RSA 2026: What Actually Mattered
Four takeaways on third-party risk, identity fragmentation, endpoint evolution, and AI agents after a week of real-world attacks and conversations with CISOs.
Attackers didn’t wait for RSA to start. They set the agenda.
Handala used infostealer malware to steal credentials and wipe 200k devices at Stryker; TeamPCP executed a sophisticated supply chain attack to inject credential-stealing malware into Aqua’s Trivy scanner; and then a threat actor leveraged a third-party vendor incident to breach Crunchyroll.
We’d shared what we were interested in, and most of those themes were already being exploited before even day 1 of RSA.
Between our CISO breakfast, a packed slate of founder meetings, and dozens of discussions across events, the expo floor, and around San Francisco, there were a plethora of learnings. To spare you a laundry list, we condensed it down to four.
Here’s what stuck with us.
Key Takeaways
Third-Party Risk is no longer just a compliance problem
In nearly every conversation, CISOs expressed how hard it is to answer a simple question: What is the real vendor attack surface inside my company, and how do I continuously secure it?
Crunchyroll and Aqua’s breaches exemplified the risk, but ~35% of data breaches already originated from third-party compromises. This number is on the rise because today, TPRM is a static, manual, checkbox process. A vendor may pass an assessment on day one, but over time, permissions sprawl, integrations deepen, and their effective blast radius balloons, often invisibly.
The combination of an exploding vendor landscape (many CISOs pointed to having 500+ third parties), more sophisticated attackers, and a fundamental lack of visibility has made third-party risk a core security concern, not just compliance.
What was once TPRM is evolving into something much broader. Static assessments and annual reviews are giving way to continuous visibility, monitoring, and enforcement. Call it Third-Party Security Management (TPSM) or something else, but the takeaway is clear: this is no longer a compliance workflow. It’s an active, dynamic security category.
The Identity Stack is overwhelmed
Walking around the expo floor, identity booths were flooded by practitioners and CISOs alike. But this wasn’t just the NHI craze we saw last year; practitioners were gravitating toward larger vendors or those that emphasized being a platform or unifying all identities.
Naturally, we asked a few folks at these booths questions, and it became clear why identity was inflecting. The explosion of agentic use cases has expanded the identity landscape with different types of identities, but at the same time, the identity stack has gotten incredibly fragmented.
Enterprises have an IdP and authentication layer like Okta, an extension of it with Silverfort, typically a PAM solution (CyberArk, etc.) for enforcement, and then, on top of all that, an IGA like SailPoint for continuous governance. Whether it’s the volume of identities or the number of identity vendors, enterprises are overwhelmed.
We saw a huge pull for identity solutions that offer consolidation, intelligence, and unified visibility and enforcement across this stack. When the perimeter is expanding exponentially, the solution isn’t more point solutions. It’s unification.
Endpoint Protection is moving up the stack
AI and productivity mandates have driven an explosion of software that doesn’t compile down to the OS in the traditional sense. Developers install what they need (npm modules, VSCode extensions, AI agents), and knowledge workers often rely on browser plugins and productivity applications from third-party marketplaces.
We also saw emerging players leaning into this shift, focusing on visibility and control at the application and extension layers, not just the OS. It’s an early but important signal of where the market is heading.
Incumbent EDR and EPP solutions weren’t built for this world. They were designed for the OS and binaries, not for activity in the software layer that doesn’t need to compile to binaries.
While this was always a blurry area, the usage patterns have flipped. Enterprises now have an order of magnitude more non-executable software than traditional executables, leaving CISOs with limited visibility and enforcement for a large portion of tools.
Koi (acquired by Palo Alto Networks) was an early signal of this shift. Now, with a new wave of endpoint solutions reaching parity, the real question is scope. Do they extend into runtime behavior, converge with software supply chain security, or evolve into a broader control plane for how software is actually used?
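The visibility gap described above is easiest to see by inventorying the extension layer directly. The script below is an added example, not code from the post or from any vendor named in it: it reads the `package.json` of each VS Code extension folder and the `manifest.json` of each Chrome extension folder, then flags anything that is not on a reviewed allowlist or that holds a permission worth a second look. The directory layouts mirror the on-disk conventions those tools use, but the sample extensions, the allowlist, and the risky-permission set are all constructed for the demo and written to a temporary directory so it runs offline.

```python
import json
import os
import tempfile

# Constructed sample extensions (not real products); written to a temp
# directory below so the scanners read real files in the expected layout.
SAMPLE_VSCODE = {
    "ms-python.python-2024.1.0": {
        "publisher": "ms-python", "name": "python", "version": "2024.1.0"},
    "acme.ai-helper-0.3.1": {
        "publisher": "acme", "name": "ai-helper", "version": "0.3.1"},
}
SAMPLE_CHROME = {
    "abcdefghabcdefghabcdefghabcdefgh": {
        "name": "Grammar Pal", "version": "1.2",
        "permissions": ["storage", "tabs"]},
    "ijklmnopijklmnopijklmnopijklmnop": {
        "name": "Page Saver", "version": "4.0",
        "permissions": ["webRequest", "cookies"],
        "host_permissions": ["<all_urls>"]},
}

# Hypothetical policy: extension ids the security team has reviewed, and
# browser permissions that warrant review whether or not the id is known.
ALLOWLIST = {"vscode:ms-python.python",
             "chrome:abcdefghabcdefghabcdefghabcdefgh"}
RISKY_PERMISSIONS = {"webRequest", "cookies", "<all_urls>",
                     "debugger", "nativeMessaging"}


def build_sample_tree(base):
    """Write the constructed samples to disk in the layouts the scanners expect."""
    vs_root = os.path.join(base, "vscode-extensions")
    ch_root = os.path.join(base, "chrome-extensions")
    for folder, pkg in SAMPLE_VSCODE.items():
        d = os.path.join(vs_root, folder)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w") as f:
            json.dump(pkg, f)
    for ext_id, manifest in SAMPLE_CHROME.items():
        d = os.path.join(ch_root, ext_id, manifest["version"] + "_0")
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f)
    return vs_root, ch_root


def inventory_vscode(root):
    """One record per <publisher>.<name>-<version> folder, keyed from its package.json."""
    items = []
    for folder in sorted(os.listdir(root)):
        path = os.path.join(root, folder, "package.json")
        if not os.path.isfile(path):
            continue
        with open(path) as f:
            pkg = json.load(f)
        # VS Code extensions declare no permission model; they run with the
        # editor's full privileges, so the id alone drives the policy check.
        items.append({"layer": "vscode",
                      "id": f"{pkg['publisher']}.{pkg['name']}",
                      "version": pkg.get("version", "?"),
                      "permissions": set()})
    return items


def inventory_chrome(root):
    """One record per <id>/<version>/manifest.json, with declared permissions."""
    items = []
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        for ver_dir in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, ver_dir, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path) as f:
                m = json.load(f)
            perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            items.append({"layer": "chrome", "id": ext_id,
                          "version": m.get("version", "?"),
                          "permissions": perms})
    return items


def assess(items, allowlist=ALLOWLIST, risky=RISKY_PERMISSIONS):
    """Return one finding per item that is unreviewed or holds a risky permission."""
    findings = []
    for it in items:
        key = f"{it['layer']}:{it['id']}"
        reasons = []
        if key not in allowlist:
            reasons.append("not on allowlist")
        hits = sorted(it["permissions"] & risky)
        if hits:
            reasons.append("risky permissions: " + ", ".join(hits))
        if reasons:
            findings.append({"id": key, "version": it["version"], "reasons": reasons})
    return findings


def run_demo():
    """Build the sample tree, scan both layers, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        vs_root, ch_root = build_sample_tree(tmp)
        return assess(inventory_vscode(vs_root) + inventory_chrome(ch_root))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["id"], finding["version"], "->", "; ".join(finding["reasons"]))
```

Pointing `inventory_vscode` at `~/.vscode/extensions` and `inventory_chrome` at a Chrome profile's `Extensions` folder turns this into a real per-host inventory; the point of the design is that the record and the policy check are the same for both layers, so adding npm globals or another marketplace is a new scanner function, not a new policy.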
Leveraging runtime to monitor, secure, and enforce AI Agents
If you were relieved to not read about “Agentic Security” for the 19th time, sorry to disappoint you. The throughline across all these themes (whether endpoint, identity, or vendor behavior) is AI agents. Everyone has a slightly different definition of “Agentic Security.” That ambiguity was one of the biggest unresolved questions at RSA.
One vendor sounds like endpoint security. Another sounds a lot like a new identity solution. But ultimately, you have to drill into the pain point. CISOs’ biggest worry is that visibility into what agents are running isn’t enough. Agents are fundamentally non-deterministic, so the ability to monitor and enforce them at runtime is paramount.
We saw dozens of creative approaches to monitoring, securing, and enforcing agents in this way, but it remains to be seen which approach will win. Some focus purely on internal use cases, monitoring agents interacting with tools within your company. Others go after customer-facing agents, deriving intent at runtime to prevent issues like agent jacking. Even seemingly benign examples, like Chipotle’s agent being repurposed for answering coding questions, highlight how quickly things can go off track.
These emerging vendors address different problems and often have different competitive sets, making it critical for vendors to clearly articulate what they solve and for whom. In a market flooded with impressive technology, buyers need clarity, not just capability.
Final takeaways
With 649 exhibitors at RSA (and dozens with creative alternatives to booths), the reality of today’s market was on full display: saturation.
Nobody is going to sift through hundreds of competitors to decipher who’s the best fit. If it takes more than a few minutes to understand what you do and why it matters, you’ve already lost them. The burden is on the companies to be crystal clear on the problem they solve and who they solve it for.
This came up repeatedly at our CISO breakfast, cohosted with Runtime Ventures and Wells Fargo at Zazie. CISOs don’t reward complexity. They reward clarity.
We saw this play out in real time with portfolio company Above Security, which announced its funding on the first day of RSA. In a crowded category, they stood out not just by being explicit about the problem they solve, but by delivering an immediate “AHA” moment through the product itself. CISOs could quickly see the value without needing a long explanation. The combination of clear positioning and fast time-to-value cuts through noise.
One other thing stood out this year: the presence of Israeli founders and VCs. Despite everything happening globally, they showed up in force, leaned into conversations, and brought real energy to the ecosystem. It didn’t go unnoticed.
In a market full of strong technology, the companies that win won’t just be the most innovative. They’ll be the ones that are easiest to understand.

This article is for informational purposes only and does not constitute investment advice. Views expressed represent the opinions of Jump Capital. Jump Capital may have investments in or pursue investments in the security technology sectors and companies discussed. References to specific companies do not constitute investment recommendations.