RSAC 2026 is in the rearview mirror. Reflecting on one of the definitive cybersecurity conferences of the year—once again, more than 40,000 infosec professionals descended on the Moscone Center in San Francisco—IANS Senior Research Directors Gina Glendening and Nick Kakolowski share what they learned on the ground at the event.
5 questions with IANS research team members on RSAC 2026
What stood out for you from the keynote stage?
Nick: There was a singular message: AI isn’t on the horizon; it’s here. In the wake of major improvements to AI models, businesses are moving headlong to implement AI and figure out security as they go. There’s still a great deal of uncertainty in the marketplace and a ton of vendor hype to cut through. In this environment, security leaders are striving to build functional governance models and figure out how to assess and mitigate AI risk on the fly.
Gina: We felt an urgency this year that defenders need to move faster—not just to secure AI as Nick points out, but to use it to security’s advantage because adversaries are using AI to accelerate their speed, scale and sophistication. As we reflect on the messages we heard from the keynote stage just a few weeks ago, it’s not lost on me that some future predictions are already playing out in real time.
During the Keynote panel, “The Five Most Dangerous New Attack Techniques: Crucial Tips for Defenders ,” led by Ed Skoudis (who is also an IANS Faculty member), panelist Joshua Wright warned of AI’s potential ability to discover new vulnerabilities faster (and better) than humans. He even put up a slide quoting an Anthropic research scientist that said, “Current LLMs are better vulnerability researchers than I am. Future LLMs will likely be better than us.” Now, with the announcement of Anthropic’s Mythos and similar models, Wright’s warning to accelerate every phase of patching hits that much more urgently.
On a lighter note, I also enjoyed Kevin Bacon poking fun of himself and how each of us is now one “degree” closer when we play the game, “Six Degrees of Kevin Bacon.”
What were some of the trending topics at RSAC this year?
Nick: I was struck by how single-minded the conference felt this year. Regardless of the topic of the session—whether it was on the evolution of the CISO role, how to structure teams, or how to think about evolving regulatory and legislative measures—AI was the central theme. We often talk about the technology sector, and as a result, cybersecurity, as a field that moves quickly. In practice, commercial entities historically move fairly slowly. Few businesses are willing to take the risk of being early adopters. AI is changing that. The pace of change in enterprise settings is starting to keep up with the media hype surrounding the tech sector. This acceleration is exposing the cybersecurity debt businesses have been carrying. As a result, every topic is turning into an AI conversation in the sense that the cultural and operational changes being brought on by AI are serving as catalysts to invest in fundamental cyber capabilities—be they strategic, process-related or in tooling—that have long been under-prioritized in the industry.
Gina: I noticed that the “fundamentals” and areas in cybersecurity that are far from solved were overshadowed by the dominance of AI, either as a part of the conversation or instead of it. Certainly, the impact of AI on every facet of security—one could argue even culture and life these days!—cannot be ignored. It would be foolish to have conversations about areas the industry has been grappling with for years without recognizing how AI is impacting them as well.
Any standout speakers or sessions you came across this year?
Gina: IANS Faculty led many of the standout sessions I saw this year at RSAC. That said, it’s great to see the broader security community benefit from the experiences and expertise the IANS community has the privilege to gain from our Faculty every day.
This year, I was particularly impressed with IANS Faculty Aaron Turner and Rich Mogull’s presentation on “Multi-MCP and Multi-Agent Security Reference Architectures.” The way they broke down such a complex topic—and an area moving at light-speed right now—to provide practical, actionable solutions was fascinating.
IANS Faculty George Gerchow and his co-presenter Harold Byun from BlueRock were equally as compelling with their practical (and humorous) take on “Securing AI Agent Toolchains: Exploiting and Hardening MCP Servers.” Not only did they entertain by seeing how far through the presentation they could get before one of them said those two letters “AI” (Harold lost about half-way through, making the audience break out in both laughter and applause), they challenged the audience to think about both the good and bad of MCPs and provided practical guidance exemplifying their obvious expertise in the topic.
Outside of the IANS Faculty-led presentations, I found the panel on “The Cyber House Rules: Perspectives on the 2026 Congressional Agenda” very interesting. Despite the lack of participation of any federal U.S. agencies on stage (from what I understand, the invitation from RSAC to all agencies was extended, but none were accepted), this panel represented a microcosm of the current government’s views on cyber. Congressional Staffer Roland Hernandez (R) spoke glowingly of the administration’s recently released National Cybersecurity Strategy, while Staffer Moira Bergin (D) shared her many criticisms to it. The panel itself hit on all of the major topics we see the industry interested in: in addition to the administration’s National Cybersecurity Strategy, they discussed AI in government, cyber aspects of the current Iran conflict, the Cybersecurity Information Sharing Act of 2015, the CVE program, CIRCIA, and staffing cuts at CISA. They ended the panel in agreement of one thing: Regardless of party or position, it is important that everyone engages with Congress. The panelists encouraged the industry to continue to do more to do that.
What was your favorite part about being on site this year?
Nick: Stepping back from the sessions and connecting with colleagues, IANS Faculty and other conference attendees always stand out as the best part of RSAC. Not only did I get to explore San Francisco this year a bit more than I normally do, but I had a number of insightful conversations to help me contextualize what we’re seeing in the industry right now.
Gina: Year after year, what I enjoy most about RSAC is the community. I love spending time with our Faculty and getting to meet others in their circles—many of whom are truly among the best in the field. The talks, along with the conversations over meals and drinks, keep me intellectually energized and make the experience genuinely fun as I get to know them better on a personal level and continue to build those relationships.
What was IANS’ presence at RSAC this year?
Nick: IANS Faculty Steve Martano and I had the opportunity to present some of our CISO Compensation and Budget Survey findings once again as research partners at RSAC. This year, we focused our discussion on how the CISO role is evolving into an all-purpose digital risk problem-solver in the business. I was humbled by the attendance at the session and loved the great discussion we had with the CISOs in the room.
Gina: Beyond IANS’ presence on stage, it was great to see the IANS Faculty and clients throughout Moscone and the surrounding streets. With over 40,000 attendees, one would think it’s hard to find those within your community, but in practice, you can’t go a block without crossing paths.
Although reasonable efforts were made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions or advice.
Authors
Gina Glendening, IANS
Nick Kakolowski, IANS
About IANS
IANS helps cybersecurity leaders act faster and make better decisions by providing expert insights and actionable guidance from more than 170 experienced practitioners, proprietary benchmarking data, content-rich events, peer-to-peer information-sharing opportunities, and customized consulting services. Learn more at IANS.