A Field Guide to RSA 2026
Every year at RSA the vocabulary rotates. The architecture doesn’t.
This year the big word is “agentic.” Last year it was “AI-native.” Before that, XDR. Walk enough booths and you’ll notice something: very different products using almost identical language to describe very different things. In general, buzzwords are fine - but only if they can deliver.
Here’s the field guide.
Part 1: The Word of the Conference
Agentic AI / AI SOC / Autonomous SOC
2024 was the year of the theory. 2025 was the year every vendor slapped “agentic” on their homepage. 2026 is the year customers expect receipts.
Most don’t have them yet.
More teams have seen a demo. But production deployments are rare and struggling. A lot of what’s being called an Autonomous SOC is really a managed service with a software wrapper. The demos are compelling. But the evidence isn’t in.
And here’s what nobody’s addressing: most of these systems still run on the same partial, ingestion-limited data that made the SOC painful in the first place. AI doesn’t fix bad architecture. It inherits it.
If the AI can only see what was ingested into one platform, it hits the same ceiling your analysts already hit. Different interface. Same blind spots.
Ask: Does it operate inside your architecture, or are alerts shipped out and summarized somewhere else? Can it show the full investigation chain? Does it have access to all the data and context it needs, or are you still stuck with inaccessible data, high costs, and gaps?
If you're still stuck with those gaps, the AI isn’t the bottleneck. The architecture is. When incidents escalate, accountability matters.
Part 2: The Zombies
Been here for years. Still won’t die.
“Next-Gen SIEM.”
Every SIEM vendor calls themselves next-gen now. Including the ones running the same architecture they shipped ten years ago.
The model hasn’t changed. Move the data. Index the data. Query the data. Pay per byte.
That’s the ingestion tax. The cost, latency, and rigidity of requiring every byte to land in one place before anyone can touch it. And it’s the structural problem underneath everything else on this list.
A better SIEM isn’t the shift. A different model is. One where detection is separated from storage. Where analytics run across SIEMs, data lakes, cloud, and other systems without re-ingesting or duplicating anything. You query data where it already lives.
That’s not next-gen. That’s a replacement.
“Single Pane of Glass.”
Been on the banner for a decade. The fine print never changes. Consolidate into our stack first.
If the visibility only works after a migration project and a new ingestion pipeline, what you’re getting is a platform swap. You retire tools that were working. You take on new constraints. The vendor gets lock-in. You get a six-month project and a bigger bill.
That’s not simplification. That’s archaic consolidation with a better pitch.
Part 3: What Nobody Will Say Out Loud
You won’t hear these at a booth. You should.
Visibility is still fragmented. Everywhere.
For a decade, the industry has said the same thing: centralize everything and you’ll get visibility. And after a decade, most organizations still can’t query across their own stack without exporting, re-ingesting, or switching tools. The model keeps failing because it requires centralization as a prerequisite for visibility. That’s backwards.
Decouple analytics from storage. Query data where it lives. You don’t have to centralize everything to see everything.
Most “cost savings” are just tradeoffs in disguise.
Pipeline filtering cuts ingestion bills. But it also creates blind spots. Auto-triage saves on analyst headcount and MDR spend but leaves the underlying problems intact. The team is still doing all the tuning, hunting, and remediation, without time to address the dark areas where no alerts are firing.
If saving money means trading visibility for a lower invoice, those aren’t savings. That’s debt.
Real cost transformation happens when detection is decoupled from storage. When analytics run against data in low-cost object storage without forcing full re-indexing. That changes the slope of the cost curve. Not just the edges.
Detection completeness. The metric nobody talks about.
Everyone talks about alert volume. Response time. Mean time to everything. But almost nobody talks about the fact that detection is a spectrum. Detection requires the right data, the right logic, optimal tuning, and a feedback loop.
The real work isn’t routing noise faster. It’s generating less of it. Automating the feedback loop for detection tuning and testing. Closing the gap between what you can theoretically detect and what you’re actually detecting across all your data.
That’s the work. And almost nobody at RSA is talking about it. But we are.
The Buzzwords Will Keep Coming
The buzzwords at RSA keep cycling because the architecture underneath them hasn’t changed.
At Vega, we call the shift a Security Analytics Mesh, or SAM. Centralize analytics, not data.
Next-generation SIEMs still require ingestion. Data lakes still require centralization. AI SOCs still reason over whatever partial data they can access.
Until that changes, the vocabulary will keep rotating and the outcomes won’t.
Vega will be at RSA. Come find us and we’ll show you what we mean.