We just got back from RSA Conference 2026 in San Francisco. If you've been before, you'll know the drill: hundreds of vendors, wall-to-wall keynotes, and enough buzzwords to fill a bingo card before you've finished your first coffee.
This year, the word was agentic. As in agentic AI, agentic SOC, agentic everything. Walk the show floor for an hour, and you'd be forgiven for thinking the industry had collectively decided that slapping "agentic" in front of an existing product was a go-to-market strategy.
To be fair, some of it is real. But the most valuable conversations we had at RSA this year had very little to do with AI. They were about something much more straightforward: security teams who are stretched, buried in findings they can't action, and desperately looking for outcomes rather than another dashboard.
That was the signal. Here's what we found.
The 451 Research breakfast
On the morning of March 25th, we sat down with the 451 Research information security team for their annual RSAC breakfast briefing, always one of the more grounded ways to start the week, given that analysts tend to be rather more measured than vendor keynotes.
A few things stood out.
The analyst team's platform map for 2026 now explicitly names "agentic vulnerability management" as part of the exposure and risk management domain, alongside CTEM, RBVM, and ASM. Worth noting not because of the AI angle, but because it signals that the market has moved from experimentation to expectation around automated remediation. That's the part that matters for practitioners.
The data on AI-generated remediation confidence was also interesting. 76% of security practitioners surveyed said they'd be at least somewhat open to applying AI-generated code fixes to address vulnerabilities. A third would implement them automatically. Less a story about AI, more a story about how tired people are of finding vulnerabilities that never get fixed.
And improving risk and vulnerability management ranked in the top three strategic security objectives for 2026, sitting alongside securing cloud architecture and integrating AI into security tooling. Our market is front and centre on the priority list, regardless of what's trending on the show floor.
A real-world moment cuts through
While the AI messaging was reaching peak volume inside the conference halls, something was unfolding that provided a rather more concrete illustration of what's actually at stake.
A supply chain compromise in Trivy, one of the most widely used open-source vulnerability scanners, went public just before the conference. For a lot of teams, that kind of news lands quietly and gets triaged later. For us, it was a moment to move quickly and be genuinely useful.
We were ready to help immediately. We had cnspec migration guidance for affected teams. We heard in person from large enterprises using Trivy who suddenly had a very real problem to solve, many of them unsure if and to what degree they were impacted. The conversations that followed were some of the most direct, high-intent interactions we had all week. No AI narrative required, just a real incident, real risk, and a team that was ready to help.
What we actually heard at the booth
We gave away a lot of swag this year. The lucky key challenge winners know who they are. But what we'll remember about this RSA is the conversations.
MSSPs and enterprise security professionals told us the same thing, over and over: security teams are stretched. Not in a vague way, but in the very specific sense of more findings than they can action, more tools than they can manage, and more pressure from leadership to show that any of it is actually moving the needle on risk.
Nobody came to the booth wanting a feature walkthrough. The questions were almost entirely outcome-oriented. How do we get things fixed, not just found? How do we demonstrate progress to the business? How do we improve our remediation rate without growing the team?
That last question keeps coming up, and it's the one Mondoo is built to answer. Security theatre (scanning everything, fixing nothing, producing reports that gather dust) is something practitioners are increasingly unwilling to tolerate. Several of the MSSP conversations we had this week went well beyond the introductory stage, and we're looking forward to sharing more on that front soon.
Where we go from here
RSA always generates momentum that can fade fast once everyone's back at their desks. What felt different this year wasn't the AI messaging; it was the underlying urgency. Security teams aren't looking for more technology to evaluate. They're looking for fewer problems to deal with.
That's a conversation Mondoo is very comfortable having.
If you were at the show and we crossed paths, it was great to meet you. If we didn't, let's fix that — get a free security assessment at mondoo.com/assessment.


