AI has been at the center of RSA Conference discussions for years. If you look back at RSAC 2024 and 2025, you’ll see a pattern. At RSAC 2026, held in San Francisco from March 23 to 26, that conversation didn’t slow down. Instead, it got even more specific.
This year, the focus shifted from general AI adoption to operational risk, agent-driven workflows, and how defenders can secure increasingly autonomous systems.
Our team of experts was there, attending sessions, hosting briefings, and talking with the people who build and defend the systems that power modern organizations.

In this post, we share the key themes and trends we observed during the sessions and keynotes.
Standout Trends at RSAC 2026
With 660+ sessions and nearly 44,000 attendees, RSAC 2026 was packed. Still, a few trends recurred across many presentations, and we share some of them below.
Securing the Agentic Workforce
At RSAC, representatives from global market leaders discussed the concept of the Agentic Workforce, which we also covered in the past, particularly in terms of using AI agents in cybersecurity.
Jeetu Patel from Cisco delivered a keynote, “Reimagining Security for the Agentic Workforce,” in which he defined what agents are, describing them as acting autonomously at times but, most importantly, as having access to the tools and systems we use.
So we shouldn’t think of these Agents as tools. We should think of these agents more like digital co-workers that are going to be augmented to our teams and to the tune of thousands within a company.
– Jeetu Patel, EVP and Chief Product Officer at Cisco
He drew a clear line between what AI used to be and what it is now. With chatbots, the worst case is a wrong answer. With agents, the worst case is a wrong, irreversible action. He discussed Cisco’s three-pillar security strategy:
- Protecting agents from the world
- Protecting the world from agents
- Responding to threats at machine speed and scale
Uber’s presentation brought the security challenge down to operational reality. Prompt injection, one of the most discussed agent-level threats, works at the execution layer. An attacker embeds instructions in a document, email, or API response. The agent reads the content, interprets the embedded instruction as a legitimate task, and acts on it using real credentials through a real access path.
There’s no malware or exploit code needed, just text triggering a tool the agent already has permission to use. For this reason, Uber shared its approach, which is focused on real-time behavioral monitoring rather than model-level guardrails alone.
Microsoft also weighed in, suggesting that traditional red teaming isn’t enough when the attack surface includes AI systems that weren’t built with security as the first priority. The company launched Agent 365, a control plane designed to give IT and security teams visibility into what agents are actually doing across the environment.
From a threat intelligence perspective, securing AI agents comes down to a familiar problem — knowing exactly who and what those agents are talking to. That’s where using AI as a component of early threat detection becomes useful. If you can identify and block malicious infrastructure before an agent reaches out to it, you may be able to interrupt the attack chain early.
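One way to place that check in front of an agent's outbound tool calls, as an added example (not code from any of the talks or from WhoisXML API). The function name `gate_tool_call` and the `BLOCKED` and `ALLOWED` sets are hypothetical, and their contents are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: a threat-intelligence blocklist and the
# destinations this agent is expected to reach (both hypothetical).
BLOCKED = {"bad-infra.example"}
ALLOWED = {"api.internal.example", "docs.example.org"}

def parent_domains(host):
    """Return the host and each parent domain, excluding the bare TLD."""
    labels = host.split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}

def gate_tool_call(url):
    """Decide whether an agent may send a request to `url`.

    Returns (decision, reason) where decision is allow, deny or review.
    The check runs on the parsed hostname, so text placed in the userinfo
    or path part of the URL cannot satisfy the allow-list.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return ("deny", "non-https or missing host")
    try:
        ipaddress.ip_address(host)
        return ("deny", "raw IP destination")  # no domain to check against intel
    except ValueError:
        pass  # not an IP literal, continue with domain checks
    candidates = parent_domains(host)
    if candidates & BLOCKED:  # blocklist wins over allow-list
        return ("deny", "known-malicious infrastructure")
    if candidates & ALLOWED:
        return ("allow", "allow-listed destination")
    return ("review", "unknown destination")  # hold for policy or a human

if __name__ == "__main__":
    for u in ("https://api.internal.example/v1/tickets",
              "https://cdn.bad-infra.example./payload",
              "https://docs.example.org@bad-infra.example/x",
              "https://192.0.2.10/upload",
              "https://new-site.example.net/"):
        print(u, "->", gate_tool_call(u))
```
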
Identity as the New Perimeter
Another consensus in San Francisco was that the traditional network boundaries are weakening, with identity increasingly acting as a primary control plane. Several presentations focused on how attackers now log in rather than break in.
In the presentation “Chasing Ghosts: Detecting Token Abuse in the Microsoft Cloud,” Maxim Deweerdt, a principal instructor at SANS, walked attendees through how attackers steal session tokens to bypass multi-factor authentication.
The session, which made RSAC’s top 10 list, covered the full attack chain from phishing to account takeover to persistence, along with detection strategies and practical guidance on going beyond standard security scoring to genuinely harden Microsoft Cloud environments. The core message was that MFA alone is no longer enough if attackers can steal the session token that comes after authentication.
This threat makes continuous validation especially important, according to sessions such as “Beyond Zero Trust: Continuous Validation for Modern Enterprise Security.” This talk challenged the assumption that identity verification is a one-time event. The argument is that checking a user’s identity at login and then granting session-long access creates a window that attackers can exploit after the initial check passes.
Security systems need to continuously validate that behavior, location, and device remain consistent throughout the session, not just at the first login.
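A minimal sketch of that continuous check, as an added example (not code from the sessions): each session's login context becomes the baseline, and every later event is compared against it. The `Event` fields, the `revoke` and `step_up` actions, and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int           # seconds, constructed
    session_id: str
    device_id: str
    country: str
    asn: int          # network the request came from

# Constructed sample activity; ASNs are from the documentation range.
SAMPLE_EVENTS = [
    Event(1000, "s1", "dev-1", "US", 64500),   # login
    Event(1300, "s1", "dev-1", "US", 64500),
    Event(1600, "s1", "dev-9", "NL", 64510),   # same token, new device and network
    Event(1100, "s2", "dev-2", "US", 64501),   # login
    Event(1900, "s2", "dev-2", "US", 64502),   # same device, new network
    Event(1200, "s3", "dev-3", "DE", 64503),   # login
    Event(1500, "s3", "dev-3", "DE", 64503),
]

def drift(base, ev):
    """List the ways an event differs from the session's login context."""
    reasons = []
    if ev.device_id != base.device_id:
        reasons.append("device changed")
    if ev.country != base.country:
        reasons.append("country changed")
    if ev.asn != base.asn:
        reasons.append("network changed")
    return reasons

def validate_sessions(events):
    """Check every event against its session baseline, not only the login.

    Assumed policy: a session token seen on a different device is treated
    as replay and revoked; a network or country change on the same device
    triggers step-up authentication, since users do roam.
    """
    baseline, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        base = baseline.setdefault(ev.session_id, ev)  # first event = login
        reasons = drift(base, ev)
        if reasons:
            action = "revoke" if "device changed" in reasons else "step_up"
            findings.append((ev.session_id, ev.ts, action, reasons))
    return findings

if __name__ == "__main__":
    for finding in validate_sessions(SAMPLE_EVENTS):
        print(finding)
```
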
Even platforms with strong security track records are at risk when identity management and access controls aren’t configured and monitored carefully. This was tackled in a presentation by Varonis researchers Tamir Yehuda and Daniel Reyhanian, who presented concrete attack techniques against Salesforce environments.
The future may also bring more threats, as discussed in a track session by IBM Security, where speakers warned that identity and data protection must evolve now to stay ahead of quantum computing threats that could weaken widely used public-key cryptography over time.
Non-Human Entity Intelligence
When we talk about identity, we usually mean people. But RSAC 2026 pushed back on that assumption and highlighted the explosion in non-human entities.
Many sessions made a point that tends to get overlooked: service accounts, bots, and API keys now make up a large portion of the entities operating inside modern systems. These non-human identities often carry more privileges than the people using the same platforms, but they get far less oversight. Many are provisioned quickly, rarely reviewed, and never deprovisioned.
LinkedIn’s engineering team explained that while Zero Trust is a good start, it’s too static for non-human accounts operating at high speeds across distributed systems. A service account might make thousands of API calls per minute across dozens of integrated platforms.
Static access controls that are checked only once at provisioning time can’t keep up with that level of activity. The speakers proposed continuous, behavior-aware validation that can flag anomalies in non-human account behavior the same way modern tools flag unusual human login patterns.
Active Defense and Collaborative Disruption
The last major theme on our list was a shift in mindset: moving from passive defense to active disruption. The idea is rooted in something security teams have understood for a while. Every time you block an attack, you force the attacker to change something. Some changes cost them more than others.
The Pyramid of Pain is a useful framework here. It ranks indicators of compromise by how much effort an adversary needs to replace them once you block them. At the bottom are things like IP addresses and file hashes. At the top of the pyramid are the tactics, techniques, and procedures that define how a threat actor operates. Disrupting these indicators forces attackers to change their tools, and that’s where defenders can inflict the most cost on attackers.
Sandra Joyce, VP of Google Threat Intelligence, delivered a powerful keynote titled “Activate Industry!: Moving Beyond Defense to Disruption and Active Defense,” urging the cybersecurity community to move beyond just defending their own networks and sharing intelligence. The goal now is to disrupt the business of cybercrime itself.
These partnerships between law enforcement, tech providers of all sizes, and defenders on the front lines are the only way to build true global resilience. Together, we can finally break this ‘Whack-a-mole’ cycle.
– Sandra Joyce, VP of Google Threat Intelligence.
Her keynote made the case for real-world active disruption, showing how Google is working to impose measurable costs on threat actor operations rather than simply absorbing attacks.
The session “Disrupting Cybercrime Networks, Successfully, Continuously, and at Scale,” hosted by leaders from the World Economic Forum, Microsoft Digital Crimes Unit, Fortinet, INTERPOL, and Cybercrime Atlas, gave a practical blueprint for what that disruption looks like in practice.
Speakers covered how law enforcement and private industry can coordinate to take down botnets and bulletproof hosting providers, the infrastructure that makes large-scale cybercrime possible. The keyword in the session title is continuously. Taking down a botnet once creates a temporary disruption. Building the legal, technical, and organizational infrastructure to do it repeatedly is what actually degrades a criminal operation. This is closely aligned with the model behind WhoisXML API’s Internet Abuse Signal Collective (IASC), a data-sharing initiative that brings organizations together to exchange internet and threat intelligence data and support shared visibility.
About WhoisXML API
WhoisXML API is a seasoned OEM data provider specializing in delivering well-parsed, normalized, and comprehensive WHOIS, IP, and DNS intelligence. With more than 15 years of industry experience, we have amassed a vast repository of data, encompassing 23.8+ billion historical WHOIS records, 50+ billion hostnames, 116+ billion DNS records, 10.5+ million IP netblocks, and 99.5% coverage of active IPv4 and IPv6 addresses.
We offer a wide range of domain, DNS, and other Internet intelligence solutions delivered via comprehensive databases, secure APIs, and intuitive web GUIs. Regardless of the consumption model, our intelligence serves as a robust foundation for leading cybersecurity products and services, leveraging AI predictive analytics capabilities and domain telemetry to enable organizations to detect potential malicious web properties early.
Trusted by more than 52,000 satisfied customers spanning the cybersecurity, marketing, law enforcement, e-commerce, and financial services industries, WhoisXML API has consistently been recognized for its rapid growth and innovation, earning multiple accolades as an Inc. 5000 honoree and a Financial Times Top Fastest-Growing Company.