Innovation 2025: What to Look for at RSA Conference This Year
With over 41,000 attendees and 600+ exhibitors, RSA Conference continues to set the tone for where the cybersecurity industry is headed next. But with so much happening, how do you know what’s worth your time? In this pre-conference session, Tevora’s RSA veterans—Ben Dimick, Mark Broghammer, Josh Johnson, and Ayo Adeusi—share their insider picks on what to watch for at RSA Conference 2025. These industry leaders have combed through the agenda and exhibitor lineup to spotlight the trends, technologies, and breakout vendors that are set to make waves.
Key Takeaways:
- Key trends we expect to define the conference
- The product categories gaining momentum
- Startups and innovators who are doing things differently
- What we’re most excited about from the Innovation Lab
Whether you’re attending in person or tuning in from afar, this is your roadmap to RSA 2025.
Good afternoon, everybody. I think we’ll go ahead and jump in and get started. I appreciate everybody taking time this afternoon. I’ve got a couple of my esteemed colleagues on. I’m Mark Broghammer with Tevora, head up our security pre-sales architecture team. On with me, I’ve got Josh Johnson, our principal architect and senior pre-sales architect as well. Today we’re going to talk about what we’re looking for at the RSA Conference, innovation 2025, just in terms of some of the agenda. We’re talking about interesting trends from the conference, product categories to keep an eye on, exciting developments from the innovation lab. Then we do have a Q and A as well. You’ve got question and answer, please pop those into the chat, and we’ll try to respond to those as we get time at the end. With that, let’s go ahead and dive in and get started. We’ll start with an easy one. Let’s just say, what’s the one lesson learned, or one ritual maybe each of us has from RSA, knowing outside of taking a bigger suitcase for those that collect the swag, not myself, but any traditions?
One of the things I always like to do is I like to make sure that I end up at either the W or the St Regis bar on Monday or Tuesday night, that’s usually the best time for a good networking reunion activity. Everyone tends to be at those places, at least everyone I know. Those are the general places that I’ll find myself on a Monday or a Tuesday night of RSA. It’s been that way for the last 14 years.
Similarly, I like to do the same things. I would advise that you wear comfortable shoes, stay hydrated and plan ahead. The conference tends to be a very, very busy time in the city, and traffic slows to a crawl; getting from point A to B becomes pretty challenging if you’re going to take a vehicle. So, walking becomes the best possible option. I also do try to catch some of the interesting vendors at the expos, particularly like the RSA innovation sandbox, one of my favorites that I have to attend every year. Good point.
I think for myself, I tend to arrive early and depart early, just for a little bit of sanity’s sake, but walking around and making sure I kind of have a plan. I do like to try to outline which vendor specifically I want to speak to, just based off topics and themes. With that, looking at some themes this year, I think the first one for me is really, it’s AI powered everything. It’s around Gen AI, governance tools, bots, etc. Josh, maybe you can start us off, what do you think companies are really looking for out of Gen AI solutions, controls, how to vet it? Let’s start there.
I mean, there’s, it’s such a broad topic, when we start to get ourselves into a conversation about Gen AI, there’s all of the different providers out there that are offering commercial level Gen AI. And then there’s the Gen AI that you can get when you’re an enterprise, whether you’re purchasing from Microsoft or Google or AWS or SAP or Salesforce. All of these different Gen AIs are out there in the world and enabling what they ultimately are good at, is enabling productivity inside of your workforce. As a security organization, one of the things that we globally need to think about is, what are we doing to enable our users to be successful, while at the same time making sure we don’t compromise the security of the organization. One of the things that really has jumped out to me, and I think will be a big kind of topic of conversation during the RSA Conference, is about these different platforms that interject themselves at the prompt level. They’re adding at this next layer of security. I wrote a blog for Tevora recently. You’ll find it on our web page, but it talks about from my perspective, what I see as the next evolution of this layer of security into enabling the Gen AIs for your organizations, whether that’s through an API connection, whether that’s through a browser plugin that you install, just enabling your users to be able to successfully get the productivity aspects of these tools without compromising your security. The conversations will obviously start to lead into the different governance conversations, the different compliance conversations, whether we need to make sure PCI data is not going out, PII data, healthcare data, or even just company secrets. Here at Tevora, if I’m helping one of our customers with a project, and I put that straight into an AI engine, I’ve compromised the security of both Tevora and my customers. Finding a way to enable those for the users is what I find to be the most important as we talk about this conversation. 
I’m really interested to see what the litany of vendors who are going to be at RSA have to say for this part of it.
I think one of the things for me there is, like, some of the local LLMs that are being deployed, is still having governance around those specifically. Start talking about PCI. It’s not really about third party risk at that point, but we still want to make sure that if we’re putting data into that LLM, what is everybody else able to see from that, right? I think that’s the concern, is those internals. Obviously, there’s the externals, but the internals, for me, is kind of where I’m looking to lean into a little bit more specifically.
That branch is an interesting conversation off there. As we look at, if we’re developing our own LLMs, what access does it have, from a data perspective, that kind of branches into the DSPM conversation, and it starts to become a much larger sphere of, what am I talking about. Is it just data security? Is it just LLM security? Is it just enabling my users? Is it just preventing data leaks? There’s a lot that comes into that. You’re not wrong. I’m very excited to see what we have, or what we’re told about from these various vendors at RSA.
I think it’s going to be pretty telling, based on what we see the vendors provide, or what they’re looking at as priority elements to sell to the public. AI is, as you know, unavoidable. It’s a hot topic. It’s been for a couple of years more. Every organization doesn’t want to be left in a lurch by not being AI enabled, especially if the competition is, because they understand that there’s magnitudes of efficiency that can be plugged in using these technologies. Unfortunately, there do come the risks involved with it, because it’s a nascent space; we’re involved in the utilization and absorption of mass amounts of data into what could be akin to a black box. Organizations now are having to ask serious questions about whether or not they’re enabled for this AI journey, and what getting enabled for AI even looks like. How do we determine if we’re prepared, and what’s the governance around it? Typically, in AI, we’re talking about things from a governance standpoint, it’s risk reduction, so you can identify, assess, and mitigate all the risks that come with AI, or data loss prevention, DLP. You can protect access to and anonymize your data to ensure that data is not leaked when it goes into these AI, LLM generated AI platforms that could be also accessed by bad actors. And then, to Josh’s point, there’s also the compliance area. We see new AI mandates are coming up pretty rapidly to combat this uncertain space. Standards like GDPR and CCPA are coming up, in addition to, I believe, the new EU AI Act that’s currently being ratified.
Shameless Tevora plug: ISO 42001, we are a certifier, and that is one of the standards that can be used for your AI system.
The other kind of thought on this, and I appreciate the conversation around compliance frameworks and things of that nature, is just the amount of vendors themselves. We saw last year, and even a little bit the year before, in innovation sandbox, how many are claiming AI versus ml, right? I think we’re really to the AI piece now, how can we go about or how can one go about discerning how they’re leveraging AI, what their claims specifically, and how they’re handling any thoughts specifically around that, as we’re as people are talking to vendors, how to handle those conversations?
There are different evolutions of where an AI itself can be at. I think we’ve made it to the place where we refer to everything as agentic AI, meaning that it’s an agent based. From an understanding what the vendors are doing, it’s just asking them more questions, like, are you leveraging your own custom LLM, are you using someone else’s LLM, do you have an agentic function with this LLM that’s back there? And if they can’t answer those three questions pretty commonly, they’re using machine learning, not what we would refer to as AI or large language models or even small language models. At that point, it just becomes, I’m using machine learning, I’m not using the next evolutions of it. I think that’s the easiest way, in my opinion, to discern what they’re doing right at this point. Like I said, everything’s kind of moving towards that agentic AI. The marketing is a flood, and it’s starting to become maybe too much, but that’ll be the main term that they’re starting to lean in on.
I think that the genie is out of the bottle right now, and every vendor is going to be touting AI or something as an enhancement to the solution. And I would say, you have to take that with a pinch of salt. As a security leader, I advise clients to just first focus on your traditional security, you know, principles. Prioritize data security because that’s essential. The AI is very data hungry. You have to realize that ensuring that you know that the data that goes into those AI systems will help make them more efficient and less likely to have like bias or errors is essential for you. Where you can, you have to demand that those AI systems are transparent, which is tricky, but the transparency and explainability of AI definitely does help, you know, with the comfort level. I think we have to be skeptical because AI doesn’t solve all the problems, and all that glitters isn’t gold. So, ask many questions and don’t take anything, you know, as a given, which means that during your evaluation and testing of these solutions, you need to be very rigorous in your testing and validation of those platforms. And most importantly, I’d say, educate yourself and your teams on this new space and what it means, and all the possible challenges that can be faced.
How the education platforms adapt to this, as that evolves as well to those models, since we’re talking on kind of that, AI, and the benefit, is I start to think about the other theme for me, which is automated SOC specifically. And how a lot of the automated SOC vendors or MDR vendors, etc., are saying, the promise of AI is going to help us resolve threats in minutes instead of hours or days. Maybe not days anymore. But do you feel that that claim is accurate? Do you really think it’s going to help speed up investigations? Is it going to help automate some of the tier one things? Where do you think the market is on that?
What are we looking for? I do think there’s merit there. I would tell anyone that you should consider it more of an evolution than a revolution. There’s definitely changes here. AI is capable of sifting through massive volumes of data that would typically overwhelm most security analysts. In that way, it can help identify subtleties that could easily be missed, which can help reduce time in detecting issues or threats in the environment. Then there’s also the element of this also leads into minimizing the amount of time involved in doing things like tier one, tier zero, security operations and triage, because it can quickly filter out false positives in this data. This is also a time saver. Then there’s also the enhanced time and accelerating correlation and enrichment of this data, in addition to other benefits. The automation that we see in our security operations, like in SOAR platforms, where you can quickly ramp up orchestration and response, in browser blocking IPs or isolating hosts, or even quarantining suspicious payloads. There are benefits there. I will say, though, there’s caveats, right? You should never leave out the human element, because human oversight is still required today. AI is not perfect. It’s only as smart as the data that backs it. There are areas where unknowns will be a black box, even to AI, and you should definitely have security analysts who are trained enough to look for those nuances in the kind of data that they’re sifting through.
I think just from an automation perspective, having that human element still kind of a critical piece. That isn’t going to be a question I’m asking specifically of vendors is like, how are you handling it? What is the model? And because it’s so new, there’s no metrics really behind it. So how are they going to do that? Validation on the back end is a very specific question for me. Then what other tie ins they might have from an integration perspective? I think those are a couple of the questions I’ll be asking of those particular vendors.
I think the big thing for me is, how transparent are they about what the AI themselves are doing, if I’m an MDR provider and I’m taking tier zero and tier one, maybe even tier two alerts, and running them through these AI automation platforms, and discovering a false positive, false negative, nothing to work on, escalating it correctly, building these workflows. How transparent are those workflows to the users? So that as the security organization, I can attest, yes, I know that this system is actually doing X. I know that the system is actually doing Y, and we’ve created an oversight layer at V, because we think that there’s a potential for this to be a problem. Every organization should probably take a measured approach. When starting to implement these AI engines, I usually tell them, let’s play and test execute. We want to try this out, see how it’s working, make sure we have the transparency we need. Make sure we’re comfortable with the way that it’s working, and then we can start to execute with it. Similarly to SOAR, we want to build SOAR playbooks that help us with automation, the concepts of hyper automation. Those things are amazing, but we have to make sure that we have tested them out, we have a good understanding of them, and we can explain what we’ve done if someone comes back to ask. The worst thing in the world would be for a breach to happen, your AI missed it, and you don’t know why, and you can’t explain it. The liability lies with you. Those are the things that scare me about this job.
Interesting to see how it falls for the SecOps consultants. I think one of the other themes that I see as kind of a major theme is going to be the vendors that are coming into the NHI space. So, non-human identity. It’s a bit nascent, but I see a lot of players coming into the market. As you see some of the platform players out there, there’s also a lot of emerging vendors there. And what I’ll be looking for specifically is, we’ve had some capabilities today from a privileged account management. We’re going to do NHI, or they’ll say they’re doing NHI, they’re just looking at secrets, or they’re just looking at service accounts. It’s more of like, I’m looking from a key capability perspective, how are they performing discovery and inventory? That’s table stakes at this point. What are they doing from that perspective, looking at what integrations they have specifically, are they going to fit my model, what I’m using? How are they doing anomaly detection, looking at bots, agents, and who’s accessing that data, and effectively, kind of getting a baseline for that. It ties back to total exposure management, or what we might be doing from an MDR perspective, how are we tying those types of things in, from human identity into the SOC? I love to think about life cycle management very specifically. Human owners are very well known. Typically, most organizations have good offboarding, onboarding; that does not really exist today around NHI. That is kind of another key piece I’ll be asking about. I think the one for me that I really want to key in on is just-in-time privilege. Specifically on these secrets, and when you’re calling them, there’s this term that’s kind of going around, secretless, where you inject credentials into an access request without exposing the application itself. You start talking about putting secrets into a vault, or how that’s handled, versus, how can you streamline this? 
How can we get more efficiencies from that, especially as you start talking about kind of credential management, and then I think about PCI compliance specifically as well, and what machine identities are doing from a zero trust. Some of the new PCI for DSS, there’s new requirements around that. I think asking some vendors specifically about that is going to be important for me. Those are my kind of my thoughts on that space, Josh.
I just want to understand how holistic their platforms are. There’s a lot of new entrants to the space, like emerging vendors, then we have some of our legacy vendors who are starting to come into the space as well. And for me, the biggest thing is understanding how verbose and how holistic this platform is. I don’t think I have a single customer that is cloud only, and I don’t think I have a single customer that is on prem only. And so, for me, understanding how I can blend those two together. What integration points exist? Where can I look for these non-human identities? Traditionally, it would be service accounts and different applications that run internally, and then there’s secrets, there’s all the things that can happen with API keys as we move ourselves to the cloud. Just getting that full picture so I can clearly state when someone comes to me with a requirements doc, this is the one or the three that fit this very well. Because they meet your integration points, they meet your requirements. And then it’s starting to get into the deeper conversation. You and I have talked about this a number of times. It’s just been based on some of the things we’re doing internally. I just want to understand how their platforms really add value to me, because it’s great that you can discover these things. But what are my next step actions? Can you remediate them? Are we able to automate that in one of our SOAR platforms? What continues to happen? It’s really cool to alert, but just like everything else, we have to do something with it.
Yeah, I think, I hate to say the proof is in the pudding, right? I’ve even had our clients asking us to, it’s a great space, and I get it, and I need to understand it, but where’s the value behind it? It becomes about, what is that? What does that remediation look like? How are you helping my posture score increase because of it? Yes, there’s risk elimination there, but showing that value is something we should be diving into specifically on that.
There’s also another way to look at it, from a client who is trying to figure out how to determine value. The truth is that non-human identities outnumber human identities. I’ve read anywhere from a factor 30 to 145, to one, 300 to one. In many organizations, especially as we move towards a more, you know, cloud adopted framework where it’s my machine identities talking to each other, API credentials going up through different solutions, cryptographic key certificates. All of these are happening basically autonomously because that’s basically what these identities are. They’re happening machine to machine, service to service, with no human intervention. Many of these credentials that they’re using don’t get rotated frequently. They’re static, which is always a target for bad actors. Asking these solution providers exactly how they’re tackling these challenges, knowing that even the current IAM space is still very tricky. We still have challenges just managing human identities. You can imagine what that looks like at a multiple of 300 and above. We need to be more mindful of what a good NHI system will look like to you. And to Josh’s point, how they integrate with the current systems today. Because there has to be that kind of like a single pane of glass where you can manage the non-human identities and human identities, you know, basically together, and then things like, how are these, you know, identities audited and monitored? What best practices are we aligning with? And to your point, also, like the inventory and visibility is going to be key. Appreciate that if we’re playing RSA bingo, you just hit single pane of glass. I struggled to find another phrase, and I couldn’t.
Nice one, Josh, you hit on something. I think those are some of the major themes that I see. But as you talked about PQC that is kind of one of the additional themes that I’m really looking to learn more about this year. There are a couple of vendors that I want to go take a look at, just see how this is evolving, especially over the next 12 to 18 months. It’s kind of like, what do we think organizations should be considering? Are they putting this into, not necessarily putting into budget cycles yet. Are we at just a discovery stage. What’s out there? How should we be preparing things of that nature?
I mean, post quantum, post quantum, post-quantum cryptography is a big problem, right? I’m going to say PQC now, I just want to make sure I got those words out one time. But PQC is something that it’s on the horizon, but I worry that we might focus a little bit on it too much as an industry or as an organization, versus what the actual threat landscape looks like right at the current state. At least from my understanding of it, most of the people that are going to be able to do the things that post-quantum cryptography kind of starts to defend against are nation state actors. Unless you’re a target for a nation state right now, or you happen to be one of the people who’s gotten caught up in the data exfiltration and they’re holding it, hoping to decrypt it at a later point, right? I don’t know that it’s necessarily on the bleeding edge for you. I think that it might be a little bit further out, but everything is going to change as these quantum computers start to ramp up and cryptography becomes obsolete in the way that it is. Shor’s algorithm will essentially eliminate our ability to be able to use the cryptography standards that we’ve used so far. One of the things that we recommend to our customers is just, try to fully understand what your cryptography life cycle is. What are your certificates doing? What standards are you using? Just so you can set up a strategy as this becomes a bigger problem, but just having that full understanding and mapping of what those problems could potentially be in the next 3, 5, 7, 10 years, whatever it ends up being, so that you are able to rapidly make those changes as it becomes a bigger problem.
Yeah, I wouldn’t totally agree with that. Josh, I have anything there,
It’s an interesting one for me. Not a cryptography you won’t by any stretch of your imagination, but this whole concept, that Shor’s algorithm, which I guess is based on a polynomial mathematics versus like exponential, will be able to easily break our current algorithms, like RSA and ECC. It’s definitely frightening, and I can definitely understand that there is concern there. I do still feel, though, that we’re ways out as well, just because the amount of resources and effort it takes to spin up quantum computers today makes it not a very viable solution for most organizations right now.
I think, like, there’s a couple of industries that are probably leading in the direction, specifically financial services.
I think that it makes sense, because financial services heavily regulated industries, governments that can basically afford to build up the resources to ramp up to those quantum computing are definitely front and center for PQC. I think that it makes sense for organizations to be forward minded, and I know at least one organization that will be showing some of their PQC offerings at RSA this year. I’ll be eager to see what they have to offer and see if it’s something that I should basically put on the forefront of my thoughts for the future. Just for learning. That’s kind of where I am. Are there any other themes you’re looking for, or specific topics you’d like to dive into a little bit deeper while you’re at RSA?
For me, I’m interested in what AI enhanced CTEM, or continuous threat exposure management, looks like. The idea that, you know, the forefront of threat exposure management is always having the most complete inventory. You want to know where all your resources are, be it on prem or cloud, IoT, hardware, software, databases, everything. And I think that AI has the ability to help quickly detect and categorize those resources and assets in a way that current technologies may have some challenges doing. Which leads to real time monitoring and change in the environment, which can also affect your risk posture. There’s also the ability to use AI and ML to do better predictive risk scoring, so you can do like on the fly controls tuning. I’m curious to see what solutions vendors are going to be providing along those lines.
I’m curious as well. I think the thought I have is, is this another tool? Is this just another console that I’ve got to look at that is exposing more data? How it integrates into other platforms, I think, is going to be my biggest question, because I don’t think folks need another console, and maybe they do. Maybe it ties into a larger goal management type of program. I don’t know that they needed a console of like saying, here’s your risks based off of this. How they integrate in is going to be a critical piece for me. Asking some questions with the vendors on that. Did Mark just avoid saying single pane of glass? I did.
He did sidestep that one. Well, he did a good job. I failed that one a few times. I think for me, the big one is, and it might be a little bit fringe, but I’m really interested in what deepfake prevention looks like. I know last year’s innovation sandbox winner was kind of a specialty vendor in the deepfake prevention and deepfake detection. I just want to understand exactly how they’re doing these things, how we would implement them as an organization. My biggest fear, I’ve said that twice, one of the things that I worry about significantly when I think about running a security organization is, how do I prevent some of these hiring mistakes that have happened in the last 18 to 24 months, where we end up with North Korean hackers who are inside of security organizations working as developers for months before they’re detected. How are we going to really work to defend that? We did a podcast a couple months ago where we talked about this. I don’t have a great answer for it. There’s all of the validation steps you can add. You can try to do ID validation, you can try to do biometrics data, but none of that stuff is perfect. If I can fake a video and do a deepfake video, get on a Zoom interview with you guys right now, what stops you from hiring me? If I have an AI engine that’s answering all of your questions successfully, and we’ve generated an image of me that looks nothing like me, you may hire me, right? So how do we as organizations ramp up our security to prevent those types of things, so that we’re not exposing ourselves to an insider threat we had no idea was coming? And so that, for me, is a really interesting topic. I hope I have time to go sit and actually dig into that one, because that’s the one that I really want to, but again, it’s kind of a little bit on the outside of our traditional security model stuff and the things that we would typically focus on. But for me, it’s, I think, really cool and interesting.
Yeah, time is the most valuable asset, so I got to spend it wisely. Those are some of the things I think we’re potentially wanting to look at or investigate a little bit more. Is there one that you’re not interested in, or that maybe you just don’t want to invest any time in this year? It’s kind of my next question. I’ll frame up and I’ll start. I think I’ve got two. I think one is on DSPM specifically. I think that last year there was probably 30 vendors right around the DSPM space, and everybody’s kind of doing things the same way. State of discovery, it’s data classification, until they evolve a little bit more in terms of, this is a whole data security program, how it might tie into DLP, which I know some of the vendors are starting to do. It just feels like it’s not an area I want to spend my time necessarily diving into more until they mature a little bit more, until the market gets a little bit more evolved. I think it’ll probably be some consolidation in that space as well, just given how many vendors we saw last year. That’s one for me. I think the other is just around the DevSecOps space. There are so many tools around that do SAST, DAST, SCA; it’s fairly commoditized. There are some new vendors that are out there doing some newer things around, let’s, you know, specifically control your container images. That takes away a lot of zero risk or zero day type of stuff. I think that is an interesting play. It might be an area I do spend some time, but in general, I probably won’t be spending a lot of time in the DevSecOps space because of those things. You guys have any on your side?
I didn’t have a good answer for this one. We talked about it a bunch, and the problem I have is I’m interested in everything, and I find myself really having a hard time with that. I’m really, for me, the thing that I’m not interested in is, I’m not interested in a lot of the marketing stuff that we’re going to see at RSA. The one downfall of this giant, amazing conference that we all get to attend is that there is a lot of very fluffy marketing that’s pushed out that doesn’t necessarily answer our questions, and some of it just creates fear, uncertainty and doubt. For me, that’s kind of the thing I’m not looking forward to. If I had to pick something that I’m probably not going to spend too much time on at RSA and is not a huge topic of conversation in my current opportunities, it is SIEM. I don’t think there’s been a huge evolution in what’s happening with data lakes and SIEM. I think we all kind of know where they are. There are things that change as the next gen SIEMs come out, and they make their way down there, but we’ve been seeing that for the last five years, so I don’t think I would invest too much of my time to go look at a SIEM vendor this year, just based on what I’m doing, but that’s probably my best answer.
Like Josh, I tend to want to take a peek at everything, just to give myself a sense of what to look out for. That’s one of the reasons why I always suggest the innovation sandbox, because I tend to see that the contestants in that contest tend to set the tone for what you know, we can expect going forward in from a lot of technology solution providers. I will say that I am not as interested in compliance vendors. I feel as though that many of what’s offered, should first be backed by really good best practices and good security hygiene on the client front, and not over promising a solution can help them do what they need to do right off the bat in their own general maintenance of their policies and procedures, and then use the tools to help them enhance that. So, less compliance for me.
That makes sense. You hit on something that I want to talk about a bit about more, which is on our agenda is the innovation lab itself. How do you see one getting kind of the most value of attending that? What do you like about it? What do you not like about it? What are you looking for this year?
I like the format. It’s kind of like a shark tank where the contestants have a limited amount of time to get on stage. And, you know, I think it’s usually three minutes. And they basically speak to the benefits of their solution, the problem space, where they’re in an issue they’re trying to solve, and why they do it in a unique and refreshing and efficient manner. Then they’re judged by basically a panel of very, very strong industry insiders, who can tout the effectiveness of the solutions. What I like about that is it is indeed innovative. Many of these solutions have been hand-picked to show that they’re resolving issues, some new, some not so new, in unique and interesting ways. As we’ve seen in the past, there’s several innovation sandbox contestant winners that have wound up literally redefining the space, like Axonius and the CAASM arena. It gives me an idea of getting a better handle on what security would look like in the next five to 10 years, and things I can start talking to my clients about to get them ready for any new changes that might be coming down the pike.
I think for me, there’s a couple of different spaces like, I think if anybody doesn’t look at the list of finalists, take a look at the list of the finalists and what they’re doing. I do think that’s a little bit on the cutting edge, like I think there’s down to eight or 10 finalists now, so I do plan on spending time with those. I think that’s always a good starting point. I think also, there’s a couple of interesting folks from the Gen AI adoption, which goes into the one of our themes. There’s a couple on deepfake technology. There’s a couple interesting from supply chain and identity that I’m also looking to kind of get some conversations going. Think about how you’re handling IGA today. Maybe there’s a different way to automate those processes or capture some of that other low hanging fruit. I think there’s some very interesting vendors in the identity space for that right getting total visibility and handling those access requests a bit better. Those are the vendors. I’ll be taking a look at the themes anyway, and the 20th anniversary of the innovator sandbox. They’ve changed the dynamic a little bit for everybody who is, who’s actually participating. I think, don’t quote me on this, I may be actually wrong on the actual numbers, but I believe that they all now receive $5 million as part of a seed investment from safe investments for participating in the innovator sandbox. The innovator sandbox always has interesting things. I like to follow it. I mean, I did a little bit of research a couple years ago on what actually happens with these companies after they exit the innovator sandbox. It’s a pretty interesting trend. About 55% of them get acquired, and get acquired relatively quick. There’s actually only two that have ever from the current set where we stand today, gone public, and that’s SentinelOne and Sumo Logic. And then Sumo Logic actually went back when they were acquired by Thoma Bravo, or whichever one of the PEs did that.
It’s interesting to see what dynamics come out of those things. I think Talon was recently acquired by Palo Alto Networks right after competing in the innovator sandbox. Wiz was a finalist innovator sandbox. They just got acquired by Google. Prior to that, they acquired an innovator sandbox finalist Dazz. There’s a lot of consolidation that ends up happening right after you compete in the innovator sandbox, which is very interesting. It’s a feeder into some of our larger security platforms, and kind of how they’re going to evolve. When we get to watch the innovator sandbox, or get to see kind of what these vendors, what these vendors are doing and talk to them, it really is what’s going to happen in security in the next 3/5/7 years, right? I think it was Securiti AI won the DSPM one in 2020, if I remember correctly. And now DSPM is a huge topic of conversation. We’re starting to see a lot of projects that happen. So potentially, maybe that is what happens with the company who won a couple years ago.
I think what will be interesting is, and we haven’t talked about, so I think that’s really good on the innovation lab. I think for me, as I start looking at some of the bigger vendors, we go look at the innovation sandbox. Obviously, there’s going to be some big analysis, or some buzz around the big vendors as well, which we don’t really touch on too much. I do think understanding what their roadmaps are, how they’re making that move to platform play. You’re starting to see a gap in the platform take a look at what’s in the innovation lab. Maybe that helps them fill in. I think that’s one piece. I am curious to see what the buzz and FUD will be going around, given the Wiz acquisition from Google. I do plan to try to get an update from all the vendors in those spaces, right, and how they’re kind of pitching against it, and what their kind of road maps and plans are. Those are conversations I definitely want to have. I think CrowdStrike is probably another vendor that I’ll take a look at, specifically from the big name vendors. Any thoughts?
I was going to say I think I’m interested to see what some of our bigger name vendors in the kind of that SASE/SSE space are starting to do. I’m starting to see a little bit of a migration on their side, over towards some of them started as CASB solutions. Some of them started as secure web gateway solutions. They’re kind of merging them. Merging that all together and going with a DLP solution that then can be paired with your DSPM solution. So, kind of interested to see if we hear anything of note from like the Zscalers and the Netskopes and the Catos of the world. I know that Avalor was a company I really liked when it was coming out, and their centralized vulnerability management, graph database function, and Zscaler acquired that, and I hadn’t really seen what Zscaler is doing with that technology. Be interesting to see if there’s something that they announce at RSA, or if they have kind of this new view of how they’re prioritizing risk in the rest of their platform. I’m kind of interested in those. That’s really what I’d like to see out of our big vendors. I mean, obviously we know that the Palo Altos of the world are going to do something with AI. They announced that CrowdStrike is one of the bigger vendors in this space. And actually, I’m interested to see what Cisco is going to do. They’ve been hanging around for a while as a very big vendor in the space. They bought Splunk, but I haven’t really seen anything that keeps them sticky. A lot of their stuff is continually being replaced, and so I’m interested to see if they’re going to do anything, or if they’re just going to take the Broadcom path.
What I’m interested in is trying to understand, what happens with the in-betweens? And by that, I mean, on one end, we’ve got a larger set of security companies that are just acquiring a bunch of solutions now. It’s got larger companies going through with the platform play, and they’re acquiring smaller technologies to kind of ramp up on their offerings. That leads to smaller companies that are viable, likely or not will wind up being acquired. Then we’ve got companies in the middle who, for whatever reason, maybe they’re just mid-sized, are not getting acquired. What do they do to ramp up and be competitive? And will we get the same of those features shown, during RSA this time around, just to see if, as competition ramps up and the bigger companies get bigger, how are the companies that are, you know, not quite that size, adapting to the changes in the market, and how are they trying to ensure that they continue attracting more clientele for the security offerings. Appreciate that. I’m deliberately not naming names because I don’t want to call any company big or small, but I think we know who the big players are in the space.
Tonight, the big players are very well known, so understood. Listen, I appreciate the conversation Josh, very much today. I want to thank everybody who’s attended as well. I do think that we have a couple of questions that came in just try to address those, and we can wrap up. I do appreciate the time. Hope everybody’s kind of prepped and ready for San Francisco next week. Rest up. Looks like one of the questions is the ASPM space seems crowded and there’s more new entrants. What should I be looking for? And what topics should I be looking at from an ASPM? Is it DevOps, shift left, container scanner space, visibility space, and how this ties into third party risk?
Well, I’ll take a crack at that one first, I think that it ultimately, it comes down to what your needs are. As a business, there are vast sides of the spectrum of what our customers need. We have some customers who are very, very heavy into the DevOps space, and they have a bunch of developers, and they’ve started to shift left. That then becomes more important to them, is understanding how these ASPM vendors will integrate pull from their existing scanners, replace their existing scanners, and give them the contextual data around that. Then the other side of the spectrum is we have these customers who just simply aren’t that far ahead into the development space, and most of what they care about is just, I have cloud resources that are out there. I have my on prem vulnerability management. How am I pulling that together, assigning who the owner is putting the appropriate risk to it, and then automating my next step actions. That is a very different conversation than the one that we started with. From your perspective, whoever did ask us this question, what is your business need. If we look at those two dichotomies, which one fits you the best. Then I would go to the various ASPM vendors. If you’re interested in recommendations, please come to us and ask them the questions about solving your business case. None of these vendors in the world solve everyone’s business case every time. I always like to start with the here is my business problem. Let’s see how you can address my business problem. And then we pick the best fit for you.
Honestly, I’m going to talk on what you said, Josh, in that this conference is going to attract different personas across the gamut of security. My answer to the question, Mark, will be for any other technology, which is first, start with your needs. What are you really, really looking for, and why, which should hopefully be informed by security program and some kind of priority that lets you know, these are the technologies that will solve this specific challenge that I have. And if you don’t have that information then luckily, you have Tevora to help you chart that path. Aside from that, every vendor is going to try to attract you by saying they can solve all problems. That’s not the case. Understanding typically, where your challenges lie is the first step in knowing exactly whether or not there’s any relevance in attracting talking to any vendor, be it ASPM or DSPM or any of those other solution providers. And then hopefully, using the ability to discern between what they’re offering and how real it is, when compared to what your requirements are, is also going to help you decide whether or not you want to prolong your relationship with any of those companies.
Yeah, I appreciate that. And I think this ties into kind of the next question in my perspective on it. If you have to understand your priorities first. The question that came in was like, how should I be vetting, platform convergence in cybersecurity, or is it best of breed. I think that ties back into, what are your needs specifically so if you’re looking if you already have a platform of some sort in place, obviously need to evaluate what they have. My consideration is like, go talk to those bigger vendors. From that perspective. If you’re not looking at, what’s my specific use case? What is my specific need? Is it third party risk? Is it exposure management, how I’m really prioritizing those risks? I think that there has been a large move into the platform play, but I still think that there is, I don’t want to call it best in breed, but there is still a place for individual tooling to be put in place as well. I think that ties into what we see a lot in market, which is around tool optimization, tool rationalization as well, which we obviously can help with. There are 60 to 100 tools in most organizations. Looking at the platform, it can cover 80% of my use cases versus a 20% and what is enough coverage? I think it kind of ties into that what you’re speaking to.
I was going to say I agree completely. I mean, the ultimate goal of just about everyone who’s in cybersecurity leadership right now is, how do I solve my security needs with flat budget or less budget than I had last year? I’m not going to continue to see this 20% growth that we saw for a very long time after 2019, 2020, so what am I going to get the best value for? I need to understand my needs, and then I need to figure out how to extract value from the vendors that I’m working with, and then potentially put best of breed technologies in place, like building a layered approach is a very traditional standard data security or the security model we should work with some of that, but the same time, it doesn’t make sense in every situation to buy a point product to solve one problem. When one of my platform products can solve that same problem, I should be looking at the other use cases and try to find the best way to optimize my team, optimize my tools, optimize my spend and optimize my controls. There’s some vendors out there that have software that does controls, optimization, tools, optimization that are going to be at RSA and are interesting and that can help a lot with some of the organizations that we’ve seen them implemented.
Great comment, Josh. Well, with that again, thank you very much, Josh, and I appreciate it. I appreciate everybody joining from the audience as well. We are around at RSA. We do have a post RSA happy hour as well. If you’d like to connect with myself or the team, please reach out to us via the [email protected] email alias, and we can get you to the happy hour. We can try to set up some time to connect with each of you individually to talk about these topics or anything else specifically that you may like. We appreciate everybody’s time, and with that, we’ll see you all next week at RSA. Thank you.
