RSA Conference 2026: What Security Professionals and Developers Need to Know Before April

Abhishek Gautam · 7 min read

Quick summary

RSA Conference 2026 arrives in San Francisco in April as the world's largest cybersecurity event — and the most relevant it has ever been for developers. AI-powered attacks, post-quantum cryptography, and the Iran conflict's cyber aftermath dominate the agenda.

RSA Conference 2026 takes place in San Francisco's Moscone Center in late April — and it arrives at a moment when cybersecurity has moved from a specialised IT concern to a front-page global story. The Iran conflict, the North Korea Bybit hack, AI-powered cyberattacks, and the looming post-quantum cryptography transition have made 2026 the most consequential year for security in the internet era. Here is what to expect from RSA 2026 and why it matters more to developers than in any previous year.

RSA Conference 2026: Dates and Format

RSA Conference 2026 runs from approximately April 28 through May 1, 2026, at Moscone Center in San Francisco (dates to be confirmed — RSA typically confirms the exact schedule 8-10 weeks out). The conference format includes:

  • Keynote sessions: Major announcements from CISA, NSA, major security vendors, and typically at least one major tech CEO
  • Technical sessions: Hands-on talks on attack techniques, defences, and emerging threats
  • Innovation Sandbox: Competition for the most innovative early-stage security startups
  • Expo floor: 600+ security vendors — the clearest snapshot of where enterprise security investment is flowing
  • Developer-focused track: Growing every year as security shifts left toward developers

Online streaming of keynotes is available; in-person attendance prioritises the expo and networking.

The Three Big Themes at RSA 2026

Theme 1: AI Attacking and AI Defending

The 2025 RSA had AI as a buzzword. RSA 2026 has AI as an operational reality on both sides of every attack. The Mexican government breach, the Bybit hack's AI-assisted money laundering, Iranian APT groups using AI for reconnaissance — all of these will be dissected on the RSA stage. Expect major announcements from:

  • CrowdStrike, Palo Alto, and SentinelOne on AI-native threat detection that can match the speed of AI-powered attacks
  • Microsoft and Google on AI security features embedded in their cloud and developer platforms
  • Anthropic and OpenAI (though their presence will be controversial given the Claude misuse incidents) on what responsible AI deployment in security contexts looks like

Theme 2: Post-Quantum Cryptography — The Countdown Is Real

NIST finalised the first post-quantum cryptography standards in 2024. RSA 2026 is where those standards stop being theoretical and start being implementation requirements. CISA has set timelines for US government systems to begin post-quantum migration. Financial services regulators in the EU and UK are issuing guidance. The "harvest now, decrypt later" threat — where adversaries store encrypted traffic today to decrypt it once quantum computers are available — has moved from hypothetical to documented threat actor behaviour.

For developers: if you handle long-lived sensitive data (medical records, financial data, legal documents, government information), the RSA 2026 post-quantum track will define what "compliant" means in 2027 and beyond. This is not a 5-year-away problem anymore.

Theme 3: Geopolitical Cyber — Iran, Russia, China, and North Korea

RSA 2026 is the first major security conference after the Iran conflict's active cyber phase. Expect detailed threat intelligence releases from CISA, NSA, and their partners on Cotton Sandstorm, Wezrat, and other Iranian APT groups' TTPs (tactics, techniques, and procedures) as seen during the conflict. This is typically how RSA works — classified threat intelligence gets declassified and shared with the industry in the weeks around the conference.

The North Korea Lazarus Group's Bybit hack will also have a major RSA presence — with sessions on the Safe{Wallet} supply chain attack vector and what cryptocurrency platforms must do differently.

What Developers Should Actually Do With RSA 2026

Watch the keynotes (streamed free) for the threat landscape overview from CISA — this is the clearest public statement of what the US government considers the top cyber threats for the year. It directly informs what you should prioritise in your application security.

Track the Innovation Sandbox — the 10 finalists represent where venture capital thinks the most important security problems are. In recent years this has surfaced AI security, identity security, and cloud misconfiguration as the top investment areas. The 2026 finalists will tell you what the next wave of security tooling looks like.

Post-quantum action items: If you use TLS (everyone does), RSA 2026 will surface the clearest guidance on when to expect TLS post-quantum hybrid modes to become standard and what you need to do in your stack. Libraries like OpenSSL and BoringSSL are adding post-quantum support; the RSA track will give you the timeline.

AI security track: Given the Claude attack case and rising AI-powered phishing, the AI security track at RSA 2026 will be one of the most practically relevant in conference history. Sessions will cover prompt injection defences, AI-powered SOC tools, and how to build AI-integrated applications that do not create new attack surfaces.

Why RSA Matters More for Developers in 2026

The historic split between "security people" and "developers" is closing. The attacks that dominate headlines — supply chain attacks, API vulnerabilities, AI-powered phishing, COBOL modernisation introducing new attack surfaces — all trace back to decisions made at the developer level. Security is not something you bolt on at the end of a project. RSA 2026 will be the most developer-relevant security event in the conference's history.

If you cannot attend in person, the RSA YouTube channel archives most sessions within days. The threat intelligence releases from RSA typically surface on CISA's website, vendor blogs, and security research repositories within the week.

Written by

Abhishek Gautam

Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.
