RSAC Conference 2025: Breaking records at the threshold of uncertainty


A rebranded RSAC Conference went beyond post-pandemic recovery status with new records set for attendance in 2025, with more than 43,500 attendees, 730 speakers, 450 sessions and 650 exhibitors. Here, our analyst team offers an overview of key conference themes, as well as closer looks at topics in the areas of data security and privacy, identity and access management, and security operations. We also explore the demonstrations of innovation in security technology at the event, for which the conference is well known.

The Take

Once again, security for AI and AI for security were the most-discussed topics at the event. There is abundant reason for security practitioners to be simultaneously hugely optimistic and markedly pessimistic. For all the benefit AI promises for the better handling of overwhelming volumes of security data and processes, it also introduces entirely new categories of cyberrisk on multiple fronts. Yet AI was not the only high-profile topic at the RSAC Conference 2025. Political and economic uncertainties were brought into focus for the cybersecurity community by what briefly appeared to be the imminent end to US government funding for a critical element of vulnerability management. These factors colored discussions of everything in security, from supply chains and data sovereignty to how companies can best prepare for a future that may be difficult to anticipate. The variety and intensity of many discussions at the conference spoke to the drivers behind its record attendance, and bode well for its future as a well-established community invested in how these issues will unfold.

The RSA Conference Conference?

RSAC was careful to request that references to the conference in media not be shortened to the RSA Conference or similar, noting both its private-equity-led separation from what is now RSA Security in 2022 and more directly the rebranding of the conference entity at the beginning of this year to RSA Conference (RSAC). This led to some humor around the RSAC Conference branding (RSA Conference Conference?), but also some reflection that the extra “C” denotes an emphasis on community, a subject of RSAC committee program chairman Hugh Thompson’s keynote. Given the emphasis that conference goers put on the value of the informal conversations that occur when an entire industry gathers in one place, that may be an acknowledgement of the true value of the conference.

With the recent CVE scare (the threat of loss of US federal funding for MITRE to manage the Common Vulnerabilities and Exposures program, a public catalog of known vulnerabilities depended on by many security products), it is understandable why many in the security industry have communal resources top of mind. The Cybersecurity and Infrastructure Security Agency (CISA) averted this potential problem with an 11-month contract extension, but the future of CISA itself was also in view, with Chris Krebs, the agency’s first head, criticizing the current presidential administration for cuts to cybersecurity personnel. Its next director, Jen Easterly, similarly called out key dismissals in federal government of non-partisan public servants. These viewpoints were countered by current US Secretary of Homeland Security, Kristi Noem, who defended the cuts and emphasized a mission change for CISA to concentrate on critical infrastructure protection and away from preventing misinformation. She further called for reauthorization of the decade-old Cybersecurity Information Sharing Extension Act, which in part calls for greater sharing of vulnerability information by the private sector with her department.

An active innovation and networking scene

The Innovation Sandbox competition event doubled in both physical space and attendee size in 2025, with Thompson noting that 140 entrants were considered finalists. With judges mindful of the event’s role as a statement-maker, they chose ProjectDiscovery.io as this year’s most innovative startup.

This win says much about how the Innovation Sandbox is not just a showcase for entrepreneurs; it is also a barometer of practitioner priorities. One recurring manifestation of that aspect is the tendency for the competition’s victors to vary from those capitalizing on the latest “buzz” to those working to solve some of security’s most intractable, and often least “buzzy,” problems. Of the 10 Innovation Sandbox finalists, seven were directly involved in the intersections of security and AI. ProjectDiscovery.io, however, is different: While it has some AI in its operational capabilities, it fundamentally addresses a chronic issue in vulnerability management. As a hosted service for the popular Nuclei open-source vulnerability scanning tool, it identifies and addresses exposures in applications quickly, helping to close the exploitability time window before adversaries can inflict damage. It is a priority that organizations often spend considerably on, yet there still remain large gaps in effectiveness.

The Innovation Sandbox is just one aspect of the RSAC Conference’s role as an entrepreneur’s conference as much as it is a practitioner event. While discussions about attacker tactics and novel security risks are perennial, the sheer entrepreneurial presence at the RSAC Conference is unmistakable. Beyond the Innovation Sandbox, the Early Stage Expo also doubled in size, with 67 vendors. While there have been anecdotal concerns about conference return on investment or true customer persona matching, 106 exhibitors made their debut on the main expo floor. Even the periphery of the expo floor felt packed right up through the last day.

Networking opportunities at the RSAC Conference go well beyond the conference itself. Preceding the event, BSidesSF, for example, booked 2,500 attendees and reserved the entire adjacent Metreon theater venue. Despite headline concerns and macroeconomic uncertainty, the atmosphere at the conference seemed more optimistic, and several exhibitors announced significant venture fund raises leading up to the conference. Northern California is still the epicenter for venture investing in general, and cybersecurity is no exception. Perhaps for this reason, trade group representation from the Netherlands, Germany, Spain, Ireland, Korea, Saudi Arabia and Singapore showcased new offerings from their respective countries. We expect to further explore venture funding among many of the RSAC Conference 2025’s exhibitors in future reports, and consider what outcomes potentially lie ahead in the current environment.

Advances in security operations technologies

In S&P Global Market Intelligence 451 Research’s survey, which is focused on SecOps, respondents indicated they are unable to investigate 43% of security information and event management/security alerts in a typical day, down 11 points from a year ago (54%) — the largest change, and first drop, since we first asked the question in 2020. The 2025 conference showcased security analytics advances that may be responsible for some of this drop. These included increased adoption of centralized security platforms coupled with cloud-based security lakes and increased use of normalized schemas like the Open Cybersecurity Schema Framework (OCSF), easing the process of collecting, normalizing, storing and processing security telemetry from multiple sources.

Early gains from the deployment of generative AI-based assistants may also be contributing, aiding security analysts by reducing the analytical burden of performing alert analyses, determining likely root causes and recommending potential courses of action. Several vendors announced agentic AI technologies at the show, including agents that can automatically perform alert triage, investigate phishing incidents and perform automated malware analysis. In the future, agents will likely also be capable of automating routine actions either autonomously or with a human in the loop. The dawn of the agentic security operations center is clearly upon us.

Centers of gravity coalescing around identity and access management

451 Research’s conceptual framework for “centers of gravity” and the related industry discussion around “platformization” have become increasingly relevant for identity and access management (IAM) vendors, which continue to expand outside their former silos into adjacent markets. This includes “lite” versions of identity governance and administration (IGA) tools that address novel use cases without requiring a heavyweight IGA rollout. Similarly with privileged access management (PAM), it is becoming common for vendors to address what are typically considered PAM use cases, such as addressing privilege escalation or just-in-time privilege management or secure remote access without a full PAM deployment. This is becoming an important way to address what we call the “PAM paradox”: the fact that many of the top identity management pain points are addressable with PAM, yet enterprise adoption of PAM hovers at about 40%, well below other common security tools.

As with security operations, deployments of generative AI-based technologies are rapidly becoming de rigueur in IAM circles as well. Obvious use cases for AI agents are the many highly manual IAM processes such as user access reviews and managing entitlements and permissions, as well as for authorization decisions (what can or should this user or resource be allowed to do?).

In authentication, momentum seems to be gaining for “phishing-resistant,” passwordless forms of authentication, particularly for Fast IDentity Online (FIDO)-based methods like passkeys. Authentication vendors are also increasingly supplementing their multi-factor authentication offerings with advanced identity verification techniques to further address onboarding, user provisioning and credential resets.

Data privacy and governance face fragmentation

While data governance technology has been largely established since regulatory changes in the early 2000s, data privacy management — or the PrivacyOps category, based on S&P Global Market Intelligence 451 Research’s Market Monitor sizing — is much more recent. PrivacyOps largely emerged between 2016 and 2018 as the EU’s General Data Protection Regulation went into effect. Yet while vendors in these (overlapping) privacy and governance spaces traditionally often pursued compliance, legal and policy-oriented budget, the go-to-market landscape has shifted today.

Enterprise data privacy and data governance practices are more cross-disciplinary than ever before, but there is often disproportionate burden for certain groups involved. Based on a survey conducted by S&P Global Market Intelligence 451 Research, the general IT function often takes on decision-making and execution responsibilities for the five privacy functions aligned with the National Institute of Standards and Technology Privacy Framework. Realizing this critical role of technical personas, data privacy and data governance specialty providers are increasingly chasing budget from IT programs and the office of the chief information security officer (particularly data security budget), notably as dedicated privacy and compliance teams struggle to rally resources amid regulatory structure that has lagged in enforcement action.

Today, the data privacy and data governance providers visible at the RSAC Conference 2025 are often best differentiated not by their specific technology architecture or use of AI, but rather by their primary enterprise purchase influencers. Specialists are now pursuing different departments and budgets, even when they may look very similar based on their technology or supported business outcomes. This risks further fragmentation of the market, and potential confusion among enterprise stakeholders. Businesses need to be cognizant of their own organizational structure and responsibilities in order to evaluate products in privacy and governance accurately.

Looking ahead

AI remains a central topic for cybersecurity as it is across most other aspects of technology, and that seems unlikely to diminish any time soon — quite the opposite, in fact. An explosion of AI agents introduces potentially a much more complex environment for managing functionality that ultimately aims for greater autonomy in comprehension and actions. This will likely have a significant impact on security, not least in devising ways to assure accountability and control for agentic functionality — and thus, likely also the identities and privileges associated with agents. While specifications such as Agent2Agent (A2A) and the Model Context Protocol (MCP) are emerging, there is clearly far more work to be done on the security front to help assure what has already been an explosion in the adoption of generative AI.

We expect the RSAC Conference in 2026 to be a leading venue for showcasing not just discussions but innovation in tackling these and other frontiers, and for calling out key developments in what comes next.


This content may be AI-assisted and is composed, reviewed, edited and approved by S&P Global in accordance with our Terms of Service.