
6 Key Takeaways from RSAC 2025 That Will Change How You Defend Your Organization

By Shireen Stephenson. Published May 15, 2025

What happens when the New York Stock Exchange rings the legendary opening bell at a cybersecurity conference? You get RSAC 2025 – a gathering of the world’s brightest minds in cybersecurity.  

With rising AI-driven threats, ransomware attacks, and workforce infiltration by rogue nation operatives, the stakes have never been higher. 

From April 28 to May 1, the world’s best cybersecurity talent gathered in San Francisco, united by the mission to create a safer society and serve as a rallying point for innovation and resilience. 

This year, the conference shattered records with nearly 44,000 attendees, 700+ speakers, and 650+ exhibitors. 

And of course, LastPass was in attendance. Our booth (the only one featuring live artist renditions of credential chaos) drew unprecedented crowds to our demos of SaaS Monitoring.  

If you skipped RSAC 2025, these are the tips and trends you don’t want to miss.  

#1 24/7 AI-powered security solutions: How agentic AI is quietly rewriting the rules of security 

With 40% of the 2,800+ sessions focused on AI, the message was clear: AI hasn’t just enhanced security, it’s redefined it. 

The #1 topic of interest was, of course, agentic (or agentive) AI - fully autonomous systems capable of making split-second security decisions with little to no human intervention. 

According to Sounil Yu, CTO and co-founder of Knostic, agentic AI can now handle the full cycle of security tasks based on the OODA (Observe, Orient, Decide, Act) model.

This shift raises big questions: How much trust should we place in AI to make important security decisions safely and ethically? 

While the security industry is excited about agentic AI’s potential, the focus is on how to define ethical guardrails for AI-powered Security Operations Centers (SOCs), autonomous incident response tools, and self-healing applications that can fix themselves after an attack. 

At RSAC 2025, Google introduced its Agentic SOC. The tech giant’s vision of collaborative operations sees SOC AI agents handling routine tasks, while human analysts focus on higher level investigations that demand true human expertise. Similarly, IBM announced the launch of its agentic AI Threat Detection and Response services for security teams. 

The verdict is in: Agentic AI can be a strategic asset – but how we wield it and manage the risks it introduces will define the next era of cyber defense. 

#2 Identity access management steals the spotlight: The automated solutions that put you in total control 

As the surge in shadow IT and AI dramatically expands the attack surface, manual identity access management for both human and non-human identities is no longer feasible. 

Most organizations are tracking less than 20% of their machine identities, leaving massive gaps to be exploited by attackers. At RSAC 2025, Oasis Security announced the launch of NHI Provisioning, a major advancement in non-human identity security. 

The solution embeds policy governance, ownership assignment, and least privilege access from the moment a non-human identity is created, eliminating critical security gaps and reducing breach incidents. 

Meanwhile, LastPass introduced Secure Access Experiences, with its first capability SaaS Monitoring delivered via the same browser extension already trusted by millions for password management. As the use of unapproved SaaS tools explodes, SaaS Monitoring empowers you to take back control, giving you a holistic view of your entire SaaS footprint. 

This allows you to detect & stop paying for redundant tools, enforce security measures like SSO & MFA, and spot compliance gaps before they become problems — all with minimal to no IT effort.   

“For too long, solutions that manage employee access to critical systems and data have been overly complex and expensive for small- and mid-sized enterprises. Secure Access Experiences is about simplifying what’s essential. We’re making access control more approachable, more affordable, and more aligned with how most businesses actually work today.” ~ Don MacLennan, Chief Product Officer at LastPass 

If you missed it, check out the RSAC 2025 executive interview with our CEO Karim Toubba on how the SaaS Monitoring capability in “Secure Access Experiences” addresses SaaS sprawl and brings clarity to even the most chaotic environments. 

#3 Why passwordless isn’t just a buzzword – it’s the next generation of Secure Access 

At RSAC 2025, passwordless authentication solutions took center stage, with 200+ sessions focused on how they mitigate the risks of shadow IT/AI.

At the Moscone North Expo Briefing Center, Liz Tippitt (LastPass Director of Product Marketing) and Lou DeLillo (LastPass Senior Principal Solutions Consultant) highlighted the dangers of shadow AI and how to secure it during their “Shadow AI Playbook — Spot It, Stop It, Secure It” session. 

According to industry experts like LastPass, RSA Security, and Yubico, succeeding with passwordless involves: 

  • Ensuring the passwordless solution you choose is implemented with strong security controls that comply with NIST 800-63B version 4 requirements for MFA, cryptographic protection, and phishing resistance 
  • Ensuring every request is verified, aligning with Zero Trust principles 

#4 The quantum threat timeline: What experts are preparing for and what most businesses will miss 

Sessions on quantum security and innovations were packed, with experts warning that quantum attacks could break today’s encryption algorithms within 5-15 years.  

Speakers stressed the urgency of crypto-agility, where the migration to Post-Quantum Cryptography (PQC) involves inventorying cryptographic assets, conducting risk assessments, and swapping legacy algorithms for quantum-resistant algorithms.  

A survey released during the conference confirmed our worst fears: more than 50% of organizations won’t be prepared to meet impending quantum threats. Alarmingly, just 20% of organizations have begun the PQC migration, while 25% have no plans to do so. 

The consensus is clear: The time to adopt crypto-agility is NOW. A delay will only compound your risks when quantum computing becomes mainstream. 

#5 APT attacks are coming for all of us – and most of us aren’t prepared 

At RSAC 2025, sessions highlighted the evolving landscape of advanced persistent threats (APTs) and the intersection between cybersecurity and geopolitics. 

Once focused on governments, the military, and large corporations, nation state actors are now targeting SMBs (small and medium sized businesses).  

Here’s a frightening statistic: SMBs represent 90% of all companies worldwide, but only 13% are prepared for cyber-attacks.

During the 5-day conference, the Symantec Threat Group at Broadcom shared new intelligence on groups such as Seedworm, Druidfly, Shuckworm, Lotus Panda, and Dragon Force, detailing their latest tactics, techniques, and global attack targets. 

The company also unveiled the industry’s first Incident Prediction capability to disrupt LOTL (living-off-the-land) attacks. 

This capability automates both the identification and mitigation of threats, which means security analysts no longer have to triage alerts and determine mitigation strategies – it's done automatically for them.  

According to Broadcom, this is LLM-based predictive security at its best, a critical innovation that detects abnormal behavioral patterns earlier in the kill chain and disrupts them before attackers can reach their end goal of data exfiltration. 

#6 Why the human element isn’t dead – and the surprising RSAC solution that still works in 2025 

Even as AI-powered threat detection, passwordless authentication, and quantum security took center stage at RSAC 2025, the human element was reaffirmed as a critical focus of cybersecurity. 

In their keynote speeches, John Fokker (head of threat intelligence at Trellix) and Kevin Mandia (former CEO of Mandiant and founder of VC firm Ballistic Ventures) both highlighted the traditional risks posed by human behavior.  

This includes password reuse, weak passwords, errors, and susceptibility to phishing. 

In a week of AI-focused discourse, this “eat your greens” simplicity of proper cyber hygiene was a welcome change. 

Ultimately, your people are your greatest asset – and also your greatest vulnerability. 

At LastPass, we empower your team to be your first line of defense with: 

  • SaaS monitoring, which alerts you to new or risky apps so your people can work efficiently without putting your business at risk 

As cyber threats evolve faster than ever, both predictive and proactive security are critical to business continuity. 

LastPass is your proactive security solution. Combined with the predictive security tools mentioned above, it gives you a powerful, layered approach that keeps your business safe.

And that’s not all: We’re so confident you’ll love LastPass that we’re giving you 14 days free (no credit card or commitment required). At LastPass, we make credential security easy, secure, and affordable. 
