RSAC 2026 Marked a Turning Point for AppSec. The Reason – Agentic Security RSA Conference 2026 has just wrapped in San Francisco. If you’ve been to enough of these events, you know that while they’re valuable for innovation, connection, and hearing where the industry is headed, they tend to blend into the collective memory of past events after a couple months, with little to distinguish them. But then there’s the 1%. The rare moment you recognize immediately when something shifts. Not a gradual step forward, but a leap. When what felt experimental or theoretical suddenly becomes real. RSAC 2026 felt like one of those moments. What set this year apart was the emergence of Agentic AppSec, not as an idea or an experiment, but rather an operational reality already being adopted and executed, as part of the growing recognition that AI-driven development is fundamentally reshaping the software lifecycle – into Agentic Development Lifecycle (ADLC) – and security models that must evolve to support it. What Defined This Turning Point in RSAC 2026 To understand why RSAC 2026 felt so unique, it helps to take a closer look at the themes that consistently emerged across the event. From Assistive AI → Autonomous (Agentic) Security The biggest shift: Agents have grown to be more than ‘assistants’. Security is no longer just assisted by AI – AI agents increasingly execute it. Agents are moving from copilots to decision-makers who can investigate, triage, and act. The industry is transitioning from human-paced workflows to machine-speed security operations. “Security for AI” and “Security by AI” Converge A major theme across sessions: Organizations must secure AI systems (LLMs, agents, MCPs), while simultaneously using AI to secure software and pipelines. AppSec is now responsible for both sides of the equation: Protecting AI-generated code and AI components Using agents to secure the SDLC, and increasingly, the ADLC The Rise of the Agentic Development Lifecycle (ADLC) AI is reshaping how software is written, reviewed, and deployed. Security must adapt to a lifecycle where agents generate, modify, and ship code. AppSec implication: Security shifts from left → everywhere From reactive → embedded into autonomous workflows Explosion of AI Supply Chain Risk RSAC highlighted growing concern around the security risks introduced by new supply chain components and dependencies, such as LLMs, agents, MCP servers, plugins, and AI SDKs. There is a clear need for visibility (AI-BOM), provenance, and trust in AI components. AppSec implication: SBOM is evolving into AI-BOM You now secure not just code dependencies, but AI dependencies AI-Native Security Vendors vs. Legacy Players There’s a clear market shift: The rise of AI-native security companies is challenging traditional vendors. Winning platforms are being rebuilt from the ground up as AI-first, not AI-enhanced. AppSec implication: Expect consolidation around platforms that embed agents deeply Not bolt-on AI features Trust, Governance, and Identity Become Foundational As agents act autonomously, the question becomes: Who authorized the agent? What can it do? Identity and governance are now core security primitives, not add-ons. AppSec implication: Security must enforce: Agent identity Policy boundaries Auditability of decisions Taken together, these themes highlight a clear gap: traditional AppSec approaches were not designed for an agentic development lifecycle. That gap — and how to close it — was a central focus of what we introduced, as it raised the question: how do you secure an ecosystem that is agent-driven as much, if not more, than human-driven? At RSAC 2026, we introduced our new capabilities designed to address exactly that. Securing the Agentic Development Lifecycle At RSA this year, Checkmarx unveiled a new set of innovations designed to secure the ADLC: Expansion of the Checkmarx Assist family of agents Building on Checkmarx Developer Assist, we introduced two new agents: Triage Assist and Remediation Assist, designed to secure the critical post-commit phase. These agents help teams quickly prioritize real risks and fix them efficiently within pull requests (PR), reducing noise and accelerating secure code delivery. Introducing Checkmarx AI Supply Chain Security As organizations increasingly build with AI components, an entirely new layer is introduced into the supply chain, requiring dedicated security to address its unique challenges and risks. Checkmarx AI Supply Chain Security provides full visibility and risk assessment across the AI stack. With a centralized inventory and AI-BOM covering MCP servers, LLMs, AI agents, SDKs, and more, teams can move fast with AI, without losing control over security. SAST AI and DAST for AI Checkmarx enhanced its two core security engines to support AI-powered SAST scanning across virtually any programming language, helping organizations future-proof their technology adoption. In parallel, we strengthened our DAST engine to deliver runtime protection aligned with the realities of AI-driven and “vibe coding” development. Risk Orchestration within ASPM Checkmarx also announced a new and enhanced risk management and visibility solution across applications, projects, and repositories to improve decision-making, reduce noise, and highlight critical vulnerabilities. Agent identity Policy boundaries Auditability of decisions the tooling landscape must evolve to keep pace with the speed of AI-driven development. The shift is no longer about “AI in AppSec,” but about AppSec itself becoming an entirely different paradigm – agentic, autonomous, and continuous by design. Closing Notes The idea that “AppSec is becoming agentic” goes beyond a shift in tooling — it reflects a fundamentally different way of working with and understanding application security. AppSec is changing its DNA. That is why, compared to 2025, this year’s event was overwhelmingly focused on AI and Agentic Application Security, with a clear emphasis on how Tags: ADLC Agentic AI Agentic AppSec conferences RSAC RSAC 2026
