RSAC 2025: An Insider’s Guide to the World’s Largest Cybersecurity Conference

Yes, you guessed it, the dominating topic at next week’s RSAC 2025 Conference will be AI – with exponentially more sessions, vendors, discussions, and panels devoted to it than ever before.

Other on-trend topics in RSAC 2025’s lineup include big changes in the federal government’s role in cybersecurity; how to secure cyber/physical systems (think operational technology and IoT devices); and – the dark-horse topic increasingly on the minds of CISOs and other security pros – identity management.

I’ve covered the show for 27 years, I’ve dug into what’s in store this year, and I’m here to give you an RSAC conference veteran’s preview – not only ID’ing noteworthy sessions and speakers but also recommending events and places that aren’t on the official schedule, where you might want to drop by to network or recharge your batteries.

TANIUM AT RSAC 2025: Head to the Four Seasons San Francisco to unwind at Tanium’s Recharge Lounge or catch demos of Autonomous Endpoint Management and security solutions with Microsoft and ServiceNow. Register here, April 28 – 30

There are also several changes to the conference, running April 28 to May 1 at San Francisco’s Moscone Center, you should know about. (For starters, they changed the name this year to “RSAC 2025.”)

Dig in to the key themes of RSAC 2025 Conference

MONSTER AI: The emergence of artificial intelligence as the prevailing theme for RSAC 2025 Conference marks a dramatic shift in the industry’s focus. While AI-related submissions accounted for only about 5% of conference talks in 2023, they now represent over 40% of the more than 2,800 proposals submitted for the 2025 conference, organizers say. This shows how rapidly AI has moved from an emerging technology to a central consideration in cybersecurity.

Melinda Marks, practice director of cybersecurity for research firm Enterprise Strategy Group, told me she’s hoping to dig deep into AI security strategies through sessions and vendor discussions during the show. “The big topic is AI and how to keep up with scale, both for how security teams can scale to support the increased usage of AI and all the elements that will also scale with its usage,” says the longtime RSAC attendee.

“For example, how does this impact access and authorization, data, APIs, and the complexity of the software supply chain? I’ll also be looking at the security applications of AI – GenAI and agentic AI – to help security teams scale with increased assistance and automation to speed up remediation, detection, and response,” she adds.

[Read also: What is agentic AI? Learn how this new AI type is revolutionizing processes with autonomous, intelligent workflows]

Those interests reveal how AI security isn’t a single monolithic topic. It’s a series of issues that span enterprises’ need to bring governance, privacy, and security to AI systems and data, as well as the use of AI to help better defend systems and data, and coming to understand how adversaries use AI to attack targeted enterprises and more effectively exploit people and systems through social engineering and technical attack techniques.

The big topic is AI, [including] applications of AI – GenAI and agentic AI – to help security teams scale with increased assistance and automation.

AI GOVERNANCE: As businesses weave AI into their operations, AI governance becomes a critical discipline that demands the same rigor as cybersecurity or data privacy. Essentially, AI governance is building the frameworks, policies, and oversight mechanisms needed to ensure that AI systems are developed and deployed responsibly, transparently, and in alignment with both regulatory mandates, ethical expectations, and key enterprise needs. Plenty of RSAC sessions will focus on this aspect of AI.

• WORTH ATTENDING: “What Directors and CISOs Need to Know About Cyber Mandates for AI Systems,” moderated by Scott M. Giordano, partner and co-founder of The CISO Law Firm PLLC.
  Monday, April 28, 8:30-9:20 a.m. PDT, Moscone West 3014.
• WORTH ATTENDING: “The Future of Tech Policy: Balancing Innovation, Security, and Regulation,” which includes Paul Nakasone, director of the Institute of National Security, Vanderbilt University, and Chris Krebs, former director of Cybersecurity & Infrastructure Security Agency.
  Monday, April 28, 2:20–3:10 PM PDT Moscone West 3018.

[Read also: Racing to deploy GenAI? Security starts with good governance]

AI FOR DEFENSE: Want to get up to speed on using AI to improve your systems’ security defenses? Plenty of practitioners will showcase innovative approaches, including AI-adaptive behavioral analytics to identify and contain malicious or negligent insider threats before damage occurs; using large language models (LLMs) to assist with malware binary detection and APT identification; AI-enabled threat intelligence; and automated security operations.

• WORTH ATTENDING: “The Cybersecurity Framework and AI,” with Kat Megas, program manager, cybersecurity, privacy & AI, U.S. National Institute of Standards and Technology; and Julie Snyder, principal, privacy architect/(NCF) privacy domain capability area lead at MITRE.
  Monday, April 28, 8:30–9:20 a.m. PDT, Moscone West 3001.

ADVERSARIAL AI: It’s impossible to understand how to adequately defend systems without understanding the tools, tactics, and procedures of your foes, and there will be plenty of talks covering adversarial AI and attack vectors. Critical topics to look for include sophisticated methods for compromising LLMs through prompt injection techniques and jailbreaking, as well as “guardrail bypasses” that expose vulnerabilities in AI systems, and the strategies attackers employ to “poison” data models to create biases or backdoor openings.

There will also be discussions on bad actors’ techniques to leverage LLMs to generate new malware iterations. Security experts will explore how threat actors leverage AI technologies for malicious purposes.

[Read also: Machine learning in cybersecurity: a primer for beginners]

RSAC 2025 Conference’s hot topic 2: identity management

Identity management has become increasingly critical today due mainly to the rise of AI in the enterprise, and that’s why it’s expected to be a hot topic this year – and why there will be 332 sessions dedicated to identity security at RSAC 2025 Conference.

Key discussions will cover why identity-based attacks persist despite extensive investments in identity protection, offering practical steps to identify and remediate exploit paths before attackers can leverage them. They will also explain why identity-centric security is essential to defend against AI-driven cyberattacks.

• WORTH ATTENDING: “Rebooting America’s Identity System: AI as the Catalyst,” presented by Caleb Sima, chair of Cloud Security Alliance’s AI Security Alliance.
  Wednesday, April 30, 8:30–9:20 a.m. PDT, Moscone West 2022.

Sima stresses why identity is crucial right now: “The systems we rely on today – largely Social Security numbers and birth certificates – were never designed for the digital age. Frankly, they were never designed for identity to begin with. They represent a ‘broken foundation’ that creates the incredibly frustrating and insecure online experiences we all endure daily,” he says.

Generative AI has now become the unavoidable ‘forcing function’ that makes addressing [identity management] urgent.

Prepare for such experiences to get more frustrating and even less secure, thanks to Gen AI.

“Generative AI has now become the unavoidable ‘forcing function’ that makes addressing this urgent,” Sima says. “GenAI fundamentally attacks our ability to know who is real and what is authentically authorized online. Deepfakes can convincingly impersonate people, destroying trust in visual or audio verification. At the same time, AI agents acting on our behalf make it critical to verify if an action was truly intended and authorized by the human user, something SSNs obviously can’t do. Our legacy systems offer virtually no defense against these AI-driven threats.”

[Read also: What is identity and access management (IAM) – check out the basics, benefits, and best practices]

My favorite spots to hit at RSAC 2025 Conference (and every year)

The show floor officially starts with the welcome reception, 5:30-7 p.m. Monday, throughout the Moscone North and South Expos, with drinks and hors d’oeuvres and a chance to socialize with the more than 600 security vendors with booths on the show floor.

Now in its 15th year, the Securosis Disaster Recovery Breakfast remains a tradition I hate to miss.

If keynotes are your thing, you’ll find them at Moscone West starting Monday afternoon. Most are too product- and vendor-oriented for my taste, but I will definitely want to hit this year’s Cryptographers’ Panel at the YBCA Blue Shield California Theater. Here, such cybersecurity luminaries as Whitfield “Whit” Diffie and Adi Shamir, as well as other cryptographers and computer scientists, discuss (often debate) the pressing cybersecurity issues of the year.

While the official agenda dominates the schedule, the conference comes to life for me at sanctioned but social affairs – from networking breakfasts to industry parties, great opportunities to build relationships and networks. For instance, now in its 15th year, the Securosis Disaster Recovery Breakfast (hosted by the security research and advisory firm) remains a tradition I hate to miss. Their event space near Moscone Center on Thursday, May 1, is at 1 Yerba Buena Lane, and this low-key gathering is designed for attendees to “drop in and out” while they chat about industry challenges.

What’s new this year (besides the branding)

RSAC 2025 Conference organizers announced quite a few new events this year, such as the DARPA AI Cyber City, which is billed as an “immersive experience” that explores AI’s impact on cybersecurity and gives attendees a walk through a simulated city and see AI applications in different scenarios.

There are also capture-the-flag sessions with a new interactive focus on cybersecurity skills and challenges across various domains, such as cloud security and gaming. Finally, there’s the Early Stage Expo Area, which hosts 78 innovative companies. Many will be focusing on AI security this year. Also, look for new networking spaces in the form of lounges and open areas spread across the campus.

With the new events, the conference campus has expanded to a few additional venues, like YBCA and YBCA Blue Shield of California Theater (right next to Moscone), to provide more space and unique programming.

How the RSAC 2025 Conference got here

Conceived in 1991 by RSA Security’s then-CEO Jim Bidzos, the original, modest conference focused on digital signature standards and drew fewer than 200 attendees. Spirited debates on encryption policy marked its early years — notably in 1995, when the conference took a public stand against the U.S. government’s Clipper Chip (which would have given the government a backdoor on telecommunication devices), rallying industry opposition with the famous (at least to old-timers) “Sink Clipper” slogan.

The 1990s were a fascinating time in cybersecurity – called “information security” in most circles back then – with the rising popularity of the internet (remember dial-up?), U.S. bans on essential encryption algorithm exportation (which threatened the success of e-commerce), and computer scientist Phil Zimmermann under federal investigation for his release of the Pretty Good Privacy (PGP) encryption program (which then violated the Arms Export Control Act).

[Read also: What will soon be making history? The world’s first Q-Day and quantum computing’s threat to cybersecurity]

As the digital threat landscape expanded, so did the conference’s scope and size: By 1997 (my first RSA Conference was in 1998), attendance had surged to 2,500, and in 2000, RSA expanded internationally with its first European event. A pivotal moment came in 2005 when Microsoft’s then-CEO Bill Gates delivered the keynote, signaling the conference’s transition from a niche cryptography forum to a comprehensive IT security summit. This broadened focus attracted a more diverse audience and a rapidly growing vendor presence, with attendance reaching 17,000 by 2008.

And it soon became known for headline-making moments in cyber – such as the 2010 unveiling of the Obama administration’s Comprehensive National Cybersecurity Initiative.

As for that rebranding? Once known simply as RSA Conference (RSA being an acronym for the names of RSA Security’s three co-founders: Ron Rivest, Adi Shamir, and Leonard Adleman), the event has become more than just a conference. For that reason (and since RSA Security sold its remaining interest in the conference events business in 2022), the org has renamed itself RSAC, with the extra “C” standing for content, connection, culture, conversation, and “above all, community,” explains Ben Waring, RSAC’s director of global PR and communications. “Everything we do,” he adds, “is to enable collaboration and foster growth.”

While we can’t predict just how history-making this year’s gathering will be, for cybersecurity professionals, RSAC 2025 Conference represents the essential opportunity to understand how technological innovations – AI being just one of them – fundamentally transform security practices while gaining practical knowledge to implement effective defenses. I certainly find it worth the trek year after year. Hope to see you there.