The annual RSAC Conference in San Francisco is the cybersecurity industry’s biggest event of the year. For the analysts attending, RSAC Conference week provides an opportunity to learn about cybersecurity trends and topics, meet with vendors and clients, and share our insights and observations. It’s also an excellent opportunity to meet our daily step goals as we dash from meeting to meeting during the week.

In this blog, the 11 Forrester attendees are sharing what they are most looking forward to at RSAC 2026 Conference and what they expect to see. We’re also providing a sneak peek of the sessions that some of us are leading during the conference.

JB

Coverage: insider risk management; overall trends in AI for security, security operations, security leadership, security infrastructure, email security, human risk, and Zero Trust

What I hope to see: For me, RSAC Conference is like “old home week.” It’s an opportunity to meet with clients and catch up with old industry friends (at this point, we’re all “old” friends). I’m very much looking forward to learning how users and vendors are getting actual value from AI in real-world deployments after all the hype from the last couple of years. Of course, I’m super excited for the “Birds of a Feather” session I’m leading and my talk about insider incident response on Monday with Jess Burn (see below for details). What I expect to see: I expect to see many more announcements about new AI capabilities, messaging about securing AI, and mind-boggling branding choices (which make the “recovering marketer” in me a bit twitchy).

My 5-second assessment when I encounter a new vendor or offering: I want to know what problem the solution solves and what outcome(s) it delivers. Is this new or novel, or does it complement or replace an existing solution?

Steph

Coverage: overall trends in tech strategy, tech architecture, infrastructure and ops, enterprise business apps, software development, security and risk, and sustainability

What I hope to see: I hope to see solutions that are more than just a feature waiting to be acquired by a larger tech or security vendor. I also want to understand how services and solutions fit into a holistic whole, addressing the needs of the CIO and the CISO, helping to address issues such as modernization, tech debt, cloud migration, sovereignty, and, yes, deploying AI at enterprise scale.

My 5-second assessment when I encounter a new vendor or offering: I’m looking for how it integrates into today’s environments, which are hybrid and multicloud and will be for the foreseeable future, and how it complements other tooling and platforms in the environment. How does it scale, and how quickly can it be deployed?

Jess

Coverage: CISOs and security leadership; cybersecurity talent management and training; email, messaging, and collaboration security; and incident response services

What I hope to see: I hope to see vendors that design for the reality CISOs face: constrained teams, tool sprawl, and pressure to prove progress. I’m looking for offerings that help CISOs make better decisions faster — not just dashboards but actionable context and metrics: why something matters now, what can wait, and what trade-offs are being made. I’m also very much looking forward to speaking at RSAC for the first time, moderating a panel of my colleagues at the Forrester networking event on March 24, and spending time with those colleagues and our clients in the security community.

My 5-second assessment when I encounter a new vendor or offering: I’m looking for how it changes behaviors. Does it change how leaders make decisions, how security analysts spend their time, or how users behave? Or does it just generate more noise? If it doesn’t change behavior, it’s unlikely to change outcomes.

Jeff

Coverage: securing AI, security services (MDR), CISOs, and security platforms

What I hope to see: For securing AI, I hope to see agent security with a realistic definition that includes identity, policy, and runtime security capabilities fused together, not as disparate capabilities. I want to see runtime security treated as measurable and actionable and not a “trust me, we scan prompts” offering as it is for so many vendors today. Finally, for managed detection and response, I hope to see agent actions included as an input to detection and response and how agent actions are improving outcomes for customers, not just vendors. For CISOs, I hope to see the securing of AI open doors for real business impact.

My 5-second assessment when I encounter a new vendor or offering: For me, this is simple: What does this replace? If it doesn’t replace existing spend, then it’s a year away (or more) from being a budgeted item. After that, I want to know whether it adds: 1) observability; 2) control; or 3) enforcement.

David

This will be my first time back at RSAC in quite some time and the first as an executive partner at Forrester. I am looking forward to joining clients and making new connections, as well as catching up with some great folks I have not seen in many years. In addition, I will be looking for new and innovative solutions, along with approaches to leveraging these solutions that help solve my clients’ real-world challenges.

Merritt

Coverage: identity and access management (IAM), identity security, cybersecurity M&A and startups, and physical security

What I hope to see: I am returning to RSAC after a one-year hiatus, and even though I have been going to this conference since the late 1990s (back when it was held in San Jose and not in the sea of humanity that Moscone has now become during RSAC), I always find that RSAC serves as a useful barometer for the current state of the cybersecurity market. I’m looking forward to catching up with established vendors as well as startups to see how they are helping organizations address the ongoing challenges around identity security. How are orgs and vendors addressing the challenge of managing agent identities? What areas of IAM are experiencing the biggest leverage and value creation from agentic AI? I’m also looking to examine the current state of cybersecurity innovation and the areas of cybersecurity that are attracting investor interest. The Innovation Sandbox is always a good starting point for that, but I plan to assess the exhibitors in the Early Stage Expo.

My 5-second assessment when I encounter a new vendor or offering: I’m looking for how the offering is deployed and integrated across the cybersecurity ecosystem. Is it replacing an existing capability or complementing one? How does it create value for the security organization? What is the path to market, and what is the planned growth trajectory and/or exit strategy?

Allie

Coverage: security operations, detection engineering, security analytics platforms, XDR, and the use of AI in security tools

What I hope to see: I hope to see true, legitimate efficiency gains from AI agents and tools. One of the biggest issues with how AI is used in security tools today is that it relies on input from the user to execute, especially prompts. The most effective AI capabilities on the market do something different. They use agents, which run automatically to perform specific tasks based on specific inputs, such as AI agents for triage or investigation. I hope that vendors are starting to build these capabilities into their tools for low-risk, high-reward scenarios. With that, I also hope to see more vendors discuss trust and its importance when using AI effectively. Trust is one of the three most important elements that users need to evaluate when it comes to the AI systems they are adopting: specifically, the accuracy, repeatability, and explainability of the tool. Otherwise, security tools with AI will produce incorrect outputs and degrade the analyst experience instead of improving it.

My 5-second assessment when I encounter a new vendor or offering: I’m looking for how effectively the tool fits into the analyst experience. Every tool in security operations should be: 1) effectively solving a practitioner problem; 2) helping the analyst accomplish their work faster; and 3) helping the analyst solve their challenges more accurately and completely.

James

Coverage: Zero Trust, security architecture, network security, and microsegmentation

What I hope to see: I want to see Zero Trust positioned more as a means than an end. Although it’s common to talk about Zero Trust as both a strategic priority and a product or solution, it exists to make organizations safer. I want to see vendors that are helping make Zero Trust implementation easier in the service of better outcomes, as opposed to ticking some Zero Trust box. What I want to hear about: 1) how organizations are addressing the gap between Zero Trust reference architectures and the practical limitations of security products and standards and 2) the application of AI to Zero Trust and the application of Zero Trust to AI. What I (cynically) expect to see: a lot of marketing copy that doesn’t make a whole lot of sense when you really consider the specific meaning of the words in the sentence or tagline.

My 5-second assessment when I encounter a new vendor or offering: I run things through a filter of novelty, importance, differentiation, and practicality. Does this solve a new problem, or is it a better way to solve an old problem? If it’s the former, how urgent is it? If it’s the latter, how is this better than existing alternatives? In either case, how easily and quickly can a customer deploy and start to see value?

Jitin

Coverage: threat intelligence, NAV, Zero Trust, and deception technology

What I hope to see: I’m interested in emerging startups that are tackling known cyber challenges in different ways – bonus points if they are closely aligned to my coverage. For more established vendors, I’m less interested in feature checklists and more curious about user feedback and experience throughout the journey for their upcoming RSA launches.

My 5-second assessment when I encounter a new vendor or offering: I look for clear, jargon‑free specificity on what’s different now compared to before with all the new launches. Additionally, I’d like to prioritize insights from practitioners and professionals (outside of product and marketing experts) who would normally not have the opportunity to interact with Forrester analysts, in order to view perspectives from a different lens.

Heidi

Coverage: Zero Trust data security, including data classification, DSPM, DLP, secure communications, privacy-preserving technologies, and other data-centric security controls

What I hope to see: I’m looking for security vendors whose offerings improve collaboration and alignment between security and data governance outcomes in a meaningful way. What I want to hear about: 1) how people are thinking about data and digital sovereignty and their expectations for how they aim to achieve these goals and 2) examples of how vendors are helping organizations today with PQC migration, quantum security, and cryptoagility. What I expect to see: innovation for securing data for AI use.

My 5-second assessment when I encounter a new vendor or offering: Is this something that delivers data security as an outcome or data security via a data-centric control? The ones with data-centric controls are the ones I will take a closer look into. Looking forward to connecting with new names and faces!

Madelein

Coverage: CISOs and security leadership, security organizational structure, European cybersecurity regulation, operational resilience, and API security

What I hope to see: I want RSAC Conference to live up to its “global community” promise. The CISO questions are not just technological; they are organizational, regulatory, and geopolitical. Who owns resilience when it crosses business units and borders? How does the changing wave of regulations translate into actual risk strategy? And as geopolitical tensions continue to redraw the map of digital trust and data sovereignty, are vendors helping CISOs navigate that complexity or just showing up with a regulation-shaped sticker on an existing product? The ones that can honestly place themselves inside a CISO’s strategic reality, rather than just their budget cycle, will be the most interesting conversations I have all week.

My 5-second assessment when I encounter a vendor or offering: Where does this sit when things go wrong at 2 a.m., or who in the organization owns it? If a vendor can’t clearly answer which team uses this, who’s accountable when it fails, and how it fits into an incident response workflow, it’s not ready for a CISO conversation. Resilience isn’t a feature — it’s an organizational outcome.

Janet

Coverage: securing agentic software development, DevSecOps best practices, software supply chain security (yes, that includes AIBOMs), and application security

What I hope to see: I’m looking for solutions that provide security for AI coding assistants and agents as code is being generated and suggested by AI; security solutions that secure and protect the AI software supply chain, both for AI application dependences (e.g., libraries, models, MCP servers) and the AI software development tooling to build and deliver AI applications and agents; and software supply chain solutions that go beyond SBOMs to create, analyze, and manage AIBOMs and cryptography bills of materials. What I want to hear about: 1) How are enterprises thinking about the security and operational concerns of utilizing AI coding solutions? 2) What types of security tooling and processes need to be augmented to keep up the pace of agentic software development? and 3) How can enterprises secure AI-native applications and AI agents early in the SDLC? What I expect to see: application security vendors utilizing MCP servers to embed security capabilities into agentic software development workflows; the necessity of AIBOMs to help meet global regulations and industry recommendations (but few vendors that serve all three use cases, e.g., producer, operator, and consumer); and AI to fix all the findings.

My 5-second assessment when I encounter a new vendor or offering: What is the vendor’s core proposition and differentiation? Who are the primary buyers versus users? Where does the solution fit into the agentic software development lifecycle?

Here’s Where We’ll Be Speaking At RSAC 2026 Conference

A few of us were fortunate to have our conference talk ideas accepted. You’ll find Forrester analysts speaking at RSAC Conference on topics including AI security and our AEGIS framework, insider incident response, security platforms, and the EU Cyber Resilience Act. If you’re attending RSAC 2026 Conference, be sure to preregister for our sessions.

Building and Maturing Insider Risk Programs

Joseph Blankenship

Monday, March 23 | 8:30–9:20 a.m. PDT

This “Birds of a Feather” session is targeted for insider risk management leaders and professionals. The discussion will include program recommendations, tactics, and best practices for maturing the insider risk management function.


Disgruntled Employees to Deepfaked Identities: Navigating Insider Response

Jess Burn and Joseph Blankenship

Monday, March 23 | 9:40–10:30 a.m. PDT

This session will detail the essential elements of insider threat response and help attendees define an escalation path for insider incidents and clarify roles and responsibilities between security, legal, HR, and third parties during an insider incident.


Platform or Pipe Dream? Strategic Tradeoffs of Cybersecurity Consolidation

Jeff Pollard and Jess Burn

Monday, March 23 | 2:20–3:10 p.m. PDT

This session will help CISOs and security leaders separate true integration from vendor marketing, understand the real costs of consolidation, and make smarter platform decisions.


Prepare for the EU Cyber Resilience Act in Five Steps

Madelein van der Hout

Tuesday, March 24 | 8:30–9:20 a.m. PDT

This session will offer a strategic lens on the act’s impact, helping business leaders anticipate disruption, manage risk, and turn regulatory pressure into competitive advantage.


AEGIS: Guardrails for Securing Agentic AI in the Enterprise

Heidi Shey and Jeff Pollard

Wednesday, March 25 | 8:30–9:20 a.m. PDT

This session will present AEGIS, a practical framework that CISOs can use to secure agentic architectures, mitigate emergent risks, and align AI adoption with enterprise trust and compliance goals.
