5 unexpected takeaways and one big prediction from RSAC
The dust is settling, and CISOs are refocusing on what actually matters to their organizations, not just what marketers want them to care about (no offense to my marketing friends!).
This year’s RSAC was different. A big part of that is because for the first time, I showed up not as a product leader or industry insider, but as a founder of a venture-backed cybersecurity startup. From presenting in front of George Kurtz, CJ Moses, Robert Herjavec, and Bartley Richardson as one of just six finalists (out of 1,000+ applicants!) in the CrowdStrike, AWS, and NVIDIA accelerator, to taking the RSAC stage alongside the CEO of SailPoint Mark McClain and my Inside the Network co-hosts Sid Trivedi and Mahendra Ramsinghani, to book signing, hosting a CISO lunch, and co-hosting a packed happy hour in the evening, I got to do what founders do - hustle & make every minute count.
But that wasn’t all. Even though my most valuable part of the week was spent with customers and prospects, I did get to spend an hour and a half on the Expo floor. What I saw there was very different from what I’ve seen before. All that combined with my conversations with CISOs made me realize that this year’s RSAC was different from events I’ve been to in the past.
In this piece, I am sharing the main conclusions I walked away with from this year’s RSAC.
This issue is brought to you by... Tines.
Inspiration from Druva, PathAI, and more in this practical GRC guide
GRC today is more complex, and more critical, than ever. Between increased regulations across the board, data management and privacy concerns, siloed ownership, and time and resource constraints, it’s no wonder 46% of security leaders say spiraling regulatory complexity keeps them up at night.
In this practical guide for security teams, learn how your team can overcome the challenges of today’s fragmented, manual GRC processes. Get access to four opportunities for immediate impact, get inspiration from teams at Druva, PathAI, and more, and learn how you turn GRC from a checkbox into a strategic advantage.
Let’s skip over the usual stuff
Yes, the Expo floor is busy. Yes, there are many new companies. Yes, the industry is going through consolidation. Yes, not everyone can make it. Yes, we do have a lot of tools. Yes, some companies are not clear about what problems they are solving. Yes… You get the point. All these takes are not wrong, but it’s like going to Walmart and complaining that there is too much stuff on the shelves to choose from. Sure, but is that a bug or a feature? If you just need a loaf of bread, maybe it’s better to go to a neighborhood grocery store.
Yes, the RSAC floor is a lot, but similar to how you would approach Walmart (or any other big box retailer): you either go there with a shopping list so that you only buy what you need to buy, or you go there to see what’s available on the market. If you do the latter, better give your wallet and phone to your spouse so that you don’t end up walking away with stuff you never knew you needed.
I continue to be convinced that we need more founders brave enough to tackle problems that have previously been seen as unsolvable, that consolidation is an ongoing process, that just about every industry has become more crowded and more competitive, and so on. If you are a regular reader of Venture in Security, you know that I have several articles about each of these topics, and that I often try to remind folks that many things can be true at the same time, and that most people (be they CISOs, founders, investors, industry analysts, etc.) are just trying to do their best and succeed at their role.
With this out of the way, let’s talk about the takeaways.
Here are my unexpected takeaways after attending RSAC 2026
CISOs’ AI concerns today are grounded in reality
It hasn’t been long since the time when everyone was talking about how “Deepfakes are going to become every CISO’s #1 concern by 2025,” but guess what - it’s 2026, and it’s safe to say that this has not happened yet. This is just one example, and I am sure each of us can come up with a long list of these doomsday scares that didn’t materialize.
Every security leader I talked to at RSAC shared security concerns that are grounded, realistic, and pragmatic. It was not about “AI causing chaos” or “every employee using deepfakes” (not in my discussions anyway). I saw CISOs worried about the fact that they don’t fully know where their company’s data is going because of the number of AI tools employees are using to be more productive (you know, the usual shadow IT problem, now described as shadow AI). I saw CISOs realizing that attackers can now use AI to do reconnaissance at scale, and to find and exploit gaps in fundamental controls (identity, vulnerability management, etc.) that they simply had no manpower to manage at scale.
It wasn’t long ago that no one could cut through the noise, but now things feel back to normal. Going into the event, I expected fears of an AI “armageddon” to dominate the conversation, but that never materialized. It looks like AI is becoming a part of everything, and we’re slowly moving on from treating it as something new.
There’s a lot of excitement about using AI to solve old problems
A couple of RSACs ago, every mention of AI came with a sense of dread. The narrative was overwhelmingly negative - attackers would use AI to get better at breaking in, employees would misuse it, and things would go very wrong everywhere all at once.
This year felt very different because the tone shifted from fear to possibility. There was real excitement around how AI could finally help solve problems that have been stuck for decades. Take my experience at the CrowdStrike, AWS, and NVIDIA accelerator, where I presented as one of the finalists. The company that took the top spot - Jazz Security - is using AI to tackle DLP. Not exactly the most sexy space, and one the industry has struggled to get right for years, but now, for the first time, it feels like we might actually have a shot at solving it.
When I spoke with CISOs, the excitement around AI was everywhere - AI for pentesting, AI for identity, AI for exposure management, AI for the SOC, AI for vulnerability management, etc. Across the board, the theme around AI was not about replacing engineers, but about using it to finally solve problems that have been unsolvable for years. That’s exactly where I personally believe the real opportunity lies, so seeing the industry align around that mindset was really encouraging.
Security startups are doing a better job with messaging
About 20 minutes into my journey on the Expo floor, I started to feel like something was off. I couldn’t figure out what was going on until it hit me: I was able to understand what most of the companies were actually doing!
For the first time, I found myself reading taglines and thinking, “Ah, I actually get what they’re trying to say.” It made me realize that most security companies were never trying to be confusing on purpose, they just struggled to clearly communicate their story. LLMs are making it much easier for technical founders to explain why their features matter and what problems they solve, while also helping non-technical marketers better understand and articulate what the product is actually built to do.
Interestingly enough, I think startups are doing a better job at messaging than large companies. I don’t know why that is, but if I had to guess, I’d say that it’s probably because of two reasons. First, the bigger the company, the more people are involved in approving every message, and the more people you add, the more the outcome starts to feel like a watered-down version that makes everyone kind of happy. What begins as something clear and specific, like “we back up your data so you can recover from ransomware”, somehow turns into “resiliency at the speed of light,” and you’re left wondering what that actually means. Second, larger companies have broader product portfolios, and that makes people want to come up with a single tagline that describes everything they do. In reality, that’s incredibly hard, so more people get pulled in, more opinions are added, and you end up right back at the same diluted, overly abstract messaging.
The real competition is not other vendors, it’s doing nothing
Most security teams I spoke with aren’t actively doing POCs with 10 vendors that solve the same problem. Instead, most of the time they’re deciding whether to even prioritize the problem this quarter (or this year, or ever, really). Basically, the biggest blocker for cybersecurity startups isn’t budget, it’s buyer attention.
This isn’t in any way a new phenomenon, but nowhere is it as clear as when you are looking at cybersecurity buyers trying to find the few things they actually care about on the Expo floor. There are many loud voices on LinkedIn saying that because of AI, security teams are now building products themselves instead of buying them, but when you listen to CISOs, it becomes clear that for many problems, they simply do nothing (and for some really good reasons).
My biggest takeaway: security leaders are going back to fundamentals
There are many takeaways from this year’s RSAC I would like to discuss, and there are many things I am reading from others that I don’t quite agree with. My biggest takeaway from RSAC 2026 is that security leaders are going back to fundamentals.
What I saw at this year’s RSAC is that more and more CISOs are refocusing on the basics. The last few years proved that what gets companies breached isn’t some novel zero-day or AI-driven threat, but weak fundamentals. After decades of tool sprawl, overlapping categories, and being pulled in random directions by every new trend, there’s a growing realization that the real gaps were never about needing more cool tech. I heard it over and over again that teams are doubling down on asset visibility, tightening identity controls, cleaning up access policies, enforcing least privilege, and getting serious about operational rigor. Things like patching, vulnerability management, access reviews, and other boring areas are what actually get people to spend time and money, because that’s where the real problems are. There’s also a shift in mindset - instead of asking “what new tool should we buy?”, the question is increasingly “are we actually using what we already have the right way?” Instead of adding more layers, teams are trying to simplify, consolidate, and make their environments understandable again.
AI is part of this story, but not in the way people expected a year ago. Instead of replacing fundamentals or replacing security engineers (good luck with that!), AI is becoming a way to finally execute on the fundamentals at scale. This focus on fundamentals is what I discussed on Illumio’s podcast right before RSAC, and it is what I expect to see more of as we go further.
My biggest prediction is this: once the hype settles, the industry will keep moving back toward fundamentals, and we’ll see that trend accelerate over the next few years. It’s the right direction, because most breaches don’t come from sophisticated zero-days or intricate attack chains. They come from much simpler failures like default credentials that were never changed, assets that no one even knew were still out there, temporary exceptions that became permanent without anyone noticing, and similar “boring” problems. The rest is just marketing.