RSAC Conference 2025 kicked off strong last Monday morning with the 20th annual Innovation Sandbox contest. For those unfamiliar with the contest, ten emerging cybersecurity companies give a three-minute pitch to a panel of judges, who ask questions and then select a winner and a runner-up.
Since the start of the contest, the finalists have collectively seen over 90 acquisitions and over $16.4 billion in investments. Starting this year, the ten finalists will each receive a $5 million uncapped simple agreement for future equity (SAFE) investment provided by Crosspoint Capital Partners (owner of the conference) to further develop their offering. An uncapped SAFE means that the investor's SAFE note has no maximum valuation cap, so there is no predetermined limit on how high the company's valuation can be when the SAFE converts into equity at the next funding round. It is not clear what strings may be attached to the funding, or whether startups can decline the investment and still participate in the contest. One small company we spoke with during RSAC 2025 (not an Innovation Sandbox finalist) admitted that its current investors were nervous about the potential SAFE investment.
AI, Firmware, And Vulnerability Management
This year's entrants (Aurascape, CalypsoAI, Command Zero, EQTY Lab, MIND, ProjectDiscovery, Smallstep, Twine Security, Knostic, Metalware) represented a range of cybersecurity categories covering several different use cases and problem sets for security leaders. However, there were few "category creating" vendors in the contest this year. Instead, most of the vendors appeared to represent potential features (or products) for platform vendors to snag via acquisition. As expected, agentic AI was commonly referenced, both as an innovation and as a shortcut to scale for vendors.
During the break, while the judges deliberated, we tried to predict the likely winner. Many of us liked Smallstep's pitch around device attestation but did not think the judges would pick it. EQTY Lab (verifiable AI agents) also received some votes. Heidi and Jeff both had ProjectDiscovery, the eventual winner, in their Top Three.
ProjectDiscovery, pitching open-source vulnerability detection, benefits from a built-in customer base thanks to its community model. The company's pitch repeatedly compared itself to "twenty-year-old technology" and argued that advances in posture management and attack surface management do not help with the actual problem in vulnerability management: prioritization. ProjectDiscovery contends that its ability to test exploitability, based on its templates, is the difference maker compared to legacy solutions, because whether a vulnerability is actually exploitable on a given asset is what should dictate whether its remediation is prioritized.
Companies Or Features?
At the start of this year's Innovation Sandbox, Dr. Hugh Thompson, Executive Chairman, RSAC & Program Committee Chair, RSAC™ Conference, displayed a list of 200 companies that had been finalists over the past 20 years. The list included several (Axonius, Abnormal, Enveil, Sonatype, Yubico) that remain standalone players in the security space. By contrast, this year's ten contenders and their succinctly pitched offerings looked more like glorified features and less like fully baked companies. We expect the majority of 2025 finalists to be acquired and bolted onto existing tools and platforms in the next 18-24 months. The winner, ProjectDiscovery, seemed the most likely of the bunch to remain a standalone company.
One challenge with the Innovation Sandbox is that it is not clear how much relative weight the judges assign to the quality of the pitch, the overall market opportunity, or how innovative the company or product is. Some pitches were very direct about the problem and backed up their assertions with data. Others struggled to answer questions about what problem they solved or how they brought their niche product to market. In one case, it took two minutes (of a three-minute pitch) for the speaker to explain what the product was.
As for innovation:
- ProjectDiscovery is game changing in that it checks a lot of boxes for doing something differently to address a clear pain that has existed for a while: prioritizing vulnerability management according to what is actually exploitable. It also follows a previously successful model by blending open source, community effort, and enterprise support, a pattern common in tech startups.
- EQTY Lab and Smallstep are game changing in different ways, addressing emerging problems or introducing new technologies to solve perennial problems. EQTY Lab focuses on establishing trust in AI agents so that they can run safely and at scale. Smallstep offers an approach to device attestation over the ACME protocol (the device-attest-01 challenge, which lets a CA issue a certificate only to hardware that proves its identity) to help fight phishing and exfiltration. Additionally, both startups developed a groundswell of support from major cloud providers and device manufacturers, respectively, lessening tech adoption friction.
- Knostic and CalypsoAI both address problems related to widespread adoption of enterprise AI for internal and external users, in different ways. Knostic approaches the problem of AI oversharing by enforcing need-to-know, but also helps by suggesting alternate information rather than simply blocking users. CalypsoAI's agentic warfare solution is a continuous way to evaluate the security of AI systems by adapting and refining attack approaches with agentic AI.
- Command Zero impressed with its presentation about agentic AI in security operations. The three-minute pitch demonstrated that the company understands the problems, vocabulary, and needs of security operations practitioners.
- Two entrants appeared to reinvent DLP in different ways. MIND's pitch of a DLP platform lacked detailed metrics or quantifiable gains over today's solutions. Aurascape's message of innovating fearlessly did not match the solution, which focused on AI application discovery and DLP-esque use cases.
- The remaining entrants also left us with questions about their barriers to entry. Metalware pitched a binary fuzzer to find security flaws in firmware. Fuzzing is a common approach in the IoT and OT security world, but the vendor must navigate a crowded supply chain security market, something the judges pointed out as well. Twine Security introduced AI digital employees and presented some solid metrics on time saved, but the questions of accountability, governance, and trust must be addressed more directly.
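The prioritization argument in the ProjectDiscovery items above is easier to see in code. What follows is an added illustration, not ProjectDiscovery's or Nuclei's own code: a minimal, hypothetical template matcher (status, word and regex rules applied to a probe response) run over constructed responses, followed by a ranking that puts a confirmed-exploitable finding ahead of a higher-CVSS finding that no active check could confirm. The template fields, asset names, finding identifiers and response bodies are all assumptions made for this example.

```python
"""Exploitability-driven prioritization of vulnerability findings.

Added example, not ProjectDiscovery's or Nuclei's code. A version-only
finding is not the same as a confirmed one, so a finding whose template
check actually matched outranks a higher-CVSS finding that nothing could
confirm. Template fields, asset names and responses are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Template:
    """Minimal check template; field names are this example's own."""
    id: str
    severity: str
    status: list[int] = field(default_factory=list)   # acceptable HTTP status codes
    words: list[str] = field(default_factory=list)    # substrings that must all appear
    regex: list[str] = field(default_factory=list)    # patterns that must all match
    condition: str = "and"                            # "and": every rule group; "or": any


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    template: Optional[Template]  # None: banner/version-based only, no active check


def matches(tpl: Template, resp: Response) -> bool:
    """Evaluate each configured rule group and combine them per tpl.condition."""
    groups = []
    if tpl.status:
        groups.append(resp.status in tpl.status)
    if tpl.words:
        groups.append(all(w in resp.body for w in tpl.words))
    if tpl.regex:
        groups.append(all(re.search(r, resp.body) is not None for r in tpl.regex))
    if not groups:
        return False  # a template with no rules confirms nothing
    return all(groups) if tpl.condition == "and" else any(groups)


def prioritize(findings, responses):
    """Return (confirmed, finding) pairs: confirmed-exploitable first, then
    CVSS descending. `responses` maps (asset, template id) -> Response."""
    ranked = []
    for f in findings:
        confirmed = False
        if f.template is not None:
            resp = responses.get((f.asset, f.template.id))
            confirmed = resp is not None and matches(f.template, resp)
        ranked.append((confirmed, f))
    # True sorts above False; within each group higher CVSS first.
    ranked.sort(key=lambda pair: (pair[0], pair[1].cvss), reverse=True)
    return ranked


# --- constructed sample data (hypothetical assets and identifiers) ---------
TRAVERSAL_CHECK = Template(
    id="example-path-traversal",
    severity="high",
    status=[200],
    regex=[r"root:.*:0:0:"],   # /etc/passwd content came back: exploitable
)

FINDINGS = [
    # Banner reports a vulnerable version but no active check exists; the fix
    # may have been backported, so exploitability is unknown.
    Finding("app-1.example", "banner-only-critical", 9.8, None),
    Finding("app-2.example", "example-path-traversal", 7.5, TRAVERSAL_CHECK),
    Finding("app-3.example", "example-path-traversal", 7.5, TRAVERSAL_CHECK),
]

# Probe results a scanner would have collected; constructed here so the
# example runs offline.
RESPONSES = {
    ("app-2.example", "example-path-traversal"):
        Response(200, "root:x:0:0:root:/root:/bin/bash\n"),
    ("app-3.example", "example-path-traversal"):
        Response(403, "Forbidden"),
}


def main() -> None:
    for confirmed, f in prioritize(FINDINGS, RESPONSES):
        tag = "CONFIRMED" if confirmed else "unconfirmed"
        print(f"{tag:11} cvss={f.cvss:<4} {f.asset:15} {f.vuln_id}")


if __name__ == "__main__":
    main()
```

Running it lists app-2 first (the traversal check matched), the banner-only 9.8 on app-1 second, and app-3 last (the same check returned 403, so nothing was confirmed). The point is the ordering, not discarding: an unconfirmed finding is deprioritized, never dropped, because "no check available" is not evidence of safety.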
A few companies featured in the Innovation Sandbox reflected emerging technologies covered in Forrester's The Top 10 Emerging Technologies In 2025, such as IoT security and agentic AI. Forrester clients should check out that report and schedule an inquiry or guidance session with us to learn more.