RSAC Conference 2025 kicked off strong last Monday morning with the 20th annual Innovation Sandbox competition. For those unfamiliar with the competition, 10 emerging cybersecurity companies give a 3-minute pitch to a panel of judges, who ask questions and then select a winner and a runner-up.
Since the start of the contest, the finalists have collectively seen over 90 acquisitions and over $16.4 billion in investments. Starting this year, the 10 finalists will each receive a $5 million uncapped simple agreement for future equity (SAFE) investment provided by Crosspoint Capital Partners (owner of the conference) to further develop their offering. An uncapped SAFE investment means that the investor's SAFE note does not have a maximum valuation cap, so there is no predetermined limit on how high the company's valuation can be when the SAFE converts into equity at the next funding round. It's not clear what strings may be attached to the investment and whether startups can refuse the investment and still participate in the competition. One small company we spoke with during RSAC 2025 (not an Innovation Sandbox finalist) admitted that its existing investors were nervous about the potential SAFE investment.
AI, Firmware, And Vulnerability Management
This year's entrants (Aurascape, CalypsoAI, Command Zero, EQTY Lab, Knostic, Metalware, MIND, ProjectDiscovery, Smallstep, Twine Security) represented a range of cybersecurity categories covering several different use cases and problem sets for security leaders. However, there were few "category-creating" vendors in the contest this year. Instead, most of the vendors seemed to represent possible features (or products) for platform vendors to snag via acquisition. As expected, agentic AI was commonly referenced both as innovative and as a shortcut to scale for vendors.
During the break, while the judges deliberated, we tried to predict the likely winner. Many of us liked Smallstep's pitch around device attestation but didn't think the judges would pick it. EQTY Lab (verifiable AI agents) also got some votes. Heidi and Jeff both selected ProjectDiscovery, the eventual winner, in their top three.
ProjectDiscovery, pitching open-source vulnerability detection, benefits from a built-in customer base due to its community model. The company's pitch repeatedly compared itself to "20-year-old technology" and argued that advances in posture management and attack surface management don't help with the actual problem in vulnerability management: prioritization. ProjectDiscovery contends that its ability to test exploitability, based on its templates, is the difference maker compared with legacy solutions, because that element dictates whether to prioritize remediation of a vulnerability.
Companies Or Features?
At the start of this year's Innovation Sandbox, Dr. Hugh Thompson, executive chairman of RSAC as well as program committee chairman of the RSA Conference Program Committee, displayed a list of 200 companies that had been finalists over the past 20 years. The list included several (Abnormal, Axonius, Enveil, Sonatype, Yubico) that remain standalone players in the security space. By contrast, this year's 10 contenders and their succinctly pitched offerings seemed more like glorified features and less like fully baked companies. We expect the majority of 2025 finalists to be acquired and bolted onto existing tools and platforms in the next 18 to 24 months. The winner, ProjectDiscovery, seemed the most likely of the bunch to remain a standalone company.
One challenge with the Innovation Sandbox is that it's not clear how much relative weight the judges assign to the quality of the pitch, the overall market opportunity, or how innovative the company or product is. Some pitches were very direct about the problem and backed up their assertions with data. Others struggled to answer questions about what problem they solved or how they brought their niche product to market. In one case, it took 2 minutes (of a 3-minute pitch) for the speaker to explain what the product was.
As for innovation:
- ProjectDiscovery is game-changing in that it checks a lot of boxes for doing something differently to address a clear pain that has existed for a while: prioritizing vulnerability management according to what's actually exploitable. It also follows a previously successful model by blending open source, community effort, and enterprise support, a combination common in tech startups.
- EQTY Lab and Smallstep are game-changing in different ways, addressing emerging problems or introducing new technologies to solve perennial problems. EQTY Lab focuses on establishing trust in AI agents so that they can run safely and at scale. Smallstep offers an approach to device attestation using the ACME protocol to help fight phishing and exfiltration. Moreover, both startups developed a groundswell of support from major cloud providers and device manufacturers, respectively, lessening tech adoption friction.
- Knostic and CalypsoAI both address problems related to widespread adoption of enterprise AI for internal and external users, in different ways. Knostic approaches the problem of AI oversharing by enforcing need-to-know access to information but also helps by suggesting alternate data rather than simply blocking users. CalypsoAI's agentic warfare solution is a continuous way to evaluate the security of AI by adapting and refining approaches with agentic AI.
- Command Zero impressed with its presentation about agentic AI in security operations. The three-minute pitch demonstrated that the company understands the problems, vocabulary, and needs of security operations practitioners.
- Two entrants looked to reinvent data loss prevention (DLP) in different ways. MIND's pitch of a DLP platform lacked detailed metrics or quantifiable gains over today's solutions. Aurascape's message of innovating fearlessly didn't match the solution, which centered on AI application discovery and DLP-esque use cases.
- The remaining entrants also left us with questions about their barriers to entry. Metalware pitched a binary fuzzer to find security flaws in firmware. Fuzzing is a common technique in the IoT and OT security world, but the vendor must navigate a crowded supply chain security market, something the judges pointed out as well. Twine Security introduced AI digital employees and offered some solid metrics on time saved, but the questions of accountability, governance, and trust must be addressed more directly.
Several companies featured in the Innovation Sandbox reflected emerging technologies featured in Forrester's report, The Top 10 Emerging Technologies In 2025, such as IoT security and agentic AI. Forrester clients should check out that report and schedule an inquiry or guidance session with us to learn more.