The 5 Lessons RSAC 2025 Forced Me to Learn About Modern Cybersecurity

Attending the RSA Conference 2025 in San Francisco was both exhilarating and sobering. It is one thing to read about the reports or watch product demos on the internet — quite another to be with more than 400 cybersecurity vendors, several thousand industry professionals, and the very real energy of an industry in transformation. \n

But as a founder, I came to RSAC not just to network or scan the expo floor. I came to get a perspective. And few people provided more clarity than cybersecurity veteran Richard Stiennon. His post-conference reflection hit home — not just because of what he saw, but how he framed it. \n

So, instead of a traditional recap, I want to share what I took away from RSAC 2025, through the lens of my own experience and with Stiennon’s reflections as a compass.

\ I’m Andrew, a serial entrepreneur sharing my vision and story on creating value in the AI cybersecurity market.

1. Cybersecurity Has Officially Become Overwhelming — and That’s Not All Bad

Stiennon pointed out the sheer scope of the expo: over 400 exhibitors, many of them new, and the usual suspects expanding into everything. He noted, rightly, that “you can walk the expo floor for three full days and still not see it all.” I know because I tried.

\ From data security and threat intelligence to identity, AI safety, and even cybersecurity for space infrastructure, the breadth is staggering. But here's the paradox: the industry is growing because the threats are growing. Attack surfaces expand. Regulations multiply. Complexity is the new baseline.

\ And yet, amid this sprawl, I saw something hopeful: a deepening of purpose. Many vendors weren’t just selling; they were refining. I had some of the most honest conversations I’ve had in years — not about flashy roadmaps, but about “what actually helps customers sleep better at night.” That shift felt real.

2. AI Is Everywhere — and Now Everyone’s Watching What It Really Does

AI was the oxygen of RSAC 2025. It was in every talk, every pitch, every booth backdrop. And yes, some of it felt like vapor. But not all.

\ Stiennon’s observation was sharp: we’ve reached peak AI hype — and that forces vendors to either back it up or be dismissed. What impressed me were the ones who took a sober view. The best vendors showed exactly how AI was helping reduce analyst fatigue, surface novel attack patterns, or support identity verification in real time.

\ One standout moment for me came during Cisco’s presentation. Jeetu Patel introduced their open-source 8-billion parameter Foundation AI Security Model — a bold move toward standardizing AI for security without locking users into proprietary systems. This wasn’t just a tech demo; it was a signal that the AI wave is entering its infrastructure phase.

\ Still, as Stiennon noted, “just adding GPT to your product doesn’t mean it works.” We, as buyers and builders, need to demand clarity: What models? What training data? What safeguards? These are not just technical questions — they’re ethical ones.

3. The Industry Is Splitting and Consolidating — at the Same Time

One of Stiennon’s more interesting takes was on the state of the vendor ecosystem: while some players are consolidating and going horizontal, a new generation of hyper-focused startups is emerging. It's the classic barbell effect — with giants on one side, and specialists on the other.

\ I saw this tension firsthand. On the one hand, there are platform vendors that now offer “everything” — EDR, SIEM, XDR, IAM, cloud security, and OT. On the other hand, I met two-person teams building anomaly detectors for SaaS apps or decentralized key management layers. Both are needed. But they solve very different problems.

\

As a founder, this poses strategic questions: Do we partner with larger players to embed into broader workflows? Or do we double down on solving one painful problem better than anyone else? RSAC made me realize there’s no single right answer. But there is one wrong answer — trying to do both without the resources or focus.

\

4. Identity Is the New Perimeter — and Everyone Knows It

If there was one area that got disproportionate attention at RSAC 2025, it was identity. According to Stiennon, 332 sessions were related to identity in some form, and that’s not a coincidence.

\ From passwordless authentication to continuous behavioral profiling, the message is clear: identity is no longer a checkbox. It’s the new battlefield. As zero trust matures from buzzword to baseline, identity becomes the front door, the hallway, and the lock.

What struck me was how deeply integrated identity is becoming into AI safety, compliance, and even incident response. The best vendors weren’t just securing identity; they were enriching it — using telemetry, heuristics, and even blockchain-derived proofs to ensure users are who they say they are.

\ It made me ask: Are we doing enough in our own product to treat identity not just as access, but as context?

5. What’s Old is New Again: The Return of Community and Trust

For all the AI and automation and funding noise, RSAC 2025 had a surprisingly human undercurrent. Hugh Thompson, RSAC’s Executive Chairman, closed the conference by talking about the need for a “Bayesian mindset” — staying open to uncertainty, collaborating, and building systems that learn as threats evolve.

\ It resonated. Because the truth is: cybersecurity is a human system before it's a technical one. What keeps breaches from becoming catastrophes isn’t just detection speed — it’s relationships. Between vendors and customers. Between red teams and defenders. Between founders and their communities.

\ Stiennon, too, underscored this. His view — that the industry is moving from “fear-driven marketing” to “trust-driven operations” — felt spot on. You can’t just scare customers anymore. You have to serve them.

Final Thoughts: What This Means for Us

We in the industry need to be more explicit about where we're creating value, honest about what works with technology, and more rigorous in how we measure danger. Perspective is everything, after all. And in such a loud marketplace, clarity is a competitive edge.

\ So, to our customers, our partners, and our peers: expect more from us. This year, we’re doubling down on clarity, ethics, and real-world impact. Not just because RSAC inspired us, but because this industry demands it now more than ever.

\ Richard Stiennon’s full post, including his curated exhibitor list and detailed takeaways from RSAC 2025, is available on his Substack.