Reflections on RSAC 2025: Agentic AI, Automation and Ransomware Chaos
Honestly, I cannot remember how many RSACs I have attended representing a cybersecurity vendor, but if I had to guess, I would say more than a dozen. I remember when the rise of the next-gen AV vendors had everyone talking about how they used AI/ML to power their products, whatever their products did.
I was at a SOAR vendor when that was the talk of the show a few years back, before that market got swallowed up by the SIEM vendors of the world. Then I remember you couldn’t walk five feet on the exhibit floor without seeing a vendor claiming they were the XDR to beat all XDRs.
Last year, we all remember the talk of the show: Generative AI as the savior to all cybersecurity problems. I say all this to say that, regarding RSAC, and any big cybersecurity industry show, you get a live and in-person look at groupthink.
This year, as I roamed the massive exhibit hall, I lost count of the number of vendors touting their Agentic AI product and how it would “change the game.” Now I am sure some of these products deliver some value, but I am also old enough to know that often vendors get way out over their skis trying to attach their company and brand to the latest buzzwords that might drive better booth traffic.
I also know that savvy cybersecurity buyers are not wowed by flashy demos or promises of benefits that they know are unachievable. Time will tell if any of this Agentic AI buzz delivers real value, but just as the hype around GenAI had died down by the time Black Hat came around last year, don’t be surprised if you see some vendors pivoting their message away from Agentic AI come August.
Very closely aligned with the Agentic AI messaging was the use of Autonomous by a wide range of vendors, from well-known endpoint vendors to other companies that many people have never heard of. In my nearly twenty years in the cybersecurity vendor world, I have met with more CISOs and SOC managers than I can remember and have talked about automation with many of them.
My takeaway from these discussions is that while automation is certainly needed in some areas of cybersecurity, we are miles away from most security teams being willing to hand over the keys to their security to a fully autonomous SOC. “Eyes on glass” will always be required for organizations to secure their environment.
This is why here at Halcyon, while most of our anti-ransomware platform is fully automated, we couple it with the Halcyon Ransomware Detection and Recovery (RDR) Service at no additional cost. Halcyon RDR is a 24/7/365 monitoring and response service staffed by ransomware experts who meticulously triage every alert generated by the platform for all our customers.
They will then investigate legitimate ransomware threats and respond on behalf of our customers as required. We believe this coupling of automation and human expertise is the only way to deliver a solution that will make security teams confident in the security we provide.
Last but certainly not least, there was no shortage of vendors touting the ability of their products, ranging from EPPs to immutable backup providers and everything in between, to protect against ransomware. Here at Halcyon, we know a thing or two about ransomware, and as I walked around and saw some ransomware messaging, I could only shake my head.
I feel bad for the attendees earnestly seeking a solution to improve their ability to protect against ransomware attacks because, based on who they talk to, they will leave RSAC 2025 with disparate approaches to combat ransomware. For instance, if a potential buyer talked with an EDR vendor, they may have thought upgrading their EDR might solve their ransomware problem.
Unfortunately, many attackers routinely bypass EDR products today, shutting them down before carrying out their attack. For that buyer, upgrading their EDR wouldn’t do much to help them fight ransomware.
Other buyers who left thinking that deploying a new immutable backup solution would be a great failsafe in the event they are hit with a ransomware attack might be in for a rude awakening when they realize that one of the first things attackers do is corrupt or delete backups as part of their attack, to ensure the victim has no choice but to pay the ransom.
Still, other buyers may have been intrigued by solutions like Automated Moving Target Defense or using Decoy environments to lure attackers away from their real environment. Even better is seeing a vendor who last year had no discernible ransomware protection product make a 180-degree pivot to focusing on nothing but ransomware.
The long and short of all this is that you cannot change your website and messaging and suddenly end up with a ransomware protection product.
To deliver sustainable ransomware protection, you must understand that the advanced ransomware threat is not just malware or an encryptor. Today’s advanced ransomware threats are complex attacks, carried out by skilled personnel working in an organized approach to inflict the maximum damage possible on their victims.
They know how to bypass common approaches to defeat them and are relentlessly seeking to move money from your company’s coffers to theirs. To combat them, you need a solution that delivers three key capabilities. First, the solution must be able to identify malicious executables and files that EDRs commonly miss and prevent them from running. However, prevention alone will not be enough to defeat these threats. A ransomware protection solution must also be intimately familiar with how attackers behave in your environment and be able to identify and disrupt their actions.
Finally, suppose the savvy attackers can hide their executables and behaviors and get to the point where they are exfiltrating and encrypting data. In that case, the solution should detect the movement of data out of your environment in real time, signaling an attack, and recover your encrypted data without you having to pay a ransom. If the solution claims to deliver ransomware protection without these three core pillars, you are still exposed to the impacts of an advanced ransomware attack.
I would be remiss if I didn’t mention something I was honored to be a part of at RSAC 2025. I attended the SC Media Awards Reception on Tuesday night, representing Halcyon. Along with well-known vendors CrowdStrike, Splunk, and Proofpoint, we were nominated for Best Enterprise Security Solution and walked away with some nice hardware.

I’d like to personally thank the panel of judges for bestowing this prestigious award on us, which recognizes the value and comprehensive ransomware protection Halcyon delivers.
Now that everyone is back to their regular duties of protecting their environments, if you have any questions or want to learn more about Halcyon, feel free to reach out and schedule a demonstration. Until we meet again in the hot desert sun of Las Vegas for Black Hat 2025, I bid everyone a good day.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.