My Takeaways from RSAC Conference 2025
Learnings, happenings, and goings-on of RSAC Conference 2025
40,000. What does that number mean to you?
Numbers are thrown at us from all directions, every day, whether we like it or not. They’re a constant presence in our lives, our actions, and our thoughts. So what comes to mind when you think about numbers? Maybe it’s the cost of something you saw in an ad, reading the time, trying to pretend you actually brush your teeth for two minutes every time, or maybe numbers are that series of digits on your weight scale that seem to creep higher and higher each time (is it just me?). Numbers are unavoidable. Numbers have meaning. Numbers have power.
Now, what about that 40,000: did anything come to mind?
Maybe you thought about money, thinking about how $40,000 is just shy of the average starting salary of teachers in the United States. Maybe Wikipedia’s definition of the number 40,000 came to mind, which is, literally, I’m not kidding, the “number that comes after 39,999 and before 40,001”. Maybe you recalled that 40,000 is the number of McDonald’s franchises around the world. Or, maybe you thought about the 40,000 calories eaten by one man in order to experience what a tiger shark’s diet is like (this is real).
Regardless of what may have come to mind, 40,000 means something specific when it comes to RSAC Conference. Here, 40,000 refers to people. 40,000+ human people descending upon one city and one conference, all for one purpose—cybersecurity.
I, as a human person, was one of those human people.
Let’s jump into what RSAC had to offer this year, as well as my take on what topics were top of mind, as well as my experiences on the vendor floor.
40,000+ people is a lot of people
40,000—That’s over twice the capacity of the Chase Center (where the Golden State Warriors play) and almost 2/3rds the capacity of Levi’s Stadium, where the 49ers do their sports-thing. 40,000 people is a heck of a lot of people.
In the context of RSAC Conference, that means 40,000+ cybersecurity professionals gathering together to listen to talks and gain industry know-how. RSAC Conference attendees range from the unemployed and the entry-level all the way up to corporate executives and government officials from around the world. In 2025, RSAC boasted 730 speakers across 450 different sessions, along with a maze of vendors. 650 vendors, to be exact.
To be fair, the real number of attendees this year is actually around 43,500, but once I found that story about a man eating 40,000 calories, I just had to keep it at 40,000 for coolness reasons.
NOTE: If “RSAC Conference” seems potentially redundant, it’s not; it’s actually on purpose. RSAC went through a formal rebranding in 2025, updating their name to “RSAC Conference” from the previous “RSA Conference”. This updated naming also helps to distinguish between RSAC and RSA Security, a separate entity.
Those 43,500+ attendees get funnelled into San Francisco’s Moscone Center, an enormous complex made up of three separate buildings: Moscone North, Moscone South, and Moscone West. In 2025, RSAC added a fourth location into the mix, the YBCA (Yerba Buena Center for the Arts). This gave RSAC a nice second stage for keynotes, so large talks can be held in two locations.
2025 Areas of Focus
Artificial intelligence AI-n’t going anywhere
“Old McDonald had a farm - AI, AI-Oh!”
The consistently hot theme across 2023 and 2024 was AI and, drum roll, it’s still AI. AI is everywhere and that was definitely the case at RSAC. The San Franciscan air itself hung thick with AI. A million different ads across buses, bus stops, windows, walls, and airports clamored for attention, all shouting about some kind of AI capability.
Of course, “AI” is a really broad term, isn’t it? I mean, at least it is to me, where I’m at like Level 2 out of 100 when it comes to deep knowledge of artificial intelligence systems (and I don’t think I’m alone). “AI” can refer to any manner of artificial intelligence and is unhelpfully non-specific. Most of the material that I experienced was approachable and not very technical, but keep in mind that there were many, many talks covering this topic. The subgenre of “Artificial intelligence/Machine learning” included 130 sessions.
Dozens and dozens of talks this year fell under some kind of AI-related theme, indicating that there is both heavy interest and heavy concern about how to secure this sprawling AI landscape.
As business leaders and teams buy more and more AI products, do security teams know all of the risks involved?
Do teams know how to secure these AI systems or implement governance mechanisms that help ensure proper use?
For AI, RSAC sessions covered such topics as:
AI tools are introducing new attack vectors
Tools, like code copilots, introduce novel attack vectors
Since most organizations are not building their own LLMs, are they aware of how LLMs themselves can be weaponized or poisoned?
Managing risk as AI proliferation continues
Unrestricted models like FraudGPT and WormGPT are enabling less technical threat actors
Minimal intelligence + simple prompts can equal exploit code they wouldn’t have the know-how to produce
Governance concerns
Your company has AI tools deployed, but do you have governance mechanisms in place? Do you have applicable policies in place, let alone enforceable policies?
What I found validating was that other security professionals are very concerned about AI systems in general; how do we keep our companies, our colleagues, and ourselves secure?
Geopolitical & regulatory impacts
It’s no secret that companies must conduct business in accordance with laws and regulations (duh, I know), but how do companies translate such legalese into actionable guidelines? Laws like GDPR outline what must be in place, but they don’t detail how companies reach compliance. That is up to individual companies to implement or not implement. With non-compliance penalties that force companies to pony up real-world dollars, security and security-adjacent functions are often on the hook.
There are always talks about the intersection of international law and security. I found it interesting that the fallout of the 2020 SolarWinds attack is still top-of-mind enough to warrant discussion in 2025, focusing on the litigation against Tim Brown, the SolarWinds CISO, that resulted from federal investigations. Perhaps this is because CISOs continue to face uncertainty about whether or not they may be held personally liable in the aftermath of a major compromise. For CISOs, the worry alone has to be a tremendous burden to bear.
It’s also no secret that nation states engage in unrelenting digital reconnaissance and espionage, constantly seeking an edge over friends and foes alike. I have loved the talks given by Kevin Mandia, a man who is quite literally in the room after major incidents occur, as he has a unique view into the global threat landscape.
His keynote this year, Cybersecurity Year-in-Review and the Future Ahead, paid particular attention to China’s state-sponsored threat actors. I found myself shocked at how directly he mentioned China and its ongoing support of cyber efforts directed against the United States. Various reconnaissance and malware campaigns have long been attributed to Chinese-backed APTs, yet Mr. Mandia’s callouts this year had an urgency to them—at least from a U.S. perspective, China has gained footholds across the country, especially within critical infrastructure. Sometimes the motive for infiltration and lateral movement throughout victim organizations is unclear, which is troubling. This year, Kevin also sat down with Nicole Perlroth to have a conversation that is worth the watch (look for it to be released on YouTube this summer!).
One session carried an interesting title, asking, “Autocracy or Democracy: Which is Better at AI?” While I did see this session, I found the title itself rather profound. I don’t think I usually consider different systems of government in regard to artificial intelligence development. I think it’s a fabulous question that is worth pondering.
What do you think?
How might any given system of government better enable technological development?
In the days following RSAC I’ll be watching more of these sessions as I try to learn more about the regulatory and geopolitical realms of cybersecurity.
Supply chain pains
There were 37 talks this year under the subcategory of “Supply Chain”. Supply chain concerns are nothing new to security practitioners, especially with the wildfire of AI tooling that never seems to stop spreading. Supply chain worries are varied and the RSAC sessions reflected this, with topics ranging from firmware, to AI/LLMs, to potential issues with SOC 2 reports.
You can’t run a company today without some kind of third-party supplier, software, or hardware, but the incorporation of third-party technologies is the incorporation of risks outside of your control. For tech companies, the inclusion of third-party code into a codebase is something that should be of paramount concern. Talks this year seemed focused on helping others identify and wrangle the myriad of supply chain troubles that plague security teams.
I’m not surprised that supply chains didn’t get as much attention as AI, yet I’m encouraged in seeing that it’s still a high priority for many professionals.
North Korean employee fraud
Last year, security training company KnowBe4 shocked the world by announcing that they had been duped into hiring a North Korean software engineer. Being alive in the late 20th to early 21st century means that you’re likely aware of North Korea’s cleverness when it comes to perpetrating fraud and criminal activity. The ever-connected, online world has opened the door for them to steal and launder funds in order to finance their totalitarian state. The BBC produced a brilliant podcast about this called The Lazarus Heist, exploring illicit North Korean cyber activity.
According to the Google Threat Intelligence Group, KnowBe4 is most certainly not the only victim. North Korea has weaponized remote work and remote hiring practices to trick legitimate companies into hiring North Korean employees. Fake personas and paid middlemen around the world work with the North Korean government to get their workers hired, usually in some form of IT or software engineering capacity. Once hired, these North Korean employees can use whatever access is at their disposal to harvest intellectual property, maintain internal visibility within possible future targets, and plant footholds into systems for future weaponization or data exfiltration.
I heard this situation mentioned multiple times across RSAC and I feel that the emphasis is warranted.
How can your company best verify potential hires without being discriminatory? What technical and non-technical controls are in place to monitor systems activity and, hopefully, alert to potential malcompliance?
This presents a unique opening for security teams to work with their HR partners to learn about what measures are in place, what measures should be in place, and how such efforts can scale.
Vendor Trends
If you want to know what companies want you to know about their products, I’ll give you a hint: it’s two letters, starts with an “A” and ends in an “I”. Yup. AI continues to reign supreme. The video above is a fair representation of my experience on the vendor floor. If I had played a drinking game where I take a sip each time I saw “AI”, then I wouldn’t have made it 5-1/2 feet before passing out.
Those that attended last year’s RSAC may have felt as if they, too, were drowning in references to “AI” but I’d have to say that companies outdid themselves this year with even more AI speak than before. Words like “generative”, “agentic”, and “LLMs” hung in the air like a strong perfume. You couldn’t shake it. You couldn’t even make eye contact with a vendor without them tossing out some sort of spiel about their native artificial intelligence capabilities.
The end result of this AI-centered chaos is rather disappointing.
Think about a time when you were at a bar or a restaurant that had loud music playing, or maybe where conversations were loud and energized, making it hard to hear. Were you able to easily talk to the person next to you? Could you hear what you wanted to hear? Do you find yourself wishing for a different environment where you could engage more thoughtfully with those around you?
For me, the end result was noise. Lots and lots of noise.
There are so many companies singing the same song that it’s impossible to filter through to what’s most meaningful—whether or not a company has a novel approach that solves a problem I/my team/my company is facing.
There are security companies at RSAC that are tackling security problems well. The bummer is that the overly aggressive messaging around AI is starting to get tiring, as everyone still seems to be riding the tidal wave of generative AI popularity that shook the Earth in 2023.
The challenge for companies in 2025 is nothing new. Companies need to find out how to rise above the noise to shine a light on the solutions offered within their product.
Pushy salesmanship
If you know me at all, you may not be surprised to know that I find it hard to turn down a good chance at small talk. If I see you, I want to smile and nod. If I talk to you, I want to ask you how you’re doing and have a chat. If someone at a vendor booth offers me something, I usually take it. My personality makes me ripe for the picking out on the vendor floor. I feel like a gazelle surrounded by lions.
I try to jump onto the vendor floor with a purpose. I swear, I really try. While my main interest is the sessions and talks themselves, I have to admit that the vendor floor is a cool place to see. I’ll bop over to the vendor area during lunch or as soon as the vendors are open at the end of the first day (after the keynotes).
Walking around the booths reminds me of how I felt when walking around Toys ‘R Us in the 1990s (RIP, Toys ‘R Us). I’m walking slowly, head tilted up, likely mouth-breathing without meaning to, staring in awe at all of the lights, sounds, and gizmos around me. However, unlike my younger self who just liked shiny things, at RSAC I’m walking around because I genuinely want to find companies and/or products that stick out, that warrant attention. Not because they have the brightest lights but because their solution is worth the time.
There were several times where I was walking around, gawking at the sights and sounds around me, only to be pulled aside by a vendor that I didn’t really want to talk to.
Don’t get me wrong, I understand that salespeople and customer-facing engineers fill these booths and are expected to lure people like myself in to gather marketing leads and potential prospects. They have a job to do. I get it. My issue isn’t with them doing their job, my issue lies with how they go about doing it.
General reflections on vendor experience
Here are a few thoughts from my experience with vendors this year:
I felt caught in the dragnet (sometimes)
No, not the cop show from the ‘60s. By dragnet, I mean the manner of fishing which pulls in a large amount of the target catch along with other unintended victims. These victims are usually other wildlife and/or vegetation that simply become collateral damage. This happens because of the chosen method, not because of fishing itself. The vendors that take on this approach just want to lure people in, potentially with some super sweet swag (under the reciprocity rule of persuasion psychology, perhaps), solely to meet lead quotas. I can’t tell you how many times I was scanned, only to see that the booth added no notes to my lead information. The few vendors that didn’t take this approach were thoughtful and used any questions to better guide the chat and demo, at least promising to continue the conversation using context I’d already shared. Pardon me as now I look around for verbal self-defense courses... This experience is nothing unique to RSAC, mind you, as this has been my experience elsewhere, too.
Everything, everywhere, all at once
That’s what the booths felt like—there was so much going on; everything, everywhere, all at once. Blinky lights, full-size monster trucks, 20-foot tall action figures, conversations, laughter, and oh so much noise. I was fine, but it was all overwhelming. I found comfort in the booths that didn’t have amplification or crowding due to booth attractiveness alone. For example, Wiz always has killer booth designs, yet, while there, I was bumping into more people looking at the booth itself than people who were genuinely learning about the product. CrowdStrike is a partial exception for me here. Yes, their booth was insane this year. However, they seem to always hold their in-person talks at the backside of their booths, away from the other lines and demos. In general, though, the over-ornamentation feels cheap. I think that companies can still have large, attractive booths without overdoing it.
Will people remember your booth or will they remember your product?
Yes, expensive booth investments may garner more leads which may lead to more sales. Yes, branding is a critical part of any business, most especially tech startups. But, unless you’re a large, established org (insert any big security company name here), it appears as if there’s a heavier focus on the brand itself rather than on product quality. If I leave your booth more in awe of the booth than the product that was described/shown, then where’s the return in the long run?
I appreciated the catch-and-release companies
Some companies caught my eye due to booth awesomeness alone. Some companies were ones that I was seeking out intentionally. And some companies caught me off guard by reading my name tag, saying my first name, and making enough eye contact while greeting me that I felt too much pressure to not engage. For those companies whose product I wasn’t interested in but that were effective at snagging us security pros as we drifted downstream, I appreciated them for releasing me back into the water. After a brief chat and some back and forth, it’s easy to see whether or not your product is a fit for my use cases. Or, maybe I outright say that I’m not interested. Just because someone is talented at reeling you into a booth doesn’t mean that you have to feign interest in return.
Companies have an incredible opportunity to invest in their sales and marketing strategy. While everyone else is adding more blinky-blinkies and trinkets, you should start with the people on the ground, brainstorming, trialing, and standardizing more effective in-person demonstrations.
Whenever someone new enters a booth, whether warm (where someone approaches the booth) or cold (where a booth rep pulls someone in), booth workers have a chance to set the stage for the conversation. The visitor may have preconceived notions of your company or they may not know your company at all. Regardless of what they know or don’t know, that first interaction that they have with your booth should immediately have them feeling welcomed and listened to. Don’t scan them right away. Make an effort to create a comfortable space between them and your company. If they’re comfortable, they’ll be honest with you, and maybe that honesty is a “No thanks, I’m not interested.” Great! That’s fine. The point is that you’re setting the stage for success on both sides by allowing them room to be honest.
If your company can reel someone in with a genuine affect and have a strong product to demo, where staffers believe in the solution, that’s where magic happens.
A company like that is going to win.
Focus on that first impression and then have the meaningful solution to keep the conversation going.
Negative first impressions are hard to shake, but strong first impressions are just as sticky.
Conclusion
Alright, so this post is already much longer than I had planned (and by “planned”, I mean that loose outline that I was forming while writing this). Let’s wrap this up!
I’ve been fortunate to attend RSAC Conference for the past two years and have really enjoyed the conference. I may have had a lot of feels about my vendor experience this year, but all in all the experience is strongly enjoyable and one that I’ve found fruitful.
With perhaps one or two exceptions, everyone I bumped into at RSAC Conference was willing to have a chat. Every speaker session or panel I attended had the speakers ready and willing to take conversations outside afterward. They are always willing to talk shop, answer additional questions, or offer to connect beyond the conference. Just like a kid who is looking for role models, I’m always on the hunt for security professionals that I can look up to. RSAC Conference gives me the chance to meet my heroes in the industry and identify new ones.
There’s an energy that has hung in the air for the two years that I’ve attended. From the expo floor to talks large and small, the overall atmosphere is one of camaraderie. I guess that an electricity forms when people are united by a common interest and a common cause, charging conversations and opening folks up to new acquaintances and opportunities.
I attend conferences because there’s a motivating humility that comes from being so close to others who have profound levels of expertise and knowledge. I always leave with new ideas, new things to bug my boss about, new concepts, and a refreshed feeling of purpose.
If you’re considering attending, then let me help you—you should! I’ve gained a great deal from my first two experiences at this conference and will be looking forward to many more.