First, attending B-Sides and RSAC this year was an awesome opportunity to meet the many people who invest in Latio’s content. It was great to meet so many talented engineers and builders in person; please always feel free to say hi or schedule time with me.
I’ve never been more convinced of the importance of what Latio does—help engineers find the right security tools—especially as the blizzard of high-level pitches and yacht-side schmoozing only intensifies. RSAC is also an ever-present reminder of why Latio doesn’t take equity in any customers we advise, and why our number one value is “Don’t Sell Out.”
I often get asked, “did you see anything cool?” and my answer is usually “not really”; it’s hard to get too excited about something without seeing it.
Two exceptions to that were MazeHQ (AI Native vulnerability management) and Heeler (ASPM with runtime context). I saw MazeHQ after a practitioner suggested I check them out (a rare thing!), and it got me excited about what products built from the ground up with AI are capable of. Heeler impressed me with their remediation focus and the amount of code to cloud data they could get via their legitimately innovative data solution. I’d say more about how that works but need to make sure I’m allowed to first!
Now for the takeaways:
1. Marketing is Nuts
In a sea of noise, marketers are under a lot of pressure to stand out, so I don’t ever want to shame people for hard choices made under stress. But can we generally agree to stop having live animals at our cybersecurity trade shows? This was the third event I’ve seen actual puppies at, and the first where I’ve seen goats. Please make it stop before we’re bringing in elephants and reinventing the circus.
So whether we’re dressing up mascots, hanging astronauts from the ceiling, bringing in monster trucks or wrapping Cybertrucks, let’s remember that a good message carries more weight than an irrelevant gimmick. If you’re looking for an example, I heard a lot more about Aikido’s Anti Magic Quadrant Club than about any crazy booth designs.
2. Buyers Have a Lot of Options
A lot of people have been saying “there are more vendors than buyers”; however, I think the reality is that there are a lot of vendors and a lot of buyers. It’s clear that security products continue to have solid growth trajectories, and it seems very doable to have a profitable security business.
However, venture capital isn’t primarily interested in building a sustainable or profitable security business—it’s interested in businesses that promise surreal returns and a high-multiple exit. Unlike having a profitable security business, having a billion-dollar-plus one is becoming a challenge due to the high volume of vendors with only minor differentiation. To be clear, there are real differences, the kind that I try to help people navigate, but they’re becoming very minor for most buyers. While I wasn’t able to attend his talk, I have a suspicion Ross Haleliuk made a similar point in his B-Sides talk “Not Every Groundbreaking Idea Needs to Become a Billion-Dollar Startup,” which I’d suggest watching once it’s posted!
3. Therefore, Brand is Everything
When you’re in a market flooded by vendors with minor differentiation, nothing matters more than brand. As a security engineer who loves evaluating products, this is a painful statement for me to make, but I’ve seen it too many times now.
Every time I talk with practitioners doing tool selection, I get really excited. After all, I spend almost all day every day using different tools and comparing them. One thing I’ve found absolutely incredible is my inability to overcome brand perception in any conversation. I had multiple conversations this RSAC with buyers in the midst of evaluations, and at most I could get one additional tool on their radar; the tool they were evaluating was almost always there because of the perception of the brand and how they were “the best at” solving the problem, more than because of any particular reality about the tool.
Protect AI (acquired by Palo Alto) is an example of this: I was unimpressed with their open source solutions, and I had never heard a customer tell me why exactly they used them; however, they were undoubtedly the biggest brand presence in the AI security space.
4. There wasn’t actually too much AI
While everyone was certainly talking about AI, there wasn’t actually that much “We’re AI but for X” messaging happening, for which I’m grateful. My hope would be that teams are learning that AI disconnected from any customer outcome doesn’t lead to sales. The pitch that raised your funding round won’t be the pitch that lands you ARR.
While at this point I’m a documented MCP denier, I was at an event where a vendor showed one off and there were audible gasps of amazement from some of the CISOs in the crowd, and that’s why people will push them even if there’s not a sale on the other side. There’s a lot of work between “gasp” and swiping the business credit card.
Finally, What Was the Buzz?
People seemed to not care too much about Palo’s acquisition of Protect AI, summarizing it as “Palo bought another platform” and moving on. I think it’s likely we see an attempt at “AI-NAPP” category creation, which once again becomes a big bloated mess (looking at you, AI TRiSM).
Upwind’s acquisition of Nyx should be the biggest acquisition news of the week for anyone paying attention. It gives them great positioning to sweep the runtime market if the CADR execution happens.
Chainguard’s living in everyone’s head rent-free, including mine, unfortunately. Technical product folks are befuddled at the success because of the smoke and mirrors, but I’ve never seen marketing be so impactful to a company’s success. If people want, I’ll do a full breakdown on Chainguard and why it’s successful for compliance, but I did a bit of that in this article.
Some small personal observations:
San Francisco companies want different security tools than the mass market. SF SaaS companies have much more rigorous developer cultures than most of the market, and their security teams tend to be mostly developers.
Everyone agrees AI security isn’t ready for primetime: developers are focused on building, with security being a best effort for now.
No one knows what an AI agent is, but they know their definition is the only right one.
Speaking of AI agents, I guess we have to begrudgingly call endpoint agents “sensors” now, as I heard multiple people refer to the AI ones only as “agents.”
In undefined markets, brand matters more than product (but product experience is part of the brand).
Oligo’s AirBorne vulnerability disclosure is really cool and a big deal.
ARMO’s io_uring rootkit is really cool.
> But can we generally agree to stop having live animals at our cybersecurity trade shows?
I can't agree more. It was absolutely ridiculous to see this on a convention floor. The puppies especially were scared as hell of all the people. Where is PETA when you need them? :)
It was great running into you at BSidesSF. And please write a deep dive on Chainguard (and Minimus).