The Inflection Point
March was the month it became real.
We launched Surf AI from stealth at CyberSparx in Miami. Ten days later, we opened the Surf Shack at RSA Conference in San Francisco. Two very different rooms. One consistent signal.
The industry has hit an inflection point. And the gap between knowing it and acting on it is widening.
"Agents without context are just faster automation. Adversaries already know this."
CyberSparx: The Right Room at the Right Time
CyberSparx brings together CISOs, founders, and investors under Chatham House Rules. No booths. No pitches. Just direct conversation about where cybersecurity is actually heading.
What stood out was the alignment. Operators, builders, and investors are converging on the same conclusion: fragmented tooling and manual context reconstruction are not going to survive the agentic era. The conversations were not about whether AI changes security. They were about who is building the infrastructure to make it work safely.
That is exactly where we positioned the Surf AI launch. Our platform is built on three layers: Context, Intelligence, and Action. We ingest and connect data across enterprise systems to build a continuously updated Context Graph — a unified model of assets, identities, permissions, behavior, ownership, and dependencies. That graph powers specialized AI agents across identity, cloud, SaaS, and security that detect meaningful risks, validate intent with the right owners, and safely execute remediation with human oversight on every high-impact action.
The reception confirmed what we have been building toward: the market is ready for agentic security orchestration grounded in real environmental understanding.
RSA Conference: The Inflection Was Everywhere
43,000 attendees. 600 exhibitors. AI was no longer its own track at RSAC this year. It was woven into every session, every keynote, every conversation on the floor. By my count, close to half the agenda centered on AI in some form, spanning identity, cloud, threat intelligence, and CISO strategy.
A few observations stood out.
Breakout times have collapsed. Google Threat Intelligence presented data showing that the window between initial compromise and lateral movement has shrunk from hours to seconds over the past three years. When your adversary is operating at machine speed, defenders who are still reconstructing context manually have already lost.
The agentic risk surface is largely unmodeled. Cisco's keynote made the distinction clearly: chatbot risk is about wrong answers, but agent risk is about wrong actions. The industry is waking up to the fact that prompt injection, credential misuse, and unauthorized autonomous execution are not theoretical concerns. They are happening now. And most security programs do not yet have threat models that account for agents acting on behalf of users and systems.
Most security leaders are still in observation mode. The energy at RSA was a mix of urgency and uncertainty. There is broad recognition that something fundamental has shifted, but the majority of CISOs I spoke with are still evaluating where to start. The gap between accumulating intelligence and mounting an institutional response was the undercurrent of the entire week.
Context quality outweighed model sophistication. The companies drawing the most serious attention were not the ones with the flashiest AI claims. They were the ones with the deepest, most differentiated data foundations. That tracks with everything we believe at Surf AI: the quality of your context determines the quality of your outcomes.
On Stage at RSAC
It was an honor to contribute from the stage this year at the 35th anniversary of RSAC. I participated in two sessions on Tuesday, both on topics I care deeply about.
Getting Out of Security: Is the CISO Role Doomed? [CSO-T09]
This session tackled the growing pressure on the CISO position head-on. Regulatory exposure, shrinking D&O coverage, accountability without authority. Experienced CISOs are moving toward fractional, advisory, and board roles at an accelerating rate, and this session explored what that shift means for the future of security leadership. It is a conversation the community needs to have openly.
Context is King: Building Agentic Defense for an Agentic Threat Landscape [BOF3-T10]
A Birds of a Feather session under Chatham House Rules. The premise: agents without context are just faster automation, and adversaries already know this. We had a candid, practitioner-led exchange on what it actually takes to build defenses that match the speed and sophistication of agentic threats. The energy in the room confirmed that this is not a theoretical concern. Security leaders are actively trying to solve this problem right now.
The Noise Was Real Too
Not every booth matched its banner. AI washing was on full display, with legacy products relabeled and agents that were really just rebranded workflows. The disconnect between marketing claims and actual product capability was a recurring theme in hallway conversations and post-show commentary from outlets like the CISO Series and the Google Cloud Security Podcast.
The US federal government's absence was also hard to miss. Historically a meaningful presence in cybersecurity partnership conversations, that voice was largely missing this year.
What This Confirms for Surf AI
Everything we heard at CyberSparx and RSA reinforced our thesis.
Security is no longer centered on devices or networks. It is centered on which AI agent is acting, on whose behalf, and whether a real, verified person authorized that action.
That is what Surf AI was built for. Our Context Graph maps people, systems, access, usage, ownership, and policies into a living model of your organization. Purpose-built agents for identity, cloud, SaaS, and security use that context to act with precision, not guesswork. Every automated action is validated by policy, risk-scored, and constrained to ensure it is safe, reversible, and governed by human approval.
No AI washing. No rebranded dashboards. Agentic security orchestration with the transparency, guardrails, and auditability that enterprises require.
Looking Forward
The inflection point is not coming. It arrived. The question is no longer "should we adopt AI in security?" It is "do we have the context layer to make AI trustworthy at enterprise scale?"
We are building that layer at Surf AI. More to share soon.
Thank you to everyone who visited the Surf Shack and joined us at Orangetheory during RSA week. The energy was exactly what this moment demands.
Yonesy Núñez
CISO, Surf AI
Further Reading
- 6 Key Takeaways from RSA Conference 2026 — CSO Online
- RSAC 2026 Highlights: From Agentic AI to Active Defense — GovTech
- RSA 2026 Recap: The Signal vs the Noise — Bolster AI
- The Cool and Not-So-Cool of RSA 2026 — CISO Series
- Reflections on RSA 2026: Beyond AI — Google Cloud Security Podcast
Yonesy Núñez is a five-time CISO with over two decades of experience securing some of the world's most complex financial institutions, including DTCC, Jack Henry, and Wells Fargo, and currently serves as CISO of Surf AI.
