RSA Conference 2025 recap: The top takeaways
Couldn’t make RSA Conference? This year was all about AI agents and regulation, modern cyberwarfare, and a surprising number of goats.
May 7, 2025 • 6 Minute Read

RSA Conference is amazing. Why else would I travel halfway across the world, shoved into a shoebox-sized seat for 15 hours as a stranger elbows me in my side? There’s a warmth to the event that has nothing to do with the sunny San Francisco weather, and everything to do with being among the RSA community. As the world’s largest cybersecurity event, RSAC is a singular experience powered by a legion.
No surprise then that this year’s theme was “many voices, one community.” However, I couldn’t help but feel the unity of RSAC was driven by an underlying anxiety—from a community of defenders under attack from outside, but also from within. Here are the key themes I picked up on at the conference.
1. Agentic AI is now being taken seriously, despite the buzz
On the expo floor, it was nauseating how many vendors were selling things like “non-human identity management” and “agentic SOC.” Many of the booths reeked of AI washing—slapping ‘AI’ on a product whether it fits or not. And yet one floor above, many of the best keynotes were on the topic of how CISOs can deal with AI, and yes, even agentic AI.
Many of the best presentations focused on real opportunities with agentic AI, such as using it for AI red teaming or autonomously closing compliance gaps. However, there was just as much talk about tackling issues such as AI oversight and transparency.
Meanwhile, there was a sense that attackers were able to overwhelm cybersecurity teams using agentic AI without constraint. Mark Thurmond, Co-CEO at Tenable, noted that password attacks had risen from 579 per second in 2021 to more than 7,000 per second in 2024.
“We cannot double security budgets each year,” he said. “We need to scale, but with intelligence.”
2. Cyberwarfare and attacks on civilian infrastructure are major concerns
“Cybersecurity is national security,” said Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA). This year, China’s cyber espionage has surged 150%, and Volt and Salt Typhoon—advanced persistent threats reportedly operated from China—got more than a few mentions.
One of the big concerns at the conference was attacks on critical infrastructure and civil assets to create widespread panic and disruption, rather than to extract ransom payments. At one point, apocalyptic clips from the miniseries Zero Day were played. According to Krebs, the threat of a “Cyber 9/11” was not Hollywood theatrics, but real and imminent.
General Paul Nakasone, former commander of United States Cyber Command and board member of OpenAI, said part of the solution was to “take on” adversaries outside of the United States. Discussions waded into whether to engage in private sector offensive cybersecurity, and the very complicated logistics involved.
“To conduct (those types of activities), you need to synchronize them,” Nakasone said. But who leads that? What if a private sector company attacks a presumed adversary in an allied nation, and it turns out that it was a friendly target?
The United States doesn’t appear to be the only one affected. France’s national cybersecurity agency reported a 15% increase in Russia-linked attacks in 2024, targeting ministries, defense firms, and cultural venues.
3. Defenders and AI being held back, or held accountable?
Where to draw the regulatory line was a recurring theme. Cybersecurity superstar Bruce Schneier did an amazing keynote on why regulators need to ensure AI systems are trustworthy and integrous (and yes, that is a real word). The man has enviable stage charisma, and I highly recommend watching it. Yet as I left the building, I overheard agitated dissent.
“If we regulate, we’re going to lose and fall behind them in terms of AI,” one of the men behind me said. “Them” being nation-state cyber actors, adding to the sense of defenders having their hands tied.
At this year’s RSA AI Safety Keynote—run by Microsoft’s Ram Shankar Siva Kumar, who never disappoints—the vibe was that regulating AI was like trying to wrestle a bull in the dark.
“Clearly (AI) capabilities are moving much faster than safety and security, and I think there is a sense in which folks in the field… feel like we’re barely keeping up,” said Jade Leung, CTO of the UK AI Security Institute, and former head of the Governance team at OpenAI.
“These capability evaluations are very new… it’s underappreciated how much of an evolving science this is.”
4. Burnout is still a major problem in cybersecurity
For many years, cybersecurity has had a major issue with burnout, and it’s only getting worse. 66% of cybersecurity professionals say their job is more stressful than it was five years ago.
Why? The issues they face get more complex each year, there’s often no budget or business recognition, and there’s a lack of proper upskilling. This causes hiring and retention issues, which makes things even worse. And if that wasn’t bad enough, bad actors using AI are just piling on already strung-out teams.
I attended a talk by Brenden Smith and Emy Dunfee from FirstBank, cybersecurity leaders who managed 5,000 hours of incident response time with zero turnover (without increasing salaries or awarding bonuses). Among their many techniques was giving staff learning opportunities, particularly those related to a recent incident.
According to Brenden, there were a lot of parallels between physical bank robberies and cybersecurity incidents. Both were high-adrenaline incidents which rarely resulted in a “win” for defenders, resulting in burnout.
“Bank robberies are very common, but rarely reported on (in the media),” Brenden said. “Stopping them is quite hard… and there is usually no resolution.”
Emy said that giving their employees learning opportunities, both related to the incident and on topics staff were simply interested in, had helped mitigate burnout.
“It shows (the staff) don’t have to be a keyboard warrior every single day. Most employees have things they want to improve on… and you’re giving them the opportunity to go away, then come back and share knowledge with the team.”
“By having a learning experience related to the incident… (that staff member) gets to be the person who brings (the solution) back to the team.” Emy said this gave staff a much-needed win.
5. People talking too much about AI, and not enough about quantum
While everyone was talking about AI at this year’s RSA, barely anyone was talking about quantum computing—something Dr. Adi Shamir pointed out during this year’s Cryptography panel. If you’re not familiar with that name, Dr. Shamir is a renowned cryptographer, and one of the co-inventors of the RSA algorithm (he’s the ‘S’ in ‘RSA’).
According to another panelist, Dr. Raluca Ada Popa—leader of the AGI security team at Google DeepMind, and Associate Professor at UC Berkeley—organizations were not shifting to post-quantum cryptography (PQC) quickly enough.
“I think a lot of industry practitioners believe since (modern cryptography standards) are not broken now, that it’s not a priority,” she said.
Dr. Raluca noted this was a big mistake, as attackers can harvest sensitive data in the present, and then decrypt it in the future once quantum computing has arrived. According to NIST, post-quantum cryptography should be standard by 2030, as it is expecting the imminent arrival of quantum computing.
6. Fun fact: there were an awful lot of goats
At last year’s RSA Conference, one of the booth runners—Kiteworks—had the novel idea of having a small petting zoo filled with puppies. I still remember when I shared this with a colleague, they dryly remarked that while they loved dogs, it was a poor marketing strategy. All the leads you’d get at the booth would be low quality, as visitors would be more interested in puppies than products.
Still, this doesn’t seem to have dissuaded any of the vendors at this year’s event, many of which had taken a leaf from Kiteworks’ book. However, there were more goats than puppies. That’s a downgrade in my book (though cats would be even better).
And that’s a wrap! Keep checking our blog for our upcoming RSAC 2025 Swag Awards, where we’ll share pictures of all the neat merch that was on offer at the event, and rank it accordingly. Until then, you can check out last year’s results in case you missed them, as well as our RSA Conference 2024 recap.