My first RSAC. And far from what I expected.
As a cryptography PhD researcher, I came to the RSA Conference 2026 thinking I knew what it would be: a big cybersecurity event, a few talks, some networking. Instead, it turned into one of the most intense, inspiring, and eye-opening weeks I've had.
San Francisco itself set the tone from the moment I arrived. My first conversation wasn't even at the conference, it was with a taxi driver complaining about how tech (Waymo, Uber, everything) was going to replace him, and how some big conference was making the city completely chaotic. That “big conference” was RSAC. And he wasn't entirely wrong, the entire city felt taken over.
But what really made RSAC special wasn't just the scale (40,000+ people), it was the feeling of being part of something bigger. This year's theme, “The Power of Community,” was not just a slogan, it was real. Everywhere you went, conversations were happening: in conference rooms, hallways, coffee lines, and even randomly across the city when crossing people with RSAC badges.
One of the highlights for me was giving a talk on work I had been developing over several months.
I spoke about how to systematize cryptography across multi-cloud storage environments, focusing on trust assumptions around components and key management. Starting from a simple question, what happens when outages are no longer rare but expected?, I explored why multi-cloud is becoming essential, why trusted proxies dominate but remain fragile, and how keyless protocols offer an interesting solution, if designed carefully. I concluded by encouraging the audience to translate these ideas into practice within their own organizations: identifying their multi-cloud needs, mapping critical secrets, and proactively anticipating compromise through simulated attack scenarios to better understand where security might fail.
What made the experience truly special wasn't just being on stage, it was the discussion afterward. The questions, the feedback, the different perspectives. It's one thing to do research, and another to see it resonate with people facing real-world constraints.
Another surreal moment: meeting the people whose names you've been studying and citing for years.
I had the chance to talk with Whitfield Diffie, Taher ElGamal, Ron Rivest, Mihir Bellare, Michel Abdalla, and many others. At some point, Ron Rivest (the “R” in RSA) was genuinely happy to hear that we use one of his inventions at Astran, the AONT primitive, which was a bit of a full-circle moment.
It made me realize something simple: cryptography is not just theory written in papers. It's a living field, shaped every day by people you can actually meet, talk to, and learn from.
Beyond the big names, what stood out the most was the community itself.
I had countless conversations about what we're building at Astran, our R&D work, our vision around multi-cloud resilience, and the importance of data sovereignty. What stood out was how strongly our vision resonated: ensuring critical operations running even in the face of outages or adversarial conditions. There was a shared understanding that resilience is no longer optional, it's a necessity.
And beyond the technical discussions, there was something else: the human layer. Many conversations drifted toward the same question: why does security still fail, even when we have the right tools? The answer often wasn't technical. It was about behavior, incentives, and how people interact with systems.
RSAC is also a bit surreal in its own way.
One moment you're watching Hugh Jackman on stage joking about coding. Next, you're listening to four former NSA leaders openly discussing real-world cyber operations, mistakes, and lessons learned.
That contrast captures the spirit of the conference: part inspiration, part reality check.
If there was one thing you couldn't miss this year, it was AI.
Everywhere, talks, booths, billboards, AI was the headline. Securing it, using it, defending against it. At some point, it felt like almost every session had “AI” in the title.
But beyond the hype, the message was clear: AI is changing the security landscape fast. Especially with the rise of agentic AI, systems are no longer just tools, they act, decide, and sometimes fail in ways we're still trying to understand. This is accelerating the speed of attacks and pushing organizations toward more proactive, adaptive security models. One remark that stuck with me (from Taher ElGamal) was that AI feels like e-commerce in reverse: with e-commerce, we built security first, then scaled usage. With AI, it feels like we are scaling first, and figuring out security afterward.
We're still at the beginning of this shift, and it's unclear where it will take us, but it will definitely be something to watch closely.
At the same time, another topic was discussed with good seriousness: post-quantum cryptography.
There is a clear push toward crypto-agility: the idea that systems must be designed to evolve as cryptographic standards change. This is no longer just a theoretical concern. With recent announcements from major players like IBM and Google accelerating progress in quantum computing, the timeline is becoming more tangible.
As a result, it is increasingly clear that organizations can no longer afford to delay; the roadmap toward PQC migration needs to be defined as soon as possible.
RSAC 2026 made one thing very clear to me: the future of cybersecurity sits at the intersection of cryptography, AI and resilience.
But more importantly, it reminded me that behind all of this, protocols, systems, models, there are people. A global community trying to solve hard problems, share knowledge, and build something that actually works in the real world.
And that's what makes this world special.