
The RSAC 2025 Conference talks worth catching

How AI agents can help purple teaming, inside the stolen credential ecosystem, and more. Let us save you a click (or two): We read through the entire RSA agenda so you don’t have to.

Chris Brook

It’s almost that time again. As part of what’s becoming an annual tradition of sorts around here, we’re using the last few weeks before the RSAC Conference officially kicks off in San Francisco—talks start first thing Monday morning, April 28—to comb through this year’s agenda for sessions we think will be worth your time.

This year, there’s a grand total of 527 list items spread across five days. While they run the gamut from traditional track sessions, seminars, learning labs, keynotes, and informal and interactive “Birds of a Feather” sessions, for this blog we’ll look at talks we think that full conference passholders should prioritize.


This being RSA, there’s a dizzying number of talks this year revolving around buzzy takes on machine learning and artificial intelligence. There’s no shortage of sessions on quantum computing, deepfakes, and identity security, too. That said, the tides are turning. Believe it or not, there are fewer talks on zero trust than you’d expect (only 10!) and even fewer on IoT (just two!)—a far cry from just a few years ago.

For this list, we looked through this year’s schedule to find interesting sessions on adversary emulation, threat detection and response, and other topics that can help defenders. Read on for a dozen talks that we’d like to catch, along with a brief summary of what we expect the talk to include.

12 RSA talks we want to see

The Cybersecurity Framework and AI
Monday, April 28 | 8:30 AM – 9:20 AM PT

Kat Megas of the US National Institute of Standards and Technology and Julie Snyder of MITRE will share progress on NIST’s new plan to create a “Cyber AI” community profile. Similar to NIST’s Cybersecurity Framework, the goal for the completed profile is to help organizations better understand what’s needed to secure systems against AI tools and promote safer AI implementation.

Defensive Tensions in Critical Infrastructure Cyber Defense
Monday, April 28 | 9:40 AM – 10:30 AM PT

While it’s a bit of a nebulous term, CISA has long defined “critical infrastructure” as infrastructure whose destruction would have a “debilitating effect” on the economy, national security, public health, and safety. The agency divides critical infrastructure into 16 different sectors: energy, healthcare, transportation, and so on. But as friend of Red Canary Joe Slowik sees it: “If everything is critical, then nothing is critical.” What makes something truly critical? How exactly are these lines drawn? In this talk, Slowik plans on probing these and other questions, along with some of the tensions that stem from this discussion.

Suspicious Minds—Hunting Threats that Don’t Trigger Security Alerts
Monday, April 28 | 9:40 AM – 10:30 AM PT

Leveraging legitimate binaries, complex redirection techniques, call stack spoofing, sleep obfuscation—there are plenty of ways that adversaries try to evade detection. In this talk, Tal Darsan and Etay Maor promise to look at some of these approaches, activities “that by themselves may be benign but when closely inspected reveal the attack vector.” They’ll also break down ways to hunt and triage these suspicious activities.

So You’ve Deployed Kubernetes Everywhere, Now What?
Monday, April 28 | 1:10 PM – 2:00 PM PT

All of these years in the industry and I’m still not sure I could explain to you in plain English what exactly Kubernetes is or how it works. Thankfully there are professionals out there like Rory McCune who can. If you work with Kubernetes or if you’re considering deploying it across your environment, you’ll want to make time for this high-level look at the system’s security architecture and how businesses can secure their cluster with configuration best practices.

The Always-On Purple Team: AI Agents on the Loose
Tuesday, April 29 | 2:25 PM – 3:15 PM PT

Instructors from the SANS Institute first popularized the concept of the “Always-On Purple Team”—that purple teaming doesn’t have to be a standalone activity—in RSA 2023 and 2024 talks. Erik Van Buggenhout, a fixture in both of those sessions, will be joined this year by another SANS instructor, Jeroen Vandeleur, to push the narrative forward and outline how AI agents can help when it comes to adversary emulation and detection engineering.

A Year(ish) of Countering Malicious Actors’ Use of AI: What Have We Learned?
Tuesday, April 29 | 2:25 PM – 3:15 PM PT

While the benefits of advances in artificial intelligence (AI) have been well-documented across the industry at this point—we’ve seen firsthand how AI agents in SOC workflows can boost speed without compromising accuracy—let’s not forget that adversaries are leveraging it as well. What are defenders seeing when it comes to how AI is used maliciously? Officials from the private sector (FBI, DOJ, and US Cyber Command) will be joined by Microsoft’s Sherrod DeGrippo (whose Threat Intelligence Podcast is worth subscribing to) in this session to share the lessons they’ve learned over the last year.

The Role of AI in Detection and Response
Wednesday, April 30 | 9:40 AM – 10:30 AM PT

Forgive me for including another AI talk here, but this one, which will look at how AI and machine learning (ML) are being integrated into detection and response tooling, piqued our interest. It’s worth noting that this talk, given by Robin Franklin Guha, a Security Engineer at Meta, will be in the Birds of a Feather (no, not that “Birds of a Feather”) format, meaning attendees can participate in a free-flowing discussion on what they find is and isn’t working when it comes to integrating AI in detection and response.

The Future of Threat Detection and Response
Wednesday, April 30 | 10:50 AM – 11:10 AM PT

While the logline on this talk is scant on details, its title is enigmatic and forward-thinking enough to catch our eyes. In this session, the second keynote on Wednesday, Tom Gillis and Mike Horn will look at new ways to bolster infrastructure security to better enable SOC teams when it comes to responding to threats.

Greetings from the Red Team!
Wednesday, April 30 | 2:25 PM – 3:15 PM PT

Our friends from Black Hills Information Security—the folks behind Backdoors & Breaches—are keeping details around this talk close to the vest, but the summary on RSA’s agenda certainly got our attention. Michael Allen, a Red Team Practice Lead with Black Hills, promises to walk through a “new social engineering attack that has been used to breach countless, high-security environments over the last year” and give guidance on how to defend against it.

The Value I Bring Is that I Don’t Know Anything
Thursday, May 1 | 8:30 AM – 9:20 AM PT

We’ve heard time and time again over the years that effective communication and so-called “soft skills” like active listening, problem solving, and adaptability matter in cybersecurity. In this talk, which has to be a contender for best session title this year, Lisa Plaggemier and Jenn deBerge will highlight why it’s so important to have a person who can communicate on your team.

Walk Through Eight C2 Tools in 50 Mins
Thursday, May 1 | 1:30 PM – 2:20 PM PT

Even if you’re familiar with command and control (C2) infrastructure, defending against C2-based attacks requires continued awareness of how these tools work and knowledge around how they can be used by adversaries to maintain persistent control on compromised systems. This talk by Hubert Lin will give you a crash course on eight of these tools as well as tips on how to defend against them.

Hello It’s Me, I’m the User: DBIR Insights on the Use of Stolen Credentials
Thursday, May 1 | 1:30 PM – 2:20 PM PT

The Taylor Swift fan in us gravitated towards this session title. It also doesn’t hurt that it promises to dig into the seedy underbelly of the stolen credential ecosystem, a leading source of identity attacks. By our count, this is one of three different talks at RSA that will go over soon-to-be published findings from this year’s DBIR, long the gold standard of annual infosec reports.

 
