I went to my first RSAC over 10 years ago, and with all the movement in the space and updates from StackHawk, this one is definitely worth commemorating with a little recap post. So here we go! Jump ahead for a recap of our week off the show floor, recordings of our onsite interviews, and our main takeaway.
AI has reshaped how software gets built, and the security industry is still working out what that means for the rest of us. From where we stand, application security is playing catch-up to a development process that barely resembles what it looked like two years ago. Code is being generated faster than it can be reviewed, and most security programs are still relying on tools that analyze source code without ever testing how it actually behaves. That gap between what’s written and what runs is where we think the most important work is happening right now.
The weeks before the conference had a chaotic energy. The “SaaSpocalypse” discourse, cyber stocks tanking after Anthropic released Claude Code Security, and the ensuing LinkedIn thought leadership echo chamber. I was expecting panic in San Francisco.
In many ways, though, it was business as usual. AppSec booths were packed. BSides talks on finding and fixing vulnerabilities were at capacity. RSAC week announcements were aplenty. We booked dozens of meetings where teams were eager to solve new challenges with new solutions. And the panels I sat in on were mostly (and surprisingly) anti-hype.
Honestly, I expected a lot more performative AI-washing. Most booths (we see you, AI-SOC) delivered on that front, sure, but the off-floor content was doing real work. People were cutting through the noise to talk about the risks and priorities that actually matter. For AppSec, that means rethinking programs: the people, processes, and yes, technologies. At RSAC, it’s easy to forget that this is all just people…with a little bit of software sprinkled in.
Sometimes it takes a paradigm shift to ground us in what actually matters. The existential question this year wasn’t whether AppSec still has a role. Most people I spoke to or heard speak recognized outright that security software is more important than ever. The question then becomes: how does AppSec evolve?
What stuck with me most was how much the conversation kept coming back to collective responsibility. Not just securing AI, but educating teams on when to use it, which risks to prioritize first, and how to start building what some are calling the AI-DLC (AI-driven development lifecycle). Nobody has that figured out yet, but the willingness to work on it together, with curiosity (which I heard more than once), was genuinely encouraging.
Our Highlights
The StackHawk team was out in full force. Our RSAC week unfolded in meeting suites, restaurant happy hours, hotel lobbies, off-floor fireside chats, Broadcast Alley, our partner’s offices, and second row at Busta Rhymes. IYKYK.
Purple Book Community Connect at RSAC
Led by our friends at ArmorCode, this event brought together practitioners and leaders to learn from one another about how software security is evolving. The standout was Anthropic Deputy CISO Jason Clinton’s session. It was under Chatham House rules, so I’ll keep it vague, but his frankness about how tools like Claude Code are both helping and hurting AppSec teams (his phrase: “vulnerability tsunami”) was refreshing.
Cuppa Joe CISO Breakfast with Endor Labs
We opened the conference with a small breakfast for security leaders, co-hosted with Endor Labs. Joe Sullivan, who recently joined our board, hosted a fireside chat with StackHawk Co-Founder and CEO Joni Klippert and Endor Labs Founder and CEO Varun Badhwar. The conversation kept circling back to how AI is reshaping expectations for the CISO role, whether that pressure is coming from boards, engineering teams, or their own organizations.
Demos with Semgrep
Our joint mission with Semgrep is to cut triage work so AppSec teams can focus on what matters, and our integration puts that into practice by connecting StackHawk’s DAST runtime findings with Semgrep’s SAST code findings. Two duplicate alerts, correlated into one. Showing it off on the show floor was a ton of fun for me. StackHawk Co-Founder & CSO Scott Gerlach also sat down with Semgrep Solutions Engineer Kyle Northcutt to talk RSA trends, which you can watch here.
The Women in Security Documentary
We were honored to sponsor the premiere of The Women in Security Documentary alongside Sentra, Skematic, Semgrep, NeXasure, Delinea, HiddenLayer, Defy Security, Corelight, Armis, Aryaka, Amazon WWOS, and Command Zero. The film highlights the voices of women shaping the security industry today to rewrite the narrative of representation. Aarti Gadhia and Kristen Rank sat down with TechStrong onsite at RSAC to share more about the film’s mission.
Our Interviews
Between meetings, panels, and hallway conversations, we recorded three interviews worth a listen.
Cloud Security Podcast with Ashish Rajan
StackHawk Co-Founder & CSO Scott Gerlach and Joe Sullivan, former CISO at Facebook, Uber, and Cloudflare and StackHawk board member, joined Ashish Rajan to talk about what AI is actually doing to AppSec. Developers are shipping 10x the code. The old model of security pushing back isn’t working. Runtime testing is how you keep up.
theCUBE with David Vallante
StackHawk CEO Joni Klippert and Joe Sullivan joined theCUBE to talk about why the bottleneck has shifted from finding vulnerabilities to fixing them fast enough to keep up. (Plus, a great toddler metaphor for AI agents.)
TechStrongTV with Alan Shimel
StackHawk co-founders Joni Klippert and Scott Gerlach joined Techstrong’s Alan Shimel live from RSAC to talk about the evolution of StackHawk and how our vision from day one has positioned us perfectly to help AppSec teams keep up with the pace and complexity of AI-generated code.
Our Team’s RSAC Takeaways
Every paradigm shift brings fear, and this one is no different. Attackers are adapting faster than defenders, breaches and zero-days are climbing, and while the vendor market is trying to keep pace, most AppSec teams aren’t prepared. The tools and the urgency both exist. What’s missing is the operational shift — figuring out who owns what, how testing fits into AI-accelerated pipelines, and how to actually reduce risk.
But there’s a deeper problem hiding inside that operational gap. Teams are pouring resources into securing AI-powered systems while the foundations underneath them — attack surface visibility, preventative guardrails, reactive processes — still aren’t in place.
“The thing that I loved and found ironic is that so many folks are trying to secure AI that can autonomously take actions, but if the preventative guard rails and seamless reactive processes aren’t in place, the AI will unexpectedly act outside of security’s visibility. To an extent, that’s already happening! So why isn’t there more emphasis on attack surface discovery and runtime testing to address the security risks of code generated by AI? The move to autonomous AI code generation, vibe coding, etc. will unexpectedly and silently expand/increase your attack surface and no one will ever know it! Silent killer!”
David Geevaratne, EVP of Sales at StackHawk
And while attack surfaces grow silently, the other side of the equation is shifting too. The same AI tools accelerating development are also accelerating exploitation. Vulnerabilities that used to sit at the bottom of a backlog because they were “low severity” are now cheap to weaponize — and most teams haven’t adjusted to that reality yet.
“Here’s an uncomfortable truth: AI just made your vulnerability backlog a liability.
The attack economics have flipped. Threat actors are using AI coding tools to build novel exploits for vulnerabilities we collectively wrote off as “low” or “medium” severity — at a fraction of the cost and time it used to take.
AppSec teams have the exact same tools at their disposal. The difference is most haven’t picked them up yet.
That needs to change. Fast.”
Joni Klippert, CEO & Co-Founder at StackHawk
Runtime testing is what connects these two problems. It’s how you move from “we scanned the code” to “we know this vulnerability is actually exploitable in a running application.” It’s how a single AppSec engineer scales coverage across dozens of dev teams without becoming a bottleneck. And it’s the layer that catches what static analysis structurally cannot: business logic flaws, broken auth flows, and the runtime behaviors that only surface when an app is actually running.
But here’s the catch: the people most worried about all of this are often the ones who haven’t gone hands-on with the thing they’re worried about. That gap between anxiety and action came up constantly at RSAC.
“My favorite trend was security people being extremely worried about agents like open claw. I would ask them, ‘What is the name of your agent?’ They would also say I haven’t used it yet. AI isn’t going anywhere. We sort of failed at when cloud rolled out and now is the time to get deep into what agents can do and LLMs can do and how to use them to empower the business.”
Scott Gerlach, CSO & Co-Founder at StackHawk
I feel like we have all taken a solid first step at RSAC by acknowledging that things will probably get worse before they get better. Now it’s time to get to work. For us, that means making runtime testing the default in how AppSec programs respond to AI-accelerated development, and ensuring it fits seamlessly into the new ways developers work.
If you missed us last week, we’d be happy to hop on a Zoom. Get in touch.