Where do we go from here?
IST Reflections on RSAC ’26
Once a year, the cybersecurity community converges on San Francisco. From the expo floor to vendor pop-ups in Yerba Buena Gardens, the SOMA neighborhood is abuzz for four days with hackers, researchers, and government policy experts eager to share insights. But this year, the din was a little different.
Though this was my first time attending RSAC, returning attendees described this year’s conference to me as “muted” and “lethargic.” At a time when AI is front of mind for both vendors and customers, there wasn’t a whole lot to differentiate one booth – or product – from another. Nearly everything is AI-enabled, but to what end? The question on many minds was clear: where do we go from here?
RSAC has long been a major cybersecurity touchpoint, but as the AI and cybersecurity market continues to evolve at lightning speed, I found few panels or presentations addressing the most pressing, relevant concerns as of March 2026, such as the growing gap between the cyber haves and have-nots.
Can conferences in general keep up with the speed of AI? What topics, conversations, and observations stood out? What did IST’s experts have to say about their panels and events?
I sat down with Chief Strategy Officer Megan Stifel, Executive in Residence for Public Safety & Security Josh Corman, Senior Vice President for Policy Nicholas Leiserson, and Senior Director for Preparedness and Response Michael Klein to hear their post-conference takeaways.
What felt different about RSAC to you this year?
Joshua Corman: I think Haroon Meer said it best: the conference “felt subdued”. For me, the expo floor felt less bombastic, hyperbolic, or assertive than previous years.
At a time when we’re seeing cyber used as a weapon of war from the likes of Russia, China, Iran, and a shift away from data breaches to more disruptive and destructive attacks, RSA has not pivoted—or hasn’t had time to. There’s such ambiguity and uncertainty about what comes next, so I sensed a lot of passive behavior or lethargy. It’s almost like we’re caterpillars going into a cocoon. Importantly, I think we can come out different and better on the other side.
I was frustrated, but not surprised, to see or hear very little outside of our talk about the Typhoons. If you’re looking for something to sink your teeth into, and you think AI is too ambiguous, leaning into cyber conflict or the Stryker conversation might have been a good answer. Granted, it may have been too late to change booths and adjust talks, but I was struck by the lack of hallway conversation, for example, about critical infrastructure disruptions surrounding the Iran War.
I found that absence kind of remarkable. While we wait for the future with AI in it to unfold, I think focusing on critical infrastructure presents an opportunity to find purpose and take action. It could be a chance to explore new stuff for water, for your hospital, for your crisis management plans. While we wait for things to go “back to normal,” I think there’s a lot we can be doing and focusing on in the meantime.
As someone who cares deeply about this space and this conference, I hope in the future we can focus less on holding patterns and more on evolving to meet the moment.
AI was a hot topic at RSAC this year, perhaps more than ever. What were your takeaways on how the cybersecurity community is utilizing this technology?
Megan Stifel: The cybersecurity community has been using AI for years, under the artist formerly known as machine learning. This year the conference was definitely abuzz about AI, from bold proclamations of it being the secret sauce powering everyone’s products to discussions about it being the capability that we must buy products to defend against. I’d categorize the conversations around AI use into the following:
- vendors, to make their security products more capable;
- developers, to write more secure software;
- defenders, to red team their own networks;
- attackers, to better phish us, map our networks, and monetize exfiltrated data – that list goes on, sadly
Above all, I heard one common observation across many of the experts at RSA: attacker use of AI will make matters worse from a cybersecurity standpoint for anywhere from 18 to 24 months. But after that point, most seemed to agree that AI for defenders will have caught up and cleaned up.
At RSAC, you sat down with Congressional staffers to hear straight from the experts on the current situation in Washington. What were your thoughts after the discussions?
Nicholas Leiserson: It was a bracing conversation. All of the panelists emphasized challenges with transparency from the administration when it comes to cybersecurity issues. The lack of coordination—as well as the significant reduction in the federal cyber workforce—have left members and staff concerned about our cybersecurity posture. I don’t know that I’ve heard that degree of frustration from staff before.
On a more positive side, the recent announcement that CISA will be hiring 300 new personnel brought plaudits from the panelists. I was also impressed by the range of legislative activity we can expect to see from Congress on everything from reform of the CVE Program to authorization of the Joint Cyber Defense Collaborative (JCDC).
Still, the story that stuck with me most came from an Oversight Committee staffer analogizing DOGE to a junior consultant coming in, being granted root access to all systems, and then making a series of undocumented changes before disappearing. I have a lot of empathy for the folks in agencies picking up the pieces and trying to get systems back on firmer footings, and for the Congressional committees attempting to oversee that process.
Your panel, How 3rd Party Risk & a Teen Hacker Got K-12 Cyber into the Situation Room, was one of the only panels at RSAC on the education sector. What did you hear from practitioners about their concerns?
Michael Klein: The 60 people who showed up at 8:30 am told me everything I needed to know before the session even started. I saw current school district IT directors, former staff now working on the vendor side, and even parents worried about their kids’ data, all of whom were excited to be focusing on a topic of personal and professional importance for them.
What came through clearly to me: practitioners below the “cyber poverty line” need spaces at conferences like RSAC that center their reality, not just as a side conversation, but as a core track. They need practical strategies they can actually implement when they get home, not enterprise solutions repackaged with an education label slapped on.
The contrast hit hardest in the exhibit hall. Vendor after vendor struggled when I described what “below the cyber poverty line” actually means: a school principal who drives the bus and fixes printers on the weekend in the same battle as a Fortune 500 company against transnational criminal organizations. But unlike a Fortune 500 company, they have no Security Operations Center, no dedicated security staff (sometimes even no IT staff), and a near-total reliance on third-party SaaS providers for core operations. When I asked vendors in the exhibit hall how their products might be able to help those entities that are “target rich, cyber poor,” I found myself met with blank stares or pivots to enterprise pricing that, deep down, they knew didn’t actually fit the need.
The energy and concern for protecting schools, towns and small businesses is real. I saw it in that excited room at 8:30 am. But here’s what we actually need: vendors who understand that the highest-impact way to help organizations below the cyber poverty line isn’t selling them tools they can’t staff and maintain, but shoring up the third-party SaaS providers those organizations depend on for critical infrastructure.
Case in point: A vulnerability in PowerSchool affects millions of students across thousands of districts simultaneously. That’s the leverage point, and that’s where efforts like the K-12 Cyber Defense Coalition are here to help.




