Thousands of cybersecurity professionals poured into San Francisco last week for RSAC 2025, filling Moscone Center’s halls with buzz, curiosity, and more than a few skeptical questions about the industry’s AI future. Whether through packed panels, impromptu reunions in the coffee line, or oddball expo floor games, there was no denying that this year’s conference had one major theme thumping through every hallway: artificial intelligence.
Some were intrigued, others cautious, and a few plainly unconvinced. But no one ignored it.
AI: The Good, the Hype, and the Real Questions
Derek Manky from Fortinet has been coming to RSAC for 15 years. That’s long enough to spot a real shift when it’s happening. And this year? AI wasn’t just a bullet point on a presentation slide. It was the undercurrent of nearly every discussion.
Tim Mackey of BlackDuck echoed that, saying the excitement around generative AI is no longer the main event — now it’s about separating what’s actually useful from what’s smoke and mirrors. And he’s not wrong. Talk of agentic AI, a more autonomous and proactive form of artificial intelligence, crept into conversations that used to be dominated by phishing and patching.
One sentence stood out:
“Agentic AI isn’t just ‘smarter’ AI — it does stuff on its own.” That came from AvePoint’s Tim Boettcher, who was keen to point out that these systems bring both benefits and fresh attack surfaces.
That duality was everywhere. Cisco showed off new AI integrations. Terra Security, a startup barely six months old, had already secured $8 million to take its agentic platform mainstream. Even that buzzword-heavy magic show on the expo floor couldn’t distract from how serious people were taking this shift.
What’s Actually Working? And What’s Just Shiny?
You could feel it: a sense of the cybersecurity industry holding its breath. Everyone’s sprinting to get AI into their platforms, but who’s pausing to ask whether it really works?
Tony Anscombe from ESET was direct. He said the industry is still catching up to attackers who are already using AI to refine social engineering attacks and churn out smarter malware. His concern? Too many vendors are shouting about AI “defenses” without showing the receipts.
Michael DeBolt of Intel471 had his own list. He was keen on behavior-based threat hunting — a technique that tracks how attackers act, not just what tools they use. He spent much of his RSAC time on the show floor, scoping tools that promise to move faster than the bad guys. Whether they actually deliver? “That’s the million-dollar question.”
Let’s pause and put a few things side-by-side:
| AI Use Case | Promised Benefit | Actual Concerns |
|---|---|---|
| Threat Detection | Faster response to anomalies | False positives, data overload |
| Agentic AI Integration | Autonomous security decision-making | Loss of human oversight |
| AI-Driven Analytics | Predictive defense strategies | Trustworthiness of outputs |
| AI in Phishing Defense | Real-time scam detection | Adaptability of phishing tactics |
Plenty of ideas. Fewer proven wins.
The Community Beat: Real Talk, Reunions, and Baby Goats
You can’t script moments like these. One minute you’re debating zero trust frameworks with a startup founder; the next, you’re petting a baby goat on the expo floor. RSAC always had a knack for blending tech with something more human, and this year, that blend felt… essential.
Ira Winkler from CYE summed it up best: “It’s always the same leopard. But the spots? The spots talk.”
And this year, the spots talked a lot about community. Sophos’ Chester Wisniewski noted how this year’s theme — “The Power of Community” — wasn’t just plastered on banners. It actually carried through the keynotes, the panels, and even the late-night bar chatter. Hugh Thompson’s keynote leaned hard into that idea. When the tech landscape feels unpredictable, people lean on people.
There was laughter. There was frustration. There were real connections.
Innovation in Focus: Who’s Building What (and Why It Matters)
For some, RSAC is where old friends catch up. For others, it’s the launchpad.
Leo Scott from DataTribe had his eyes firmly set on the Innovation Sandbox, a competition spotlighting the newest companies trying to shake up cybersecurity. This year? A lot of startups were tackling digital identity. Why? Because AI systems depend on who’s asking the questions, and identity is at the heart of that trust chain.
• Many entrants focused on AI-related identity issues
• Data integrity and verification were top startup priorities
• A shift from just blocking bad actors to validating good ones
Agentic AI was again part of the conversation here. Jon France noted that several companies weren’t just talking about it — they were shipping it. Cisco’s announcement grabbed headlines, but newer players like Terra Security showed that even tiny startups are ready to challenge the status quo.
Public Sector Takes the Stage: Policy, Workforce, and Big Shifts
You don’t often get cybersecurity, public policy, and military-grade urgency in the same room — unless it’s RSAC’s public sector day.
Marcus Fowler from Darktrace Federal said the discussions this year felt different. More grounded. Less buzzwords, more workforce pipelines, real budget questions, and agency collaboration.
The keynote by Gurpreet Bhatia — the acting deputy DoD CISO — didn’t hold back. Zero-trust isn’t a suggestion anymore. It’s the baseline. And as AI plays a bigger role, the pressure to secure federal systems with autonomy and auditability gets heavier.
And yes, it wasn’t just about policy. It was about people too. From recruiting cyber talent to training existing staff to think critically about AI tools, the public sector’s approach is starting to align with private players in a way that used to feel miles apart.
