Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations.
Back from RSAC, still jet lagged. But I need to get this out while the thoughts are fresh.
I have been going to RSAC for years as a practitioner. This year I went as both practitioner and vendor. That changes everything. Running a booth, doing over 20 demos, having 50+ conversations just around the booth. To speak as a vendor I needed to reverse engineer what I was doing as a practitioner, what I wanted to hear, how things needed to be explained so they resonate with everyone. Seeing the conference from both sides gave me a perspective I did not have before, and I think it made this one of the best RSACs I have attended.
More about the vendor experience in a dedicated blog on BlinkOps. Here I want to share from the practitioner lens. What I saw, what got validated, and what the industry is still getting wrong.
The Conference Itself
The quality of talks this year was solid. I have not been on the talk tracks since 2020 when I gave a talk on Intelligent Threat Intel: Lead Framework, so it was good to be back in the sessions.
My favorite was Anton Chuvakin's STR-W08: Shadow Agents: A Pragmatist's Guide to Governing Unsanctioned AI. It triggered some thoughts on how to build better governance around agents. I already drafted a high level design and will release it soon. What made it even better is that some of the things we built at BlinkOps are aligned with how you can actually do better governance for agents and how you can organize them more efficiently.
Beyond the talks, I had a ton of meetings and caught up with a lot of peers. Amazing conversations, great ideas exchanged.
The Uncomfortable Truth About AI Adoption
One theme came up over and over in those conversations. In the past we were able to build tech and say with confidence this is the future and it will be used in the next 3-5 years. Now it is hard to predict how the tech will look in 1 year, all due to the pace of developments around AI and agents.
But here is the interesting part. Not many are at the stage where they implement it at scale. The majority are using AI mainly around copilots. Agentic implementations are still in the early days and gaining traction only among early adopters.
The main issue persists: adoption is messy. It is like we learned nothing from moving from on-prem to the cloud.
A Quick Note on Booth Culture
I will keep this short because I could rant. As usual the floor was full of shiny distracting booths that make you feel like you are in a theme park. If I can't understand what you are selling from a single sentence at the booth, for me that is a no-go. Your booth can have the most awesome visuals and bring cool attractions, but if the messaging is lost then what is the point.
Interestingly enough, the smaller booths had better messaging than the large ones. Many of the big ones would just display the vendor name with no context (this works for large well-known brands). If I was not stopping to get scanned and watch a demo I had no idea what their product does. That tells me they are not aware of their own brand awareness gap.
AI SOC Is Not a Product, It Is a Feature
This is probably my hottest take from the show, so let me just say it clearly.
AI SOC or Agentic SOC is not a product. It is a feature.
What I saw on the floor is that AI SOC has become a core functionality embedded in many platforms. Almost every SIEM (if not every) now has some form of AI SOC capability. Some are better than others, some are more of a checkbox exercise. But the autonomous triage and base analysis that was initially pitched as a standalone product category is becoming just another feature layer.
On top of that, SIEM vendors all started adding the response (SOAR) piece as well. Elastic for instance announced their Automation capability.
What I heard asked quite often around AI SOC was: How can you give feedback? How does it learn from past experience? Can it be customized? And what else beyond triage can it do?
Those are the right questions. And the vendors that can answer them well will be the ones that survive the consolidation wave.
Where Most AI SOC Vendors Are Falling Short: Response
Now here is where it gets real. The area where I see most AI SOC vendors struggle is response.
Getting a UI where you can build automations is not going to cut it. And doing the lazy route of saying you can connect to MCP and call it a response layer is not going to cut it either. MCP is a protocol, not a response strategy.
To do response properly you need a solid integration layer with deep connections into the tools your SOC actually uses. You need orchestration logic, error handling, feedback loops, and many other components that make the difference between a demo and a production deployment. And yes, to be truly functional in this space you need to be able to build agents. Not just use them, build them. That is where the real differentiation lives.
Triage is getting commoditized. Response is where the hard problems are. And most vendors are not there yet.
Predictions Validated
For me RSAC was also a validation moment. Seeing my predictions play out on the floor is a testament that the analysis work we do at SecOps Unpacked holds up.
Prediction 1: AI SOC becomes a feature. Covered above. It is happening across the board.
Prediction 2: AI SOC acquisitions start this year. Not one but two happened already. Culminate was acquired by Datadog. Kenzo Security was acquired by Rapid7. More will come. My bet is we will see at least 5 AI SOC vendors acquired this year.
Prediction 3: AI SOC vendors shift towards MDR or detection engineering. And that is exactly what is happening. The ones that don't go the MDR route are pivoting towards detection engineering. Two clear lanes forming.
Shadow IT and Shadow AI Are Not Going Away
Another topic that persisted through RSAC was Shadow IT and Shadow AI. I think the vendors that will have the most success going forward will be platforms that can govern both shadow IT and shadow AI. The components needed are identities combined with MDM, SSE, ZTNA, and DLP. That is a lot of tech converging in one place, and it probably deserves its own in-depth blog.
Cool Tech Worth Watching
I want to give credit to some teams building impressive things that caught my attention during the show.
Spectrum Security - Finally had a chance to meet with the founding team, Dylan and John Meny. What they are building is super cool and I think it is the kind of tech that could reinvent how we do threat detection.
Above Security - Aviv and his team have some really interesting tech around insider risk. Huge potential there.
Alpha Level - Joshua Neil and his team are building alert management done right. I really like their approach of combining ML and LLM in a smart way. I think this is how you build real IP around AI SOC.
Tracebit - Andy Smith and Sam Cox are building a really cool deception technology platform.
And yes, for anything else you need BlinkOps. 😀

