Reflections on RSAC 2025: Key Takeaways and Infosec Trends

IANS was on stage as a research partner at the 2025 RSAC Conference in San Francisco. RSAC is the central meeting place for the cybersecurity community, with more than 450 sessions and what organizers say was a record-breaking 44,000 security professionals and luminaries in attendance. Nick Kakolowski and Gina Glendening, two of IANS’ senior research directors, were there and are sharing their reflections on RSAC 2025.

5 questions with IANS research team members on RSAC 2025

1. What stood out for you from the keynote stage?

Nick: The transition in tone around AI popped. The infosec community has understandably been quick to flag how much of the AI conversation over the past year has been built on hype and promises, not results. This year, the examples in many of the keynotes and the discussion around that content have shifted. AI is starting to show results and emerge from a promise into a practical option in the right use cases.

Gina: While I obviously wasn’t surprised that many of the keynotes focused on AI, an evolution from previous years was the focus on agentic AI and, like Nick points out, a shift in the framing of AI from highlighting the potential of the technologies to actual applications organizations can (and, more urgently, should) utilize now. The acknowledgment that adversaries are using AI to increase the speed and scale of their attacks was a key theme, along with how necessary it is for defenders to heed that call to action. One of the standout keynote sessions was the panel, “Hollywood’s Take on Cyber Conflict” with Chris Krebs, Jen Easterly, Rob Joyce and Michael S. Schmidt. It was on the last day of RSAC and was a great summation of themes heard throughout the week.

“I started the AI journey worrying very much about how it enabled speed and capacity. It would make everyone faster, whether you’re offense or defense,” Joyce said. “But the folks that worried about the end-day machine—zero-day machine—being powered by AI: I was fairly dismissive here last year… Today, AI is getting very, very good at finding flaws in software.” He went on to say that while it’s still hard to do, it can be done at scale. However, alongside worries of adversarial use of AI, there is optimism around the opportunistic uses for defenders. “AI is going to be—is already—arguably the most powerful technology of our lifetime, and it’s going to change everything,” Easterly said. “I think in the world of cyber defense, AI will help us create systems that can detect a cyberattack before it occurs, that can identify vulnerabilities no human ever could and can deploy countermeasures in a millisecond and then learn from every attempt to breach them.” That such well respected voices in the community are now singing this tune—not just the vendor community—stood out to me.  

2. What were some of the trending topics at RSAC this year?

Nick: I tend to focus on the leadership content at RSAC, and the themes remain similar to what they’ve been in the past: Dealing with burnout, managing liability, communicating with executives and influencing around the organization. It comes as no surprise that the CISO role continues to evolve and these core executive skills are becoming more important each year.

Gina: Agentic AI was the buzz this year. It seemed every talk had mention of it—whether front and center or dropped into whatever topic was being discussed. Now, as we sift through hype vs. reality, it will be interesting to see where and how security teams and solution providers are deploying agentic AI. Is what they’re calling agentic AI the same across the board, or are they just using the term synonymously in reference to any type of AI? Will it make teams more efficient? Replace jobs? Live up to all the promises made? If so, when and at what stakes?

3. Any standout speakers or sessions you came across this year?

Gina: The panel I look forward to every year is led by Ed Skoudis (an IANS Faculty Member) on “The Five Most Dangerous New Attack Techniques… and What to Do for Each.” This year, the panel called out how attackers are using authorized user privileges in unexpected ways, which they termed authorization sprawl. This insight underscores what we hear in our IANS community all the time surrounding the challenges (and importance) of identity controls and protections. The panel also pointed out increasing and more damaging attacks (oftentimes ransomware) we’re seeing to industrial control systems and operational technology. In addition to the common challenges faced by that sector for years, they noted that adversaries are now manipulating and misusing the tools and technologies available for the asset owner/operators in particularly nefarious ways, including to gain a foothold in the environment. To a sector that has primarily focused on availability for many years, they asked: “Do we want to keep a system up 100% of the time while someone is misusing it with a potential path to destruction?” It adds a layer of complexity to an already difficult situation defenders are tasked with managing.

Other sessions I enjoyed for their practicality and actionable insights and recommendations were delivered by IANS Faculty. From Aaron Turner’s session on Identity to George Gerchow’s session on Harnessing AI to Enhance Cloud Security; Ismael Valenzuela’s session on AI, Automation and Threat Modeling; Russell Eubank’s session on How to Succeed in Your First 90 Days as a CISO; or Bryson Bort and Sounil Yu providing a hands-on workshop on Sounil’s Cyber Defense Matrix—there are so many IANS Faculty on the RSAC stage each year, it’s hard to catch all of their presentations in person. (I’m thankful I’m able to check out the recordings after the fact.) I always find IANS Faculty lead the standout sessions at RSAC. It’s great to see the broader security community benefit from the experiences and expertise the IANS community has the privilege to gain from our Faculty every day.

4. What was your favorite part about being on site this year?

Nick: Interacting with members of the IANS Faculty. These industry luminaries always stand out at RSAC, and it’s such a pleasure to get to see so many of them and spend quality time with them throughout the week in San Francisco.

Gina: I agree. This year and every year, my favorite aspect of RSAC is connecting with our Faculty and meeting the people in their networks, who are often the best in the industry as well. The presentations and conversations over meals and beverages feed my intellectual curiosity and bring me joy as I get to know each of them better as individuals.

5. What was IANS’ presence at RSAC this year?

Nick: I had the opportunity to present at RSAC. Getting on stage with IANS Faculty Steve Martano was a blast. We had great participation from folks in the room, and the conversation with them was fascinating. The opportunity to participate in such an engaging conversation with this community is always humbling.

Gina: In addition to the presence on stage, I loved walking around Moscone and the streets surrounding it and seeing so many from the IANS community in San Francisco. One would think that with 44,000 people in attendance, how could you ever find anyone? But, in reality, you can’t turn a corner without bumping into someone you know.

About the IANS Faculty

Our Faculty comprises more than 150 renowned security practitioners with deep, domain-based knowledge who understand—firsthand—the challenges faced by CISOs and their teams.

IANS connects clients with Faculty to help them make better decisions, grow professionally, save time and stay compliant. Get in touch to learn more about how we can help move your security program forward.

Although reasonable efforts were made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions or advice.