5 RSA Conference 2026 Takeaways for PE Investors

Tyler Michaels & Sam McCabe • January 1, 2000

Sam McCabe, Director

Tyler Michaels, Director

Executive Summary:

The latest RSA Conference underscored a cybersecurity market in the midst of a structural shift, where AI is no longer an overlay but a force reshaping how security is built, delivered, and evaluated. Agentic AI is redefining the Security Operations Center, moving from alert-driven workflows to autonomous investigation and remediation, though questions remain around differentiation as vendor positioning converges. At the same time, enterprise buyers are demanding greater transparency into how AI models are trained and governed, elevating the importance of proprietary data, human-in-the-loop design, and explainability as core purchase criteria.


The conversation has also expanded to treat AI itself as an attack surface, driving renewed demand in identity, governance, and emerging AI-specific security tooling. These dynamics are reinforcing the long-anticipated shift toward platform consolidation, where integrated data layers and control over telemetry become prerequisites for effective AI deployment, though execution risk remains. Against this backdrop, valuation frameworks are evolving, with investors prioritizing durability of growth, retention, and unit economics over headline expansion rates.

RSA Conference returned to San Francisco last week as the cybersecurity industry's flagship annual gathering. For deal teams evaluating cybersecurity assets, the conference offered a useful ground-level read on market direction and the implications for near-term investment decisions.


Below are five themes that defined the conversation in and around RSA this year, and our take on how each will influence diligence on cybersecurity assets over the next year:

1. Agentic-based security is everywhere, including eating the SOC category.

One of the clearest signals from RSA was that the Security Operations Center (SOC) is being fundamentally reimagined. Vendors are now marketing platforms where AI agents autonomously investigate, triage, and remediate threats in real time rather than simply surfacing alerts for human review. The collective pitch is compelling given persistent analyst burnout and a well-documented talent shortage in cybersecurity. Large-scale enterprise deployments remain early, and the next twelve months will be the real proof of concept for autonomous SOC capabilities. 


That said, the messaging across the 20+ AI-enabled SOC vendors on the floor (also plastered on cars and bar front windows around the venue) was strikingly similar, which raised questions about the true durability of long-term moats.

Key Diligence Considerations: As agentic SOC platforms proliferate, product capability alone is unlikely to be a durable differentiator. The more important question is how deeply embedded a target is in the customer's operational workflow. Rather than feature parity, assess evidence of sustained usage, customer dependency, and expansion revenue. Winners in this market are likely to be vendors that combine automation with strong customer stickiness, whether through data gravity, workflow ownership, or organizational reliance built over time. 

2. AI model transparency is becoming a buying requirement, and thoughtful human-in-the-loop is differentiating 

A notable shift at RSA was the level of scrutiny buyers are applying to how AI-driven security products are built. Vendors moved beyond high-level "AI-powered" claims and walked through model architecture, training data sources, and the role of experienced security practitioners in shaping outcomes. What resonated most was an emphasis on human-annotated ground truth rather than undifferentiated historical data. CISOs are increasingly unwilling to treat AI as a black box, and understanding what a model was trained on, how domain expertise was incorporated, and how edge cases are handled is becoming a prerequisite for purchase rather than a differentiator.

Key Diligence Considerations: Push beyond surface-level AI positioning. Does the target have proprietary training data or human feedback loops that would be difficult for a competitor to replicate? Is the domain expertise embedded in the model a durable moat or something that can be commoditized over time? Do customers trust and recognize the value of the ‘AI’ in the solution, or does it potentially create more sales friction? The answers are important signals of long-term product defensibility. 

3. AI is an attack surface, not just a defense tool 

RSA 2026 made clear that the cybersecurity conversation around AI has expanded beyond its role as a defensive tool. AI systems, including large language models, autonomous agents, and AI-powered copilots embedded in enterprise workflows, are increasingly being treated as attack surfaces in their own right. Threat vectors such as prompt injection, agents operating with elevated permissions, models ingesting unverified external data, and dark usage of AI tools across the organization introduce risks that traditional security architectures were not designed to address.


These dynamics are reshaping demand across adjacent security categories and are likely to materially expand the landscape of ‘cyber’ spend. Identity and access management, which appeared to be trending towards maturity 3-5 years ago, is entering a renewed expansion phase as enterprises confront the need to manage machine identities, agent permissions, and more complex insider risk models. 


In parallel, a nascent category of tooling focused on AI governance, monitoring, and control is beginning to emerge and drew meaningful attention at the conference. Supporting this shift, AI governance frameworks are also maturing, with standards such as ISO 42001 gaining tangible traction among enterprise buyers. 

Key Diligence Considerations: AI security and governance is still nascent, but demand is accelerating as enterprise AI adoption outpaces the development of appropriate guardrails. For assets operating in adjacent spaces such as identity, data security, or application security, a key question is whether AI risk is meaningfully on the product roadmap or represents a gap that a better-positioned competitor could move into.

4. Platform Consolidation: The value proposition is stronger, but execution remains to be seen 

Platform consolidation has been a theme in cybersecurity for years, with buyers consistently expressing a desire to reduce tool sprawl without meaningfully following through. What feels different heading into 2026 is that the rationale has sharpened. Fragmented toolsets produce fragmented data, and AI-powered security capabilities are only as good as the telemetry feeding them. The desire to consolidate around integrated data flows to fuel AI gives buyers a more compelling reason to actually act. Whether purchasing behavior catches up to stated intent remains the open question. 

Key Diligence Considerations: Assess whether a target is positioned as a consolidation winner or a point solution at risk of being rationalized out of the stack. Customer retention trends and expansion revenue are useful signals, as is whether the product sits within an integrated data layer or operates in isolation from the broader platform environment. 

As AI becomes more embedded across security workflows, proximity to core telemetry and control over data flows increasingly influence a platform’s ability to sustain relevance and defend its position. With AI integrated into development, well-capitalized platform leaders hold an advantage in replicating functionality, raising the bar for emerging and scaling entrants to demonstrate a durable moat beyond near-term tailwind-driven growth. 

5. Valuation is being driven by business quality, not just growth 

Perhaps the most relevant takeaway for investors is how the market is currently pricing cybersecurity businesses. Data discussed at RSA reinforced that revenue growth alone is a weak predictor of valuation in this sector. Companies commanding premium multiples are demonstrating strong retention, healthy margins, and capital-efficient go-to-market motions. The market is increasingly rewarding durable growth over fast growth as investors seek to avoid overpaying for tailwinds that may prove transient.

Key Diligence Considerations: Growth rate is a starting point, not a conclusion. The more important questions are whether growth is driven by expansion within existing customer relationships or by aggressive new logo acquisition masking elevated churn. Investors should also assess whether the go-to-market unit economics remain durable at scale and whether performance is supported by true commercial differentiation or simply favorable market tailwinds that could fade as the rapidly ‘rising tide’ slows and supply/demand dynamics approach parity. At current deal multiples, the quality of growth matters as much as its absolute pace.

Conclusion

RSA 2026 reinforced that the cybersecurity sector is moving quickly, and the strategic and technological shifts underway have real implications for how investors evaluate assets in this space. How a company is building its AI layer, whether its product position is defensible in a consolidating market, and whether its fundamentals hold up under scrutiny are the questions that will increasingly separate premium assets from the rest of the pack. 


To learn more about Grant Thornton Stax and our cybersecurity expertise, visit our Insights page or contact us directly.
