Andy Cao and Hugh Thompson: Inside RSAC 2025’s biggest moments and boldest ideas
Download MP3Welcome to Inside the Network. I'm Sid Trivedi.
Ross Haleliuk:I am Ross Haleliuk.
Mahendra Ramsinghani:And I am Mahendra Ramsinghani. We have spent decades building, investing, and researching cybersecurity companies.
Sid Trivedi:On this podcast, we invite you to join us inside the network where we bring the best founders, operators, and investors building the future of cyber.
Ross Haleliuk:We will talk about the hard parts of the founder journey, launching companies, getting to product market fit, raising capital, and scaling to an exit.
Mahendra Ramsinghani:And, yes, we will also be talking about epic failures.
Sid Trivedi:But, Mahendra, we're here to make the founder journey easier.
Mahendra Ramsinghani:That is correct, Sid. But we cannot make it too much easier because startups are hard, And, of course, you already knew that.
Ross Haleliuk:Alright, you two. Enough. Let's get started with this week's episode.
Mahendra Ramsinghani:Welcome to this RSA special episode of Inside the Network. Today, we bring you two guests, Andy Kao of Project Discovery, winner of the Innovation Sandbox Award, the coveted award as the most innovative company of 2025, and doctor Hugh Thompson, executive chairman of the RSA conference. We will understand what sets Project Discovery apart and how this most innovative company of 2025 is tackling AI driven challenges and what's next for this rising star in cybersecurity. Then the doctor Hugh Thompson will understand what it takes to lead the world's largest security conference and how RSA continues to evolve in these times. Let's get started.
Mahendra Ramsinghani:Andy, congratulations. The RSA Innovation Sandbox winner for 2025. Nobody guessed in this day and age of AI that Project Discovery would end up being that winner. Not even ChatGipity, not even Grok. You know, we we ran a little poll with these different models, and Project Discovery was, like, number three with all the models.
Mahendra Ramsinghani:Tell us more. How did you make it?
Andy Cao:Well, I think I think vulnerability management is still a big problem. And and AI is absolutely a big problem. But I think if you sit down with CISOs and you ask them, where are they spending their dollars? Where is their team getting bogged down? Vulnerability management is still top two, top three.
Andy Cao:And so I think it was an opportunity to tell a story about reinventing a decades old industry with an approach that with community, I mean Doug was on here in the recent podcast talking about how community really powered security industry in the early days. And I think it's, you know, between solving a really big problem, automating it in a way that it's not magic AI, it's you can see these templates, you can touch them, you can edit them, and then you have this community backing behind it. Think it really creates an inspiring story around innovation that I think the judges could really rally behind. So we're we're really thrilled that they they saw what we were doing.
Sid Trivedi:You know, we it's funny. In advance of this, Andy, we actually went and we pinged one of our former speakers, one of our guests, Ron Gula. You mentioned Tenable and you mentioned Vesis a couple of times in your presentation, your three minute presentation. I I texted Ron last night and I said, hey Ron, like, we have Andy on the show and we wanna, you know, have ask him a few questions and just imagine as if you were one of the judges, Ron, what would be the big question you'd ask? And so he sent me like 10 of them and I'm gonna focus on just one just to to start.
Sid Trivedi:He said, look, Project Discovery is really focused on this open source model. Right? Like that's what differentiates you in the vulnerability management space. And that was something that he was very much pushing in the early days. He talks about this on the show.
Sid Trivedi:He said, Starbucks submits a scan template today on project discovery, who owns a scan? Is it you? Is it Starbucks? The customer? And the reason he flagged this was he said, well, in the future, let's imagine a world where project discovery potentially gets acquired and there's technically IP.
Sid Trivedi:Who owns the IP? Is it your customer? Is it the potential acquirer? Where does that that IP sit?
Andy Cao:We're a open source and community first company. So if you look at our Nuclei templates repo, it's an MIT license. It belongs to the community. And we and this is the only way you can get 10,000 detection templates. It's it's because people know that when they contribute a template, it it can help everyone around the world.
Andy Cao:Now every contribution is reviewed by our internal team because our enterprise customers need to know that there's quality behind that. But ultimately, the only way we can build a sustaining ecosystem of innovation with our community is to make sure that this still belongs to the community. So the answer to that is if it's an MIT license and it's still out there. Now where we're going with this, and and I kinda talked about it a little bit in the talk is vulnerability management is not just CVEs. It can be findings from a bug bounty program, a pen test report.
Andy Cao:Your red team might find something. Nuclei templates, the customizability of these templates, plus the ability with AI now, we can generate Nuclei templates for any vulnerability. And now you have vulnerability detection as code, and our customers own these custom detections. I'll give you an example. One of our customers, Vercel, actually is using us to create a regression automation program around these vulnerabilities and detections that they have, and this belongs to them.
Andy Cao:So I think the community templates is a starting point, but the the opportunities are endless in terms of what companies can really do with the syntax of these templates and really making their own kind
Ross Haleliuk:of customized vulnerability management program. Vulnerability management has a large number of incumbents. There is Tenable. There is Qualys. What was the key challenge that enabled the creation of your platform?
Andy Cao:I mean, you think about it, these scanners were built twenty years ago. I was in high school twenty years ago. And the world is so different today. And, you know, maybe twenty years ago, looking at versions, outdated versions in particular, were enough for vulnerability detection. But today, with the ex I mean, you look at how many CVEs are released every year in 2025 versus twenty two thousand and five, it's just it's a different landscape.
Andy Cao:And security teams need to know what is actually exploitable. And I think what excites me is what we're doing with the Nuclei templates, it's not rocket science, it's not a big complex LLM behind a in a black box. You can see exactly the steps that we're automating that any security engineer, pen tester would do otherwise. And we're just unlocking all this automation that we feel like should have been automated years ago. And I think that's the foundation for us is starting with accurate detections.
Andy Cao:Because no matter what prioritization engines you buy, what vulnerability aggregators you buy, if you're starting with hundreds or thousands of false positives, you're just gonna end up with a lot of manual work.
Mahendra Ramsinghani:You're a star now. You know, we could see the halo, the glitter around you after having won this coveted award. But every company goes through tough times. I mean, you have seen some dark days at Project Discovery. Help us appreciate the ups and downs that you have been through leading up to this day.
Andy Cao:So in our talk, on the final team slide, if you noticed, we used Studio Ghibli images of our team. And we wanted to go in that direction because we are not ex Palo Alto Executives who built security companies. And when I said we're hackers, misfits, dreamers, that's really who we are. Our CTO was top three in the world on Hacker One. He's the hacker.
Andy Cao:Wow. Our CEO is a dreamer. He's got the vision. And I'm the misfit. Like, I dropped out of VC.
Andy Cao:I was unemployed four years ago building a camper van, and and we're just figuring it out. And I think what unites us is this common drive, this grit, this resilience to solve this problem and to know that no one can come in and solve this ourselves. And I think that was one of the things that we learned is, like last year we had one of our early POCs with a large global financial institution. Team invites were not working, scans were failing, and we were getting messages that has like 10:11PM my time and you know, God knows what hour in India for them. And it was there were definitely some pretty dark days of, oh my god, can we build this?
Andy Cao:But I think it's that journey that founders need to go on to learn that that gives you that confidence that yes, you can disrupt a billion dollar industry. You gotta just like focus on the thing at hand, solve this problem for the customer. Hey, if you didn't go well, what did you learn from it and do better next time. And you know, this is this goes out to all the early people who believed in us, who continue to share bugs with us and, you know, but I think it's that focus on growth and learning that has really allowed us to get to where we are today.
Sid Trivedi:On the topic of misfits, you talked a little bit about, you know, your career and the the the awesome thing for our listeners is Andy and I have known each other for a decade and, you know, he started off in Venture. It was pretty awesome. You were at Trident Capital with one of our dear friends Will Lin and then subsequently you joined Sunstone and then after that Comcast and you took a little bit of time off after you know Venture and you described being on in the camper van with your partner and spending a year off away from security, away from software. What did you learn from that experience and what did you bring back after that sabbatical?
Andy Cao:Yeah. I I love to tell you that there was one day that I woke up during my sabbatical where everything was just super clear and and I tell you, still remember the first few weeks after I started, we'd like we just bought this camper van brand new. It's like this empty shell of a thing. And I had just gone to Home Depot and and this was when my wife had just started going back to work. It was like in January.
Andy Cao:And I was unemployed. The whole world was moving on from the holidays and I was like, what am I doing with my life? And it it didn't come overnight as I mentioned earlier, but just, you know, I worked twelve hours a day on that van, seven days. I worked harder on that thing than I did in in Venture.
Sid Trivedi:And Yeah. You DIY ed that van.
Andy Cao:I DIY ed it. It has a huge shower. It it has a bro it has a stove, a fridge. If you go
Sid Trivedi:to Andy's LinkedIn page, you can actually see the picture of the van in Quick Aid and see the, you know, all the details.
Andy Cao:You can see it. Yeah. And I think I came out of that realizing that I'm a builder. I and the venture is an incredible industry and I have so much respect for what you do, Sid. But I think after the many years of being in venture, came away building that van saying, you know, I wanna I wanna build something.
Andy Cao:And I think that was a really I realized what made me tick. I'd always been passionate about cyber security. So when I got introduced to Rishi and Sandeep, I just I felt this kinda drive that I just I hadn't felt ever in my life professionally, and the rest is history.
Ross Haleliuk:AI and automation is is the talk in town. Everybody is is talking how AI is transforming transforming the future of cybersecurity. What is working in AI in your opinion? And what is fluff? What is buzz?
Ross Haleliuk:And what are the overstatements?
Andy Cao:Yeah. I think we have this vision of AI as empowering the people, our users. And I think if we take any inspiration from the dev and infra community, what has worked well with AI there? Engineers get code at the end of it that they can modify, that they can improve replacement. And I think when we see AI in security, we we wanna continue to provide ways where the solutions can be transparent and customizable and empowering.
Andy Cao:So if you look at our AI solutions, it's not a black box. We are generating nuclei templates that clearly outline for a security engineer what we think we need to do to test for a vulnerability. And then we're empowering them to say, okay, if you wanna make any change, can make you can update the template, you can learn from this to write another one. Right? I mean, that's how we are all learning from LLMs.
Andy Cao:I think we should take inspiration from what dev and infra companies have done with AI to really empower security teams, not provide more black box solutions, which I think we've seen has has really been frustrating for many security teams.
Mahendra Ramsinghani:And as we in closing, you look at the future, you look at the crystal ball and say, what would the next twelve, twenty four months look like? What are some things that excite you? What are some things that scare the bejesus out of you as you look at the in the near future?
Andy Cao:I mean, we we're the Davids against the Goliaths here. Right? And if you look at Tenable, Qualys, and Raffet seven combined generate over 2 and a half billion in revenue a year. They are massive businesses, but they're built on foundations that I think many security teams are excited to move on from. And so we get excited about the opportunity to go against those those giants in the industry and and provide an opportunity for security teams to build on something modern.
Mahendra Ramsinghani:Well, Andy, that's the fun part. Tell us what scares you.
Andy Cao:The same thing. We've got we're a team of 35. We I had my first call with Gartner a week ago Oh, wow. Staring with them our vision. And, you know, most people know us as an open source tool.
Andy Cao:And I think this opportunity with RSA is is absolutely incredibly helpful for us. But, I mean, you see, you can go on the expo for this this the security vendor landscape is filled with lots of dollars, marketing buzz. We gotta find a way to cut through the noise. And so thank you for this opportunity to share the story a little bit, but we've got a lot of work to
Sid Trivedi:do.
Mahendra Ramsinghani:There are bunch of VCs that are hunting for you with 50, hundred million dollar term sheets. Just warning you that they'll be thrusting those on you anytime soon here on the on the floor as you walk around. We walk in Vegas in Vegas or in in Times Square when you're walking around, there are people that are shoving these cards in their hands. There are term sheets being shoved in founders' hands around here.
Andy Cao:Well, we'll take the order forms from CSOs first, but and then and then we'll get to the term sheets.
Ross Haleliuk:One last question from my end. You've won the Sandbox. If you were on the on the on the panel of judges, who would you be voting for?
Andy Cao:Let me tell you, Ross. This was such a deep field. I mean, I sat through all those presentations and I wow. What all these teams are building, the opportunity ahead of them, I think it's incredible what this innovation sandbox does. I think if I had to choose one, I think it'd definitely be the runner-up, Calypso.
Andy Cao:They I had a chance to talk with the team at the X Lounge last night. They're up to some really really great stuff and I'm a huge fan of the team, the mission there. And we've already set up some time afterwards to compare notes. I mean, is a community effort. We gotta work together.
Andy Cao:So huge fans of them along with the other eight contestants.
Ross Haleliuk:Awesome.
Sid Trivedi:Andy, thanks for joining us. Huge congratulations again. We're very excited for you and, you know, everything you'll build as you continue to go on this journey. And as a as a fellow former, you know, you were a former VC, it's it's great to see that you've kind of had this second career. It makes it a little bit easier for Mahendra and myself to know that if we are terrible in our job, which we may be, we still have a second job to be founders and hopefully win RSAC.
Sid Trivedi:But Andy,
Mahendra Ramsinghani:you know, you're probably the only VC who's giving respect respect to the industry by becoming a founder.
Andy Cao:You know, there's a question on there about what comes over from VC, and I if I have time, I'd love to just share one thing. Some of the VCs I know are the hardest working people. I don't think VCs get enough credit.
Mahendra Ramsinghani:Nobody's gonna believe you when you say that,
Ross Haleliuk:but please, Thijs, continue. Continue. But remember, he said only Sam.
Andy Cao:But no, I think the the work ethic, the grind, the willingness to sell to founders, the hustle, I mean, so much of that carries over to being, you know, a leader and a startup. So I have so much respect for what you all do, and I think there's a lot more that we share in common than I think people think.
Sid Trivedi:Well, thank you. Thanks. Thank you. Kind words. Yeah.
Sid Trivedi:Thanks guys so much.
Andy Cao:Thank you both. Thank you all of you.
Mahendra Ramsinghani:Yeah. Now that was a fun conversation we recorded with Andy Cow at the Moscone Halls amidst the buzz of RSA. Let's shift gears to the heart of this conference itself. Up next, we're joined by doctor Hugh Thompson, executive chairman of the RSA conference, the world's largest cybersecurity gathering. Now RSA began thirty four years ago as a user conference for the customers of the company RSA.
Mahendra Ramsinghani:The first conference in 1991 had just one panel. And I would guess it probably had no more than forty, fifty attendees. And this year, it has 400 panels and over 40,000 attendees. And this year, another interesting post has been added to the name. It is RSAC, where c stands for content, connection, culture, and conversation.
Mahendra Ramsinghani:It gets beyond the word conference. Let's dive in with Hugh to take a look at these four c's of the RSA c.
Sid Trivedi:Hugh, we're so excited to have you here on Inside the Network during RSA conference. Like
Hugh Thompson:I am happy to be here.
Sid Trivedi:So, you know, let's start with kind of the early story of Hugh and the involvement with RSA conference.
Hugh Thompson:So Okay. How far back do you wanna go, man?
Sid Trivedi:I'm gonna go I'm gonna try to go a little bit back.
Sid Trivedi:So Alright. Go And You
Sid Trivedi:know, in 2022, you led the acquisition of a significant interest in
Sid Trivedi:Oh, say car. Back
Hugh Thompson:to No. Elfhood.
Sid Trivedi:I said No. No. No. No. We'll we'll go we may go there, but we only got twenty minutes.
Mahendra Ramsinghani:So we'll we'll
Sid Trivedi:try to Oh, good.
Sid Trivedi:Sorry. We'll try to be excited. Yeah. Yeah. Go ahead.
Sid Trivedi:So 2022, you led the acquisition, significant interest of RSA Conference Yes. Through your private equity firm Crosspoint. And you've been on the program committee for RSA Conference for sixteen years. So it was Yeah. Yeah.
Sid Trivedi:2022. Yeah. Yeah. I've been the chairman of it for sixteen years, I could say.
Sid Trivedi:Pretty crazy. But over the past three years, you've really gotten involved. I think the new title is executive chairman.
Ross Haleliuk:Oh, yeah. Wow. Yeah. That's how you
Sid Trivedi:the special how they added the Yeah. I mean, that was that was the cost. That was the extra cost to buy RSA conference.
Sid Trivedi:You got ex executive in there.
Sid Trivedi:What has kept you excited about this conference and staying involved? And why did you decide to go and, you know, purchase a significant interest in the conference?
Hugh Thompson:It's a great question. Yeah. And and like you said, I've been involved with this conference. It feels like my whole life actually, but definitely my whole professional life. And when I was a professor at Columbia through, you know, work for a vendor called Blue Coat, CTO there, CTO at Symantec.
Hugh Thompson:But during that whole period of time, it was a passion for cyber. Like a passion for how to help people defend and how to connect people. And I felt that every year at RSA conference, you know, when it was 5,000 people, when it was 10, when it was 15, when it was 20, and you know, now it's 44,000 people. That passion is exactly the same. And why would we purchase it?
Hugh Thompson:Right? Which is a great question. I see this as an institution that must be preserved. It serves a vital function for this community. It connects people in ways that I think are so important, especially in these times.
Hugh Thompson:Text changing all the time, as you know. And when folks are thinking about new dilemmas, like what policies do I set on my AI agents, for example, you don't wanna go out on a limb. You wanna find out what some of the other verticals and some of the other players are doing in the space, and you wanna collaborate as a community. This is a place where people do that. And so we wanna grow it, we wanna invest in it, and we wanna make it bigger and better.
Hugh Thompson:And this year, we launched a community platform with the goal being to connect people not just for one week, but try and get them connected for the rest of the fifty one weeks of the year. So passionate about the space.
Ross Haleliuk:So awesome. Yes. This is the twentieth anniversary of the RSA Innovation
Hugh Thompson:Thank you, man. Thank you for highlighting that. It is.
Ross Haleliuk:And one of the major changes you did this year is introducing a mandatory $5,000,000 investment for each finalist. Take us like, could you talk through this history of how this decision came to be, and what were the outcomes?
Hugh Thompson:Yeah. No. Happy to. So, you know, one of the things and, obviously, I've been I've been running this innovation sandbox for that period of time. Right?
Hugh Thompson:And you get to see a lot of things. You see how these companies then play out afterwards, what happens to them. One of the biggest challenges that we've heard from them isn't so much raising capital afterwards because typically, this at least in the last ten years, it's become a platform platform that says, yeah. That's an important company if you got into the top 10. So will they be able to raise capital?
Hugh Thompson:Yes. They probably will. Will they be heavily distracted during that capital raise? Yes. What tends to happen is those companies get in a a massive amount of inbound interest right after they appear on the stage for ISB.
Hugh Thompson:How do we help them capture that interest, and how do we give them funding right away? So we worked on an instrument that we thought was the most founder friendly way to provide them capital, an uncapped safe based heavily off of Y Combinator. And so the thought was, here's an instrument. It's gonna be very palatable to those entrepreneurs, but as important, it's gonna be very palatable to the venture capitalists that are already invested and the ones that might invest in the next round. So we're not setting a price, uncapped safe.
Hugh Thompson:We don't set valuation. Well, we're making a bet because we're not involved in the selection of those companies. It's selected by an independent panel of judges just as it always has been. So that was the thinking, how can we help these entrepreneurs?
Sid Trivedi:And just to clear up any rumors Okay. There were no changes, there was no negotiation after that.
Hugh Thompson:We published a safe. We put it online. Yep. This is the safe. This is the side letter.
Hugh Thompson:And we did get some feedback. We did get some feedback from the community.
Sid Trivedi:Including myself. And from yes.
Hugh Thompson:And to some unnamed people that may or may not be on this couch, which is actually very valuable, which is very And as you know, we made a couple of tweaks, which we publish back out. And you know what? We learned a lot. We learned a lot during the process. This is something, and I know, Sid, you and I have talked about it.
Hugh Thompson:This is not a twentieth anniversary, let's do a $5,000,000 investment each. This is an ongoing program, and so we're gonna learn a lot as we kinda reflect on this cohort of top 10. But what I thought was amazing is same process that's been happening for twenty years. Judges adjudicate. They show up.
Hugh Thompson:Here's 10 companies. We're like, okay. That's great. All 10 companies have accepted the SAFE, and the feedback that we've gotten from those companies has been great. And I'd encourage you to talk to some of those companies and talk to the judges too.
Hugh Thompson:See what their experience was like.
Mahendra Ramsinghani:You know, Hugh, when you look at the way the 10 companies rise up to the top amongst a pool of what? About two, three hundred companies that applied this year?
Hugh Thompson:Yes. Over 200 this year. About a 40% increase. 40% increase.
Mahendra Ramsinghani:And obviously, the $50,000,000 that is being deployed into these 10 companies, 5,000,000 each, becomes a significant pool of capital. If I wear the venture capitalist hat Yeah. The steps that a VC has to take to earn the trust and respect of a founder, you know, they're as follows. They'll wait till the announcement is made. Once the the winner is announced, they walk up to the founder.
Mahendra Ramsinghani:They share the history of, I've invested in 25 cybersecurity companies. These are all the ways I will add value. Will you give me the privilege investing in your company? So that's the dance a typical VC has to do to earn the trust of a winner. You've kinda completely turned the game around in a way where they get the money right out of the gate or even before they step on the stage.
Mahendra Ramsinghani:What would you say to, let's say, Ashim, if he was not on the judging panel, to say, I'm trying to put my money into this company Yeah. And you are competing with me now?
Hugh Thompson:Yeah. No. Great question. And Ashim, who's a really good friend of mine. Yes.
Hugh Thompson:Yes. And who I have talked to
Andy Cao:about this?
Mahendra Ramsinghani:Yeah. And I'm sure he counseled as the process was being designed because he has to straddle both sides
Hugh Thompson:of this equation carefully. Right? You know, everything we do here at RSAC is with the community. Yep. So we went out and we talked to so many of the previous ISB top 10 finalists as well as a ton of folks in the venture capital community and asked, what is the kind of instrument in here that would not impede your future ability to invest?
Hugh Thompson:Yep. That was a core design principle for us. Yeah. And, obviously, you're gonna see this now play out in real time. Right?
Hugh Thompson:You know, experiment year one, and let's see how that goes. I think though when they apply, they know the institution at least, which is RSAC. Yeah. And what what I saw, which is interesting behavior, all of those companies I can't say all. There's just 200 of them, I haven't talked to, you know, the 200, but many of those companies then went out and they reached out to former ISB top 10 finalists, and they just asked them.
Hugh Thompson:It's like, look. I like this competition. I know it's good, but I want you to tell me, like, really what happened to your company afterwards? Like, how transformative was it? And, you know, if you're a founder, one of the big questions you ask is what are you bringing to the table as an investor?
Hugh Thompson:I think one of the things that comes with this competition is great exposure. Yeah. Right? And you get great exposure plus an instrument that is not just friendly to the founder, but also friendly to the venture capital ecosystem around it, I think you got something great. We're gonna continue to get feedback, but I can tell you that the feedback that we've gotten so far now that we've actually done it from both the companies to participate in and the folks that are investors in those companies has been very positive.
Hugh Thompson:And again, I would encourage you to talk to those folks. Talk to the top 10. Talk to the judges. Talk to other folks who were investors in it, and you'll hear right from the horse's mouth, pick anyone. I'm not even suggesting anyone for you to talk to.
Hugh Thompson:I want you to pick at random and see what they say.
Mahendra Ramsinghani:If you add up the all the winners across the twenty years
Andy Cao:Yes.
Mahendra Ramsinghani:If you just do a blind pool, think of it as a mutual fund. I'm sure the numbers look pretty solid as an investor, I would imagine.
Hugh Thompson:It does. It really does. You know? And you can imagine, you know, we're not going into this thing completely irresponsibly. Right?
Hugh Thompson:So what we're what we're betting on is a process, process, which is truly a bet on the community. Yeah. So for every year, we follow the same process. We have a set of judges. Those judges view have a set of criteria that they look at, same criteria, things that you would expect, you know, I'll list all five of them, but what's the market potential?
Hugh Thompson:Is it a new solution? You know, how are you gonna go to market? Who are the founders? That type of thing. And then they adjudicate it, and it gets down to this top 10.
Hugh Thompson:We then back tested. Well, what would it feel like to these companies if we had invested in this cohort and that cohort and the cohort before it? And the numbers were really compelling. They were really compelling. And why is that?
Hugh Thompson:You never know for sure. Right? Like, example, is it that the judges in the process are so good that they pick the best ones? Or is it semi causal in the sense that these companies now get a stamp of being an innovation sandbox top 10? And thus, if you're trying to get a meeting with somebody, like a prospective buyer of the product, is it easier?
Hugh Thompson:Yeah. Don't
Mahendra Ramsinghani:know. I'll just share one side note about the Please. Winner. We interviewed Andy Cow yesterday. Okay.
Mahendra Ramsinghani:Okay. And prior to that, we did a little bit of a fun experiment. Oh, boy. We we ran the top 10 into three separate LLM models, Chad GPT.
Sid Trivedi:Oh, boy. Okay. Okay. Tell Chad GPT. Knock in perfect ideas.
Mahendra Ramsinghani:And guess what, Hugh? Project Discovery was in all three, but it was ranked as number three by each of those.
Sid Trivedi:Really? I guess there
Sid Trivedi:is Interesting.
Mahendra Ramsinghani:So I guess there is some human involvement that elevated that number three to number one.
Sid Trivedi:Apparently. Yes. Maybe you don't need judges anymore. Yeah. That's And that's gonna be your three judges will be the three foundation model company.
Sid Trivedi:Yeah. Three foundation models and just have
Ross Haleliuk:a say, we'll throw deep seek
Sid Trivedi:in there. Hey, you just survive. Let's hear it
Sid Trivedi:out. Yeah. This is a Chinese angle here.
Sid Trivedi:Oh my gosh. Well Yeah. Let's talk a little bit about,
Sid Trivedi:you know, other topics. One of the taglines that I remember from an old RSAC conference was Oh. RSAC is where the world talks security.
Hugh Thompson:Yes. Thank Thank you. Like an amazing guy. I'm really remembering that title.
Sid Trivedi:But, you know, that 44,000 people who are here and they're founders, they're operators, they're customers, they're investors, you're at the center of it all. You're talking to a whole bunch of these folks. What's the one or two key themes you're hearing again and again for this year? Everyone likes to talk it on LinkedIn, like, what's the theme of RSAC? What does Hugh think is the theme?
Hugh Thompson:Look, I mean, of course, it's not gonna surprise you. It's AI, AI, AI, AI, AI. Okay. But that's okay. It was like that last year, but now it's getting a lot more nuanced.
Hugh Thompson:It's getting operational. It's like AI has made it operationally into our business. Like, it's in here. We've either used it in a customer support case. We're using it in a code generation augmentation case.
Hugh Thompson:We're not letting it run wild, but we're helping it assist. Having it assist our developers. So it's real. Like, it's it's in. How do we govern it?
Hugh Thompson:What about identity of, say, an AI agent that we deploy? How do we have traceability on how this thing is operating inside of the business? So it's amazing. You saw the same kind of progression with cloud, just not as quickly. Yeah.
Hugh Thompson:It's, oh, cloud. Is that good or bad? And then it's like, oh, cloud. We're up there. Now how should we think about configuration?
Hugh Thompson:And, like, which problems go away and which problems get introduced? You're seeing us go through a maturity cycle of AI in terms of cyber, and it's interesting to see that play out. So that's a big topic. Obviously, there's speculation about regulation. Which regulations may be relaxed?
Hugh Thompson:Will Europe, for example, take an increased role in regulation during this next period of time? That's a big question that's opened up. And then, you know, I'd say another one is that people are getting more practical and real about a potential switch out of some of the older cryptographic algorithms. Yeah. You know, it seemed like Yeah.
Hugh Thompson:Twenty thirty something was a ways away, right, you know, when NSA put a stake in the ground. But I think practically now people are thinking about what will happen? How do I do it, how long is it gonna take to move into a post quantum environment. And those are some of the big things that we're seeing.
Ross Haleliuk:Our SA conference has always been about learning. Yes. What is one cybersecurity or maybe leadership book or resource do you find yourself recommending to everyone and also to founders?
Hugh Thompson:Oh, that's a really, really good question. Okay. So I've written many books, but I'm not going to recommend any of those. So,
Mahendra Ramsinghani:you know,
Ross Haleliuk:I I
Mahendra Ramsinghani:I mean, there are two authors on this panel here, Hugh, just to say.
Ross Haleliuk:Yeah. Oh,
Sid Trivedi:these two. These two are that.
Hugh Thompson:I'm also not gonna pander to the panel and recommend How disappointing. Panelist books. Although although that's a good strategy in general. But, you know, what I would say is I think about some of the books that sort of really helped me through. At the beginning, I was very focused on secure coding.
Hugh Thompson:Right? So my first book was on how to break software security, so security testing. But a book that was fundamental to me was writing secure software, and this was actually Michael Howard who was at Microsoft at the time, still at Microsoft. I get it. It's on coding, so it's only one tiny piece.
Hugh Thompson:But if you understand the kinds of errors that happen in code, it helps explain a bunch of other problems that happen downstream. So I think that one is very fascinating. I actually think some of Bruce's books are really interesting. Bruce Schneier. Because he takes a step back view on how the ecosystem really looks like around cyber.
Hugh Thompson:I found those incredibly practical for somebody new that's coming into this space. And, you know, the truth is we're in a new world. Right? We've got agentic AI. We've got these LLMs all over the phone.
Hugh Thompson:It's amazing how much you can learn to get up to speed with some of these things. And in fact, in the membership platform that we have, one of the things we've tried to do is create a rag model where people can learn at their own pace, but it's grounded in talks that have already happened at RSA conference. So I think there's lots and lots of good resources for folks to get up to speed in cyber.
Mahendra Ramsinghani:So, Hugh, when we walk around the floor, there are several large companies that have very large footprints. You know, you could take an example of Cisco. I think they have two floors in the closest hotel booked completely to bring in their guests and CSOs, etcetera. I'm sure if you look at Zscaler, if look at any of these large companies, this becomes kind of a central influx point for all the customers, partners to come. But there is the elephant in the room.
Mahendra Ramsinghani:The big one that is missing here is Palo Alto. And if you see, let's say, Nikesh or Nir walking by Yeah. What would you tell them? If they're not here, what would you, as executive chairman, tell them?
Hugh Thompson:I would tell them, we welcome you back. We welcome you back. No. I know. I say that and I say that honestly because they're an important player in the cybersecurity ecosystem.
Hugh Thompson:No question about it. Right. And this, first and foremost, is a community. Yeah. Right?
Hugh Thompson:Security really is a community.
Mahendra Ramsinghani:We learn from each other during this
Hugh Thompson:We learn from each other during the week, and, you know, there is not one person that you can't learn something new from. I don't care who you are. I don't care how much you think you know. And I would invite all of the participants that are the big ones in the space to participate in this community. Because I can guarantee you many of the vendors, even if they aren't on the show floor, they are going to be right around San Francisco right at this time.
Hugh Thompson:And it's a challenge for them and also for us. Right? Because at RSAC, we are never satisfied. Like, if you tell ask me, hey. How'd this conference go?
Hugh Thompson:I mean, like, okay. Great. Like, it's the biggest one ever, which it is. And, you know, really happy with, the talks and the caliber and the keynotes and all of
Sid Trivedi:it.
Hugh Thompson:But what I'm also gonna tell you is we're never satisfied. And so we're constantly looking for feedback from our sponsors as well. How can we better serve you? And that will be an ongoing mission. So I welcome the discussion.
Sid Trivedi:Maybe one last question to end it all. Tell me. All four of us are Bay Area based. Yeah. So
Hugh Thompson:That's right.
Sid Trivedi:Outside of this week, we're all here. We're here. Here in the here, you know, not just in the city, but in the region. RSAC has been here in Mosc Moscone forever. There've been rumors of move in, moving out.
Sid Trivedi:Just give us the update.
Sid Trivedi:Like, are
Sid Trivedi:you gonna stay in SF, and we have a new mayor? What's the what's the plan? What can you share with us?
Hugh Thompson:It's amazing. You know, so I'm gonna share a story with you. So last year at a dinner, right, at at at at RSAC, there's a dinner, and somebody comes up to me and they don't ask me that question. Right? But what they instead say is, oh, RSAC is moving to Las Vegas in year.
Hugh Thompson:It to you. Right. Right. They've announced it to me that it's moving in 2025 because this is in twenty four, twenty twenty five. What was ironic is we were standing right next to a poster that has the dates of RSA twenty twenty five in In San Francisco.
Hugh Thompson:Right. Okay. So so these rumors have gone along for a long time. Like, look. I think that the city is making an earnest effort to continue to improve.
Hugh Thompson:I'm I'm very optimistic. We had a great relationship with mayor Breed. We have a great relationship with Daniel. He was here earlier this week, you know, walking the show floor. He understands the importance of RSAC into this environment.
Hugh Thompson:This event is massive. You can't just take an event and move the thing. And also Silicon Valley has a special place in technology. And so when we think about those questions, RSAC is here. Yeah.
Hugh Thompson:In 2026, you're gonna find us right here. Actually, not right here right now. I think it's like, you know, five weeks earlier, but you're gonna find us here. And we're gonna continue to work with the city to make things even better for our attendees. Now, you know, one of the biggest challenges is how big could or should the conference get.
Hugh Thompson:And it's for that reason that we spend a lot of time thinking about this platform. How do we help people that really internally can't get travel budget more than anything else to come? Right? So we're continuing to find new ways to serve folks.
Mahendra Ramsinghani:Hugh, three of us here on this side of this table are Champions for Founders. Our request to you is to continue to find ways to make RSA more and more relevant, more and more attractive to the founders that are just getting started or going through the early phases. You know, Innovations Handbooks is a great forum, but we hope that there'll be more such programs that'll be built into the the broad spectrum of four or five days that we have here.
Hugh Thompson:And and we can't wait to go on that journey. In fact, we've got Innovation Sandbox. We've also got Launchpad, which is for companies that are sage earlier. We formed something new this year, which is an off shoot of Innovation Sandbox. It's called the founder circle.
Hugh Thompson:Very exciting. Right? There's only one way to get in, which is to be in the top 10. And it's all the top 10, not just the one from 2020, all the way going back. It was so inspiring to see those folks getting together, up.
Hugh Thompson:We are 100% supportive in an innovation. We have to have it in cyber or we're gonna lose. Yeah. Right? So Not as a conference, as a society.
Hugh Thompson:So anything that we can do, any ideas that you guys have of things we can do, we're completely open.
Sid Trivedi:Thank you so much, Hugh. Thanks for joining us. Okay. Thank you.
Hugh Thompson:Thanks for having me. Thanks for having me.
Mahendra Ramsinghani:Now that was a fun conversation with Hugh. By the way, not many know that he has a PhD in mathematics, hence, doctor Hugh Thompson. And, oh, he's also authored four technical books and over 100 papers. But we just see him on the stage as the host of the Innovation Sandbox. As the executive chair of this entire conference, Hugh has done a lot for our industry.
Mahendra Ramsinghani:If you, as startup founders, feel like RSA should do something more, something creative, or different for startups, please let us know, and we will do our best to share it with Hugh, and rest of his team. Now as we wrap up this episode with some of our own observations, Sid, Ross, and I, we walked the floors. We did our 10,000 steps, many founders, CSOs, and VCs, and here we share some observations. And the best part, Ross saw the goat on the exhibition floor. Let's hear about the goat.
Mahendra Ramsinghani:Alright, gentlemen. Here we are. RSA twenty twenty five is over. Two questions for both of you. What is one thing that you observed, a major trend, a theme?
Mahendra Ramsinghani:And what is one funny thing that occurred during these past few days?
Sid Trivedi:Well, it was it was a fantastic week. My it was so good that I can't even speak anymore. My voice is completely gone. So for all of our regular listeners, if I sound weird, it's because I've been talking too much this week. And Mehedra, before I answer that question, I think the most important thing, given we have you on this episode, is it's no longer RSA.
Sid Trivedi:It's RSA c. And I think,
Sid Trivedi:you know, we wanna make sure we get that right.
Mahendra Ramsinghani:So sorry. I see. I see. Now I see. RSAC twenty twenty five.
Sid Trivedi:Yes. RSAC twenty twenty five. Well, you know, maybe I'll start with the funny thing. I think that probably the there were a lot of funny things that happened over the week with both of you as well. But in my opinion, the funniest was, you know, I had my dear friend Rob Rob Gilduda bring his humanoid to an event we hosted at Foundation Capital's offices on Wednesday, and both of you were there.
Sid Trivedi:And it was just pretty crazy to see this humanoid walking around amongst CISOs, CIOs, founders, you know, kind of heads of m and a, and it became the kind of the star of the of the entire kind of night. Everyone wanted to take a selfie and shake its hand.
Ross Haleliuk:It almost wrote a check. It almost wrote a check. Almost wrote
Sid Trivedi:a check. I did the you know, Robert pasted a QR code on it, and I was hoping that, yeah, you know, people were adding it on LinkedIn because it was definitely you know, it's one of those cool things to see.
Mahendra Ramsinghani:So so wait. Wait, Ross. Did founders start to ask this humanoid for money? Like, what are you talking about? You wrote a check.
Ross Haleliuk:Well, I don't know if they did. But, you know, as it happens with VCs, you don't have to ask them for money in order for you to get the check. They come to you.
Mahendra Ramsinghani:Yeah. The humanoid the humanoid was was wandering around, and and I think a few founders might be disappointed they didn't get a term sheet from humanoid.
Sid Trivedi:I think I did the funniest part was we had, you know, a panel as part of the session, and there were three CSOs, Subrakumar, Swamy, the CSO of Visa, Ben Debont, the CISO of ServiceNow, and Mike Elmore, the CISO of GSK, and myself. And the humanoid was next to us, and we were all laughing and saying, you know, this is gonna be the future CISO and and investor on the room. So, you
Sid Trivedi:know, kinda like the the the past, the present, and
Sid Trivedi:the future all just, you know, sitting sitting up on stage.
Mahendra Ramsinghani:And then Maybe the
Sid Trivedi:the funniest thing was right at the end, you know, I helped Rob kind of with two of my founders. I helped him take that humanoid back to his house, And, you know, he called the Waymo. So we had a Waymo, and we are trying the four of us were trying to put that, you know, that humanoid into the back, you know, the the the boot, you know, the the Waymo. And you should have seen there was this, like, robotic, you know, humanoid car, basically. You had a humanoid, and then you had the four of us.
Sid Trivedi:And we were trying to kinda put it in, and it was the the funniest thing on the street. I mean, there are people taking pictures of us as one of those, like, odds odd evenings. Just so Silicon Valley. You don't see it anywhere else.
Mahendra Ramsinghani:Yeah. Like, what are the human beings doing here? The Weibo should automagically talk to the humanoid. The humanoid should automagically go inside the Weibo, and the two of them should take care of themselves.
Sid Trivedi:Like, come
Mahendra Ramsinghani:on, guys. Get get on with the program.
Sid Trivedi:Maybe in a year. Maybe by our SAC 2026, that will be happening. And I hope not will be happening. That that may be the end of the three of us three anything of of of of real prominence. You know, interesting kind of learnings.
Sid Trivedi:I mean, there are lots of learnings. Clearly, agentic AI was the talk of the town, and Hugh talks about it in in our show in this episode. But maybe the the other interesting thing for me was I was pushing CSOs and CIOs on what they were seeing in terms of, you know, spend and and how spend was changing. And in the past few years, we've seen kind of the security budget grow very consistently between kind of high single digit percentage to low double digit percentage, so in the range of kind of five to 15% growth per year. And several CSOs and CIOs highlighted that given the macro conditions, given everything going on, we were likely gonna see at least, you know, a cut.
Sid Trivedi:And the biggest question was, was that cut gonna be half of what it was in the past? So if you're, you know, growing 8% annually a year, was it looking more like 4%? I think that that is a big conversation point. And for founders, you know, who listen in on this show, I think it's a big factor for all of us to consider because the flush budget, the increase in budget is typically the budget that a new startup goes after. Right?
Sid Trivedi:That is the budget that's not been assigned, and that allows you to go after, you know, a net new budget item and and create a net new spend. So I think in that world, we are gonna have to think about, all of us, how to adapt to this kind of new spend changes. I think the biggest advice I'd have for founders as they're thinking about that adoption and and and how that may change is is really, you know, factoring in that we have a big demand supply imbalance in terms of human talent in cyber. And what AgenTik AI and LLMs allow you to do is, you know, take some of the services spend, the human spend, and convert it to software. And so, you know, as you think about building new tooling, think about how can you go and automate portions of the security workflow, and then think about how can you go and effectively market that automation to the customer so they understand that, hey.
Sid Trivedi:By using this software, I'm actually gonna save money, and that will be a huge factor. By using the software, I won't need to hire this additional talent because that budget, you know, increase even if there's a shortfall, that's a total shortfall. That's gonna be both software and services budget. And there's an opportunity to go and take some of that services budget and move it to software. Those were the the two interesting facts.
Ross Haleliuk:Yeah. For me, I think the funny thing is just how screwed up our perception of risk is. Think about it from this perspective. Every single attendee of the RSAC was incredibly excited about Waymo. So every single one of us was getting into those cars and entrusting the machines with our lives.
Ross Haleliuk:At the same time, a good number of people are still skeptical about the future of AI with respect to cybersecurity and whether or not we should be trusting AI to automate some of the tasks that humans humans are doing. So to me, it's almost like it's just fascinating the degree to which we are willing to risk our lives, but we are not willing to trust this, you know, robotic process automation with a few triage tasks in the SOC. Something that is in terms of learnings, think two two bits for me. One is that in 2025, it is no longer possible to scare scissors into buying a new product. You have to communicate real ROI.
Ross Haleliuk:You have to explain how does this product make them more efficient? How does this product help them save money? How did this product help them do more with less? And to your to your previous point, using AI to automate forecloses is most certainly one way to do it, but there are many there there are plenty of other ways to do it as long as the founders keep the ROI equation in mind as they're thinking about about building something new. The other bit for me is the growing gap between the discourse on social media and the real life.
Ross Haleliuk:For example, there have been a ton of people on social media leading up to the to the RSAC week talking about the questionable value. Hey. Should we go to the conference? Does it make sense? Does it have a good ROI for founders?
Ross Haleliuk:Does it have a good ROI for for security leaders? And then you show up at the event and you talk to the actual attendees and you realize that the the ones who are able to plan their time well, know where to go, know whom to meet, they're getting a tremendous value out of that event. Like security practitioners, security leaders are able to meet their peers, are able to understand, to benchmark their security programs against their colleague security programs. They're able to meet new innovative startup founders. They're able to understand how the industry is shifting, how the trend landscape is shifting, what they should be paying attention to, a ton of value.
Ross Haleliuk:In the same way founders, if they are being proactive, if they're scheduling conversations ahead of time, if they're planning their calendar, if they're planning whom they're going to meet, which events they're going to attend to, they're getting a tremendous amount of value from all of that exposure to their customers, to prospective customers, to VCs, their other founders and learning from them and so on and so forth. Now at the same time, some people can obviously question the value of the conference because they want the conference to happen to them instead of being proactive about their own time and trying to get value. The other bit is like, the other way of in which I see this growing gap between the discourse on social media and in real life is how people discuss is is what people discuss. Right? If you
Sid Trivedi:go you go you go on LinkedIn,
Ross Haleliuk:you read some articles, everyone is talking about MCP, everyone is talking about agentic AI. Now you talk to buyers and you realize that they're still talking about the very same problems that they've been talking about five years ago. They're still talking about vulnerability management, endpoint security, email security, cloud security, network identity, and on and on and on and on. So the new technologies where the where the new technologies are more are most impactful is where they're applied to the old well understood problems, and and that's where where the difference is made.
Sid Trivedi:Yeah. I think for for you put a really good point, Ross, which is that I think the advantage of a big conference, certainly of RCC with whatever almost 45,000 attendees, is that it is truly where the world talks security. And there's this huge opportunity to go and meet people who are not in your network and get to know them, and as a result, get to go and get insights that you may not have been able to do one on one as you go and reach
Hugh Thompson:out to individuals, you know,
Sid Trivedi:over email or LinkedIn or, you know, through some other form. And I think that as as our listeners are thinking about whether to go to a big conference, particularly RSAC or Black Hat. I'd put those two as kind of very large conferences in our industry. And if you want to go and have those chance encounters and increase your network, these are the places to be. Mahindra?
Mahendra Ramsinghani:Well, speaking of chance encounters, Sid, I remember the first RSA I attended was thirteen years ago, And I was literally crossing the street coming into Moscone, and somebody I could hear somebody yelling out my name. And I turned around, and I walked back actually halfway from the street, and this person introduces me to this founder. Two seconds later, this person is gone. I have taken this founder's contact details, and then I'm gone. So that chance encounter led to one of my early investments that gave me an 8x outcome on a cash on cash basis.
Mahendra Ramsinghani:Right? So I am a big believer that these events, you know, 40,000 some people come. In one week, I had almost I don't know. I met about a 50, two hundred people. I mean, granted, these are not deep conversations.
Mahendra Ramsinghani:But if I look at the rest of my year, probably I'll have another 50 meetings, and then all of this is compressed in, like, three and a half days. Right? So the density and value is so immense. Now our world, you know, said your and my world is sort of intertwined between these three legs of the startup journey. On one side, you're founders.
Mahendra Ramsinghani:The second leg is, call it, investors, VC friends, if you will. And then the third leg is acquirers or, say, investment bankers. And so between those three, there were some pretty interesting observations. Amongst founders, I found some of these repetitive me to start up ideas. And my one request to our audience of founders is that do some research.
Mahendra Ramsinghani:There are tremendous opportunities out there, but also try to stay away from the ones that so many other companies are doing. A slight variant on agentic AI is not gonna give you a differentiation. It's not gonna get the VCs excited. So you have to think differently. I mean, to use the Apple slogan, think different.
Mahendra Ramsinghani:So that's one advice to founders. Now on the VC side, of course, a lot of parties, fancy dinners, a lot of, you know, events where you're sort of literally trying to jam four, you know, dinners in one evening, they tended to be a lot more interesting where you started to see how investors are thinking. And the big observation is investors are obviously, you know, being conservative, being very picky. In some situations, the valuation dynamics are, of course, playing to the invest investor's advantage. And then finally, on the acquirer side, I had, you know, conversations with people around Cisco, Palo Alto.
Mahendra Ramsinghani:I heard some people describe how CrowdStrike strategy is evolving. And I think there is a very interesting world that is starting to play out there. And being aware of those with with how the investment bankers are also working with those buyers, it's it's extremely important for our founders to know how the big company are thinking, how do they look at the geopolitical impacts, the changes in stock market, and how their own strategy is gonna evolve. Of course, a big surprise or the big sort of, you know, event that occurred re just prior to RSA is the Google Wiz acquisition. And I was hoping to get hold of some people around that acquisition, but I miserably failed because everybody was partying.
Mahendra Ramsinghani:So a couple of other high level observations. You know, in in AI, you know, there are these three areas. Right? One is how can the models be protected? And so we have, you know, companies like ProtectAI that got acquired by Palo Alto.
Mahendra Ramsinghani:The second is how can the SOC or the life of the analyst be improved? So you saw so many different opportunities coming out there. And there, I feel like the risk of differentiation still needs to be thought through. Finally, the third piece was how can the enterprise protect themselves when a lot of their employees are posing questions to chat GPD or how they are downloading models from Hugging Face, how they are going about using AI in somewhat of a Wild West manner. And so we saw a start up that covered those three areas, and I feel like it'll be interesting time to see how those three zones of opportunity play out for for our founders.
Ross Haleliuk:So is nobody going to talk about the goat on the floor? Have you guys seen Van Vandergot? I
Sid Trivedi:didn't see it, but I saw pictures of it. It was pretty crazy.
Ross Haleliuk:That was kinda cool. That was kinda cool. I hope I hope next year at on the floor, we can have a small petting zoo with goats and all the other kinds of animals, and people can just have fun with kids.
Sid Trivedi:Well, you know, some of some of the the the the feedback, though, was also that, like, that the one could argue that there's some level of animal cruelty, and the and the reasoning behind it is that they they also had puppies, and, you know, puppies are not supposed to actually be you know, they're not supposed to just like small babies, they shouldn't be spending a lot of time with a lot of people because it increases the risk of kind of them getting illnesses. So I think, like, they're they're positives, but they're all also negatives to just having animals kind of kind of bear. It feels a little bit gimmicky. So while it was it was a cool angle, I also worry a little bit about, you know, the the animal cruelty there.
Mahendra Ramsinghani:Wait. I think we should all unequivocally state for our audience that we do not support animals, human beings, or any other form of exploitation to promote your shit.
Sid Trivedi:Yes. That's true. That's a great point. I think only you can promote it. You should be promoting your stuff.
Mahendra Ramsinghani:And, I mean, to find an intelligent way to diverse, you know, differentiate yourself, if you think that you need an animal or a human being dressed in a certain way or, you know, something that kind of borderline is silly, then maybe you should not be doing that business at all because you're not gonna get attention from the intelligent buyers.
Ross Haleliuk:Agreed.
Sid Trivedi:Agreed. Thank you for joining us Inside the Network.
Ross Haleliuk:If you like this episode, please leave us a review and share it with others.
Mahendra Ramsinghani:If you really, really liked it and you have some feedback for us, wrap it on a bottle of Yamazaki and send it to me first.
Sid Trivedi:No. Don't do that. Mahindra gets too many GIFs already. Please reach out by email or LinkedIn.
