National Cybersecurity Center
Blogby Rachel Gardner

Musings on RSAC 2026 

Musings on RSAC 2026 

By Greg Oslan 

March 31, 2026 

RSAC 2026 — my 25th — just wrapped up, and, as usual, it didn’t disappoint. At the conference, I thrived on reconnecting with old friends, colleagues, and countless new acquaintances. I was energized at every turn: from meeting with venture capitalists and investment bankers, learning more about established cyber companies and startups at the forefront of the next great thing, and attending well-organized events and random meet-ups. Indeed, every year, RSAC is a reminder of our great cyber-ecosystem, a problem set that we continue to chip away at (but have yet to solve), and the amazing creativity of the human — and now artificial — mind. 

This year’s conference presented some key takeaways. First, the level of marketing investment continues to amaze. There were the usual large booths — likely costing at least $2 million — mostly in the front and through the center, and myriad smaller booths (perhaps $50,000 — still a big bill for a startup) around the back and on either side. Offsite events hosted by retail businesses disguised as companies took over smaller venues and all of the major hotel ballrooms within a couple blocks of The Moscone Center. And I saw cars wrapped with logos and messages, buses with signs, and walking billboards — people dressed in costume. The quest for attention seemed endless. 

Second, despite all the fanfare, I was disappointed in how companies lacked the ability to stand out. For example, so many cyber companies claimed to be the “leader” in vibe coding, and agentic AI-driven, AI-powered, quantum-ready, next-generation solutions. It was a lot of “We are the best! Just ask us.” This is not to demean the many really good companies, products and ideas. Artificial intelligence is likely a key part of their strategy. But why should the customer or the partner care? The reality is that they might be introducing more risk into their environment if they don’t really understand the implications of use. They might be able to code or test faster, but how does anyone really know? To be clear, I’m pro-AI and an agentic architecture. In fact, we use it at the National Cybersecurity Center in almost everything we do. However, we debate incessantly about how to be sure our models are working correctly, not drifting, hardened against prompt injection, and providing consistent answers — all while the underlying models from OpenAI, Anthropic, Google, and others are changing. 

And third, while RSAC is the largest cybersecurity show in the world, it’s mostly focused on the business-to-business segment. For obvious reasons, that’s where the money is. But I found fewer than 10 companies that are addressing the weak link in the chain — people. After all of these years and billions and billions spent, more than 80% of all cyber breaches can still be traced back to an individual. And, after speaking with well over 100 people this week, I found that they all agree. We’ve tried training, educating, forcing compliance, and everything in between. Still, nothing has really changed. My goal for RSAC 2027 is to increase the dialogue around individual risk and how that translates to both personal and business risk. Most individuals work in a business of some sort, and if they are not aware, knowledgeable and able to keep themselves safe online, how can they help a company to do the same? 

I also attended Piper Sandler’s investment banking conference, and made note of some interesting themes: 

  • The leading company metric this year is gross net retention (while also adding customers, growing your top line, holding 85%-plus gross margins and not spending too much, of course). 
  • The IPO market remains uncertain, given the conflict in the Middle East, sky-high valuations, and lots of component solutions. While last year was a good exit year through acquisitions, they were concentrated among a small number of buyers that can buy the best private companies (with lofty valuations). 
  • As artificial intelligence evolves, so, too, does the offensive and defensive cybersecurity landscape. Adversaries are leveraging AI fast with no real boundaries. 
  • Several companies presented their solutions along with multiple fireside chats, including ones with Nikesh Arora, CEO of Palo Alto Networks, and Kevin Mandia, founder and former CEO of Mandiant, now CEO of Armadin and cofounder/partner at Ballistic Ventures. 

At events held by ForgePoint Capital (thanks to Alberto Yepez, cofounder/managing partner), Piper Sandler (thanks to Brian White and Lauren Webster), and others, I reconnected with more friends and colleagues — all former directors and senior leaders from the intelligence community. I also listened to Admiral Mike Rogers’ presentation on a number of topics (under Chatham House Rule, however). At the executive sit-down dinner at the Four Seasons, I had the opportunity to meet some great people and also heard a closing panel moderated by Silver Buckshot Ventures’ Founding Partner Nicole Perlroth that explored the opportunities and challenges of AI and cyber. Clearly, it’s AI all the way. The only question is, in what way? 

I haven’t missed many RSACs, and I certainly don’t plan on missing next year’s. I extend my sincere thanks to Greg Clark, Jen Easterly, and Hugh Thompson for all the effort required to make this the premier conference that it is. 

Read More

Spring Break Travel Tips to Protect Your Family s Devices#BlogMar 4, 2026

Spring Break Travel Tips to Protect Your Family’s Devices 

The Everyday Devices We Use – and How They Let Bad Actors In#BlogFeb 25, 2026

The Everyday Devices We Use – and How They Let Bad Actors In

National Cybersecurity Center Debuts Free Cyber Alerts as Part of Its Mission to Make Online Safety More Accessible#BlogFeb 18, 2026

National Cybersecurity Center Debuts Free Cyber Alerts as Part of Its Mission to Make Online Safety More Accessible