mythos. We would have liked to have heard the real-time reaction to its claim of identifying thousands of bugs and vulnerabilities (one being 27 years old!) in operating systems, browsers and applications. One suspects it would have made for a vastly different vibe, perhaps one a bit more sobering.

We welcome the opportunity to discuss these findings in further depth. Berkery Noyes specializes in creating options for our clients as they consider the best way to maximize value. If your capital needs currently exceed or will exceed $10 million, or you are beginning to consider strategic options, let me know if you have an interest in exploring the paths to growth that may be available to you.