If you walked the RSAC Conference 2025 show floor this year, you could be forgiven for thinking you were at the world’s strangest petting zoo or furry convention. There were goats! There were puppies! And if real animals on the conference show floor isn’t your thing (social media posts from RSAC 2025 attendees revealed mixed opinions), you also had robot dogs or your pick of people in furry animal costumes. Both on the expo floor and on the streets outside the Moscone Center, we found people dressed in full costume as rabbits, ducks, bees, and even a yeti.

Read on for our key takeaways from this year’s RSAC Conference and find out which of these numbers was greater: the number of Forrester analyst steps taken at RSAC 2025 or the number of mentions of agentic AI (see the answer at the end of the blog).

 

Agentic AI Was Everywhere

This year’s unofficial RSAC Conference theme seemed to be: AI agents and agentic AI are the future … as long as people don’t mind the additional work of teaching, training, and supervising them.

Today’s version of agents and agentic AI mostly consists of a smattering of half-complete processes dropped into a human’s lap. It’s a lot like living with a productive but easily distracted DIY’er, where many projects get started, few ever finish, and you learn to live with the messy results. In short: Agents will do some work and complete tasks but not workflows. This will leave people with more alerts and activities to perform. Some of the manual toil will be removed, if your environment is ready for automation (something most vendors ignore for now).

The RSAC sessions focused on skills and talked about how the cyber workforce did not consider the human challenges around agentic AI. Agents will create more alerts, but those alerts will need a mid- to senior-level practitioner to 1) check the agent’s work and 2) take action on the alert. At the same time, the increased usage of copilots and large language models by current early-career practitioners and the vendor promise and roadmap of agents as a replacement for those practitioners (such as tier 1 and 2 security operations center analysts) will eliminate the hands-on work needed to build domain and institutional knowledge. The trade-off here sets us up for potential issues down the line. In the hopes of solving today’s — supposed — early-career skills shortage, we will create a shortage of skills in the mid- to senior levels in the long term.

Efficiency Drove Vendor Messaging

Aside from an overload of agentic AI (and a few uses of AI that just didn’t make sense), most of the messaging was rather bland (not necessarily a bad thing). A lot of vendors emphasized platformization, automation, and intelligence. When considered together, this emphasized an underlying theme of helping security leaders do more with less in a struggling economy, although vendors avoided coming right out to talk about economic uncertainty. They also avoided any discussion of the geopolitical volatility and tariff mayhem gripping the world and the implications for everything from nation-state attacks and less cooperation and unity on fighting insidious ransomware to dealing with other rising risks such as deepfakes and undermining trust in tech and traditional government and societal institutions.

Related to various security markets, we found that:

  • Application security messaging shifts to platformization and application detection and response. Application security (AppSec) is still prominent at RSAC Conference, but the key messages have changed. API security signage dropped significantly, with only a couple of vendors highlighting API security capabilities, even though APIs remain a common cause of major breaches. The most precipitous drop in the AppSec world, though, was application security posture management (ASPM). Eight months ago at Black Hat while walking through Startup City, we saw four or five early-stage vendors pitching ASPM. Walking through the RSAC Early Stage expo last week, we saw none. It wasn’t that the early-stage vendors had graduated to the main expo, as we didn’t notice any ASPM signage there either. Instead, emerging companies pitched runtime application security, sometimes called application detection and response, while established vendors touted their unified web application protection platforms.
  • Identity maintains a strong showing. Identity vendors of all shapes and sizes were present, including a healthy dose of non-human identity management and identity verification offerings. Identity vendors featured heavily in the Early Stage expo. Announcements from identity vendors were muted, however, as many vendors are holding product announcements for the upcoming Identiverse event. The FIDO Alliance’s seminar on the state of passkeys was lightly attended compared to previous years.
  • Quantum security has a light presence on the show floor, with signs of growth. Some smaller vendors in the quantum security space could be found on the outskirts of the expo pitching post-quantum, cryptographic agility, or quantum key distribution solutions. We also noticed one quantum security vendor at the Early Stage expo. As we get closer to 2030 and some of the first deadlines for quantum migration, we expect these vendors to be more prominent and for quantum security messaging to grow.
  • The combination of insider risk management + DLP grows. The convergence of insider risk management solutions with strong data loss prevention (DLP) controls was showcased at some very large booths. Insider risk continues to be a primary use case for data protection solutions, and employee monitoring solutions (for security and productivity) are enjoying a moment in the limelight. DLP itself had a strong presence across the show floor as existing providers continue to push AI capabilities into their offerings or different ways to enforce DLP policies, such as through a browser. MIND, one of the startups showcased in Innovation Sandbox, also focused on an AI-driven approach to DLP.
  • Cyber resilience has an even stronger showing than last year. A modern data resilience strategy today includes security as a core component. Your data resilience platform must be architected with Zero Trust principles and have additional security integrations. Major data resilience, backup, and storage providers are all coming to the RSAC table now with a clearer security message. They highlight their built-in capabilities to detect and help you recover from cyber events such as ransomware, their partnerships with incident response services providers, and their use of post-quantum cryptography to protect data at rest and in transit.
  • Risk messaging was stale in the main expo but fresher in the Early Stage expo. While RSAC is primarily a security conference that’s not overly focused on governance, risk, and compliance (GRC), there were a lot of booths and talks about cyber risk, risk management, and prioritization (especially in the vulnerability risk management space). But we also saw a lot of “risk eye candy” with plenty of form but little substance — particularly in the main expo. GRC vendor presence was subdued, with several of the significant enterprise risk management GRC platforms not attending or having a small booth presence. Those GRC vendors messaging “AI + compliance” missed an opportunity by ignoring “risk” — this was particularly unfortunate given that the “risk” sessions were the most well-attended ones over at Moscone West. Third-party risk management vendors had a bigger presence, but most of the cyber risk ratings vendors were messaging vendor/supplier risk with a mix of detection and response tools that fall short of customer expectations. The Early Stage expo fared better, with some interesting approaches from emerging AI governance vendors.
  • Security services remain inevitable. The Security Services Flywheel showed up (again) at RSAC. As we’ve mentioned in several bullets, a common trend includes “detecting and responding” to all the things, leading to an explosion of “insert technology here”-disaster recovery-style pseudo-services and fully managed services. The success of managed detection and response stands out as the model for vendors in other technology categories, resulting in an explosion of subscription-based managed services riding on a vendor’s underlying products. Customers get a benefit, with a service to run the products they adopt, and vendors accelerate adoption, use, and revenue when customers buy these services. The erroneous belief that the services can rely almost entirely on agent-ish AI — aka bots — will result in disappointed customers and high churn early on.

On The Show Floor: Animals, Experiences, And Gen X Nostalgia

We’ve already highlighted the goats, the puppies, and the furries. Another key theme on the show floor was experiences over stuff. One booth offered a walkthrough ending in a sensory experience of cooling clouds and lightly scented jasmine, a welcome conclusion that contrasted with the beginning, which replicated the chaos of a ransomware attack. For those prone to getting migraines, however, some booths with experiences involving blinking lights and screens were ones to avoid.

Several vendors leaned heavily into Gen X nostalgia for their booth displays. Many booths featured ’80s and ’90s toys, video games, and other cultural touchstones from the era. With Gen Xers holding more leadership roles, making strategy decisions, and owning the security budget, vendors are responding by tapping into their childhoods.

The number of country-specific pavilions on the show floor and the growing global audience were also notable. Germany has had a presence for many years now, but we also passed pavilions from Italy, the Netherlands, Saudi Arabia, Singapore, and Spain. We observed one large booth with a well-attended presentation in Spanish.

In total, Forrester S&R analysts attending RSAC 2025 recorded 686,735 steps. With 44,000 attendees at RSAC 2025, we would guess that there were more mentions of agentic AI than steps, but it was close.

For a deeper dive into the conference, we invite Forrester clients to join us for a webinar on Wednesday, May 14 at 1 p.m. EDT. We’ll have eight analysts available to share their insights on the conference and answer questions from clients.