Reporting from RSAC

by Tanya Reddy Sattineni

At this year’s RSAC Conference, cybersecurity once again proved to be less an industry and more a personality type. The 35th edition of this renowned cybersecurity conference—drawing over 43,000 attendees—kicked off with a keynote by Kevin Bacon on "Six degrees of Kevin Bacon", a trivia game based on the “small-world” theory that every Hollywood actor is connected to Bacon within six roles. From a cyber context, the analogy made perfect sense: We are all connected and, by extension, equally vulnerable. 

For a first-time RSAC attendee like myself, Bacon’s musical cameo captured the conference’s essence: earnest, slightly surreal, and forever straddling the line between a tech symposium and a live production. It set the tone for the weeklong performance that is RSAC. 

RSAC CEO Hugh Thompson followed Bacon, asking attendees to reflect on their “why.” It was a rare moment of introspection in a sea of ransomware and zero-day chatter. Cybersecurity professionals are prone to describe their work as a calling—often in the same breath others reserve for medicine or public service—yet sharing our “why” with sleep-deprived peers at 10 a.m. felt as risky as any red-team exercise, exposing motivations and vulnerabilities we are usually trained to conceal. The whys ranged from “protecting vulnerable families” to “making bank.”

While the keynotes were philosophical, the rest of RSAC was unapologetically operational—and dominated by AI. Across sessions, AI was both hero and villain: automating detection, scaling attacks, and occasionally making humans feel obsolete. Vasu Jakkal of Microsoft warned of “agentic AI”—autonomous systems that act rather than assist—turning security into something omnipresent, self-optimizing, and slightly terrifying. As she put it, "Security must be ambient and autonomous, just like AI—always on, always there, everywhere,” implying that AI is now a participant in the arms race and security measures must keep up.  

Yet in the world of cybersecurity, humans remain the most fragile element. Nicole Jiang of Fable Security, an AI human risk platform that directly shapes employee behavior, highlighted this vividly, noting that “no amount of automation or AI can fix the fact that human behavior remains the primary attack surface.” Employees click links in phishing emails, reuse passwords, and generally make the cybersecurity world more accessible to threat actors than anyone would like. 

Gal Perl of Teramind pointed to the company’s increased investment in behavioral monitoring and insider threat detection. Perl noted that these tools are especially critical amid the rise of deepfakes and other AI-driven disruptions: “Understanding what users do, at a granular level, is now as critical as understanding the network itself. You have to double-check everything.” The juxtaposition of human fallibility and automated vigilance felt like the theme song of the conference—slightly manic, and impossible to ignore. 

Meanwhile, cybercrime itself is becoming a business school case study. Mounir Hahad of Hewlett Packard Enterprise described the professionalization of attacks: “Adversaries now operate like legitimate companies, with structures, processes, and operational rigor. We’ve seen attacks within hours of a proof of concept being published, but organizations still take weeks or months to patch.” This drives the industry toward “active defense,” necessitating coordination and intelligence-sharing, to impose costs on attackers without ever touching a keyboard. 

After the formalities, I stumbled into the Women in Cybersecurity after-party, a room buzzing with energy that briefly erased the three days’ worth of ransomware and AI-driven phishing. I met cyberintelligence officers, cryptographers, and other professionals whose LinkedIn profiles could double as action movie character sheets. The conversations all delivered with a mix of rigor and drunken humor, ranging from the granularity of threat detection to “how the hell did we survive this week?” 

The exhibition floor delivered its own theater. The CEO of Cork Cyber, Dan Candee explained how the company is translating cyber risk into financial terms and quantifying the unquantifiable for executives: “It’s about making cybersecurity legible to decision-makers. If you can’t put it in the language of risk, it doesn’t exist for leadership.” Startups and established vendors tried to outdo each other with dashboards, AI demos, and over-the-top giveaways ranging from DIY T-shirts to plushies and lightsabers. The underlying goal was clear: Make complexity feel manageable. 

If I had to use one word to describe what the RSAC 2026 Conference showcased, it would be transformation. Automation is accelerating, AI is omnipresent, humans are as fallible as ever, and quantum threats loom quietly in the background. Yet, amid the celebrity appearances, after-parties, and agentic AI of it all, the most important lesson remains fundamentally human: Behind every system is a person, and behind every defense is a choice. The conference was undoubtedly an unparalleled initiation into cyberspace for this graduate student—and I’m not just talking about watching Hugh Thompson and Hugh Jackman break into the worm.